From 011e8f37f6d9991bd141d76a8fc24a3d1271942c Mon Sep 17 00:00:00 2001
From: Alexander Yastrebov
Date: Wed, 6 Mar 2024 18:47:06 +0100
Subject: [PATCH] html: handle single digit decimal numeric entities without semicolon
Fix handling of " " and add tests for other single-digit cases.
Fixes #66058
Updates #21563
---
 src/html/escape.go | 3 ++-
 src/html/escape_test.go | 13 +++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/html/escape.go b/src/html/escape.go
index 1dc12873b0f..de5a85833ff 100644
--- a/src/html/escape.go
+++ b/src/html/escape.go
@@ -104,7 +104,8 @@ func unescapeEntity(b []byte, dst, src int) (dst1, src1 int) {
 break
 }
- if i <= 3 { // No characters matched.
+ // We need to have at least "&#." or "&#x.".
+ if (!hex && i < 3) || (hex && i < 4) {
 b[dst] = b[src]
 return dst + 1, src + 1
 }
diff --git a/src/html/escape_test.go b/src/html/escape_test.go
index 8b51a55409f..c24dbc56970 100644
--- a/src/html/escape_test.go
+++ b/src/html/escape_test.go
@@ -49,12 +49,24 @@ var unescapeTests = []unescapeTest{
 "Delta = Δ ",
 "Delta = Δ ",
 },
+ // Handle single-digit decimal numeric entities.
+ {
+ "singleDigitDecimalEntity",
+ "Tab = = ",
+ "Tab = \t = \t ",
+ },
 // Handle hexadecimal numeric entities.
 {
 "hexadecimalEntity",
 "Lambda = λ = λ ",
 "Lambda = λ = λ ",
 },
+ // Handle single-digit hexadecimal numeric entities.
+ {
+ "singleDigitHexadecimalEntity",
+ "Tab = = ",
+ "Tab = \t = \t ",
+ },
 // Handle numeric early termination.
 {
 "numericEnds",
@@ -109,6 +121,7 @@ func TestUnescapeEscape(t *testing.T) {
 `"<&>"`,
 `3&5==1 && 0<1, "0<1", a+acute=á`,
 `The special characters are: <, >, &, ' and "`,
+ ` `,
 }
 for _, s := range ss {
 if got := UnescapeString(EscapeString(s)); got != s {
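Review bot: The new guard in unescapeEntity, `if (!hex && i < 3) || (hex && i < 4) {`, tests how many bytes were consumed rather than whether any digit was matched, so it cannot tell `&#9` from `&#;` when both leave `i` at 3. The scanning loop ends above this hunk, so this is inferred: if that loop advances `i` past a terminating `;`, a digit-less reference such as `&#;` or `&#x;` followed by more text would skip the copy-through branch and be decoded from a zero value. That would make UnescapeString disagree with HTML parsers that leave such text untouched, which matters to callers that filter or compare unescaped output. I would track the match explicitly, for example set a `matched` flag where a digit is accumulated and test `if !matched {` here, and add `unescapeTests` cases for both inputs.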
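Review bot: Both new `unescapeTests` cases put a space after the unterminated reference (the expected strings end in `\t `), so a single-digit reference without a semicolon as the last bytes of the input is never exercised. Whether the length checks earlier in unescapeEntity, which are outside this diff, accept that input cannot be told from here. I would add a case whose input ends right after the digit, for decimal and for hexadecimal, under a comment such as `// Handle single-digit numeric entities at end of input.`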