There are many hosted CMS applications that provide you with some sort of inline markup/ templating engine that lets you output things into a page.
for example, a hosted cms application lets you edit your templates to custome html/css, but they also let you do some basic inline code on the page to do this like inject the article title, date, etc. (object properties) and let you loop through predefined collections.
How do they do this?
How do they prevent the user from accessing other objects which you don't want them to?
e.g. Imaine them outputing your connection string! lol
here is an example: http://wiki.shopify.com/UsingLiquid