Re: Arbitrary shell command injection in lilypond-invoke-editor

2017-11-22 Thread Gabriel Corona
> That means: There only is a real and severe security problem if
> lilypond-invoke-editor is installed to handle non-textedit URIs.
>
> Does anybody do that? Probably not.
>
> I think we simply should nuke run-browser and do nothing
> if lilypond-invoke-editor is called with a non-textedit URI.

Arbitrary shell command injection in lilypond-invoke-editor

2017-11-14 Thread Gabriel Corona
Hi,

I reported this bug on sensible-browser:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881767

The summary is that some specially crafted URIs might lead to the injection of arbitrary arguments when calling the browser.

As mentioned in the bug report, I found other software having this