Escape admin_url() when used for ajax_url in admin header

[jeremyfelt]

As admin_url() is filtered right before returning, it should be escaped when output for use as the ajax_url in the admin.

[c3mdigital]

I think we should be json encoding PHP string variables when outputting to javascript. This eliminates the need for escaping and surrounding with quotes.

Results of json_encode patch on output in header:

var ajaxurl = "\/wp-admin\/admin-ajax.php",
	pagenow = "edit-post",
	typenow = "post",
	adminpage = "edit-php",
	thousandsSeparator = ",",
	decimalPoint = ".",
	isRtl = 0;

[c3mdigital]

json encode javascript variables output in admin header

[nacin]

esc_url() isn't right, as it encodes ampersands for display. At most you'd want esc_url_raw() — but really, we're just looking to avoid issues with escaping data for a JS string.

[aliso]

Adding esc_js to variable values to use in place of json_encode

[helen]

esc_js() seems sensible.

[azaozz]

esc_js() would work but is intended for escaping of ​inline JS. The ​_wp_specialchars() used there could break it. Don't think we have a suitable esc_* function when we echo arbitrary PHP strings inside a <script> tag.

[iandunn]

Reopening being this still seems like useful hardening.

[jeremyfelt]

This specific instance was resolved in [49375].