From a128c256a51392fcf752bf612d83a90e8c68027e Mon Sep 17 00:00:00 2001 From: intrigeri Date: Fri, 25 Jun 2010 23:18:34 +0200 Subject: po: added support for html pagetype ... after having audited the po4a Xml and Xhtml modules for security issues. Signed-off-by: intrigeri --- doc/plugins/po/discussion.mdwn | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'doc/plugins/po') diff --git a/doc/plugins/po/discussion.mdwn b/doc/plugins/po/discussion.mdwn index 27683f1ea..73858c818 100644 --- a/doc/plugins/po/discussion.mdwn +++ b/doc/plugins/po/discussion.mdwn @@ -150,6 +150,23 @@ The following analysis was done with his help. variables; according to [[Joey]], this is "Freaky code, but seems ok due to use of `quotementa`". +##### Locale::Po4a::Xhtml + +* does not run any external program +* does not build regexp's from untrusted variables + +=> Seems safe as far as the `includessi` option is disabled; the po +plugin explicitly disables it. + +Relies on Locale::Po4a::Xml` to do most of the work. + +##### Locale::Po4a::Xml + +* does not run any external program +* the `includeexternal` option makes it able to read external files; + the po plugin explicitly disables it +* untrusted variables are escaped when used to build regexp's + ##### Text::WrapI18N `Text::WrapI18N` can cause DoS -- cgit v1.2.3
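Review bot: In the added `Locale::Po4a::Xhtml` section, the verdict "Seems safe as far as the `includessi` option is disabled" states only part of the condition. The following added line says this module relies on `Locale::Po4a::Xml` for most of the work, and the Xml section names `includeexternal` as the option that lets it read external files. Suggest saying in the Xhtml verdict that both `includessi` and `includeexternal` must stay disabled, and wording it "as long as" rather than "as far as". The line "Relies on Locale::Po4a::Xml` to do most of the work." has a closing backtick with no opening one, so the module name will not render as code. The Xml section ends without a "=>" verdict line like the one in the Xhtml section; adding one would make the two consistent. Both sections state that the po plugin explicitly disables these options, but the diff shown here touches only doc/plugins/po/discussion.mdwn, so a pointer to where the plugin sets them would let a reader verify the claim.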