diff --git a/core/lib/Drupal/Core/Form/FormBuilder.php b/core/lib/Drupal/Core/Form/FormBuilder.php
index 64e01e6..50599aa 100644
--- a/core/lib/Drupal/Core/Form/FormBuilder.php
+++ b/core/lib/Drupal/Core/Form/FormBuilder.php
@@ -731,6 +731,10 @@ protected function buildFormAction() {
     //   https://www.drupal.org/node/2504709.
     $parsed = UrlHelper::parse($request_uri);
     unset($parsed['query'][static::AJAX_FORM_REQUEST], $parsed['query'][MainContentViewSubscriber::WRAPPER_FORMAT]);
+
+    // Prevent multiple slashes to avoid cross site requests via the Form API.
+    $parsed['path'] = '/' . ltrim($parsed['path'], '/');
+
     return $parsed['path'] . ($parsed['query'] ? ('?' . UrlHelper::buildQuery($parsed['query'])) : '');
   }
 
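Review bot: The added `$parsed['path'] = '/' . ltrim($parsed['path'], '/');` strips only forward slashes, so a path that begins with a backslash, or with a slash followed by a backslash, reaches the action attribute unchanged. Browsers commonly treat a backslash in an http(s) URL like a forward slash, so such an action could still be resolved as scheme-relative. Whether a backslash can arrive here depends on what `UrlHelper::parse()` returns for the request URI, which is not visible in this hunk. If it can, `ltrim($parsed['path'], '/\\')` plus a matching test case would cover it. The comment would also read more precisely as `// Collapse leading slashes so the action cannot be read as a scheme-relative URL (//host) pointing at another site.`; buildFormAction() starts above the hunk.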
diff --git a/core/modules/system/src/Tests/Form/ExternalFormUrlTest.php b/core/modules/system/src/Tests/Form/ExternalFormUrlTest.php
new file mode 100644
index 0000000..8e03650
--- /dev/null
+++ b/core/modules/system/src/Tests/Form/ExternalFormUrlTest.php
@@ -0,0 +1,93 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\system\Tests\Form\ExternalFormUrlTest.
+ */
+
+namespace Drupal\system\Tests\Form;
+
+use Drupal\Core\Form\FormInterface;
+use Drupal\Core\Form\FormStateInterface;
+use Drupal\simpletest\KernelTestBase;
+use Drupal\user\Entity\User;
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * Ensures that form actions can't be tricked into sending to external URLs.
+ *
+ * @group system
+ */
+class ExternalFormUrlTest extends KernelTestBase implements FormInterface {
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = ['user', 'system'];
+
+  /**
+   * {@inheritdoc}
+   */
+  public function getFormId() {
+    return 'external_form_url_test';
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function buildForm(array $form, FormStateInterface $form_state) {
+    $form['something'] = [
+      '#type' => 'textfield',
+      '#title' => 'What do you think?',
+    ];
+    return $form;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function validateForm(array &$form, FormStateInterface $form_state) {}
+
+  /**
+   * {@inheritdoc}
+   */
+  public function submitForm(array &$form, FormStateInterface $form_state) {}
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp() {
+    parent::setUp();
+    $this->installSchema('system', ['key_value_expire', 'sequences']);
+    $this->installEntitySchema('user');
+
+    $test_user = User::create([
+      'name' => 'foobar',
+      'mail' => 'foobar@example.com',
+    ]);
+    $test_user->save();
+    \Drupal::service('current_user')->setAccount($test_user);
+
+    // Create a new request and make it the master request.
+    $request_stack = \Drupal::service('request_stack');
+    $original_request = $request_stack->pop();
+    $request = Request::create($original_request->getSchemeAndHttpHost() . '//example.org');
+    $request_stack->push($request);
+  }
+
+  /**
+   * Tests form behaviour.
+   */
+  public function testExternalUrlBehavior() {
+    $form = \Drupal::formBuilder()->getForm($this);
+    $markup = \Drupal::service('renderer')->renderRoot($form);
+
+    $this->setRawContent($markup);
+    $elements = $this->xpath('//form/@action');
+    $action = (string) $elements[0];
+
+    $this->assertNotEqual('//example.org', $action);
+    $this->assertEqual('/example.org', $action);
+  }
+
+}
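Review bot: testExternalUrlBehavior() pins only the exact two-slash request built in setUp() (`'//example.org'`), while the fix it guards strips any run of leading slashes and has to leave the query string intact. A second request with three or more leading slashes and a query, for example `'///example.org?foo=bar'`, which should come out as `/example.org?foo=bar`, would cover both. `$elements[0]` is also read without checking that the XPath matched, so a missing form would surface as a PHP notice rather than a clear failure; `$this->assertEqual(1, count($elements));` before the cast makes that explicit. The docblock `Tests form behaviour.` could state what is asserted, e.g. `Tests that a request path starting with '//' yields a site-relative form action.`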
