diff --git a/core/lib/Drupal/Component/Utility/Xss.php b/core/lib/Drupal/Component/Utility/Xss.php
index d9f24b4..340262d 100644
--- a/core/lib/Drupal/Component/Utility/Xss.php
+++ b/core/lib/Drupal/Component/Utility/Xss.php
@@ -251,6 +251,10 @@ protected static function attributes($attributes) {
           break;
 
         case 2:
+          // Once we've finished processing the attribute value continue to look
+          // for attributes.
+          $mode = 0;
+          $working = 1;
           // Attribute value, a URL after href= for instance.
           if (preg_match('/^"([^"]*)"(\s+|$)/', $attributes, $match)) {
             $thisval = $skip_protocol_filtering ? $match[1] : UrlHelper::filterBadProtocol($match[1]);
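Review bot: The comment added at the top of `case 2` does not say why the reset now comes before the three value patterns, which is the security-relevant part of the change. When no pattern matches (an empty value such as `src=` followed directly by another attribute), the remaining text has to be re-parsed as an attribute name so the normal name filtering applies; the old StandardTest expectation in this patch shows the previous result, where a mangled `nmouseover="…"` attribute stayed in the output. I would word it as `// Return to attribute-name mode even if no value pattern matches below, so an empty or malformed value is re-parsed and filtered as a name.` Setting `$working = 1` without consuming any input also means loop progress now depends on the mode 0 branch and the `$working == 0` cleanup, so that invariant is worth confirming where the loop is defined. `attributes()` begins and ends outside this hunk.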
@@ -258,8 +262,6 @@ protected static function attributes($attributes) {
             if (!$skip) {
               $attributes_array[] = "$attribute_name=\"$thisval\"";
             }
-            $working = 1;
-            $mode = 0;
             $attributes = preg_replace('/^"[^"]*"(\s+|$)/', '', $attributes);
             break;
           }
@@ -270,7 +272,6 @@ protected static function attributes($attributes) {
             if (!$skip) {
               $attributes_array[] = "$attribute_name='$thisval'";
             }
-            $working = 1; $mode = 0;
             $attributes = preg_replace("/^'[^']*'(\s+|$)/", '', $attributes);
             break;
           }
@@ -281,10 +282,8 @@ protected static function attributes($attributes) {
             if (!$skip) {
               $attributes_array[] = "$attribute_name=\"$thisval\"";
             }
-            $working = 1; $mode = 0;
             $attributes = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attributes);
           }
-          break;
       }
 
       if ($working == 0) {
diff --git a/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php b/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php
index d19758e..4735a73 100644
--- a/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php
+++ b/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php
@@ -100,7 +100,7 @@ public function providerTestFilterXss() {
 
     // Default SRC tag by leaving it empty.
     // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Default_SRC_tag_by_leaving_it_empty
-    $data[] = array('<IMG SRC= onmouseover="alert(\'xxs\')">', '<IMG nmouseover="alert(&#039;xxs&#039;)">');
+    $data[] = array('<IMG SRC= onmouseover="alert(\'xxs\')">', '<IMG>');
 
     // Default SRC tag by leaving it out entirely.
     // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Default_SRC_tag_by_leaving_it_out_entirely
diff --git a/core/tests/Drupal/Tests/Component/Utility/XssTest.php b/core/tests/Drupal/Tests/Component/Utility/XssTest.php
index 0b2f51e..b7aebf1 100644
--- a/core/tests/Drupal/Tests/Component/Utility/XssTest.php
+++ b/core/tests/Drupal/Tests/Component/Utility/XssTest.php
@@ -529,6 +529,25 @@ public function providerTestAttributes() {
         'Link tag with numeric data attribute',
         array('a')
       ),
+      array(
+        '<img src= onmouseover="script(\'alert\');">',
+        '<img>',
+        'Image tag with malformed SRC',
+        array('img')
+      ),
+      array(
+        'Body"></iframe><img/src="x"/onerror="alert(document.domain)"/><"',
+        'Body"&gt;<img />&lt;"',
+        'Image tag with malformed SRC',
+        array('img')
+      ),
+      array(
+        '<img/src="x"/onerror="alert(document.domain)"/>',
+        '<img />',
+        'Image tag with malformed SRC',
+        array('img')
+      ),
+
     );
   }
 
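Review bot: All three added data sets carry the same message, `'Image tag with malformed SRC'`, so a failing run does not identify which input regressed. Only the first input has an empty SRC; the second and third exercise slash-separated attributes, so messages such as `'Image tag with empty SRC followed by an event handler'` and `'Image tag with slash-separated attributes'` would describe them accurately. The blank line added before the closing `);` can be dropped. `providerTestAttributes()` starts outside the hunk.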
