Check for invalid code points before passing them to String.fromCodePoint

- Now the call will not throw RangeError exceptions
- Tests are included for both strict: true and strict: false modes
- Fixes #116 and #160

PR-URL: #163
Credit: @aularon
Close: #163
Reviewed-by: @isaacs

Author: aularon

lib/sax.js

@@ -999,7 +999,12 @@
       }
     }
     entity = entity.replace(/^0+/, '')
-    if (isNaN(num) || numStr.toLowerCase() !== entity) {
+    if (
+      isNaN(num) ||
+      numStr.toLowerCase() !== entity ||
+      num < 0 ||
+      num > 0x10ffff
+    ) {
       strictFail(parser, 'Invalid character entity')
       return '&' + parser.entity + ';'
     }

test/invalid-entities.js

@@ -0,0 +1,30 @@
+var invalidEntities = ['1114112', '-1', 'NaN']
+
+for (var i = invalidEntities.length - 1; i >= 0; --i) {
+  require(__dirname).test({
+    xml: '<r>&#' + invalidEntities[i] + ';</r>',
+    strict: false,
+    expect: [
+      ['opentagstart', { name: 'R', attributes: {} }],
+      ['opentag', { name: 'R', attributes: {}, isSelfClosing: false }],
+      ['text', '&#' + invalidEntities[i] + ';'],
+      ['closetag', 'R'],
+    ],
+  })
+  require(__dirname).test({
+    xml: '<r>&#' + invalidEntities[i] + ';</r>',
+    strict: true,
+    expect: [
+      ['opentagstart', { name: 'r', attributes: {} }],
+      ['opentag', { name: 'r', attributes: {}, isSelfClosing: false }],
+      [
+        'error',
+        'Invalid character entity\nLine: 0\nColumn: ' +
+          (6 + invalidEntities[i].length) +
+          '\nChar: ;',
+      ],
+      ['text', '&#' + invalidEntities[i] + ';'],
+      ['closetag', 'r'],
+    ],
+  })
+}