diff --git a/core/modules/system/src/Controller/EntityAutocompleteController.php b/core/modules/system/src/Controller/EntityAutocompleteController.php
index 1bffd291a477ead30835868056469611112b77a0..863c7535d685c38709592af33435cf89d0d947e4 100644
--- a/core/modules/system/src/Controller/EntityAutocompleteController.php
+++ b/core/modules/system/src/Controller/EntityAutocompleteController.php
@@ -79,27 +79,29 @@ public function handleAutocomplete(Request $request, $target_type, $selection_ha
     $matches = [];
     // Get the typed string from the URL, if it exists.
     if ($input = $request->query->get('q')) {
-      $typed_string = Tags::explode($input);
-      $typed_string = mb_strtolower(array_pop($typed_string));
+      $tag_list = Tags::explode($input);
+      if (!empty($tag_list)) {
+        $typed_string = mb_strtolower(array_pop($tag_list));
 
-      // Selection settings are passed in as a hashed key of a serialized array
-      // stored in the key/value store.
-      $selection_settings = $this->keyValue->get($selection_settings_key, FALSE);
-      if ($selection_settings !== FALSE) {
-        $selection_settings_hash = Crypt::hmacBase64(serialize($selection_settings) . $target_type . $selection_handler, Settings::getHashSalt());
-        if (!hash_equals($selection_settings_hash, $selection_settings_key)) {
-          // Disallow access when the selection settings hash does not match the
-          // passed-in key.
-          throw new AccessDeniedHttpException('Invalid selection settings key.');
+        // Selection settings are passed in as a hashed key of a serialized array
+        // stored in the key/value store.
+        $selection_settings = $this->keyValue->get($selection_settings_key, FALSE);
+        if ($selection_settings !== FALSE) {
+          $selection_settings_hash = Crypt::hmacBase64(serialize($selection_settings) . $target_type . $selection_handler, Settings::getHashSalt());
+          if (!hash_equals($selection_settings_hash, $selection_settings_key)) {
+            // Disallow access when the selection settings hash does not match the
+            // passed-in key.
+            throw new AccessDeniedHttpException('Invalid selection settings key.');
+          }
+        }
+        else {
+          // Disallow access when the selection settings key is not found in the
+          // key/value store.
+          throw new AccessDeniedHttpException();
         }
-      }
-      else {
-        // Disallow access when the selection settings key is not found in the
-        // key/value store.
-        throw new AccessDeniedHttpException();
-      }
 
-      $matches = $this->matcher->getMatches($target_type, $selection_handler, $selection_settings, $typed_string);
+        $matches = $this->matcher->getMatches($target_type, $selection_handler, $selection_settings, $typed_string);
+      }
     }
 
     return new JsonResponse($matches);
diff --git a/core/tests/Drupal/KernelTests/Core/Entity/EntityAutocompleteTest.php b/core/tests/Drupal/KernelTests/Core/Entity/EntityAutocompleteTest.php
index 1b0bd8974a5da689b6913c045a471f9ac7c1c3be..e6cb4de3ae63cacfa4ff481376c5d3ab7d77ee37 100644
--- a/core/tests/Drupal/KernelTests/Core/Entity/EntityAutocompleteTest.php
+++ b/core/tests/Drupal/KernelTests/Core/Entity/EntityAutocompleteTest.php
@@ -88,6 +88,10 @@ public function testEntityReferenceAutocompletion() {
       'label' => Html::escape($entity_3->name->value),
     ];
     $this->assertSame($target, reset($data), 'Autocomplete returns an entity label containing a comma and a slash.');
+
+    $input = '"l!J>&Tw';
+    $data = $this->getAutocompleteResult($input);
+    $this->assertSame([], $data, 'Autocomplete of invalid string returns empty result');
   }
 
   /**