    switch_xml_decode: avoid NUL injection · 48d6a5f6
    Peter Wu authored
    strtol can parse negative values which opens the hole for a NUL
    injection. The (invalid) entity "&#-256;" is parsed as 0xFFFFFF00 which
    (when cast to a char) becomes 0.
    
    Avoid this attack by using unsigned long integers. To avoid undefined
    behavior due to negative shifts, restrict the upper bound of the code
    points to the UTF-8 limits. (Add an assertion to make the Clang static
    analyzer happy.)
    
    Note: due to the specification of strtol, leading spaces and minus/plus
    signs are also allowed; explicitly check for an integer. "&#0x1;" is
    still accepted, but that is considered a minor issue.
switch_xml.c 103.6 KB
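
The parsing flaw described in the commit message, shown as an added C example that is not the code from switch_xml.c or from the commit: a signed parse truncated to one byte next to a checked unsigned parse. The function names are hypothetical, and the U+10FFFF upper bound and the rejection of an explicit 0 are assumptions of this example (the message only says "the UTF-8 limits").

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers, constructed for illustration; `ent` is "&#...;". */

/* Pre-fix pattern: signed parse, then truncation to a single byte. */
static char decode_ref_signed(const char *ent)
{
    long c = strtol(ent + 2, NULL, 10); /* accepts "-256", " 65", "+65" */
    return (char)c;                     /* -256 keeps only its low byte: 0 */
}

/* Hardened pattern: returns 0 and stores the code point, or -1 to reject. */
static int decode_ref_checked(const char *ent, unsigned long *cp)
{
    const char *p;
    char *end;
    unsigned long v;
    int base = 10;
    if (strncmp(ent, "&#", 2) != 0)
        return -1;
    p = ent + 2;
    if (*p == 'x' || *p == 'X') {
        base = 16;
        p++;
    }
    /* strtoul also skips spaces and takes a sign: demand a digit first. */
    if (base == 16 ? !isxdigit((unsigned char)*p) : !isdigit((unsigned char)*p))
        return -1;
    errno = 0;
    v = strtoul(p, &end, base);
    if (errno == ERANGE || *end != ';')
        return -1;
    /* Assumed bounds: no NUL, nothing above U+10FFFF (RFC 3629). */
    if (v == 0 || v > 0x10FFFFUL)
        return -1;
    *cp = v;
    return 0;
}

int main(void)
{
    unsigned long cp = 0;
    printf("%d %d\n", decode_ref_signed("&#-256;"), decode_ref_checked("&#-256;", &cp));
    return 0;
}
```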