Ahah, it seems that this xml_command function is being called as one of the arguments to preg_replace. There's got to be a better way.
program/include/rcube_template.php 450
private function parse_xml($input)
{
return preg_replace('/]+)>/Uie', "\$this->xml_command('\\1', '\\2')", $input);
This is probably why suhosin is triggering the eval blacklist