package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "twitch-vod-manager",
-  "version": "4.6.61",
+  "version": "4.6.60",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "twitch-vod-manager",
-      "version": "4.6.61",
+      "version": "4.6.60",
       "license": "MIT",
       "dependencies": {
         "axios": "^1.6.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "twitch-vod-manager",
-  "version": "4.6.61",
+  "version": "4.6.60",
   "description": "Twitch VOD Manager - Download Twitch VODs easily",
   "main": "dist/main.js",
   "author": "xRangerDE",

src/main.ts

@@ -6975,20 +6975,7 @@ ipcMain.handle('install-update', () => {
 });
 
 ipcMain.handle('open-external', async (_, url: string) => {
-    // Only allow https / http URLs — never let the renderer push a
+    await shell.openExternal(url);
-    // file://, javascript:, or shell:-style URL through to the OS
-    // shell.openExternal handler. The renderer is contextIsolated +
-    // nodeIntegration: false, but an XSS through (e.g.) a streamer name
-    // smuggling a payload into a template would otherwise hand the
-    // attacker shell.openExternal which on Windows happily resolves
-    // file:///C:/Windows/System32/calc.exe.
-    if (typeof url !== 'string') return;
-    const trimmed = url.trim();
-    if (!/^https?:\/\//i.test(trimmed)) {
-        appendDebugLog('open-external-rejected', { url: trimmed.slice(0, 200) });
-        return;
-    }
-    await shell.openExternal(trimmed);
 });
 
 // Tracks active standalone clip downloads so cancel-download / window-all-closed