merge()

[Mike Bonner]

I just had a thought while pondering some code from another thread.  I have
done things like put merge("This is a random number: [[random(tNum)]]")

Since merge can do what do can, is there a way this method could be taken
advantage of using an injection type of attack?   I'm thinking the answer
is no, (and I haven't managed to find a way to inject yet,) other than
allowing a user to build the whole merge string themselves (which would be
a "bad thing to do" (c))

Am I wrong?  Is it safe as long as I don't do anything careless?