+**FIXME**: check whether this plugin would have been a possible attack
+vector to exploit these vulnerabilities.
+
+Depending on my mood, the lack of found security issues can either
+indicate that there are none, or reveal that no-one ever bothered to
+find (and publish) them.
+
+### PO file features
+
+Can any sort of directives be put in po files that will cause mischief
+(ie, include other files, run commands, crash gettext, whatever)?
+
+> No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files)
+> directive is supposed to do so.
+
+### Running po4a on untrusted content
+
+Are there any security issues on running po4a on untrusted content?
+
+> To say the least, this issue is not well covered, at least publicly:
+>
+> - the documentation does not talk about it;
+> - grep'ing the source code for `security` or `trust` gives no answer.
+>
+> I'll ask their opinion to the po4a maintainers.
+>
+> I'm not in a position to audit the code, but I had a look anyway:
+>
+> - no use of `system()`, `exec()` or backticks in `Locale::Po4a`; are
+> there any other way to run external programs in Perl?
+> - a symlink attack vulnerability was already discovered, so I "hope"
+> the code has been checked to find some more already
+> - the po4a parts we are using themselves use the following Perl
+> modules: `DynaLoader`, `Encode`, `Encode::Guess`,
+> `Text::WrapI18N`, `Locale::gettext` (`bindtextdomain`,
+> `textdomain`, `gettext`, `dgettext`)
+>
+> --[[intrigeri]]
+
+### Fuzzing input
+
+I was not able to find any public information about gettext or po4a
+having been tested with a fuzzing program, such as `zzuf` or `fusil`.
+Moreover, some gettext parsers seem to be quite
+[easy to crash](http://fusil.hachoir.org/trac/browser/trunk/fuzzers/fusil-gettext),
+so it might be useful to bang gettext/po4a's heads against such
+a program in order to easily detect some of the most obvious DoS.
+[[--intrigeri]]
+