* Open `url` in the user's default browser without going through a shell. * Using execFile/spawn (not exec) avoids shell-injection via crafted URLs (#79).
(url: string)
| 122 | * Using execFile/spawn (not exec) avoids shell-injection via crafted URLs (#79). |
| 123 | */ |
| 124 | function openBrowser(url: string): void { |
| 125 | // eslint-disable-next-line @typescript-eslint/no-require-imports |
| 126 | const { execFile, spawn } = require('child_process') as typeof import('child_process'); |
| 127 | if (process.platform === 'darwin') { |
| 128 | execFile('open', [url]); |
| 129 | } else if (process.platform === 'win32') { |
| 130 | spawn('cmd.exe', ['/c', 'start', '', url], { shell: false, detached: true }); |
| 131 | } else { |
| 132 | execFile('xdg-open', [url]); |
| 133 | } |
| 134 | } |