LibWeb: Use string literals as format strings during form serialization

Passing a StringView bypasses compile-time format string validation.
Author: https://github.com/trflynn89 Commit: c0d18e976e Pull-request: https://github.com/SerenityOS/serenity/pull/23574
2025-05-12 22:22:55 +00:00 · 2024-03-13 17:24:38 -04:00 · 2024-03-13 17:24:38 -04:00 · c0d18e976e · 2024-07-16 22:11:09 +09:00
commit c0d18e976e
parent bb38cc1010
1 changed files with 4 additions and 4 deletions
--- a/Userland/Libraries/LibWeb/HTML/FormControlInfrastructure.cpp
+++ b/Userland/Libraries/LibWeb/HTML/FormControlInfrastructure.cpp
@ -267,18 +267,18 @@ ErrorOr<SerializedFormData> serialize_to_multipart_form_data(Vector<XHR::FormDat
                // For filenames replace any 0x0A (LF) bytes with the byte sequence `%0A`, 0x0D (CR) with `%0D` and 0x22 (") with `%22`
                auto escaped_filename = TRY(escape_line_feed_carriage_return_double_quote(file->name()));
                // Add a `Content-Disposition` header with a `name` set to entry's name and `filename` set to entry's filename.
-                TRY(builder.try_append(TRY(String::formatted("Content-Disposition: form-data; name=\"{}\"; filename=\"{}\"\r\n"sv, escaped_name, escaped_filename))));
+                TRY(builder.try_append(TRY(String::formatted("Content-Disposition: form-data; name=\"{}\"; filename=\"{}\"\r\n", escaped_name, escaped_filename))));
                // The parts of the generated multipart/form-data resource that correspond to file fields must have a `Content-Type` header specified.
-                TRY(builder.try_append(TRY(String::formatted("Content-Type: {}\r\n\r\n"sv, file->type()))));
+                TRY(builder.try_append(TRY(String::formatted("Content-Type: {}\r\n\r\n", file->type()))));
                // FIXME: Serialize the contents of the file.
-                TRY(builder.try_append(TRY(String::formatted("\r\n"sv))));
+                TRY(builder.try_append("\r\n"sv));
                return {};
            },
            [&](String const& string) -> ErrorOr<void> {
                // Replace every occurrence of U+000D (CR) not followed by U+000A (LF), and every occurrence of U+000A (LF) not preceded by U+000D (CR) by a string consisting of a U+000D (CR) and U+000A (LF).
                auto normalized_value = TRY(normalize_line_breaks(string));
                // Add a `Content-Disposition` header with a `name` set to entry's name.
-                TRY(builder.try_append(TRY(String::formatted("Content-Disposition: form-data; name=\"{}\"\r\n\r\n"sv, escaped_name))));
+                TRY(builder.try_append(TRY(String::formatted("Content-Disposition: form-data; name=\"{}\"\r\n\r\n", escaped_name))));
                TRY(builder.try_append(TRY(String::formatted("{}\r\n", normalized_value))));
                return {};
            }));