path: root/doc/plugins/po
author: intrigeri <intrigeri@boum.org> 2010-06-25 23:18:34 +0200
committer: intrigeri <intrigeri@boum.org> 2010-06-25 23:18:57 +0200
commit: a128c256a51392fcf752bf612d83a90e8c68027e (patch)
tree: bb7e9a73df42d589cabe4dc09ce269e5936f9b29 /doc/plugins/po
parent: 903a71c1b9d71bcd10442bee695da6efd4ec953d (diff)
po: added support for html pagetype

... after having audited the po4a Xml and Xhtml modules for security issues.

Signed-off-by: intrigeri <intrigeri@boum.org>
Diffstat (limited to 'doc/plugins/po')
-rw-r--r-- doc/plugins/po/discussion.mdwn | 17
1 file changed, 17 insertions, 0 deletions
diff --git a/doc/plugins/po/discussion.mdwn b/doc/plugins/po/discussion.mdwn
index 27683f1ea..73858c818 100644
--- a/doc/plugins/po/discussion.mdwn
+++ b/doc/plugins/po/discussion.mdwn
@@ -150,6 +150,23 @@ The following analysis was done with his help.
variables; according to [[Joey]], this is "Freaky code, but seems ok
due to use of `quotementa`".
+##### Locale::Po4a::Xhtml
+
+* does not run any external program
+* does not build regexp's from untrusted variables
+
+=> Seems safe as far as the `includessi` option is disabled; the po
+plugin explicitly disables it.
+
+Relies on Locale::Po4a::Xml` to do most of the work.
+
+##### Locale::Po4a::Xml
+
+* does not run any external program
+* the `includeexternal` option makes it able to read external files;
+ the po plugin explicitly disables it
+* untrusted variables are escaped when used to build regexp's
+
##### Text::WrapI18N
`Text::WrapI18N` can cause DoS
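Review bot: in the added Locale::Po4a::Xhtml block, the line "Relies on Locale::Po4a::Xml` to do most of the work." has an unbalanced backtick (the opening one before `Locale::Po4a::Xml` is missing), and "Seems safe as far as the `includessi` option is disabled" should read "as long as the `includessi` option is disabled". Since the same block says Xhtml delegates most of the work to Locale::Po4a::Xml, the Xhtml verdict really rests on the Xml findings listed below it (untrusted variables escaped when building regexps, `includeexternal` disabled by the po plugin); consider saying so explicitly rather than presenting "does not build regexp's from untrusted variables" as a property of the Xhtml module on its own, so a later reader re-auditing one module knows the other must be re-checked too.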