Security checks
---------------
-- `refreshpofiles` uses `system()`, whose args have to be checked more
- thoroughly to prevent any security issue (command injection, etc.).
- > Always pass `system()` a list of parameters to avoid the shell.
- > I've checked in a change fixing that. --[[Joey]]
-- `refreshpofiles` and `refreshpot` create new files; this may need
- some checks, e.g. using `IkiWiki::prep_writefile()`
- > Yes, it would be ideal to call `prep_writefile` on each file
- > that they write, beforehand. This way you'd avoid symlink attacks etc to the
- > generated po/pot files. I haven't done it, but it seems pretty trivial.
- > --[[Joey]]
- Can any sort of directives be put in po files that will
cause mischief (ie, include other files, run commands, crash gettext,
whatever).
[[bugs/pagetitle_function_does_not_respect_meta_titles]], which might
be fixed by something like [[todo/using_meta_titles_for_parentlinks]].
-### websetup
-
-Which configuration settings are safe enough for websetup?
-
-> I see no problems with `po_master_language` and `po_slave_languages`
-> (assuming websetup handles the hashes correctly). Would not hurt to check
-> that the values of these are legal language codes, in `checkconfig`.
-> `po_translatable_pages` seems entirely safe. `po_link_to` w/o usedirs
-> causes ikiwiki to error out. If it were changed to fall back to a safe
-> setting in this case rather than error, it would be safe.
-> --[[Joey]]
-
-### backlinks
-
-`po_link_to = negotiated`: if a given translatable `sourcepage.mdwn`
-links to \[[destpage]], `sourcepage.LL.po` also link to \[[destpage]],
-and the latter has the master page *and* all its translations listed
-in the backlinks.
-
-`po_link_to = current`: seems to work nicely
-
-### license
-
-> Could you please put a copyright and license on po.pm? I assume it's
-> GPLed as it's based on po4a-translate. --[[Joey]]
-
Translation quality assurance
-----------------------------