From fb0ead5a37afb7d3749bbbac69809df97d18a347 Mon Sep 17 00:00:00 2001
From: sravan27
Date: Mon, 15 Jun 2026 21:25:49 +0530
Subject: [PATCH] fix(validator): reject numeric char refs with no digits (&#; and &#x;)

validateNumberAmpersand returned success on a ';' immediately following '&#' or '&#x', so XMLValidator.validate marked '&#x;' and '&#;' as valid. XML 1.0 requires at least one digit in a CharRef.
---
 src/validator.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/validator.js b/src/validator.js
index 277225c2..5bfd136b 100644
--- a/src/validator.js
+++ b/src/validator.js
@@ -358,11 +358,16 @@ function validateNumberAmpersand(xmlData, i) {
 i++;
 re = /[\da-fA-F]/;
 }
+ // Per the XML 1.0 CharRef production a numeric reference must contain at
+ // least one digit; "&#;" and "&#x;" are invalid. Without this guard the
+ // loop returns success on a ';' that immediately follows "&#"/"&#x".
+ let hasDigit = false;
 for (; i < xmlData.length; i++) {
 if (xmlData[i] === ';')
- return i;
+ return hasDigit ? i : -1;
 if (!xmlData[i].match(re))
 break;
+ hasDigit = true;
 }
 return -1;
 }
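Review bot: The numeric value of the reference is still never examined in this loop, so references such as `&#0;`, `&#xD800;` or `&#x110000;` are reported as valid unless a caller outside the hunk rejects them. XML 1.0's "Legal Character" constraint requires a character reference to match the Char production, and a validator that is looser than the parser behind it lets such input pass a validation gate. Recording the start index and the radix, then range-checking the parsed code point in the `;` branch, closes this; the function begins above the hunk, so the radix declaration is only indicated in the sketch below. A regression test covering `&#;`, `&#x;` and one out-of-range value would also be worth adding, since the diffstat shows only src/validator.js changing.

```javascript
    re = /[\da-fA-F]/;
    radix = 16; // needs `let radix = 10;` next to the declaration of `re`, above this hunk
  }
  // … unchanged: CharRef comment and hasDigit declaration …
  const start = i;
  for (; i < xmlData.length; i++) {
    if (xmlData[i] === ';') {
      if (!hasDigit) return -1;
      // XML 1.0 "Legal Character": the referenced code point must match Char.
      const cp = Number.parseInt(xmlData.slice(start, i), radix);
      const isChar = cp === 0x9 || cp === 0xA || cp === 0xD ||
        (cp >= 0x20 && cp <= 0xD7FF) ||
        (cp >= 0xE000 && cp <= 0xFFFD) ||
        (cp >= 0x10000 && cp <= 0x10FFFF);
      return isChar ? i : -1;
    }
    // … unchanged: digit check, break, hasDigit = true …
  }
```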