diff --git a/tests/lib/template.php b/tests/lib/template.php
index b4f1a4c405..b3d0975b79 100644
--- a/tests/lib/template.php
+++ b/tests/lib/template.php
@@ -28,13 +28,23 @@ class Test_TemplateFunctions extends PHPUnit_Framework_TestCase {
 	}
 
 	public function testP() {
-		// FIXME: do we need more testcases?
-		$htmlString = "<script>alert('xss');</script>";
+		$badString = '<img onload="alert(1)" />';
 		ob_start();
-		p($htmlString);
+		p($badString);
 		$result = ob_get_clean();
+		$this->assertEquals('&lt;img onload=&quot;alert(1)&quot; /&gt;', $result);
 
-		$this->assertEquals("&lt;script&gt;alert(&#039;xss&#039;);&lt;/script&gt;", $result);
+		$badString = "<script>alert('Hacked!');</script>";
+		ob_start();
+		p($badString);
+		$result = ob_get_clean();
+		$this->assertEquals('&lt;script&gt;alert(&#039;Hacked!&#039;);&lt;/script&gt;', $result);
+
+		$goodString = 'This is a good string without HTML.';
+		ob_start();
+		p($goodString);
+		$result = ob_get_clean();
+		$this->assertEquals('This is a good string without HTML.', $result);
 	}
 
 	public function testPNormalString() {
diff --git a/tests/lib/util.php b/tests/lib/util.php
index ee336aa111..c4780cc5f4 100644
--- a/tests/lib/util.php
+++ b/tests/lib/util.php
@@ -43,15 +43,32 @@ class Test_Util extends PHPUnit_Framework_TestCase {
 	}
 
 	function testSanitizeHTML() {
+		$badArray = array(
+			'While it is unusual to pass an array',
+			'this function actually <blink>supports</blink> it.',
+			'And therefore there needs to be a <script>alert("Unit"+\'test\')</script> for it!'
+		);
+		$goodArray = array(
+			'While it is unusual to pass an array',
+			'this function actually &lt;blink&gt;supports&lt;/blink&gt; it.',
+			'And therefore there needs to be a &lt;script&gt;alert(&quot;Unit&quot;+&#039;test&#039;)&lt;/script&gt; for it!'
+		);
+		$result = OC_Util::sanitizeHTML($badArray);
+		$this->assertEquals($goodArray, $result);
+
+		$badString = '<img onload="alert(1)" />';
+		$result = OC_Util::sanitizeHTML($badString);
+		$this->assertEquals('&lt;img onload=&quot;alert(1)&quot; /&gt;', $result);
+
 		$badString = "<script>alert('Hacked!');</script>";
 		$result = OC_Util::sanitizeHTML($badString);
-		$this->assertEquals("&lt;script&gt;alert(&#039;Hacked!&#039;);&lt;/script&gt;", $result);
+		$this->assertEquals('&lt;script&gt;alert(&#039;Hacked!&#039;);&lt;/script&gt;', $result);
 
-		$goodString = "This is an harmless string.";
+		$goodString = 'This is a good string without HTML.';
 		$result = OC_Util::sanitizeHTML($goodString);
-		$this->assertEquals("This is an harmless string.", $result);
+		$this->assertEquals('This is a good string without HTML.', $result);
 	}
-	
+
 	function testEncodePath(){
 		$component = '/§#@test%&^ä/-child';
 		$result = OC_Util::encodePath($component);