[Vendor] blevesearch v0.8.1 -> v1.0.7 (#11360)

* Update blevesearch v0.8.1 -> v1.0.7 * make vendor Co-authored-by: zeripath <art27@cantab.net>
author: 6543 <6543@obermui.de> 2020-05-10 07:40:54 +0200
committer: GitHub <noreply@github.com> 2020-05-10 06:40:54 +0100
commit: fdf750e4d4273620e774d03db087ab0dd4eef8c5 (patch)
tree: 3185d56c8cdbdce9fdd5d320062fed16bee65db9 /vendor/github.com/tinylib
parent: a44854c287ac7127a73ea2790716311ba918dd1d (diff)
download: gitea-fdf750e4d4273620e774d03db087ab0dd4eef8c5.tar.gz
gitea-fdf750e4d4273620e774d03db087ab0dd4eef8c5.zip
1 files changed, 44 insertions, 18 deletions
diff --git a/vendor/github.com/tinylib/msgp/msgp/json.go b/vendor/github.com/tinylib/msgp/msgp/json.go
index 4325860ada..77601e52c3 100644
--- a/vendor/github.com/tinylib/msgp/msgp/json.go
+++ b/vendor/github.com/tinylib/msgp/msgp/json.go
@@ -466,7 +466,23 @@ func rwquoted(dst jsWriter, s []byte) (n int, err error) {
 					return
 				}
 				n++
+			case '\t':
+				err = dst.WriteByte('\\')
+				if err != nil {
+					return
+				}
+				n++
+				err = dst.WriteByte('t')
+				if err != nil {
+					return
+				}
+				n++
 			default:
+				// This encodes bytes < 0x20 except for \t, \n and \r.
+				// It also escapes <, >, and &
+				// because they can lead to security holes when
+				// user-controlled strings are rendered into JSON
+				// and served to some browsers.
 				nn, err = dst.WriteString(`\u00`)
 				n += nn
 				if err != nil {
@@ -495,16 +511,23 @@ func rwquoted(dst jsWriter, s []byte) (n int, err error) {
 				if err != nil {
 					return
 				}
-				nn, err = dst.WriteString(`\ufffd`)
-				n += nn
-				if err != nil {
-					return
-				}
-				i += size
-				start = i
-				continue
 			}
+			nn, err = dst.WriteString(`\ufffd`)
+			n += nn
+			if err != nil {
+				return
+			}
+			i += size
+			start = i
+			continue
 		}
+		// U+2028 is LINE SEPARATOR.
+		// U+2029 is PARAGRAPH SEPARATOR.
+		// They are both technically valid characters in JSON strings,
+		// but don't work in JSONP, which has to be evaluated as JavaScript,
+		// and can lead to security holes there. It is valid JSON to
+		// escape them, so we do so unconditionally.
+		// See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
 		if c == '\u2028' || c == '\u2029' {
 			if start < i {
 				nn, err = dst.Write(s[start:i])
@@ -512,17 +535,20 @@ func rwquoted(dst jsWriter, s []byte) (n int, err error) {
 				if err != nil {
 					return
 				}
-				nn, err = dst.WriteString(`\u202`)
-				n += nn
-				if err != nil {
-					return
-				}
-				err = dst.WriteByte(hex[c&0xF])
-				if err != nil {
-					return
-				}
-				n++
 			}
+			nn, err = dst.WriteString(`\u202`)
+			n += nn
+			if err != nil {
+				return
+			}
+			err = dst.WriteByte(hex[c&0xF])
+			if err != nil {
+				return
+			}
+			n++
+			i += size
+			start = i
+			continue
 		}
 		i += size
 	}
author	6543 <6543@obermui.de>	2020-05-10 07:40:54 +0200
committer	GitHub <noreply@github.com>	2020-05-10 06:40:54 +0100
commit	fdf750e4d4273620e774d03db087ab0dd4eef8c5 (patch)
tree	3185d56c8cdbdce9fdd5d320062fed16bee65db9 /vendor/github.com/tinylib
parent	a44854c287ac7127a73ea2790716311ba918dd1d (diff)
download	gitea-fdf750e4d4273620e774d03db087ab0dd4eef8c5.tar.gz gitea-fdf750e4d4273620e774d03db087ab0dd4eef8c5.zip