Security: Top level navigation to data URI is not being blocked. #7612

@gojo-satorou-v7

Describe the bug

Top-level navigation to data URIs has been blocked by every browser (including DuckDuckGo); however, because the exported activity does not block the data scheme, it can be launched through another application.

The activity `SelectedTextSearchActivity` does not filter/sanitize data URI schemes, allowing top-level navigation to a data URI, which can result in GET- and POST-based CSRF, phishing, and other vulnerabilities.

How to Reproduce

  1. Run the command in adb shell:

     ```
     adb shell am start -a android.intent.action.PROCESS_TEXT -t text/plain --es android.intent.extra.PROCESS_TEXT "data://text/html,<script>alert(3)</script>" -n com.duckduckgo.mobile.android/com.duckduckgo.app.SelectedTextSearchActivity
     ```

  2. Notice the app loads the URI scheme `data://text/html,<script>alert(3)</script>`

Note: adb shell is just being used to trigger the activity; it can be launched by a third-party app too.

Expected behavior

It should either result in the text being passed as a search term to the DuckDuckGo search engine (as it is with the `javascript:` scheme) or simply not execute the scheme contents (even returning it as text/plain is safer).

Environment

Latest
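
The expected behaviour described in the report, sketched as an added example (not part of the original issue and not DuckDuckGo's code): an allowlist check on the `PROCESS_TEXT` value that lets only `http`/`https` navigate and treats everything else, including `data:`, as a search term. `classifyProcessText`, `TextAction` and `NAVIGABLE_SCHEMES` are hypothetical names.

```kotlin
import java.net.URI

// Added example: hypothetical names, not taken from the DuckDuckGo code base.
sealed class TextAction {
    data class Navigate(val url: String) : TextAction()
    data class Search(val query: String) : TextAction()
}

// Only these schemes may trigger a top-level navigation from untrusted text.
private val NAVIGABLE_SCHEMES = setOf("http", "https")

// RFC 3986 scheme syntax, followed by ':'.
private val SCHEME = Regex("^([A-Za-z][A-Za-z0-9+.-]*):")

private fun hasHost(url: String): Boolean =
    runCatching { URI(url).host != null }.getOrDefault(false)

fun classifyProcessText(raw: String?): TextAction {
    val text = raw?.trim().orEmpty()
    // WHATWG URL parsing drops ASCII tab/CR/LF, so classify the same string
    // a URL loader would see rather than the raw extra.
    val normalized = text.filterNot { it == '\t' || it == '\n' || it == '\r' }
    val scheme = SCHEME.find(normalized)?.groupValues?.get(1)?.lowercase()
    return if (scheme != null && scheme in NAVIGABLE_SCHEMES && hasHost(normalized)) {
        TextAction.Navigate(normalized)
    } else {
        // data:, javascript:, file:, content:, intent: and anything unparsable
        // are handed to the search engine as plain text, never loaded.
        TextAction.Search(text)
    }
}

fun main() {
    // Constructed inputs; the first is the value from the report.
    val samples = listOf(
        "data://text/html,<script>alert(3)</script>",
        "DATA:text/html,hello",
        "javascript:alert(1)",
        "https://example.com/path",
        "some selected words",
        null,
    )
    for (s in samples) println("$s -> ${classifyProcessText(s)}")
}
```

Because the check is an allowlist, a scheme nobody thought to list fails closed into a search query instead of being loaded.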
