Validate the URLs before opening them, prompt user confirmation when opening untrusted domains

### Describe the request

This feature request is based on https://github.com/arduino/arduino-ide/pull/2027#pullrequestreview-1416931822.

External library contributors can specify any meaningful content for a library, including URLs. IDE2 renders these links on the UI, and the URL links are clickable, but IDE2 cannot guarantee anything regarding the links. For example, VS Code asks the user before opening a link not among the trusted domains. It's still possible to open untrusted URLs from Code without user confirmation, though, so it could be better. IDE2 opens every link without asking.

Acceptance criteria:
 - IDE2 should validate the URLs before opening them in the users' default browser.
 - IDE2 should raise a confirmation dialog when opening untrusted (other than arduino.cc) URLs to prevent users from landing on an undesired page.

### Describe the current behavior

IDE2 opens any links in the default browser without prompting the user.

### Arduino IDE version

2.1.0

### Operating system

macOS

### Operating system version

12.6.3

### Additional context

Related links and best practices:
 - https://benjamin-altpeter.de/shell-openexternal-dangers
 - https://positive.security/blog/url-open-rce
 - [Here](https://code.visualstudio.com/docs/editor/workspace-trust) is the corresponding VS Code documentation.
 - [Here](https://github.com/microsoft/vscode/blob/a54b497150197f773f485038f44af02772c5a016/src/vs/workbench/contrib/url/browser/trustedDomains.ts) is how VS Code handles trusted domains at the code level.
 - Eclipse Theia: [vscode: Support trusted commands in markdown and webviews](https://github.com/eclipse-theia/theia/issues/12079)
 - Eclipse Theia: [[vscode] Implement full Workspace Trust behavior](https://github.com/eclipse-theia/theia/issues/12318)


> IDE2 renders these links on the UI, and the URL links are clickable

The Arduino security team has suggested not to render a link on the UI clickable if the URL scheme is not `http`, `https`, or `mailto`.

Suggested pseudo code:
```
// examples:
// external_url_string = "https://maliciouswebsite/"
// external_url_string = "sftp://1.1.1.1"

...
// in general, i prefer call native parser instead implement regex, i consider it safer and more readable
parsed_url_obj = URL(external_url_string) 

if (parsed_url.protocol == 'https' or parsed_url.protocol == 'http' or parsed_url.protocol == 'mailto'){
    // the URL is acceptable, ask confirmation to user
    OpenConfirmDialog(...,"_blank",callback(...))
} else {
    // render it as not clickable string
}
...
```

### Issue checklist

- [X] I searched for previous requests in [the issue tracker](https://github.com/arduino/arduino-ide/issues?q=)
- [X] I verified the feature was still missing when using the latest [nightly build](https://www.arduino.cc/en/software#nightly-builds)
- [X] My request contains all necessary details

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Validate the URLs before opening them, prompt user confirmation when opening untrusted domains #2056

Describe the request

Describe the current behavior

Arduino IDE version

Operating system

Operating system version

Additional context

Issue checklist

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Validate the URLs before opening them, prompt user confirmation when opening untrusted domains #2056

Description

Describe the request

Describe the current behavior

Arduino IDE version

Operating system

Operating system version

Additional context

Issue checklist

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions