diff --git a/lib/xss.js b/lib/xss.js
index a31e0bed..56398934 100644
--- a/lib/xss.js
+++ b/lib/xss.js
@@ -262,4 +262,20 @@ function sanitizeText(str) {
     return str;
 }
 
+function decodeText(str) {
+    str = str.replace(/&#([0-9]{2,4});?/g, function (m, p1) {
+        return String.fromCharCode(parseInt(p1));
+    });
+    str = str.replace(/&#x([0-9a-f]{2,4});?/ig, function (m, p1) {
+        return String.fromCharCode(parseInt(p1, 16));
+    });
+    str = str.replace(/&lt;/g, "<")
+             .replace(/&gt;/g, ">")
+             .replace(/&quot;/g, "\"")
+             .replace(/&amp;/g, "&");
+    return str;
+}
+
 module.exports.sanitizeHTML = sanitizeHTML;
+module.exports.sanitizeText = sanitizeText;
+module.exports.decodeText = decodeText;
diff --git a/tests/xss.js b/tests/xss.js
index b6088aea..8361e78e 100644
--- a/tests/xss.js
+++ b/tests/xss.js
@@ -1,21 +1,46 @@
-var sanitize = require('../lib/xss').sanitizeHTML;
+var sanitize = require('../lib/xss');
+var sanitizeHTML = sanitize.sanitizeHTML;
+var sanitizeText = sanitize.sanitizeText;
+var decodeText = sanitize.decodeText;
 var assert = require('assert');
+var failed = 0;
 
-function basicTest() {
-    assert(sanitize("<  script src   =  bad.js>blah</script>") ===
-                    "[tag removed]blah[tag removed]");
-
-    assert(sanitize("< img src=asdf onerror='alert(\"xss\")'>") ===
-                    "<img src=\"asdf\">");
-
-    assert(sanitize("<a href='javascript:alert(document.cookie)'>") ===
-                    "<a href=\"[removed]:[removed]([removed])\">");
-
-    assert(sanitize("<a ") === "<a>");
-
-    assert(sanitize("<img src=\"<a href=\"javascript:void(0)\">>") ===
-                    "<img src=\"<a href=\" javascriptvoid0=\"\">>");
+function doTest(s, src, expected) {
+    try {
+        assert(s(src) === expected);
+    } catch (e) {
+        failed++;
+        console.log("Expected '" + expected + "'");
+        console.log("Got      '" + s(src) + "'");
+    }
 }
 
-basicTest();
-console.log("Tests passed.");
+function testSanitizeHTML() {
+    doTest(sanitizeHTML, "<  script src   =  bad.js>blah</script>", "[tag removed]blah[tag removed]");
+
+    doTest(sanitizeHTML, "< img src=asdf onerror='alert(\"xss\")'>", "<img src=\"asdf\">");
+
+    doTest(sanitizeHTML, "<a href='javascript:alert(document.cookie)'>", "<a href=\"[removed]:[removed]([removed])\">");
+
+    doTest(sanitizeHTML, "<a ", "<a>");
+
+    doTest(sanitizeHTML, "<img src=\"<a href=\"javascript:void(0)\">>", "<img src=\"<a href=\" javascriptvoid0>>");
+}
+
+function testSanitizeText() {
+    doTest(sanitizeText, "<a href=\"#\" onerror=\"javascript:alert('xss')\">", "&lt;a href=&quot;#&quot; onerror=&quot;javascript:alert&#40;&#39;xss&#39;&#41;&quot;&gt;");
+    doTest(sanitizeText, "&lt;&gt;&amp;&quot;&ccedil;&#x09", "&amp;lt;&amp;gt;&amp;amp;&amp;quot;&amp;ccedil;&amp;#x09");
+}
+
+function testDecode() {
+    doTest(decodeText, "&lt;a href=&quot;#&quot; onerror=&quot;javascript:alert&#40;&#39;xss&#39;&#41;&quot;&gt;", "<a href=\"#\" onerror=\"javascript:alert('xss')\">");
+    doTest(decodeText, "&amp;lt;&amp;gt;&amp;amp;&amp;quot;&amp;ccedil;&amp;#x09", "&lt;&gt;&amp;&quot;&ccedil;&#x09");
+}
+
+testSanitizeHTML();
+testSanitizeText();
+testDecode();
+if (!failed)
+    console.log("Tests passed.");
+else
+    console.log(""+failed, "tests failed");