diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7fd7c825955..53261a22704 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@
 - Fix missing field labels in CSV import, for some locales (#9393)
 - Fix command injection via crafted im_convert_path/im_identify_path on Windows
 - Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
+- Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
 
 ## Release 1.6.6
 
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index 542174588fa..ca4e8d5198d 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -541,7 +541,7 @@ private static function attribute_value($node, $attr_name, $attr_value)
 
 foreach ($node->attributes as $name => $attr) {
 if (strtolower($name) === $attr_name) {
- if (strtolower($attr_value) === strtolower($attr->nodeValue)) {
+ if (strtolower($attr_value) === strtolower(trim($attr->nodeValue))) {
 return true;
 }
 }
diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
index f9757f3871c..6bfbc14c84c 100644
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -473,6 +473,10 @@ function data_wash_svg_tests()
 . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x">',
 ''
 ],
+ [
+ '',
+ '',
+ ],
 ];
 }
 
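Review bot: The trim() added on the changed line in rcube_washtml.php carries no comment saying why surrounding whitespace must be ignored, and the normalization is one-sided: `$attr_value` supplied by the caller is compared as given while only the node's value is trimmed, so a later reader may "tidy" one side without the other. I would put above the changed line `// Compare after trim(): the parser keeps surrounding whitespace in attribute values, so a padded value must still match the expected name.` and, if any caller can pass a padded constant, trim both operands so the comparison stays symmetric. Note also that trim()'s default character mask is the ASCII set only (space, \t, \n, \r, \0, \x0B); whether any other characters the DOM parser leaves in place could still defeat the match depends on what libxml accepts, which this hunk does not show, so that assumption deserves a short note next to the call. The dataset added in tests/Framework/Washtml.php should feed an attribute value with leading and trailing whitespace so this path is actually exercised; as rendered here both of its strings are empty, which I suspect is an extraction artifact rather than the real fixture. attribute_value() begins and ends outside this hunk.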