diff --git a/plugins/sudoers/strlcpy_unesc.c b/plugins/sudoers/strlcpy_unesc.c
index ee6276e76..c8c89ac69 100644
--- a/plugins/sudoers/strlcpy_unesc.c
+++ b/plugins/sudoers/strlcpy_unesc.c
@@ -29,6 +29,9 @@
 
 #include "sudoers.h"
 
+/*
+ * Like strlcpy() but collapses non-space chars escaped with a backslash.
+ */
 size_t
 strlcpy_unescape(char *dst, const char *src, size_t size)
 {
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index abe63147d..c079ea3fb 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -1047,6 +1047,7 @@ set_cmnd(void)
 		 * When running a command via a shell, the sudo front-end
 		 * escapes potential meta chars.  We unescape non-spaces
 		 * for sudoers matching and logging purposes.
+		 * TODO: move escaping to the policy plugin instead
 		 */
 		user_args = strvec_join(NewArgv + 1, ' ', strlcpy_unescape);
 	    } else {
diff --git a/src/parse_args.c b/src/parse_args.c
index 1128604ed..56f207e8f 100644
--- a/src/parse_args.c
+++ b/src/parse_args.c
@@ -606,6 +606,7 @@ parse_args(int argc, char **argv, int *old_optind, int *nargc, char ***nargv,
 
     /*
      * For shell mode we need to rewrite argv
+     * TODO: move this to the policy plugin and make escaping configurable
      */
     if (ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) {
 	char **av, *cmnd = NULL;