Correctly unescape '+' in URLs and decimal escapes in XML (e.g. ' ' instead of ' ')

This patch changes only URL/XML unescaping, not escaping--changing escaping
would remove the reversibility of the tests.

I've been meaning to submit this ever since
http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004042.html
but didn't have a particularly good reason.

However, I recently ran into a (weirdly-customized) version of AnyConnect which
actually sends '+' in one of the authentication forms. So this should improve
AnyConnect compatibility in some corner cases.

src/html.c

@@ -64,13 +64,18 @@ char *unescape_html(void *pool, const char *html, unsigned len, unsigned *out_le
 			} else if (!c_strncasecmp(&html[i], "'", 6)) {
 				msg[pos++] = '\'';
 				i += 6;
-			} else if (!strncmp(&html[i], "&#x", 3)) {
+			} else if (!strncmp(&html[i], "&#", 2)) {
 				const char *p = &html[i];
 				char *endptr = NULL;
 				long val;
 
-				p+=3;
-				val = strtol(p, &endptr, 16);
+				if (p[2]=='x') {
+					p += 3;
+					val = strtol(p, &endptr, 16);
+				} else {
+					p += 2;
+					val = strtol(p, &endptr, 10);
+				}
 				if (endptr == NULL || *endptr != ';' || val > WCHAR_MAX) {
 					/* skip */
 					msg[pos++] = html[i++];
@@ -134,6 +139,9 @@ char *unescape_url(void *pool, const char *url, unsigned len, unsigned *out_len)
 
 			msg[pos++] = u;
 			i += 3;
+		} else if (url[i] == '+') {
+			msg[pos++] = ' ';
+			i++;
 		} else
 			msg[pos++] = url[i++];
 	}