From 32a6bf908a72b4d1345d65c259846683531b0cbe Mon Sep 17 00:00:00 2001 From: Aliaksandr Kalenik Date: Sun, 24 Dec 2023 02:51:02 +0100 Subject: [PATCH] LibWeb/CSS: Fix stack use after scope in matches_attribute() If a short string is used for the attribute value, then the result of: ```cpp auto const view = element.attribute(attribute_name).value_or({}) .bytes_as_string_view().split_view(' '); ``` is an array of string views pointing into a temporarily allocated string. With this change we keep the string on the stack until the end of the scope. Page that reproduces the problem: ```html
a
```
---
 Userland/Libraries/LibWeb/CSS/SelectorEngine.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibWeb/CSS/SelectorEngine.cpp b/Userland/Libraries/LibWeb/CSS/SelectorEngine.cpp
index a0df1af042..6a3d189cdd 100644
--- a/Userland/Libraries/LibWeb/CSS/SelectorEngine.cpp
+++ b/Userland/Libraries/LibWeb/CSS/SelectorEngine.cpp
@@ -151,7 +151,8 @@ static inline bool matches_attribute(CSS::Selector::SimpleSelector::Attribute co
 // This selector is always false is match value is empty.
 return false;
 }
-auto const view = element.attribute(attribute_name).value_or({}).bytes_as_string_view().split_view(' ');
+auto attribute_value = element.attribute(attribute_name).value_or({});
+auto const view = attribute_value.bytes_as_string_view().split_view(' ');
 auto const size = view.size();
 for (size_t i = 0; i < size; ++i) {
 auto const value = view.at(i);
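Review bot: The two-statement split on the `+` lines is a lifetime fix with nothing in the code to stop a later cleanup from folding it back into the one-liner that was removed; a why-comment above `auto attribute_value` would pin it, e.g. `// Keep the owning String alive for the whole loop below: the StringViews in 'view' point into it (short strings live inside the String object itself).` The new local could also be `auto const attribute_value` to match the surrounding `auto const` locals and make clear it is never mutated. Since the attribute value is page-controlled, this was a memory-safety bug reachable from untrusted content; the repro page in the commit message would make a useful regression test if the engine's test suite has a place for it. matches_attribute's body continues outside the hunk on both sides, so the loop that consumes `view` is not visible here.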