diff --git a/lib/xss.js b/lib/xss.js
index a31e0bed..d258c3af 100644
--- a/lib/xss.js
+++ b/lib/xss.js
@@ -216,6 +216,13 @@ function sanitizeHTML(str) {
             continue;
         }
         for (var k in t.attributes) {
+            // Keys should not contain non-word characters.
+            var k2 = k.replace(/[^\w]/g, "");
+            if (k2 !== k) {
+                t.attributes[k2] = t.attributes[k];
+                delete t.attributes[k];
+                k = k2;
+            }
             // If it's an evil attribute, just nuke it entirely
             if (k.match(badAttrs)) {
                 delete t.attributes[k];
@@ -225,12 +232,6 @@ function sanitizeHTML(str) {
                     t.attributes[k] = t.attributes[k].replace(badAttrValues, "[removed]");
                 }
 
-                // Keys should not contain non-word characters.
-                var k2 = k.replace(/[^\w]/g, "");
-                if (k2 !== k) {
-                    t.attributes[k2] = t.attributes[k];
-                    delete t.attributes[k];
-                }
             }
         }
         // Build the sanitized tag