LibWeb/CSS: Fix stack use after scope in matches_attribute()

If a short string is used for the attribute value, then the result of: ```cpp auto const view = element.attribute(attribute_name).value_or({}) .bytes_as_string_view().split_view(' '); ``` is an array of string views pointing into a temporarily allocated string. With this change we keep string on stack until the end of scope. Page that allows to reproduce the problem. ```html <!DOCTYPE html><style> div[data-info~="a"] { background-color: yellow; } </style><div data-info="a">a</div> ```
Author: https://github.com/kalenikaliaksandr Commit: 32a6bf908a Pull-request: https://github.com/SerenityOS/serenity/pull/22414
2025-06-10 18:10:56 +09:00 · 2023-12-24 02:51:02 +01:00 · 2023-12-24 02:51:02 +01:00 · 32a6bf908a · 2024-07-17 07:19:27 +09:00
commit 32a6bf908a
parent 95e9c89a15
1 changed files with 2 additions and 1 deletions
--- a/Userland/Libraries/LibWeb/CSS/SelectorEngine.cpp
+++ b/Userland/Libraries/LibWeb/CSS/SelectorEngine.cpp
@ -151,7 +151,8 @@ static inline bool matches_attribute(CSS::Selector::SimpleSelector::Attribute co
            // This selector is always false is match value is empty.
            return false;
        }
-        auto const view = element.attribute(attribute_name).value_or({}).bytes_as_string_view().split_view(' ');
+        auto attribute_value = element.attribute(attribute_name).value_or({});
+        auto const view = attribute_value.bytes_as_string_view().split_view(' ');
        auto const size = view.size();
        for (size_t i = 0; i < size; ++i) {
            auto const value = view.at(i);