diff --git a/CHANGELOG.md b/CHANGELOG.md
index 59f4a11290..0c993524c2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 * When saving yaml and markdown, create also a cached version of the file and recompile it in opcache
 2. [](#bugfix)
 * Fixed missing changes in yaml & markdown files if saved multiple times during the same second because of a caching issue
+ * Fixed XSS check not detecting onX events without quotes
 # v1.7.32
 ## 03/28/2022
diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php
index 11153a625c..982618544f 100644
--- a/system/src/Grav/Common/Security.php
+++ b/system/src/Grav/Common/Security.php
@@ -219,7 +219,8 @@ public static function detectXss($string, array $options = null): ?string
 $string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');
 // Strip whitespace characters
-$string = preg_replace('!\s!u', '', $string);
+$string = preg_replace('!\s!u', ' ', $string);
+$stripped = preg_replace('!\s!u', '', $string);
 // Set the patterns we'll test against
 $patterns = [
@@ -242,7 +243,7 @@ public static function detectXss($string, array $options = null): ?string
 // Iterate over rules and return label if fail
 foreach ($patterns as $name => $regex) {
 if (!empty($enabled_rules[$name])) {
-if (preg_match($regex, $string) || preg_match($regex, $orig)) {
+if (preg_match($regex, $string) || preg_match($regex, $stripped) || preg_match($regex, $orig)) {
 return $name;
 }
 }
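Review bot: The comment above the two replaced lines in the Security.php hunk at line 219 still reads `// Strip whitespace characters`, but after this change `$string` is whitespace-normalised (every whitespace character becomes a single space) and only the new `$stripped` copy is actually stripped; change it to `// Normalise whitespace to single spaces, and keep a fully stripped copy for patterns that expect no gaps`. Separately, `preg_replace()` with the `u` modifier returns null when the subject is not valid UTF-8, so on such input both `$string` and `$stripped` end up null and the `preg_match($regex, $string)` and new `preg_match($regex, $stripped)` calls in the hunk at line 243 quietly evaluate as non-matches, leaving only the `$orig` comparison to carry the detection. A detector should fail closed here rather than degrade silently, e.g. right after the two assignments `if ($string === null || $stripped === null) { throw new \RuntimeException('detectXss: input is not valid UTF-8'); }` (message text is a suggestion; returning one of the rule labels may suit callers better, but those labels and the callers are outside the hunk). detectXss begins before and ends after both hunks, so how `$orig` is built and what the patterns match is not visible here.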