id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
12005,thousandsSeparator and decimalPoint are not being escaped,Chionsas,nbachiyski,"file: wp-admin/admin-header.php
line: 44

{{{
[..] thousandsSeparator = '<?php echo $wp_locale->number_format['thousands_sep']; ?>', decimalPoint = '<?php echo $wp_locale->number_format['decimal_point']; ?>';
}}}

When the translation file has ""'"" put in for the thousands separator, you get JavaScript code:

{{{
thousandsSeparator = '''
}}}

which raises a JS syntax error and therefore the media buttons (add-file/add-image while editing page/post and possibly some other places) do not work.
I suppose some languages could also have ""'"" as a decimal point, though it's less likely than the thousands separator.

----

There can be several approaches to solving this problem:

* wrapping the variables in esc_js() before echo (clean, but wastes CPU cycles)

* changing the quotes from ' to "" (double quotes), which are less likely to be used as a thousands separator. This could be used in combination with a comment in the translations (.pot) file for the translators to be aware of this problem and not use "" in delimiters.

",defect (bug),closed,low,3.0,I18N,2.9.1,normal,fixed,thousandsSeparator decimalPoint javascript has-patch,eddie@…
