LibWeb: Cap HTML dimension values at 17895700 (same as Firefox)

Instead of allowing arbitrarily large values (which could eventually
overflow an i32), let's just cap them at the same limit as Firefox does.

Found by Domato.

Tests/LibWeb/Text/expected/HTML/maxed-out-dimension-value.txt

@@ -0,0 +1 @@
+   Image height: 17895700

Tests/LibWeb/Text/input/HTML/maxed-out-dimension-value.html

@@ -0,0 +1,9 @@
+<img height="2147483647">
+<script src="../include.js"></script>
+<script>
+    test(() => {
+        let img = document.querySelector("img");
+        println("Image height: " + img.offsetHeight);
+        img.remove();
+    });
+</script>

Userland/Libraries/LibWeb/HTML/Parser/HTMLParser.cpp

@@ -4691,13 +4691,16 @@ RefPtr<CSS::StyleValue> parse_dimension_value(StringView string)
         number_string.append(*position);
         ++position;
     }
-    auto integer_value = number_string.string_view().to_number<int>();
+    auto integer_value = number_string.string_view().to_number<double>();
+
+    // NOTE: This is apparently the largest value allowed by Firefox.
+    static float max_dimension_value = 17895700;
+
+    float value = min(*integer_value, max_dimension_value);
 
     // 6. If position is past the end of input, then return value as a length.
     if (position == input.end())
-        return CSS::LengthStyleValue::create(CSS::Length::make_px(*integer_value));
-
-    float value = *integer_value;
+        return CSS::LengthStyleValue::create(CSS::Length::make_px(CSSPixels(value)));
 
     // 7. If the code point at position within input is U+002E (.), then:
     if (*position == '.') {