po/todo: remove silly ideas.

[ikiwiki.git] / doc / plugins / po.mdwn

diff --git a/doc/plugins/po.mdwn b/doc/plugins/po.mdwn
index 5337a2ce230810cd80c679a9497f538ba004c63c..f6405f3b3e6ec65c362265fa7de2425719feccce 100644 (file)
--- a/doc/plugins/po.mdwn
+++ b/doc/plugins/po.mdwn
@@ -399,6 +399,10 @@ use in our case, I suggest we define `ENV{COLUMNS}` before loading
 `refreshpofiles()` runs this external program. A po4a developer
 answered he does "not expect any security issues from it".
 
+### msgfmt
+
+`isvalidpo()` runs this external program. Its security should be checked.
+
 ### Fuzzing input
 
 I was not able to find any public information about gettext or po4a
@@ -530,20 +534,13 @@ be merged upstream, though.
 Translation quality assurance
 -----------------------------
 
-Modifying a PO file via the CGI must be forbidden if the new version
-is not a valid PO file. As a bonus, check that it provides a more
-complete translation than the existing one.
-
-A new `cansave` type of hook would be needed to implement this.
+Modifying a PO file via the CGI is already forbidden if the new
+version is not a valid PO file. As a bonus, check that it provides
+a more complete translation than the existing one.
 
 Note: committing to the underlying repository is a way to bypass
 this check.
 
-Creating new pages on the web
------------------------------
-
-See [[contrib/po|contrib/po]].
-
 Robustness tests
 ----------------
 
@@ -597,3 +594,11 @@ Documentation
 Maybe write separate documentation depending on the people it targets:
 translators, wiki administrators, hackers. This plugin may be complex
 enough to deserve this.
+
+Gettext-ize the plugin code.
+
+Misc
+----
+
+* Can the form validation system be used instead of creating the
+  `cansave` hook?