thousandsSeparator and decimalPoint are not being escaped

[Chionsas]

file: wp-admin/admin-header.php
line: 44

[..] thousandsSeparator = '<?php echo $wp_locale->number_format['thousands_sep']; ?>', decimalPoint = '<?php echo $wp_locale->number_format['decimal_point']; ?>';

When the translation file has "'" put in for thousands separator, you get JavaScript code:

thousandsSeparator = '''

which raises JS syntax error and therefore the media buttons (add-file/add-image while editing page/post and possibly some other places) do not work.
I suppose some languages could also have "'" as a decimal point, though it's more less likely than the thousands separator.

---

There can be several approaches to solving this problem:

• wrapping the variables in esc_js() before echo (clean, but wastes CPU cycles)

• changing the quotes from ' to " (double quotes), which are less likely to be used as a thousands separator. This could be used in combination with a comment in the translations (.pot) file for the translators to be aware of this problem and not use " in delimiters.

[azaozz]

As we only expect one character there the "usual" fix would be echo addslashes(...).

[nacin]

(In [13078]) Escape thousandsSeparator and decimalPoint JS variables, see #12005

[nacin]

[13078] fixes this for trunk. Leaving open if there's a desire to apply to 2.9.

[eddieringle]

This looks like it's been inactive, so I'm adding a patch for 2.9 if that is what it takes to get this moving.

[nacin]

(In [14258]) Escape thousandsSeparator and decimalPoint JS variables. fixes #12005 for 2.9.

[nacin]

Milestone 2.9.3 deleted