That reminds my of a own xdg-open I wrote that sits in /usr/local/bin/xdg-open.
It's a simple python script that checks by looking at the protocol, mime type or extension which URL it is and also asks if there are multiple applications
[In the spirit of elucidation, and not general meanness…]
Like jojo14 points out Python has the shlex module, and it is definitely useful in these situations even if just for quote(). And, os.system() is basically never safe with external input. Without proper escaping you're one click from code execution, for example with the input "file:///etc/issue%3Becho%20whoops" or "http://example.com/';echo whoops'".
It doesn't appear to matter in this instance, but you can feed check_output() with the stdin argument, which removes the need for using shell=True. shell=True in other paths could easily lead to unwanted code execution without thorough escaping.
It's a simple python script that checks by looking at the protocol, mime type or extension which URL it is and also asks if there are multiple applications
https://paste.sr.ht/~fossdd/7fa65e10998ebcc03a2bbcc8488f94e9... (CC0)