xdg-open should pass the URL via pipes rather than arguments, for security
For security, xdg-open should pass the URL via pipes rather than arguments, i.e. it should take the URL on the standard input and pass the URL to the browser to its standard input via a pipe (browsers must be fixed to handle that).
The issue with arguments is that, for instance, they are visible with the ps utility, and URLs may contain private or even confidential information.
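
Added example, not part of the original report and not xdg-open code: it checks the exposure described above by handing a constructed URL to a child process once as an argument and once over a pipe, then looking for it in the process listing. The `CHILD` stand-in for a browser, the sample URL and the function names are assumptions made for the illustration.

```python
import os
import subprocess
import sys

# Constructed sample URL carrying a secret in its query string.
URL = "https://example.invalid/reset?token=CONSTRUCTED-SECRET"

# Hypothetical stand-in for a browser: takes the URL from argv[1] if present,
# otherwise from the first line of stdin, then idles until stdin is closed.
CHILD = (
    "import sys\n"
    "url = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.readline().strip()\n"
    "print('ready', flush=True)\n"
    "sys.stdin.read()\n"
)

def visible_cmdline(pid):
    """Return the command line of pid as the process listing (ps) exposes it."""
    proc_path = f"/proc/{pid}/cmdline"
    if os.path.exists(proc_path):
        with open(proc_path, "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    # No /proc available: fall back to asking ps directly.
    out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                         capture_output=True, text=True)
    return out.stdout

def url_exposed(via_argv):
    """Start the stand-in, hand it URL by argv or by pipe, and report whether
    URL appears in the process listing while the child is running."""
    argv = [sys.executable, "-c", CHILD] + ([URL] if via_argv else [])
    child = subprocess.Popen(argv, stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE, text=True)
    try:
        if not via_argv:
            child.stdin.write(URL + "\n")
            child.stdin.flush()
        child.stdout.readline()  # wait until the child has received the URL
        return URL in visible_cmdline(child.pid)
    finally:
        child.stdin.close()      # lets the child's final read() return
        child.stdout.close()
        child.wait()

if __name__ == "__main__":
    print("URL visible when passed as argument:", url_exposed(True))
    print("URL visible when passed via pipe:   ", url_exposed(False))
```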