[wp-trac] [WordPress Trac] #12005: thousandsSeparator and decimalPoint are not being escaped

WordPress Trac wp-trac at lists.automattic.com
Mon Jan 25 14:21:09 UTC 2010


#12005: thousandsSeparator and decimalPoint are not being escaped
--------------------------+-------------------------------------------------
 Reporter:  Chionsas      |       Owner:  nbachiyski                                
     Type:  defect (bug)  |      Status:  new                                       
 Priority:  low           |   Milestone:  2.9.2                                     
Component:  i18n          |     Version:  2.9.1                                     
 Severity:  normal        |    Keywords:  thousandsSeparator decimalPoint javascript
--------------------------+-------------------------------------------------
 file: wp-admin/admin-header.php
 line: 44

 {{{
 [..] thousandsSeparator = '<?php echo
 $wp_locale->number_format['thousands_sep']; ?>', decimalPoint = '<?php
 echo $wp_locale->number_format['decimal_point']; ?>';
 }}}

 When the translation file has "'" put in for thousands separator, you get
 JavaScript code:

 {{{
 thousandsSeparator = '''
 }}}

 which raises a JS syntax error and therefore the media buttons (add-file
 /add-image while editing page/post and possibly some other places) do not
 work.
 I suppose some languages could also have "'" as a decimal point, though
 it's less likely than the thousands separator.

 ----

 There can be several approaches to solving this problem:

 * wrapping the variables in esc_js() before echo (clean, but wastes CPU
 cycles)

 * changing the quotes from ' to " (double quotes), which are less likely
 to be used as a thousands separator. This could be used in combination
 with a comment in the translations (.pot) file for the translators to be
 aware of this problem and not use " in delimiters.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/12005>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
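
The failure described in the ticket, next to the first proposed fix (escaping before echo), as an added example that is not part of the original ticket or of WordPress. The function names are hypothetical, the separator values are constructed, and `escapeForJsString` is a stand-in for an escaper such as esc_js(), not its implementation.

```javascript
// Mirrors the template line in wp-admin/admin-header.php: the locale value
// is pasted between single quotes with no escaping.
function renderUnescaped(thousandsSep, decimalPoint) {
  return "var thousandsSeparator = '" + thousandsSep +
         "', decimalPoint = '" + decimalPoint + "';";
}

// Hypothetical escaper for a value placed inside a quoted JS string literal
// in an inline script block. Quotes, backslashes, line terminators and the
// HTML-significant characters are emitted as \uXXXX escapes.
function escapeForJsString(value) {
  return String(value).replace(/[\\'"<>&\u2028\u2029\r\n]/g, function (ch) {
    return "\\u" + ("0000" + ch.charCodeAt(0).toString(16)).slice(-4);
  });
}

function renderEscaped(thousandsSep, decimalPoint) {
  return "var thousandsSeparator = '" + escapeForJsString(thousandsSep) +
         "', decimalPoint = '" + escapeForJsString(decimalPoint) + "';";
}

// Parses and runs the generated line the way the browser would, returning
// the two values, or the error name if the line does not parse.
function evaluate(source) {
  try {
    return new Function(source + " return [thousandsSeparator, decimalPoint];")();
  } catch (e) {
    return e.name;
  }
}

// Constructed locale settings: [thousands_sep, decimal_point].
var samples = [[",", "."], ["'", "."], ["\\", ","], ["\u00a0", ","]];

samples.forEach(function (pair) {
  var before = evaluate(renderUnescaped(pair[0], pair[1]));
  var after = evaluate(renderEscaped(pair[0], pair[1]));
  console.log(JSON.stringify(pair), "unescaped:", JSON.stringify(before),
              "escaped:", JSON.stringify(after));
});
```

Switching the delimiters to double quotes, the second proposal, only moves the breaking character from `'` to `"`; the backslash sample fails with either quote style unless the value is escaped.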

