diff --git a/includes/common.inc b/includes/common.inc
index d7189ab..c21159d 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -4804,8 +4804,8 @@ function drupal_clear_js_cache() {
  * @ingroup php_wrappers
  */
 function drupal_json_encode($var) {
-  // json_encode() does not escape <, > and &, so we do it with str_replace().
-  return str_replace(array('<', '>', '&'), array('\u003c', '\u003e', '\u0026'), json_encode($var));
+  // json_encode() escapes <, >, ', " and & using its options parameter.
+  return json_encode($var, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT);
 }
 
 /**
diff --git a/modules/simpletest/tests/common.test b/modules/simpletest/tests/common.test
index 177e457..41d69e4 100644
--- a/modules/simpletest/tests/common.test
+++ b/modules/simpletest/tests/common.test
@@ -2316,9 +2316,12 @@ class DrupalJSONTest extends DrupalUnitTestCase {
     for ($i=0; $i < 128; $i++) {
       $str .= chr($i);
     }
+
     // Characters that must be escaped.
-    $html_unsafe = array('<', '>', '&');
-    $html_unsafe_escaped = array('\u003c', '\u003e', '\u0026');
+    // We check for unescaped " separately.
+    $html_unsafe = array('<', '>', '\'', '&');
+    // The following are the encoded forms of: < > ' & "
+    $html_unsafe_escaped = array('\u003C', '\u003E', '\u0027', '\u0026', '\u0022');
 
     // Verify there aren't character encoding problems with the source string.
     $this->assertIdentical(strlen($str), 128, t('A string with the full ASCII table has the correct length.'));
@@ -2338,13 +2341,18 @@ class DrupalJSONTest extends DrupalUnitTestCase {
     // characters are escaped.
     $source = array(TRUE, FALSE, 0, 1, '0', '1', $str, array('key1' => $str, 'key2' => array('nested' => TRUE)));
     $json = drupal_json_encode($source);
+    // Verify that JSON encoding escapes the HTML unsafe characters.
     foreach ($html_unsafe as $char) {
       $this->assertTrue(strpos($json, $char) === FALSE, t('A JSON encoded string does not contain @s.', array('@s' => $char)));
     }
-    // Verify that JSON encoding escapes the HTML unsafe characters
     foreach ($html_unsafe_escaped as $char) {
-      $this->assertTrue(strpos($json, $char) > 0, t('A JSON encoded string contains @s.', array('@s' => $char)));
+      $this->assertTrue(strpos($json, $char) !== FALSE, t('A JSON encoded string contains @s.', array('@s' => $char)));
     }
+    // The first and last characters should be ", and no others.
+    $this->assertTrue($json[0] == '"', t('A JSON encoded string begins with ".'));
+    $this->assertTrue($json[strlen($json) - 1] == '"', t('A JSON encoded string ends with ".'));
+    $this->assertTrue(substr_count($json, '"') == 2, t('A JSON encoded string contains exactly two ".'));
+
     $json_decoded = drupal_json_decode($json);
     $this->assertNotIdentical($source, $json, t('An array encoded in JSON is not identical to the source.'));
     $this->assertIdentical($source, $json_decoded, t('Encoding structured data to JSON and decoding back results in the original data.'));