Fixed #24466 -- Added JavaScript escaping in a couple places in the admin.

Thanks Aymeric Augustin and Florian Apolloner for work on the patch.

tests/admin_views/tests.py

@@ -24,6 +24,7 @@ from django.core.checks import Error
 from django.core.files import temp as tempfile
 from django.core.urlresolvers import NoReverseMatch, resolve, reverse
 from django.forms.utils import ErrorList
+from django.template.loader import render_to_string
 from django.template.response import TemplateResponse
 from django.test import (
     TestCase, modify_settings, override_settings, skipUnlessDBFeature,
@@ -3490,6 +3491,30 @@ action)</option>
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.template_name, 'admin/popup_response.html')
 
+    def test_popup_template_escaping(self):
+        context = {
+            'new_value': 'new_value\\',
+            'obj': 'obj\\',
+            'value': 'value\\',
+        }
+        output = render_to_string('admin/popup_response.html', context)
+        self.assertIn(
+            'opener.dismissAddRelatedObjectPopup(window, "value\\u005C", "obj\\u005C");', output
+        )
+
+        context['action'] = 'change'
+        output = render_to_string('admin/popup_response.html', context)
+        self.assertIn(
+            'opener.dismissChangeRelatedObjectPopup(window, '
+            '"value\\u005C", "obj\\u005C", "new_value\\u005C");', output
+        )
+
+        context['action'] = 'delete'
+        output = render_to_string('admin/popup_response.html', context)
+        self.assertIn(
+            'opener.dismissDeleteRelatedObjectPopup(window, "value\\u005C");', output
+        )
+
 
 @override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.SHA1PasswordHasher'],
     ROOT_URLCONF="admin_views.urls")