Description
Description of the problem: launchUrlString() in url_launcher on Flutter Web executes JavaScript URIs by default. Many apps, for example social media web apps, use url_launcher to open user-provided URLs and links to external web pages. For example https://skyfeed.app/, which is a third-party client for the Bluesky social network. Malicious users can craft a simple JavaScript URI and post it on the network, and then when users see that link and click it, it executes the code directly in the client-side app context. Attackers could use this to steal sensitive data like authentication tokens or act as the currently logged-in user.
Steps you took to reproduce the problem:
- Clone the latest example app of https://pub.dev/packages/url_launcher
- Hook up launchUrlString('javascript:alert(1)'); to a button somewhere
- Run with flutter run -d web-server, open the web app and click the button
- It shows an alert dialog, indicating that the JavaScript was executed
Affected versions: latest and likely all previous ones of https://pub.dev/packages/url_launcher
Any known mitigations:
- checking canLaunchUrlString first, but many apps don't do that (the docs do not indicate that it's required)
- manually checking for javascript: URIs and rejecting them before calling the url_launcher plugin
In my opinion, this behavior is not really intuitive for developers, because they don't expect a "URL launcher" to just execute JavaScript code, especially when it's not mentioned in the README on pub.dev. So developers likely won't expect this attack vector, which can cause a massive risk to users depending on the type of app.
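The second mitigation listed above (rejecting javascript: URIs before handing the string to the plugin) is easier to get right as a scheme allowlist than as a denylist. The following Dart helper is an added example written for this report; it is not code from the url_launcher package or from the issue author. It assumes the app only ever needs to open web, mail and phone links (the kAllowedSchemes set, validateExternalLink and launchExternalLink are hypothetical names chosen here), and it calls the real launchUrl(Uri) API rather than launchUrlString so that validation and launching operate on the same parsed value.

```dart
import 'package:url_launcher/url_launcher.dart';

/// Schemes this app is willing to hand to the platform URL launcher.
/// Assumption: the app only needs web pages, e-mail and phone links.
const Set<String> kAllowedSchemes = {'http', 'https', 'mailto', 'tel'};

/// Returns a validated Uri for [input], or null if it must not be launched.
Uri? validateExternalLink(String input) {
  final text = input.trim();

  // Reject embedded control characters (tab, newline, ...). Browsers strip
  // them while parsing a URL, so a naive substring check for "javascript:"
  // could miss a scheme that has one spliced into it.
  if (text.codeUnits.any((c) => c < 0x20 || c == 0x7f)) return null;

  final uri = Uri.tryParse(text);
  if (uri == null) return null;

  // Uri.scheme is lower-cased by the parser, so 'JavaScript:' is caught too,
  // and a scheme-less (relative) link has an empty scheme and is rejected.
  if (!kAllowedSchemes.contains(uri.scheme)) return null;

  // A host-less http(s) link would resolve relative to the app's own origin.
  if ((uri.scheme == 'http' || uri.scheme == 'https') && uri.host.isEmpty) {
    return null;
  }
  return uri;
}

/// Drop-in replacement for launchUrlString when the link is user-supplied.
/// Returns false without touching the platform launcher for rejected input.
Future<bool> launchExternalLink(String input) async {
  final uri = validateExternalLink(input);
  if (uri == null) return false; // e.g. 'javascript:alert(1)' stops here
  return launchUrl(uri, mode: LaunchMode.externalApplication);
}
```

Wire a button to launchExternalLink(link) instead of launchUrlString(link); a rejected link simply returns false, so the UI can show a "link not allowed" notice instead of silently doing nothing. Using an allowlist means any scheme not yet considered (data:, vbscript:, custom app schemes) is refused by default, which is the behaviour a user-generated-content client wants.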