CVE-2025-48883:
Chrome PHP is missing encoding in `CssSelector`

CVSS Score: 5.3 (CVSS v4.0)

Basic Information

EPSS Score: 0.20128%
Published: 5/28/2025
Updated: 5/30/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name        Ecosystem   Vulnerable Versions   First Patched Version
chrome-php/chrome   composer    < 1.14.0              1.14.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability lies in the CssSelector class within the chrome-php/chrome library, specifically in how CSS selector expressions provided by the user were handled. The commit 34b2b8d1691f4e3940b1e1e95d388fffe81169c8 clearly shows the fix.

Before the patch:

  1. The __construct method stored the raw CSS selector expression.
  2. The expressionCount and expressionFindOne methods directly interpolated this raw expression into JavaScript code strings using sprintf with "%s".

This direct interpolation, with no encoding or sanitization, meant that a crafted CSS selector containing special characters (for example a double quote or a `</script>` sequence) could terminate the intended JavaScript string literal and inject arbitrary JavaScript, leading to a Cross-Site Scripting (XSS) vulnerability.

The patch addresses this by encoding the expression using json_encode with appropriate flags (JSON_UNESCAPED_SLASHES, JSON_UNESCAPED_UNICODE, JSON_THROW_ON_ERROR) in the constructor. The methods expressionCount and expressionFindOne then use this pre-encoded expression, ensuring that any special characters are safely escaped before being embedded in the JavaScript context. The vulnerable functions are those that handled or used the unencoded expression: the constructor where it was stored, and the two methods that used it to generate JavaScript.
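The two patterns described above, side by side, as an added example (this is not chrome-php/chrome's own code; the class names, the JavaScript templates and the sample selector are assumptions made for illustration, and the code assumes PHP 8). The first class mirrors the pre-1.14.0 behaviour of storing the raw expression and interpolating it with sprintf("%s"); the second mirrors the fix of encoding the expression once, in the constructor, with json_encode and the flags named in the advisory.

```php
<?php
declare(strict_types=1);

// Added example, not the library's code. Class names and JS templates are
// assumptions; only the method names and the json_encode flags come from
// the advisory.

// Pre-fix pattern: the raw selector is stored and later dropped into a
// JavaScript string literal via sprintf("%s"). Any quote in the selector
// ends the literal early and whatever follows is parsed as JavaScript.
final class UnencodedCssSelector
{
    public function __construct(private string $expression) {}

    public function expressionCount(): string
    {
        return sprintf('document.querySelectorAll("%s").length', $this->expression);
    }

    public function expressionFindOne(): string
    {
        return sprintf('document.querySelector("%s")', $this->expression);
    }
}

// Fixed pattern: the selector is encoded once as a JSON string literal,
// which is also a valid JavaScript string literal (quotes, backslashes and
// control characters are escaped). The methods then embed the already
// encoded value, so the expression can never close the surrounding quotes.
final class EncodedCssSelector
{
    private string $encoded;

    public function __construct(string $expression)
    {
        $this->encoded = json_encode(
            $expression,
            JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
        );
    }

    public function expressionCount(): string
    {
        return sprintf('document.querySelectorAll(%s).length', $this->encoded);
    }

    public function expressionFindOne(): string
    {
        return sprintf('document.querySelector(%s)', $this->encoded);
    }
}

// Constructed input: an ordinary attribute selector that happens to contain
// double quotes. No attack payload is needed to see the difference.
$selector = 'a[title="home"]';

echo (new UnencodedCssSelector($selector))->expressionFindOne(), PHP_EOL;
echo (new EncodedCssSelector($selector))->expressionFindOne(), PHP_EOL;
```

Run with `php example.php`. The first line printed contains a string literal that is closed at the inner `"` of the selector, which is exactly the breakout the advisory describes; the second line prints the same selector with its quotes escaped as `\"`, so the whole expression stays inside one literal. Two design points worth noting: `JSON_THROW_ON_ERROR` turns malformed input (for example invalid UTF-8) into an exception instead of silently yielding `false`, and `JSON_UNESCAPED_SLASHES` is only safe because the generated JavaScript is sent to the browser directly rather than embedded inside an HTML `<script>` element, where an unescaped `</script>` would still be a problem.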

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

### Impact

CSS Selector expressions are not properly encoded, which can lead to XSS (cross-site scripting) vulnerabilities.

### Patches

This is patched in v1.14.0.

### Workarounds

Users can apply encoding manually to their selectors, if they are

Reasoning

The vulnerability lies in the `CssSelector` class within the `chrome-php/chrome` library, specifically in how CSS selector expressions provided by the user were handled. The commit `34b2b8d1691f4e3940b1e1e95d388fffe81169c8` clearly shows the fix.