
Use Python webbrowser module instead of open_url command to prevent arbitrary remote code execution. #55

Open
Thom1729 opened this issue Apr 1, 2018 · 1 comment

Comments

@Thom1729

Thom1729 commented Apr 1, 2018

When a link in a preview is clicked, this package uses the open_url command to open the URL of the link. The intended behavior is to open the link in a web browser. However, when you pass a file:// URL to open_url, this is basically like double-clicking the target of the URL. If the target is (say) a shell script, then that script will run. On some OSes, it is possible to specify file:// URLs referring to unknown remote file shares, and the OS will attempt to connect to the share. As a result, you can create a URL that will execute arbitrary code if you click on the link in the preview.

Instead, this package should use Python's built-in webbrowser module.

@math2001
Owner

Are you sure that this will fix the problem though? From the Python documentation:

Note that on some platforms, trying to open a filename using this function, may work and start the operating system’s associated program. However, this is neither supported nor portable.

And doesn't open_url rely on something like webbrowser underneath (like a C equivalent)?
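Whether the link is handed to open_url or to webbrowser.open, both comments above point at the same underlying problem: a file:// URL (or a scheme-less UNC path) may be passed straight to the operating system's "open this thing" handler. An added example, not code from this package or from either commenter: a small allow-list check that only lets http and https links through to the browser, with the opener injected so it can be tested without launching anything. The names is_safe_link, open_link and ALLOWED_SCHEMES are assumptions for illustration.

```python
import webbrowser
from urllib.parse import urlsplit

# Only these schemes are forwarded to the browser. file://, javascript:,
# mailto:, UNC paths (\\server\share) and scheme-less relative paths are
# all refused, so the OS never gets a chance to "double-click" a file.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_safe_link(url):
    """Return True only if url has an allow-listed scheme and a host part."""
    if not isinstance(url, str):
        return False
    url = url.strip()
    # Control characters never belong in a link and are a common way to
    # confuse parsers; reject them before parsing.
    if any(ord(ch) < 0x20 for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        # e.g. a malformed IPv6 literal such as "http://[::1"
        return False
    # urlsplit lowercases the scheme, so "FILE://..." is caught as well.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # "http:///etc/passwd" has the right scheme but no host; refuse it too.
    if not parts.netloc:
        return False
    return True


def open_link(url, opener=webbrowser.open):
    """Open a preview link in the browser only if it passes is_safe_link.

    Returns True if the link was handed to the opener, False if it was
    refused. The opener is injectable so the check can be exercised
    without actually launching a browser.
    """
    if not is_safe_link(url):
        return False
    opener(url.strip())
    return True


if __name__ == "__main__":
    # Constructed sample links, not taken from any real preview.
    for sample in ("https://example.com/docs",
                   "file:///tmp/payload.sh",
                   "FILE://server/share/payload.sh",
                   r"\\server\share\payload.sh",
                   "javascript:alert(1)"):
        print(sample, "->", "allowed" if is_safe_link(sample) else "refused")
```

The check is deliberately an allow-list rather than a block-list of bad schemes: a new or unusual scheme is refused by default, and the decision is made once, in one place, before any platform-specific opener is involved.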
