html: html.UnescapeString("(&#9)") does not decode single character number

[yffrankwang]

Go version

go version go1.21.4 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/ubuntu/.cache/go-build'
GOENV='/home/ubuntu/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/ubuntu/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/ubuntu/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/opt/gol.21.4'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/opt/gol.21.4/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4093406638=/tmp/go-build -gno-record-gcc-switches'

What did you do?

the html.UnescapeString() function does not decode one character number correctly.

package main

import (
	"fmt"
	"html"
)

func main() {
	fmt.Println(html.UnescapeString("(&#9)"))
}

https://go.dev/play/p/kCEC5INrCNt

What did you see happen?

output:

(&#9)

I think the "No characters matched." check logic of function html.unescapeEntity() is incorrect.

https://cs.opensource.google/go/go/+/refs/tags/go1.22.0:src/html/escape.go;l=107

What did you expect to see?

want:

(\t)

Edge/Chrome/Firefox displays the following html as (　　).

<pre>(&#9)</pre>

https://jsfiddle.net/Lkm6jy3c/

[seankhliao]

entities need to end with a semicolon
https://go.dev/play/p/KysJYYkgzbD

[yffrankwang]

entities do not need to end with a semmicolon.

package main

import (
	"fmt"
	"html"
)

func main() {
	fmt.Println(html.UnescapeString("(&#33)"))
}

output:

(!)

https://go.dev/play/p/1EawuIJeFka

Edge/Chrome/Firefox allows entity without a semicolon.
This should be a bug, right?

[seankhliao]

mdn says starts with & and ends with ;
https://developer.mozilla.org/en-US/docs/Glossary/Entity

whatwg html spec agrees
https://html.spec.whatwg.org/#character-references

Decimal numeric character reference
The ampersand must be followed by a U+0023 NUMBER SIGN character (#), followed by one or more ASCII digits, representing a base-ten integer that corresponds to a code point that is allowed according to the definition below. The digits must then be followed by a U+003B SEMICOLON character (;).

Hexadecimal numeric character reference
The ampersand must be followed by a U+0023 NUMBER SIGN character (#), which must be followed by either a U+0078 LATIN SMALL LETTER X character (x) or a U+0058 LATIN CAPITAL LETTER X character (X), which must then be followed by one or more ASCII hex digits, representing a hexadecimal integer that corresponds to a code point that is allowed according to the definition below. The digits must then be followed by a U+003B SEMICOLON character (;).

[yffrankwang]

Yes, current HTML5 specification states that entity must ends with a semicolon.
BUT HTML4.01 allows entity without a semicolon.

https://www.w3.org/TR/1999/REC-html401-19991224/charset.html#entities

Note. HTML provides other ways to present character data, in particular inline images.

Note. In SGML, it is possible to eliminate the final ";" after a character reference in some cases (e.g., at a line break or immediately before a tag). In other circumstances it may not be eliminated (e.g., in the middle of a word). We strongly suggest using the ";" in all cases to avoid problems with user agents that require this character to be present.

If html.UnescapeString() follow HTML5 specification, how do you explain the following code's output.

package main

import (
	"fmt"
	"html"
)

func main() {
	fmt.Println(html.UnescapeString("(&#33)"))
}

output:

(!)

[seankhliao]

see previously #21563

[yffrankwang]

#21563 (comment)

says:
This means that

<html><body>&#1;</body></html>

and

<html><body>&#1</body></html>

parse to the same document.

---

BUT, current html.UnescapeString() behave differently.
https://go.dev/play/p/45xKzS91su5

import (
	"fmt"
	"html"
)

func main() {
	fmt.Printf("%q\n", html.UnescapeString("()"))
	fmt.Printf("%q\n", html.UnescapeString("(&#1)"))
}

output:

"(\x01)"
"(&#1)"

if

<html><body>&#1;</body></html>
<html><body>&#1</body></html>

means same document.

html.UnescapeString("()"

should equals to

html.UnescapeString("(&#1)")

[yffrankwang]

@seankhliao Please reopen this issue.

This is clearly a bug. This code explains everything.

package main

import (
	"fmt"
	"html"
)

func main() {
	fmt.Printf("%q\n", html.UnescapeString("(&#x9)"))
	fmt.Printf("%q\n", html.UnescapeString("(&#9)"))
}

output:

"(\t)"
"(&#9)"

https://go.dev/play/p/3izgk-VqKG4