diff --git a/src/html/escape.go b/src/html/escape.go
index 1dc12873b0f..de5a85833ff 100644
--- a/src/html/escape.go
+++ b/src/html/escape.go
@@ -104,7 +104,8 @@ func unescapeEntity(b []byte, dst, src int) (dst1, src1 int) {
break
}
- if i <= 3 { // No characters matched.
+ // We need to have at least "&#." or "&#x.".
+ if (!hex && i < 3) || (hex && i < 4) {
b[dst] = b[src]
return dst + 1, src + 1
}
diff --git a/src/html/escape_test.go b/src/html/escape_test.go
index 8b51a55409f..c24dbc56970 100644
--- a/src/html/escape_test.go
+++ b/src/html/escape_test.go
@@ -49,12 +49,24 @@ var unescapeTests = []unescapeTest{
"Delta = Δ ",
"Delta = Δ ",
},
+ // Handle single-digit decimal numeric entities.
+ {
+ "singleDigitDecimalEntity",
+ "Tab = = ",
+ "Tab = \t = \t ",
+ },
// Handle hexadecimal numeric entities.
{
"hexadecimalEntity",
"Lambda = λ = λ ",
"Lambda = λ = λ ",
},
+ // Handle single-digit hexadecimal numeric entities.
+ {
+ "singleDigitHexadecimalEntity",
+ "Tab = = ",
+ "Tab = \t = \t ",
+ },
// Handle numeric early termination.
{
"numericEnds",
@@ -109,6 +121,7 @@ func TestUnescapeEscape(t *testing.T) {
`"<&>"`,
`3&5==1 && 0<1, "0<1", a+acute=á`,
`The special characters are: <, >, &, ' and "`,
+ ` `,
}
for _, s := range ss {
if got := UnescapeString(EscapeString(s)); got != s {