
Validate XML numeric character references before string construction #1046

Open
yuki-matsuhashi wants to merge 1 commit into stleary:master from yuki-matsuhashi:master


@yuki-matsuhashi
Contributor

Fixes #1045

This PR validates XML numeric character references before string construction.

Changes in this PR:

  • reject XML-invalid numeric character references with JSONException
  • add regression tests for out-of-range hex and decimal values
  • add regression coverage for surrogate values and attribute values

Note

#1045 focused on out-of-range values such as �, which raised an uncaught runtime exception before this fix. Surrogate values such as � did not reproduce the same exception in my testing, but they are still invalid XML character references and are rejected by the same validation.
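
A stand-alone sketch of the kind of check this PR describes, added here as an example and not the PR's or JSON-java's own code: it applies the XML 1.0 `Char` production to a numeric character reference before the string is built. The class and method names and the `InvalidRefException` stand-in for `JSONException` are assumptions, and the sample inputs are constructed.

```java
public class NumericCharRefCheck {
    /** Hypothetical stand-in for org.json.JSONException so the example compiles alone. */
    static class InvalidRefException extends RuntimeException {
        InvalidRefException(String msg) { super(msg); }
    }

    /** XML 1.0 Char production. */
    static boolean isXmlChar(int cp) {
        return cp == 0x9 || cp == 0xA || cp == 0xD
                || (cp >= 0x20 && cp <= 0xD7FF)        // stops before surrogates D800-DFFF
                || (cp >= 0xE000 && cp <= 0xFFFD)      // excludes FFFE and FFFF
                || (cp >= 0x10000 && cp <= 0x10FFFF);  // upper bound of Unicode
    }

    /** Decodes the body of a numeric reference (the text between '&' and ';'), e.g. "#x41". */
    static String decode(String body) {
        if (!body.startsWith("#")) throw new InvalidRefException("not numeric: " + body);
        boolean hex = body.startsWith("#x");           // XML permits lowercase 'x' only
        String digits = body.substring(hex ? 2 : 1);
        if (digits.length() == 0) throw new InvalidRefException("no digits: " + body);
        int radix = hex ? 16 : 10;
        int cp = 0;
        for (int i = 0; i < digits.length(); i++) {
            char c = digits.charAt(i);
            int d = (c >= '0' && c <= '9') ? c - '0'
                    : (hex && c >= 'a' && c <= 'f') ? c - 'a' + 10
                    : (hex && c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
            if (d < 0) throw new InvalidRefException("bad digit in: " + body);
            cp = cp * radix + d;
            // Bail out early so arbitrarily long digit runs cannot overflow int.
            if (cp > 0x10FFFF) throw new InvalidRefException("out of range: " + body);
        }
        if (!isXmlChar(cp)) throw new InvalidRefException("not an XML character: " + body);
        return new String(Character.toChars(cp));      // cannot throw: cp was validated above
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the PR's test suite.
        String[] samples = {"#x41", "#65", "#x1F600", "#x110000", "#1114112", "#xD800", "#0", "#x"};
        for (String s : samples) {
            try {
                int cp = decode(s).codePointAt(0);
                System.out.println("&" + s + "; -> U+" + Integer.toHexString(cp).toUpperCase());
            } catch (InvalidRefException e) {
                System.out.println("&" + s + "; rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```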


@stleary
Owner

stleary commented Mar 24, 2026

What problem does this code solve?
XML code throws an uncontrolled exception when parsing invalid codepoints to JSON. This fix replaced the exception with a JSONException.

Does the code still compile with Java6?
Yes

Risks
Low

Changes to the API?
Yes, but just in the type of exception thrown

Will this require a new release?
No

Should the documentation be updated?
No

Does it break the unit tests?
No, new unit tests were added.

Was any code refactored in this commit?
No

Review status
APPROVED

Starting 3-day comment window


Development

Successfully merging this pull request may close these issues.

XML.toJSONObject() throws uncaught IllegalArgumentException for out-of-range numeric character references
