Diffstat (limited to 'django/contrib/admin')
-rw-r--r--django/contrib/admin/media/css/base.css4
-rw-r--r--django/contrib/admin/media/js/admin/RelatedObjectLookups.js14
-rw-r--r--django/contrib/admin/templatetags/admin_list.py4
-rw-r--r--django/contrib/admin/templatetags/admin_modify.py2
-rw-r--r--django/contrib/admin/views/main.py7
5 files changed, 23 insertions, 8 deletions
diff --git a/django/contrib/admin/media/css/base.css b/django/contrib/admin/media/css/base.css
index 88f7d9a95a..9760d67dc4 100644
--- a/django/contrib/admin/media/css/base.css
+++ b/django/contrib/admin/media/css/base.css
@@ -4,11 +4,11 @@
*/
/* Block IE 5 */
-@import "null?\"\{";
+@import "null.css?\"\{";
/* Import other styles */
@import url('global.css');
@import url('layout.css');
/* Import patch for IE 6 Windows */
-/*\*/ @import "patch-iewin.css"; /**/ \ No newline at end of file
+/*\*/ @import "patch-iewin.css"; /**/
diff --git a/django/contrib/admin/media/js/admin/RelatedObjectLookups.js b/django/contrib/admin/media/js/admin/RelatedObjectLookups.js
index 36ae21411d..f6a39ca091 100644
--- a/django/contrib/admin/media/js/admin/RelatedObjectLookups.js
+++ b/django/contrib/admin/media/js/admin/RelatedObjectLookups.js
@@ -1,6 +1,16 @@
// Handles related-objects functionality: lookup link for raw_id_admin=True
// and Add Another links.
+function html_unescape(text) {
+ // Unescape a string that was escaped using django.utils.html.escape.
+ text = text.replace(/&lt;/g, '<');
+ text = text.replace(/&gt;/g, '>');
+ text = text.replace(/&quot;/g, '"');
+ text = text.replace(/&#39;/g, "'");
+ text = text.replace(/&amp;/g, '&');
+ return text;
+}
+
function showRelatedObjectLookupPopup(triggeringLink) {
var name = triggeringLink.id.replace(/^lookup_/, '');
// IE doesn't like periods in the window name, so convert temporarily.
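Review bot: The order of the replacements in html_unescape is load-bearing but undocumented: `&amp;` is handled last so that an input such as `&amp;lt;` comes back as `&lt;` rather than `<`, and a later edit that reorders the lines would silently double-unescape. A one-line comment above the `&amp;` replacement would pin this down, e.g. `// &amp; must stay last: "&amp;lt;" has to unescape to "&lt;", not "<".` The function only covers the five entities django.utils.html.escape emits, which the existing header comment already states.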
@@ -42,6 +52,10 @@ function showAddAnotherPopup(triggeringLink) {
}
function dismissAddAnotherPopup(win, newId, newRepr) {
+ // newId and newRepr are expected to have previously been escaped by
+ // django.utils.html.escape.
+ newId = html_unescape(newId);
+ newRepr = html_unescape(newRepr);
var name = win.name.replace(/___/g, '.');
var elem = document.getElementById(name);
if (elem) {
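Review bot: After the two html_unescape calls, newId and newRepr are raw text again, so they are only safe if the rest of dismissAddAnotherPopup hands them to DOM properties (an option's text/value, an input's value) and never to innerHTML; the body of the function continues outside the hunk, so that cannot be confirmed here. A comment next to the unescape lines would make the contract explicit for the next editor, e.g. `// Values are plain text from here on: assign them via DOM properties, never innerHTML.`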
diff --git a/django/contrib/admin/templatetags/admin_list.py b/django/contrib/admin/templatetags/admin_list.py
index b23013becd..a4e6269b6f 100644
--- a/django/contrib/admin/templatetags/admin_list.py
+++ b/django/contrib/admin/templatetags/admin_list.py
@@ -148,6 +148,8 @@ def items_for_result(cl, result):
# function has an "allow_tags" attribute set to True.
if not allow_tags:
result_repr = escape(result_repr)
+ else:
+ result_repr = mark_safe(result_repr)
else:
field_val = getattr(result, f.attname)
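Review bot: The new `result_repr = mark_safe(result_repr)` branch makes a callable with allow_tags=True fully responsible for escaping any user-derived data it embeds, and nothing on the line says so; the existing comment above explains when the branch is taken but not what it commits the callable to. Adding `# allow_tags=True: the callable must have escaped any untrusted data itself.` on the else branch would record that contract where it is applied. It is also not visible here whether result_repr is guaranteed to be a string at this point, so presumably mark_safe's handling of non-string values is acceptable; worth confirming. items_for_result starts and ends outside this hunk.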
@@ -185,7 +187,7 @@ def items_for_result(cl, result):
else:
result_repr = escape(field_val)
if force_unicode(result_repr) == '':
- result_repr = '&nbsp;'
+ result_repr = mark_safe('&nbsp;')
# If list_display_links not defined, add the link tag to the first field
if (first and not cl.lookup_opts.admin.list_display_links) or field_name in cl.lookup_opts.admin.list_display_links:
table_tag = {True:'th', False:'td'}[first]
diff --git a/django/contrib/admin/templatetags/admin_modify.py b/django/contrib/admin/templatetags/admin_modify.py
index e5f31ba723..ef33bb33b0 100644
--- a/django/contrib/admin/templatetags/admin_modify.py
+++ b/django/contrib/admin/templatetags/admin_modify.py
@@ -118,7 +118,7 @@ class FieldWrapper(object):
return not isinstance(self.field, models.AutoField)
def header_class_attribute(self):
- return self.field.blank and ' class="optional"' or ''
+ return self.field.blank and mark_safe(' class="optional"') or ''
def use_raw_id_admin(self):
return isinstance(self.field.rel, (models.ManyToOneRel, models.ManyToManyRel)) \
diff --git a/django/contrib/admin/views/main.py b/django/contrib/admin/views/main.py
index 947d09b852..9786935bf8 100644
--- a/django/contrib/admin/views/main.py
+++ b/django/contrib/admin/views/main.py
@@ -273,10 +273,9 @@ def add_stage(request, app_label, model_name, show_delete=False, form_url='', po
post_url_continue += "?_popup=1"
return HttpResponseRedirect(post_url_continue % pk_value)
if "_popup" in request.POST:
- if type(pk_value) is str: # Quote if string, so JavaScript doesn't think it's a variable.
- pk_value = '"%s"' % pk_value.replace('"', '\\"')
- return HttpResponse('<script type="text/javascript">opener.dismissAddAnotherPopup(window, %s, "%s");</script>' % \
- (pk_value, force_unicode(new_object).replace('"', '\\"')))
+ return HttpResponse('<script type="text/javascript">opener.dismissAddAnotherPopup(window, "%s", "%s");</script>' % \
+ # escape() calls force_unicode.
+ (escape(pk_value), escape(new_object)))
elif "_addanother" in request.POST:
request.user.message_set.create(message=msg + ' ' + (_("You may add another %s below.") % force_unicode(opts.verbose_name)))
return HttpResponseRedirect(request.path)
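Review bot: escape() on the new HttpResponse line only rewrites `& < > " '`, so a newline, carriage return or backslash in `force_unicode(new_object)` still lands verbatim inside the JavaScript string literal and can leave it unterminated or alter the value after the JS parse; the removed code had the same gap, so this is not a regression, but it deserves at least a note such as `# NOTE: escape() leaves newlines and backslashes alone; a __unicode__ containing them breaks this script literal.` Separately, the backslash continuation after `%` is redundant inside the HttpResponse(...) parentheses, and the `# escape() calls force_unicode.` comment sits between the operator and its operand, which reads oddly; moving that comment to the line above the `return` keeps the expression on one visual unit. add_stage's body starts and ends outside this hunk.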