diff --git a/django/contrib/admin/media/js/admin/RelatedObjectLookups.js b/django/contrib/admin/media/js/admin/RelatedObjectLookups.js
index 36ae21411d..f6a39ca091 100644
--- a/django/contrib/admin/media/js/admin/RelatedObjectLookups.js
+++ b/django/contrib/admin/media/js/admin/RelatedObjectLookups.js
@@ -1,6 +1,16 @@
 // Handles related-objects functionality: lookup link for raw_id_admin=True
 // and Add Another links.
 
+function html_unescape(text) {
+    // Unescape a string that was escaped using django.utils.html.escape.
+    text = text.replace(/&lt;/g, '<');
+    text = text.replace(/&gt;/g, '>');
+    text = text.replace(/&quot;/g, '"');
+    text = text.replace(/&#39;/g, "'");
+    text = text.replace(/&amp;/g, '&');
+    return text;
+}
+
 function showRelatedObjectLookupPopup(triggeringLink) {
     var name = triggeringLink.id.replace(/^lookup_/, '');
     // IE doesn't like periods in the window name, so convert temporarily.
@@ -42,6 +52,10 @@ function showAddAnotherPopup(triggeringLink) {
 }
 
 function dismissAddAnotherPopup(win, newId, newRepr) {
+    // newId and newRepr are expected to have previously been escaped by
+    // django.utils.html.escape.
+    newId = html_unescape(newId);
+    newRepr = html_unescape(newRepr);
     var name = win.name.replace(/___/g, '.');
     var elem = document.getElementById(name);
     if (elem) {
diff --git a/django/contrib/admin/views/main.py b/django/contrib/admin/views/main.py
index 947d09b852..9786935bf8 100644
--- a/django/contrib/admin/views/main.py
+++ b/django/contrib/admin/views/main.py
@@ -273,10 +273,9 @@ def add_stage(request, app_label, model_name, show_delete=False, form_url='', po
                     post_url_continue += "?_popup=1"
                 return HttpResponseRedirect(post_url_continue % pk_value)
             if "_popup" in request.POST:
-                if type(pk_value) is str: # Quote if string, so JavaScript doesn't think it's a variable.
-                    pk_value = '"%s"' % pk_value.replace('"', '\\"')
-                return HttpResponse('<script type="text/javascript">opener.dismissAddAnotherPopup(window, %s, "%s");</script>' % \
-                    (pk_value, force_unicode(new_object).replace('"', '\\"')))
+                return HttpResponse('<script type="text/javascript">opener.dismissAddAnotherPopup(window, "%s", "%s");</script>' % \
+                    # escape() calls force_unicode.
+                    (escape(pk_value), escape(new_object)))
             elif "_addanother" in request.POST:
                 request.user.message_set.create(message=msg + ' ' + (_("You may add another %s below.") % force_unicode(opts.verbose_name)))
                 return HttpResponseRedirect(request.path)