Issues creating instance of SmallInteger

Philippe Marschall philippe.marschall at gmail.com
Sat May 13 10:20:23 UTC 2006


> For the purpose of generating a SmallInteger (from XML ya know..), Object readFrom:'42' works just fine!

Do _not_ do that. This is a _huge_ security hole. What it does is
evaluate the string. This string can be any Smalltalk code. This way
you have arbitrary code execution in Smalltalk.

An exploit for this would look like this:
Object readFrom: 'SmalltalkImage current snapshot: false andQuit: true'

Do
Number readFrom: aString
instead. This has its own problems like that
Number readFrom: 'garbage'
returns 0 but this will be fixed and at least it's safe.

Please note that also Boolean class >> #readFrom: is broken in the same
way. This is the reason why you can execute arbitrary Smalltalk code
in every Squeak image that uses SOAP either as client or server.
Combine that with FFI and X11 root exploits and you have a nightmare.

Cheers
Philippe
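An added example, not from Philippe's post or from Squeak itself: a strict parser for integers coming out of XML that never evaluates its input and, unlike the Number readFrom: 'garbage' case mentioned above, signals an Error on anything that is not an optionally signed run of digits instead of answering 0. The block name parseStrictInteger is my own choice; everything else is standard Squeak Smalltalk and can be pasted into a workspace.

```smalltalk
"Added example: parse an integer from untrusted text without evaluating it.
 Only an optional leading minus sign followed by decimal digits is accepted;
 anything else raises an Error so the caller cannot mistake garbage for 0."
| parseStrictInteger |
parseStrictInteger := [:aString |
    | digits sign |
    aString isEmpty ifTrue: [Error signal: 'empty input'].
    sign := 1.
    digits := aString.
    aString first = $- ifTrue: [
        sign := -1.
        digits := aString allButFirst].
    digits isEmpty ifTrue: [Error signal: 'no digits in: ', aString].
    "Reject the whole string as soon as one non-digit character is seen;
     the text is only inspected character by character, never compiled."
    digits do: [:c |
        c isDigit ifFalse: [Error signal: 'not an integer: ', aString]].
    sign * (digits inject: 0 into: [:acc :c | acc * 10 + c digitValue])].

"Plain numbers are accepted; garbage and code-looking strings are rejected."
parseStrictInteger value: '42'.
parseStrictInteger value: '-17'.
parseStrictInteger value: 'garbage'.
parseStrictInteger value: 'SmalltalkImage current snapshot: false andQuit: true'.
```

Wrap the call in an on: Error do: handler at the XML boundary so a bad value is reported as a parse failure of that element rather than propagating as an unhandled error.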


