LibWeb: Don't crash when cloning a CDATASection node

Tests/LibWeb/Text/expected/DOM/CDATASection-cloneNode.txt

@@ -0,0 +1 @@
+Cloned CDATASection node data: PASS

Tests/LibWeb/Text/input/DOM/CDATASection-cloneNode.html

@@ -0,0 +1,9 @@
+<script src="../include.js"></script>
+<script>
+    test(() => {
+        const xmlDocument = new DOMParser().parseFromString(`<xml></xml>`, "application/xml");
+        const cdata = xmlDocument.createCDATASection("PASS");
+        const clone = cdata.cloneNode();
+        println(`Cloned CDATASection node data: ${clone.data}`);
+    });
+</script>

Userland/Libraries/LibWeb/DOM/Node.cpp

@@ -978,12 +978,14 @@ WebIDL::ExceptionOr<JS::NonnullGCPtr<Node>> Node::clone_node(Document* document,
         // Set copy’s namespace, namespace prefix, local name, and value to those of node.
         auto& attr = static_cast<Attr&>(*this);
         copy = attr.clone(*document);
-    } else if (is<Text>(this)) {
+    }
+    // NOTE: is<Text>() currently returns true only for text nodes, not for descendant types of Text.
+    else if (is<Text>(this) || is<CDATASection>(this)) {
         // Text
-        auto text = verify_cast<Text>(this);
+        auto& text = static_cast<Text&>(*this);
 
         // Set copy’s data to that of node.
-        auto text_copy = heap().allocate<Text>(realm(), *document, text->data());
+        auto text_copy = heap().allocate<Text>(realm(), *document, text.data());
         copy = move(text_copy);
     } else if (is<Comment>(this)) {
         // Comment