Validate URLs before opening in url_opener

[dvoraj75]

Context

url_opener.open_url() passes its argument directly to XDG portal / xdg-open without scheme validation. A malformed PR URL from the API could open arbitrary schemes.

Task

Restrict to https:// (or http:///https://). Reject anything else.

Severity: HIGH
Source: Code review H2