[5.2.x] Fixed #36179 -- Unhexed entries and removed duplicates in auth/common-passwords.txt.gz.

Backport of 727731d76d9dfd5304d536478d862778f6dd6d9b from main.

django/contrib/auth/password_validation.py

@@ -222,7 +222,7 @@ class CommonPasswordValidator:
 
     The password is rejected if it occurs in a provided list of passwords,
     which may be gzipped. The list Django ships with contains 20000 common
-    passwords (lowercased and deduplicated), created by Royce Williams:
+    passwords (unhexed, lowercased and deduplicated), created by Royce Williams:
     https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce
     The password list must be lowercased to match the comparison in validate().
     """

tests/auth_tests/test_validators.py

@@ -273,6 +273,15 @@ class CommonPasswordValidatorTest(SimpleTestCase):
             CommonPasswordValidator().validate("godzilla")
         self.assertEqual(cm.exception.messages, [expected_error])
 
+    def test_common_hexed_codes(self):
+        expected_error = "This password is too common."
+        common_hexed_passwords = ["asdfjkl:", "&#2336:"]
+        for password in common_hexed_passwords:
+            with self.subTest(password=password):
+                with self.assertRaises(ValidationError) as cm:
+                    CommonPasswordValidator().validate(password)
+                self.assertEqual(cm.exception.messages, [expected_error])
+
     def test_validate_custom_list(self):
         path = os.path.join(
             os.path.dirname(os.path.realpath(__file__)), "common-passwords-custom.txt"