diff --git a/lib/upload_creator.rb b/lib/upload_creator.rb
index ffae64ec4d..d646fc30a3 100644
--- a/lib/upload_creator.rb
+++ b/lib/upload_creator.rb
@@ -258,6 +258,7 @@ class UploadCreator
   def whitelist_svg!
     doc = Nokogiri::XML(@file)
     doc.xpath(svg_whitelist_xpath).remove
+    doc.xpath("//@*[starts-with(name(), 'on')]").remove
     File.write(@file.path, doc.to_s)
     @file.rewind
   end
diff --git a/spec/lib/upload_creator_spec.rb b/spec/lib/upload_creator_spec.rb
index 5754a5c6cb..9ef77b6816 100644
--- a/spec/lib/upload_creator_spec.rb
+++ b/spec/lib/upload_creator_spec.rb
@@ -247,4 +247,26 @@ RSpec.describe UploadCreator do
       end
     end
   end
+
+  describe '#whitelist_svg!' do
+    let(:file) do
+      file = Tempfile.new
+      file.write(<<~XML)
+
+
+
+      XML
+      file.rewind
+      file
+    end
+
+    it 'removes event handlers' do
+      begin
+        UploadCreator.new(file, 'file.svg').whitelist_svg!
+        expect(file.read).not_to include('onload')
+      ensure
+        file.unlink
+      end
+    end
+  end
 end
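Review bot: The added XPath in `whitelist_svg!` matches the literal prefix `on`, so the filter is case-sensitive and an attribute spelled `ONLOAD` or `OnLoad` survives. For a standalone SVG parsed as XML that is harmless, because XML attribute names are case-sensitive, but if the sanitized markup is ever inlined into an HTML page the HTML parser lowercases attribute names and the handler would become live; a case-insensitive match is one line, `doc.xpath("//@*[starts-with(translate(name(), 'ON', 'on'), 'on')]").remove`. The line deserves a comment stating its intent, e.g. `# drop every event-handler attribute (onload, onclick, ...) on any element, independent of the element whitelist`. This is a blocklist on attribute names only: removal of active elements and of `javascript:`-style `href` values is left to `svg_whitelist_xpath`, which is defined outside this hunk and should be reviewed together with this change.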
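Review bot: The expectation in `'removes event handlers'` is negative only: `expect(file.read).not_to include('onload')` would also pass if `whitelist_svg!` emptied the file or dropped the whole element, so add a positive check that the benign part of the fixture survived (for example that the root `<svg` tag is still present, assuming the heredoc holds an ordinary SVG document; its body is not visible in this rendering). The read also relies on `whitelist_svg!` rewinding the file it was handed, so an explicit `file.rewind` before `file.read` keeps the spec independent of that implementation detail. The `begin`/`ensure` wrapper is redundant if the project runs on Ruby 2.5 or later, where `ensure` may sit directly inside the `it` block. The enclosing `RSpec.describe UploadCreator` block starts outside this hunk.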