Unsafe usage of JavaScript"s Element.innerHTML could result in XSS in the admin"s add/change related popup. Element.textContent is now used to prevent execution of the data. The debug view also used innerHTML. Although a security issue wasn"t identified there, out of an abundance of caution it"s also updated to use textContent. Fixed In Version: django 1.9.8, django 1.8.14