Fix HtmlUtils unescape for supplementary chars

See gh-35477

Signed-off-by: potato <[email protected]>

Author: juntae6942

spring-web/src/main/java/org/springframework/web/util/HtmlCharacterEntityDecoder.java

@@ -124,7 +124,10 @@ private boolean processNumberedReference() {
 			int value = (!isHexNumberedReference ?
 					Integer.parseInt(getReferenceSubstring(2)) :
 					Integer.parseInt(getReferenceSubstring(3), 16));
-			this.decodedMessage.append((char) value);
+			if (value > Character.MAX_CODE_POINT) {
+				return false;
+			}
+			this.decodedMessage.appendCodePoint(value);
 			return true;
 		}
 		catch (NumberFormatException ex) {

spring-web/src/test/java/org/springframework/web/util/HtmlCharacterEntityDecoderTest.java

@@ -0,0 +1,42 @@
+package org.springframework.web.util;
+
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+class HtmlCharacterEntityDecoderTest {
+
+	@Test
+	@DisplayName("Should correctly unescape Unicode supplementary characters")
+	void unescapeHandlesSupplementaryCharactersCorrectly() {
+		// Arrange: Prepare test cases with the 'grinning face' emoji (😀, U+1F600).
+		String expectedCharacter = "😀";
+		String decimalEntity = "😀";
+		String hexEntity = "😀";
+
+		// Act: Call the HtmlUtils.htmlUnescape method to get the actual results.
+		String actualResultFromDecimal = HtmlUtils.htmlUnescape(decimalEntity);
+		String actualResultFromHex = HtmlUtils.htmlUnescape(hexEntity);
+
+		// Assert: Verify that the actual results match the expected character.
+		assertEquals(expectedCharacter, actualResultFromDecimal, "Decimal entity was not converted correctly.");
+		assertEquals(expectedCharacter, actualResultFromHex, "Hexadecimal entity was not converted correctly.");
+	}
+
+	@Test
+	@DisplayName("Should correctly unescape basic and named HTML entities")
+	void unescapeHandlesBasicEntities() {
+		// Arrange
+		String input = "<p>Tom & Jerry's "Show"</p>";
+		String expectedOutput = "<p>Tom & Jerry's \"Show\"</p>";
+
+		// Act
+		String actualOutput = HtmlUtils.htmlUnescape(input);
+
+		// Assert
+		assertEquals(expectedOutput, actualOutput, "Basic HTML entities were not unescaped correctly.");
+	}
+
+}
+