diff --git a/lib/polyfill/aria.js b/lib/polyfill/aria.js
index 388c37a5f8..7517035c3e 100644
--- a/lib/polyfill/aria.js
+++ b/lib/polyfill/aria.js
@@ -48,7 +48,13 @@ shaka.polyfill.Aria = class {
    * @private
    */
   static addARIAMixinAttribute_(name) {
-    const snakeCaseName = name.toLowerCase().replace('aria', 'aria-');
+    const baseName = name.toLowerCase().replace(/^aria/, '');
+    // NOTE: All the attributes listed in the method above begin with "aria".
+    // However, to add extra protection against the possibility of XSS attacks
+    // through this method, this enforces "aria-" at the beginning of the
+    // snake-case name, even if somehow "aria" were missing from the input.
+    const snakeCaseName = `aria-${baseName}`;
+
     /* eslint-disable no-restricted-syntax */
     Object.defineProperty(Element.prototype, name, {
       get() {
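Review bot: The hardening is narrower than the NOTE suggests, because the raw `name` is still passed unchanged as the property key to `Object.defineProperty(Element.prototype, name, ...)` at the end of the hunk; only the attribute name gets the enforced `aria-` prefix, so an unexpected input would still define an arbitrary property on `Element.prototype`. Since the comment itself states that every caller-supplied name begins with "aria", a loud validation is clearer than silent normalization, e.g. `if (!/^aria[A-Z]/.test(name)) { throw new Error(`Invalid ARIA mixin attribute: ${name}`); }` before computing `baseName`. If the getter and setter below (outside the hunk) simply forward to `getAttribute`/`setAttribute`, a malformed attribute name is rejected by the DOM rather than being an XSS vector, so the comment would be more accurate naming the risk it addresses (an unexpected attribute or property being defined) instead of XSS. The body of `addARIAMixinAttribute_` continues past the end of the hunk.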