$NetBSD$

 2008-01-24 Kevin Krammer <kevin.krammer@gmx.at>
     * Fixing security issue in xdg-email and xdg-open at replacing
       parameter in $BROWSER
(and modifies to sync 1.1.0-rc1 to be safe with some shells)

--- scripts/xdg-open.orig	2007-06-25 04:58:01.000000000 +0900
+++ scripts/xdg-open	2011-04-05 23:29:05.000000000 +0900
@@ -364,7 +364,8 @@
     for browser in $BROWSER; do
         if [ x"$browser" != x"" ]; then
 
-            browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
+            IFS=' '
+            browser_with_arg=${browser//'%s'/"$1"}
 
             if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
             else $browser_with_arg;
@@ -406,13 +407,17 @@
 detectDE
 
 if [ x"$DE" = x"" ]; then
-    # if BROWSER variable is not set, check some well known browsers instead
-    if [ x"$BROWSER" = x"" ]; then
-        BROWSER=firefox:mozilla:netscape
-    fi
     DE=generic
 fi
 
+# if BROWSER variable is not set, check some well known browsers instead
+if [ x"$BROWSER" = x"" ]; then
+    BROWSER=links2:links:lynx:w3m
+    if [ -n "$DISPLAY" ]; then
+        BROWSER=firefox:mozilla:epiphany:konqueror:chromium-browser:google-chrome:$BROWSER
+    fi
+fi
+
 case "$DE" in
     kde)
     open_kde "$url"