thousandsSeparator and decimalPoint are not being escaped
|Reported by:||Chionsas||Owned by:||nbachiyski|
[..] thousandsSeparator = '<?php echo $wp_locale->number_format['thousands_sep']; ?>', decimalPoint = '<?php echo $wp_locale->number_format['decimal_point']; ?>';
thousandsSeparator = '''
which raises JS syntax error and therefore the media buttons (add-file/add-image while editing page/post and possibly some other places) do not work.
I suppose some languages could also have "'" as a decimal point, though it's more less likely than the thousands separator.
There can be several approaches to solving this problem:
- wrapping the variables in esc_js() before echo (clean, but wastes CPU cycles)
- changing the quotes from ' to " (double quotes), which are less likely to be used as a thousands separator. This could be used in combination with a comment in the translations (.pot) file for the translators to be aware of this problem and not use " in delimiters.