The openExternal API of Electron's shell module enables the use of the desktop's native utilities to open a protocol URI.
If it is not used carefully, the openExternal method can be abused to compromise your application: when invoked with untrusted content, it can be exploited to run arbitrary commands.
const { shell } = require('electron')
// Vulnerable pattern: a value taken directly from the request body is handed to
// the operating system's URL handler without any validation.
app.post('/', (req, res) => {
// `url` is attacker-controlled: nothing checks that it is a string, that it
// parses as a URL, or that its scheme is one the application intends to open.
const url = req.body.url;
// The OS picks the handler from the scheme, so an unexpected scheme can reach
// an unexpected program; validate before this call (see the sanitized example).
shell.openExternal(url); // unsanitized content used with `openExternal`
});
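const { shell } = require('electron')

// Schemes the OS may be asked to open on behalf of a request. Anything not
// listed here is refused before it ever reaches the shell.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:'])

/**
 * Accept a request-supplied URL only when it is a non-empty string that parses
 * as an absolute URL with an allow-listed scheme.
 * @param {unknown} rawUrl - value taken from the request body, not trusted
 * @returns {string | null} the normalized URL, or null when the input is rejected
 */
function sanitize(rawUrl) {
  if (typeof rawUrl !== 'string' || rawUrl.trim() === '') return null
  let parsed
  try {
    parsed = new URL(rawUrl)
  } catch {
    return null // relative or malformed input is not something to open externally
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null
}

app.post('/', (req, res) => {
  const url = req.body.url
  const safeUrl = sanitize(url)
  if (safeUrl === null) {
    // Reject explicitly; never fall back to opening the raw value.
    res.status(400).send('URL rejected')
    return
  }
  shell.openExternal(safeUrl) // sanitized content used with `openExternal`
})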