OS command injection on windows when opening urls

[tripodsan]

it is possible to run os commands when opening urls, eg:

open('https://$(calc.exe)')

opens the default browser, but als runs calc.exe

expected

the url argument should be sufficiently escaped when invoking powershell so that this vulnerability cannot be exploited.

[sindresorhus]

From the readme:

This package does not make any security guarantees. If you pass in untrusted input, it's up to you to properly sanitize it.

It's almost impossible to make it entirely secure. That being said, I'm happy to merge pull requests to improve the escaping logic.