Commit 845817b0 authored by Tim Graham

Fixed #24466 -- Added JavaScript escaping in a couple places in the admin.

Thanks Aymeric Augustin and Florian Apolloner for work on the patch.
parent b86abbce
+2 −3
@@ -1051,9 +1051,8 @@ class ModelAdmin(BaseModelAdmin):
                attr = obj._meta.pk.attname
            value = obj.serializable_value(attr)
            return SimpleTemplateResponse('admin/popup_response.html', {
                'pk_value': escape(pk_value),  # for possible backwards-compatibility
                'value': escape(value),
                'obj': escapejs(obj)
                'value': value,
                'obj': obj,
            })

        elif "_continue" in request.POST:
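Review bot: The new context drops the `pk_value` key that the removed line kept "for possible backwards-compatibility", and hands `value` and `obj` to the template unescaped, so every project that overrides `admin/popup_response.html` now owns the escaping itself: an override written against the old context renders `{{ pk_value }}` as empty (the default `string_if_invalid`) and, if it does not apply `|escapejs`, interpolates raw `str(obj)` into a `<script>` block. Line sides are not marked on this page; I read `'value': value,` / `'obj': obj,` as the new side, which is consistent with the `+2 −3` count and with the template hunks below. A comment on the response makes the contract explicit for overriders: `# Values are passed unescaped; admin/popup_response.html applies |escapejs.` The enclosing method begins outside the hunk, and the removed `pk_value` context variable deserves a line in the release notes.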
+4 −4
@@ -21,10 +21,10 @@

<script type="text/javascript">
(function($) {
  $("#{{ inline_admin_formset.formset.prefix }}-group .inline-related").stackedFormset({
    prefix: '{{ inline_admin_formset.formset.prefix }}',
    deleteText: "{% trans "Remove" %}",
    addText: "{% blocktrans with verbose_name=inline_admin_formset.opts.verbose_name|capfirst %}Add another {{ verbose_name }}{% endblocktrans %}"
  $("#{{ inline_admin_formset.formset.prefix|escapejs }}-group .inline-related").stackedFormset({
    prefix: "{{ inline_admin_formset.formset.prefix|escapejs }}",
    deleteText: "{% filter escapejs %}{% trans "Remove" %}{% endfilter %}",
    addText: "{% filter escapejs %}{% blocktrans with verbose_name=inline_admin_formset.opts.verbose_name|capfirst %}Add another {{ verbose_name }}{% endblocktrans %}{% endfilter %}"
  });
})(django.jQuery);
</script>
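Review bot: `escapejs` on `inline_admin_formset.formset.prefix` makes the value safe as a JavaScript string literal, but on the `$("#...-group .inline-related")` line the same value is then interpreted a second time as a jQuery/CSS selector, where characters such as `.`, `:` or `[` remain selector metacharacters that `escapejs` does not neutralise. That is acceptable only because formset prefixes are derived from field and model names rather than from request data, which this hunk cannot show; a template comment above the selector, `{# prefix is a formset-derived identifier; escapejs covers the JS string, not CSS selector syntax #}`, records the assumption. The same pattern appears in the tabular template hunk below. The `prefix:` literal also switched from single to double quotes here, which brings it in line with the tabular template.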
+4 −4
@@ -74,10 +74,10 @@
<script type="text/javascript">

(function($) {
  $("#{{ inline_admin_formset.formset.prefix }}-group .tabular.inline-related tbody tr").tabularFormset({
    prefix: "{{ inline_admin_formset.formset.prefix }}",
    addText: "{% blocktrans with inline_admin_formset.opts.verbose_name|capfirst as verbose_name %}Add another {{ verbose_name }}{% endblocktrans %}",
    deleteText: "{% trans 'Remove' %}"
  $("#{{ inline_admin_formset.formset.prefix|escapejs }}-group .tabular.inline-related tbody tr").tabularFormset({
    prefix: "{{ inline_admin_formset.formset.prefix|escapejs }}",
    addText: "{% filter escapejs %}{% blocktrans with inline_admin_formset.opts.verbose_name|capfirst as verbose_name %}Add another {{ verbose_name }}{% endblocktrans %}{% endfilter %}",
    deleteText: "{% filter escapejs %}{% trans 'Remove' %}{% endfilter %}"
  });
})(django.jQuery);
</script>
+3 −3
@@ -4,11 +4,11 @@
  <body>
    <script type="text/javascript">
      {% if action == 'change' %}
        opener.dismissChangeRelatedObjectPopup(window, "{{ value }}", "{{ obj }}", "{{ new_value }}");
        opener.dismissChangeRelatedObjectPopup(window, "{{ value|escapejs }}", "{{ obj|escapejs }}", "{{ new_value|escapejs }}");
      {% elif action == 'delete' %}
        opener.dismissDeleteRelatedObjectPopup(window, "{{ value }}");
        opener.dismissDeleteRelatedObjectPopup(window, "{{ value|escapejs }}");
      {% else %}
        opener.dismissAddRelatedObjectPopup(window, "{{ value }}", "{{ obj }}");
        opener.dismissAddRelatedObjectPopup(window, "{{ value|escapejs }}", "{{ obj|escapejs }}");
      {% endif %}
    </script>
  </body>
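Review bot: `|escapejs` closes the JavaScript string-literal boundary for `value`, `obj` and `new_value`, but whether the `opener.dismiss*RelatedObjectPopup` handlers then insert these strings into the opener document as text or as markup is outside this diff, and `obj` is the `str()` of a model instance that may carry user-supplied content. It is worth confirming that the script defining those handlers uses text-node insertion for these arguments; if it builds HTML from them, the `|escapejs` here is necessary but not sufficient. A template comment at the top of the script, `{# Interpolated values are JS-string-escaped only; the receiving functions must treat them as text #}`, would state the contract for anyone overriding this template.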
+2 −2
@@ -15,7 +15,7 @@ from django.template.loader import render_to_string
from django.utils import six
from django.utils.encoding import force_text
from django.utils.html import (
    escape, format_html, format_html_join, smart_urlquote,
    escape, escapejs, format_html, format_html_join, smart_urlquote,
)
from django.utils.safestring import mark_safe
from django.utils.text import Truncator
@@ -50,7 +50,7 @@ class FilteredSelectMultiple(forms.SelectMultiple):
        # TODO: "id_" is hard-coded here. This should instead use the correct
        # API to determine the ID dynamically.
        output.append('SelectFilter.init("id_%s", "%s", %s); });</script>\n'
            % (name, self.verbose_name.replace('"', '\\"'), int(self.is_stacked)))
            % (name, escapejs(self.verbose_name), int(self.is_stacked)))
        return mark_safe(''.join(output))
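Review bot: Only `self.verbose_name` gained `escapejs`; `name` is still interpolated raw into the `"id_%s"` string literal on the preceding line, so a `"` or a backslash in a field name would still break out of it. Field names are normally developer-defined, but the method already escapes the other developer-defined operand and consistency costs one change: `% (escapejs(name), escapejs(self.verbose_name), int(self.is_stacked)))`. Replacing the hand-rolled `.replace('"', '\\"')` is the right call, since it left backslashes, newlines and `<`/`>` (hence `</script>`) unhandled, all of which `escapejs` covers. The enclosing method begins before this hunk; the import hunk above is trivial.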

