`refreshpofiles()` runs this external program. A po4a developer
answered he does "not expect any security issues from it".
+### msgfmt
+
+`isvalidpo()` runs this external program. Its security should be checked.
+
### Fuzzing input
I was not able to find any public information about gettext or po4a
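Review bot: the new `msgfmt` entry is a bare placeholder ("Its security should be checked") with nothing a reviewer can act on, whereas the `po4a` entry above at least records an upstream developer's assessment. Since `isvalidpo()` is the check that gates PO files submitted through the CGI (see the "Translation quality assurance" change further down), `msgfmt` is the program that parses untrusted input first, so this entry deserves more than the po4a one, not less. Suggest recording how `msgfmt` is invoked (argument list, whether a shell is involved, whether the input is passed as a file or on stdin), what exit status or output `isvalidpo()` relies on, and whether anyone has asked gettext upstream the same question that was asked of po4a.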
Translation quality assurance
-----------------------------
-Modifying a PO file via the CGI must be forbidden if the new version
-is not a valid PO file. As a bonus, check that it provides a more
-complete translation than the existing one.
-
-A new `cansave` type of hook would be needed to implement this.
+Modifying a PO file via the CGI is already forbidden if the new
+version is not a valid PO file. As a bonus, check that it provides
+a more complete translation than the existing one.
Note: committing to the underlying repository is a way to bypass
this check.
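Review bot: with "must be forbidden" rewritten as "is already forbidden", the paragraph now mixes a statement of what exists with a remaining to-do ("As a bonus, check that it provides a more complete translation"), and the retained "Note: committing to the underlying repository is a way to bypass this check" no longer reads clearly. Suggest marking the completeness check explicitly as not yet implemented, and stating whether the repository bypass is accepted by design (committers are trusted while CGI users are not) or is still an open gap that wants a server-side hook. Also, the dropped sentence "A new `cansave` type of hook would be needed to implement this." is the only place that said how the check is implemented; if it was done some other way, a few words on that would help the next reader.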
-Creating new pages on the web
------------------------------
-
-See [[contrib/po|contrib/po]].
-
Robustness tests
----------------
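Review bot: the removed "Creating new pages on the web" section was the only cross-reference to [[contrib/po|contrib/po]] on this page, and the diff does not show that content moving anywhere. If the topic is now covered on contrib/po itself, a one-line "see [[contrib/po]]" pointer could stay so readers looking for the web-creation behaviour still find it; if it was deleted as obsolete, the commit message should say so.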
Maybe write separate documentation depending on the people it targets:
translators, wiki administrators, hackers. This plugin may be complex
enough to deserve this.
+
+Gettext-ize the plugin code.
+
+Misc
+----
+
+* Can the form validation system be used instead of creating the
+ `cansave` hook?
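Review bot: the new Misc item asks whether form validation could replace "creating the `cansave` hook", but the earlier hunk on this page removes the sentence saying such a hook would be needed and states the PO validity check is already in place. One of the two is stale: either the hook exists and the question should be whether form validation can replace it, or it does not and the Translation quality assurance paragraph should say so. Suggest naming the concrete check being discussed (the `isvalidpo()` gate) so the item stays meaningful. Separately, "Gettext-ize the plugin code." is a localisation task rather than documentation; it probably belongs under the new Misc heading with the other loose item.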