From: intrigeri <intrigeri@boum.org>
Date: Fri, 25 Jun 2010 21:18:34 +0000 (+0200)
Subject: po: added support for html pagetype
X-Git-Tag: 3.20100722~8^2~8^2~13
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/a128c256a51392fcf752bf612d83a90e8c68027e

po: added support for html pagetype

... after having audited the po4a Xml and Xhtml modules for security issues.

Signed-off-by: intrigeri <intrigeri@boum.org>
---

diff --git a/IkiWiki/Plugin/po.pm b/IkiWiki/Plugin/po.pm
index 10a5ba467..ab1cc7ae6 100644
--- a/IkiWiki/Plugin/po.pm
+++ b/IkiWiki/Plugin/po.pm
@@ -869,8 +869,8 @@ sub refreshpot ($) {
 	my $masterfile=shift;
 
 	my $potfile=potfile($masterfile);
-	my %options = ("markdown" => (pagetype($masterfile) eq 'mdwn') ? 1 : 0);
-	my $doc=Locale::Po4a::Chooser::new('text',%options);
+	my $doc=Locale::Po4a::Chooser::new(po4a_type($masterfile),
+					   po4a_options($masterfile));
 	$doc->{TT}{utf_mode} = 1;
 	$doc->{TT}{file_in_charset} = 'utf-8';
 	$doc->{TT}{file_out_charset} = 'utf-8';
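Review bot: The pair `po4a_type($masterfile)` and `po4a_options($masterfile)` is now spelled out at three call sites (here in refreshpot, and again in percenttranslated and po_to_markup), and the html restrictions only take effect if every caller passes both. A single private helper that builds and returns the document would keep the parser type and its options from drifting apart, so each site becomes `my $doc=po4a_doc($masterfile);` (the helper name is only a suggestion). refreshpot's body continues outside this hunk, so whether other code paths also construct a po4a document is not visible here.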
@@ -961,10 +961,8 @@ sub percenttranslated ($) {
 	return gettext("N/A") unless istranslation($page);
 	my $file=srcfile($pagesources{$page});
 	my $masterfile = srcfile($pagesources{masterpage($page)});
-	my %options = (
-		"markdown" => (pagetype($masterfile) eq 'mdwn') ? 1 : 0,
-	);
-	my $doc=Locale::Po4a::Chooser::new('text',%options);
+	my $doc=Locale::Po4a::Chooser::new(po4a_type($masterfile),
+					   po4a_options($masterfile));
 	$doc->process(
 		'po_in_name'	=> [ $file ],
 		'file_in_name'	=> [ $masterfile ],
@@ -1115,10 +1113,8 @@ sub po_to_markup ($$) {
 		or return $fail->(sprintf(gettext("failed to write %s"), $infile));
 
 	my $masterfile = srcfile($pagesources{masterpage($page)});
-	my %options = (
-		"markdown" => (pagetype($masterfile) eq 'mdwn') ? 1 : 0,
-	);
-	my $doc=Locale::Po4a::Chooser::new('text',%options);
+	my $doc=Locale::Po4a::Chooser::new(po4a_type($masterfile),
+					   po4a_options($masterfile));
 	$doc->process(
 		'po_in_name'	=> [ $infile ],
 		'file_in_name'	=> [ $masterfile ],
@@ -1181,6 +1177,37 @@ sub isvalidpo ($) {
 					"to previous page to continue edit"));
 }
 
+sub po4a_type ($) {
+	my $file = shift;
+
+	my $pagetype = pagetype($file);
+	if ($pagetype eq 'html') {
+		return 'xhtml';
+        }
+	return 'text';
+}
+
+sub po4a_options($) {
+	my $file = shift;
+
+	my %options;
+	my $pagetype = pagetype($file);
+
+	if ($pagetype eq 'html') {
+		# how to disable options is not consistent across po4a modules
+		$options{includessi} = '';
+		$options{includeexternal} = 0;
+        }
+	elsif ($pagetype eq 'mdwn') {
+		$options{markdown} = 1;
+        }
+        else {
+		$options{markdown} = 0;
+        }
+
+	return %options;
+}
+
 # ,----
 # | PageSpecs
 # `----
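Review bot: The html branch of po4a_options carries the security-relevant part of this commit, but its only comment is about option syntax. Above the two assignments I would add `# security: includessi and includeexternal must stay off for untrusted pages (see doc/plugins/po/discussion)`. The empty string and `0` are presumably version-specific ways of switching each option off, so naming the audited po4a version would help whoever upgrades po4a to re-check them. po4a_type and po4a_options each test `pagetype($file)` on their own, so a type later added to one but not the other would select a parser without its restrictions. On style, the closing braces in both subs are indented with spaces where the rest of the hunk uses tabs, and `sub po4a_options($)` lacks the space used in `sub po4a_type ($)`.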
diff --git a/doc/plugins/po.mdwn b/doc/plugins/po.mdwn
index 576d36ec1..585e14383 100644
--- a/doc/plugins/po.mdwn
+++ b/doc/plugins/po.mdwn
@@ -213,16 +213,16 @@ preferred `$EDITOR`, without needing to be online.
 Markup languages support
 ------------------------
 
-[[Markdown|mdwn]] is well supported. Some other markup languages supported
-by ikiwiki mostly work, but some pieces of syntax are not rendered
-correctly on the slave pages:
+[[Markdown|mdwn]] and [[html]] are well supported. Some other markup
+languages supported by ikiwiki mostly work, but some pieces of syntax
+are not rendered correctly on the slave pages:
 
 * [[reStructuredText|rst]]: anonymous hyperlinks and internal
   cross-references
 * [[wikitext]]: conversion of newlines to paragraphs
 * [[creole]]: verbatim text is wrapped, tables are broken
-* [[html]] and LaTeX: not supported yet; the dedicated po4a modules
-  could be used to support them, but they would need a security audit
+* LaTeX: not supported yet; the dedicated po4a module
+  could be used to support it, but it would need a security audit
 * other markup languages have not been tested.
 
 Security
diff --git a/doc/plugins/po/discussion.mdwn b/doc/plugins/po/discussion.mdwn
index 27683f1ea..73858c818 100644
--- a/doc/plugins/po/discussion.mdwn
+++ b/doc/plugins/po/discussion.mdwn
@@ -150,6 +150,23 @@ The following analysis was done with his help.
   variables; according to [[Joey]], this is "Freaky code, but seems ok
   due to use of `quotementa`".
 
+##### Locale::Po4a::Xhtml
+
+* does not run any external program
+* does not build regexp's from untrusted variables
+
+=> Seems safe as far as the `includessi` option is disabled; the po
+plugin explicitly disables it.
+
+Relies on Locale::Po4a::Xml` to do most of the work.
+
+##### Locale::Po4a::Xml
+
+* does not run any external program
+* the `includeexternal` option makes it able to read external files;
+  the po plugin explicitly disables it
+* untrusted variables are escaped when used to build regexp's
+
 ##### Text::WrapI18N
 
 `Text::WrapI18N` can cause DoS