The ValueError message interpolates the raw URL, which can include control characters/newlines and makes logs/debug output ambiguous. Consider using a safer/clearer representation (e.g.,url!r) and/or a message that specifically calls out “URLs must not start with '-' after leading whitespace”.

_check_url() is only effective when each browser implementation calls it. CurrentlyMacOSXOSAScript.open() andGrail.open() do not call_check_url(), so on macOS (default controller) and when Grail is available,webbrowser.open() can still accept leading-dash values. If the intent is to reject leading dashes for allwebbrowser.open() calls, add_check_url() calls to those implementations (or enforce the check once in the module-levelopen() function).

The new test only exercisesGenericBrowser.open(), but this change also adds_check_url() calls in several other controllers (e.g.,BackgroundBrowser,UnixBrowser,Konqueror, and platform-specific implementations). Consider adding a small parametrized test (or a mixin-based loop) to assert that each affectedbrowser_class.open() rejects leading-dash inputs, so the security behavior is covered across implementations.