diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
index b707dca813..7975949370 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -1664,6 +1664,7 @@ function wp_kses_html_error( $string ) {
  * @return string Sanitized content.
  */
 function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
+	$string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
 	$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
 	if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
 		$string   = trim( $string2[1] );
diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index a36cdf4f93..039d5400b2 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -145,6 +145,8 @@ EOF;
 			'javascript&#0000058alert(1)//?:',
 			'feed:javascript:alert(1)',
 			'feed:javascript:feed:javascript:feed:javascript:alert(1)',
+			'javascript&#58alert(1)',
+			'javascript&#x3ax=1;alert(1)',
 		);
 		foreach ( $bad as $k => $x ) {
 			$result = wp_kses_bad_protocol( wp_kses_normalize_entities( $x ), wp_allowed_protocols() );
@@ -165,8 +167,14 @@ EOF;
 					case 24:
 						$this->assertEquals( 'feed:alert(1)', $result );
 						break;
+					case 26:
+						$this->assertEquals( 'javascript&amp;#58alert(1)', $result );
+						break;
+					case 27:
+						$this->assertEquals( 'javascript&amp;#x3ax=1;alert(1)', $result );
+						break;
 					default:
-						$this->fail( "wp_kses_bad_protocol failed on $x. Result: $result" );
+						$this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
 				}
 			}
 		}