diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php
index cfb3c8572..c7c6f4d5e 100644
--- a/system/src/Grav/Common/Security.php
+++ b/system/src/Grav/Common/Security.php
@@ -51,6 +51,7 @@ class Security
     {
         if (Grav::instance()['config']->get('security.sanitize_svg')) {
             $sanitizer = new DOMSanitizer(DOMSanitizer::SVG);
+            $sanitizer->addDisallowedAttributes(['href', 'xlink:href']);
             $sanitized = $sanitizer->sanitize($svg);
             if (is_string($sanitized)) {
                 $svg = $sanitized;
@@ -70,6 +71,7 @@ class Security
     {
         if (file_exists($file) && Grav::instance()['config']->get('security.sanitize_svg')) {
             $sanitizer = new DOMSanitizer(DOMSanitizer::SVG);
+            $sanitizer->addDisallowedAttributes(['href', 'xlink:href']);
             $original_svg = file_get_contents($file);
             $clean_svg = $sanitizer->sanitize($original_svg);