From 33207174a9c1c87657e2ae0875cc85cbf41075f8 Mon Sep 17 00:00:00 2001
From: Andreas Kling <andreas@ladybird.org>
Date: Fri, 19 Jul 2024 20:02:14 +0200
Subject: [PATCH] LibWeb: Allow splitting surrogate pairs in
 CharacterData.replaceData()

We're expected to handle this situation gracefully, and certainly not
by falling apart like we were.

Found by Domato.
---
 ...cterData-replaceData-break-surrogate-pair.txt |  5 +++++
 ...terData-replaceData-break-surrogate-pair.html | 16 ++++++++++++++++
 Userland/Libraries/LibWeb/DOM/CharacterData.cpp  |  4 ++--
 3 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 Tests/LibWeb/Text/expected/DOM/CharacterData-replaceData-break-surrogate-pair.txt
 create mode 100644 Tests/LibWeb/Text/input/DOM/CharacterData-replaceData-break-surrogate-pair.html

diff --git a/Tests/LibWeb/Text/expected/DOM/CharacterData-replaceData-break-surrogate-pair.txt b/Tests/LibWeb/Text/expected/DOM/CharacterData-replaceData-break-surrogate-pair.txt
new file mode 100644
index 00000000000..5a61969353d
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/DOM/CharacterData-replaceData-break-surrogate-pair.txt
@@ -0,0 +1,5 @@
+Before replaceData:
+[0]: 53997
+[1]: 56998
+After replaceData:
+[0]: 56998
diff --git a/Tests/LibWeb/Text/input/DOM/CharacterData-replaceData-break-surrogate-pair.html b/Tests/LibWeb/Text/input/DOM/CharacterData-replaceData-break-surrogate-pair.html
new file mode 100644
index 00000000000..be07b2b5753
--- /dev/null
+++ b/Tests/LibWeb/Text/input/DOM/CharacterData-replaceData-break-surrogate-pair.html
@@ -0,0 +1,16 @@
+<script src="../include.js"></script>
+<script>
+    test(() => {
+        const str = '\uD2ED\uDEA6';
+        let t = document.createTextNode(str);
+        println("Before replaceData:");
+        for (let i = 0; i < t.length; ++i) {
+            println("[" + i + "]: " + t.data.charCodeAt(i));
+        }
+        t.replaceData(0, 1, '')
+        println("After replaceData:");
+        for (let i = 0; i < t.length; ++i) {
+            println("[" + i + "]: " + t.data.charCodeAt(i));
+        }
+    });
+</script>
diff --git a/Userland/Libraries/LibWeb/DOM/CharacterData.cpp b/Userland/Libraries/LibWeb/DOM/CharacterData.cpp
index cfab32a311a..4ff366b07e6 100644
--- a/Userland/Libraries/LibWeb/DOM/CharacterData.cpp
+++ b/Userland/Libraries/LibWeb/DOM/CharacterData.cpp
@@ -87,9 +87,9 @@ WebIDL::ExceptionOr<void> CharacterData::replace_data(size_t offset, size_t coun
     // 6. Let delete offset be offset + data’s length.
     // 7. Starting from delete offset code units, remove count code units from node’s data.
     StringBuilder builder;
-    builder.append(MUST(utf16_view.substring_view(0, offset).to_utf8()));
+    builder.append(MUST(utf16_view.substring_view(0, offset).to_utf8(Utf16View::AllowInvalidCodeUnits::Yes)));
     builder.append(data);
-    builder.append(MUST(utf16_view.substring_view(offset + count).to_utf8()));
+    builder.append(MUST(utf16_view.substring_view(offset + count).to_utf8(Utf16View::AllowInvalidCodeUnits::Yes)));
     m_data = MUST(builder.to_string());
 
     // 8. For each live range whose start node is node and start offset is greater than offset but less than or equal to offset plus count, set its start offset to offset.