AK: Replace the mutable String::replace API with an immutable version

This removes the awkward String::replace API which was the only String
API which mutated the String and replaces it with a new immutable
version that returns a new String with the replacements applied. This
also fixes a couple of UAFs that were caused by the use of this API.

As an optimization an equivalent StringView::replace API was also added
to remove an unnecessary String allocations in the format of:
`String { view }.replace(...);`

Userland/Libraries/LibJS/Runtime/RegExpPrototype.cpp

@@ -84,12 +84,7 @@ static String escape_regexp_pattern(const RegExpObject& regexp_object)
     if (pattern.is_empty())
         return "(?:)";
     // FIXME: Check u flag and escape accordingly
-    pattern.replace("\n", "\\n", true);
-    pattern.replace("\r", "\\r", true);
-    pattern.replace(LINE_SEPARATOR_STRING, "\\u2028", true);
-    pattern.replace(PARAGRAPH_SEPARATOR_STRING, "\\u2029", true);
-    pattern.replace("/", "\\/", true);
-    return pattern;
+    return pattern.replace("\n", "\\n", true).replace("\r", "\\r", true).replace(LINE_SEPARATOR_STRING, "\\u2028", true).replace(PARAGRAPH_SEPARATOR_STRING, "\\u2029", true).replace("/", "\\/", true);
 }
 
 // 22.2.5.2.3 AdvanceStringIndex ( S, index, unicode ), https://tc39.es/ecma262/#sec-advancestringindex

Userland/Libraries/LibJS/Runtime/StringPrototype.cpp

@@ -1141,11 +1141,10 @@ static Value create_html(GlobalObject& global_object, Value string, const String
         auto value_string = value.to_string(global_object);
         if (vm.exception())
             return {};
-        value_string.replace("\"", """, true);
         builder.append(' ');
         builder.append(attribute);
         builder.append("=\"");
-        builder.append(value_string);
+        builder.append(value_string.replace("\"", """, true));
         builder.append('"');
     }
     builder.append('>');