From 8716f61690ca1161fd3ab81666f35938633258e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=EC=96=91=EB=B4=89=EC=88=98=5BPaaS=5D?=
 <bongsoo.yang@navercorp.com>
Date: Wed, 20 May 2020 16:34:38 +0900
Subject: [PATCH 1/2] '-' and '_' may be treated in plain letters.

---
 .../java/org/owasp/html/HtmlEntities.java     |  1 +
 .../java/org/owasp/html/HtmlEntitiesTest.java | 23 +++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 src/test/java/org/owasp/html/HtmlEntitiesTest.java

diff --git a/src/main/java/org/owasp/html/HtmlEntities.java b/src/main/java/org/owasp/html/HtmlEntities.java
index 08423268..6c1e6636 100644
--- a/src/main/java/org/owasp/html/HtmlEntities.java
+++ b/src/main/java/org/owasp/html/HtmlEntities.java
@@ -2232,6 +2232,7 @@ public static int appendDecodedEntity(
         case 'y': case 'z':
         case '0': case '1': case '2': case '3': case '4': case '5':
         case '6': case '7': case '8': case '9':
+        case '-': case '_':
           break;
         case '=':
           // An equal sign after an entity missing a closing semicolon should
diff --git a/src/test/java/org/owasp/html/HtmlEntitiesTest.java b/src/test/java/org/owasp/html/HtmlEntitiesTest.java
new file mode 100644
index 00000000..47ad8ebe
--- /dev/null
+++ b/src/test/java/org/owasp/html/HtmlEntitiesTest.java
@@ -0,0 +1,23 @@
+package org.owasp.html;
+
+import static org.junit.Assert.*;
+
+import org.junit.Test;
+
+public class HtmlEntitiesTest {
+
+	@Test
+	public void decodeTest() {
+		String input = "<a href=\"/t?a=1&order_id=2\">order</a>";
+		String output = Encoding.decodeHtml(input);
+		assertEquals("<a href=\"/t?a=1&order_id=2\">order</a>", output);
+
+		input = "<a href=\"/t?a=1&order-id=2\">order</a>";
+		output = Encoding.decodeHtml(input);
+		assertEquals("<a href=\"/t?a=1&order-id=2\">order</a>", output);
+
+		input = "<a href=\"/t?a=1&order=2\">order</a>";
+		output = Encoding.decodeHtml(input);
+		assertEquals("<a href=\"/t?a=1&order=2\">order</a>", output);
+	}
+}
\ No newline at end of file

From 5ed4cbccbb47ec21928f4a0e3fa2df7be36ebb99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=EC=96=91=EB=B4=89=EC=88=98=5BPaaS=5D?=
 <bongsoo.yang@navercorp.com>
Date: Wed, 20 May 2020 17:13:16 +0900
Subject: [PATCH 2/2] change test code

---
 src/test/java/org/owasp/html/HtmlEntitiesTest.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/test/java/org/owasp/html/HtmlEntitiesTest.java b/src/test/java/org/owasp/html/HtmlEntitiesTest.java
index 47ad8ebe..347cd05f 100644
--- a/src/test/java/org/owasp/html/HtmlEntitiesTest.java
+++ b/src/test/java/org/owasp/html/HtmlEntitiesTest.java
@@ -1,13 +1,14 @@
 package org.owasp.html;
 
-import static org.junit.Assert.*;
-
 import org.junit.Test;
 
-public class HtmlEntitiesTest {
+import junit.framework.TestCase;
+
+@SuppressWarnings("javadoc")
+public class HtmlEntitiesTest extends TestCase {
 
 	@Test
-	public void decodeTest() {
+	public void testAfterAmpString() {
 		String input = "<a href=\"/t?a=1&order_id=2\">order</a>";
 		String output = Encoding.decodeHtml(input);
 		assertEquals("<a href=\"/t?a=1&order_id=2\">order</a>", output);