diff --git a/core/js/js.js b/core/js/js.js
index cf35d8aac6a9af972807cf823904d51fc180759b..21a2d4c1b35c5317e29bfb91625c17585cae7d0e 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -154,7 +154,7 @@ function n(app, text_singular, text_plural, count, vars) {
 * @return {string} Sanitized string
 */
 function escapeHTML(s) {
-	return s.toString().split('&').join('&amp;').split('<').join('&lt;').split('"').join('&quot;');
+	return s.toString().split('&').join('&amp;').split('<').join('&lt;').split('>').join('&gt;').split('"').join('&quot;').split('\'').join('&#039;');
 }
 
 /**
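Review bot: The doc comment above `escapeHTML` still promises only a "Sanitized string", which overstates what the new line guarantees. Escaping `& < > " '` makes the result safe in HTML text nodes and in quoted attribute values, but not in unquoted attributes, URL-valued attributes, or inline script and style contexts. I would add a line such as `* Escapes & < > " ' for HTML text and quoted attribute values only; not safe for unquoted attributes, URLs, script or style.` to the comment, whose opening lies outside this hunk. Separately, `s.toString()` throws a TypeError for `null` or `undefined`; if callers can pass a missing value, consider `String(s == null ? '' : s)`, or document that a value is required.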
diff --git a/core/js/tests/specs/coreSpec.js b/core/js/tests/specs/coreSpec.js
index 65f768fbc5173416387e57e0dfdc234e8632b02d..233c4d5a0b4222ab7d84938842ffabf6ebe89c98 100644
--- a/core/js/tests/specs/coreSpec.js
+++ b/core/js/tests/specs/coreSpec.js
@@ -124,6 +124,17 @@ describe('Core base tests', function() {
 			expect(OC.dirname('/subdir/')).toEqual('/subdir');
 		});
 	});
+	describe('escapeHTML', function() {
+		it('Returns nothing if no string was given', function() {
+			expect(escapeHTML('')).toEqual('');
+		});
+		it('Returns a sanitized string if a string containing HTML is given', function() {
+			expect(escapeHTML('There needs to be a <script>alert(\"Unit\" + \'test\')</script> for it!')).toEqual('There needs to be a &lt;script&gt;alert(&quot;Unit&quot; + &#039;test&#039;)&lt;/script&gt; for it!');
+		});
+		it('Returns the string without modification if no potentially dangerous character is passed.', function() {
+			expect(escapeHTML('This is a good string without HTML.')).toEqual('This is a good string without HTML.');
+		});
+	});
 	describe('Link functions', function() {
 		var TESTAPP = 'testapp';
 		var TESTAPP_ROOT = OC.webroot + '/appsx/testapp';
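Review bot: None of the three added specs passes an `&` to `escapeHTML`, so nothing pins the requirement that the ampersand is replaced before the other characters. A later reordering of the `split`/`join` chain could double-encode or under-encode without failing a test. I would add a case such as `expect(escapeHTML('a & b &lt;')).toEqual('a &amp; b &amp;lt;');`. The first spec's title says "no string was given" but it passes `''`; either rename it or add a non-string input such as `expect(escapeHTML(5)).toEqual('5');` to cover the `toString()` path. The `\"` escapes inside the single-quoted literal are unnecessary and make the expected output harder to compare by eye.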