[wp-trac] [WordPress Trac] #12005: thousandsSeparator and decimalPoint are not being escaped
WordPress Trac
wp-trac at lists.automattic.com
Mon Jan 25 14:21:09 UTC 2010
#12005: thousandsSeparator and decimalPoint are not being escaped
--------------------------+-------------------------------------------------
Reporter: Chionsas | Owner: nbachiyski
Type: defect (bug) | Status: new
Priority: low | Milestone: 2.9.2
Component: i18n | Version: 2.9.1
Severity: normal | Keywords: thousandsSeparator decimalPoint javascript
--------------------------+-------------------------------------------------
file: wp-admin/admin-header.php
line: 44
{{{
[..] thousandsSeparator = '<?php echo $wp_locale->number_format['thousands_sep']; ?>',
decimalPoint = '<?php echo $wp_locale->number_format['decimal_point']; ?>';
}}}
When the translation file has "'" put in for the thousands separator, you get
the JavaScript code:
{{{
thousandsSeparator = '''
}}}
which raises a JS syntax error, and therefore the media buttons
(add-file/add-image while editing a page/post, and possibly some other places)
do not work.
I suppose some languages could also have "'" as a decimal point, though
it's less likely than the thousands separator.
----
There can be several approaches to solving this problem:
* wrapping the variables in esc_js() before echo (clean, but wastes CPU
cycles)
* changing the quotes from ' to " (double quotes), which are less likely
to be used as a thousands separator. This could be used in combination
with a comment in the translations (.pot) file for the translators to be
aware of this problem and not use " in delimiters.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/12005>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
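
The failure described in the ticket and its two proposed fixes, compared side by side as an added example (not WordPress code and not part of the original ticket). It shows that switching to double quotes only moves the breakage to a different separator, while escaping handles every value. All function names are hypothetical, `escapeJsString` is a simplified stand-in for an `esc_js()`-style escaper, and the separators are constructed samples.

```javascript
// Added example. Models the template in wp-admin/admin-header.php: a locale
// value is pasted between quotes in inline JavaScript. All names are hypothetical.
function renderUnescaped(sep, quote = "'") {
  return `var thousandsSeparator = ${quote}${sep}${quote};`;
}

// Simplified stand-in for an esc_js()-style escaper (assumption: not
// WordPress's actual implementation). Backslash must be handled first.
function escapeJsString(value) {
  return String(value)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/</g, '\\x3C'); // so "</script>" cannot end the inline block
}

function renderEscaped(sep) {
  return `var thousandsSeparator = '${escapeJsString(sep)}';`;
}

// Parse and run a generated snippet the way the browser would.
function evaluate(snippet) {
  try {
    const value = new Function(`${snippet}\nreturn thousandsSeparator;`)();
    return { ok: true, value };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample separators, as a translation file might supply them.
const SAMPLE_SEPARATORS = [',', '.', ' ', "'", '"', '\\'];

function compare(separators = SAMPLE_SEPARATORS) {
  return separators.map((sep) => ({
    sep,
    singleQuoted: evaluate(renderUnescaped(sep, "'")),
    doubleQuoted: evaluate(renderUnescaped(sep, '"')),
    escaped: evaluate(renderEscaped(sep)),
  }));
}

console.table(compare().map((r) => ({
  sep: JSON.stringify(r.sep), single: r.singleQuoted.ok,
  double: r.doubleQuoted.ok, escaped: r.escaped.ok,
})));
```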