Validate plural formula before replacing the existing one

This issue was brought up by Damien Tournoud at http://drupal.org/node/276111#comment-900679 . Basically, the current implementation of importing translations in Drupal trusts the administrator to trust the translation author that no malicious HTML tags are included, but what is worse is that trust of the plural formula is also required which is converted to PHP and eval()-ed.

As I've said on that issue:

We can certainly improve on validation of the plural forumla, since we know about the few characters which are allowed. Such as no other letter but the letter 'n' is allowed, or that comparison, the ternary operator and parenthesis are the basic building blocks. So we can quite clearly define the possible parts of a plural formula and lock is down hopefully enough. That should be another issue.

This is that other issue. I suggest we should develop a regular expression which defines the allowed values in plural formulas and validate against that. This should help not require that trust in translators.

http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/l10n_server... should provide a decent overview of the existing plural formulas used in Drupal translation projects. That leads us to some allowed stuff:

• the letter n
• ( and ) parenthesis
• numbers
• ? and : (the ternary operator)
• % (modulo division)
• != <= >= < > == comparisons
• && and || logical operators
• whitespace

Anything else I might have missed? Does this set of stuff allow for any kind of PHP injection?