use Win32::FileOp qw(ShellExecute);
ShellExecute("http://www.google.com?foo=1&bar=2");
[download]

Hello Jenda,

ShellExecute does the job nicely, and Win32::FileOp looks to be a useful module.

Unfortunately, when I tried to install it on my system (Windows 8.1, 64-bit), I got a gmake error similar to the one reported in Bug #71759. XLAT’s fork on GitHub (version “0.16.03”) fixed the problem for me. I note that although the status for Bug #71759 is “open,” it is also marked as “Fixed in: 0.16.02,” which would seem to be incorrect.

Just a heads-up,

Athanasius <°(((>< contra mundum

Iustus alius egestas vitae, eros Piratica,

Thank you for your help, and expecially for pointing to Win32::ShellQuote that I was not aware of. I found that having Browser::Open this shortcoming, the easiest solution for my case is the following script I found here. It just works, and for the moment I do not see any drawback:

sub openurl {
  my $url = shift;
  my $platform = $^O;
  my $cmd;
  if    ($platform eq 'darwin')  { $cmd = "open \"$url\"";       }  # 
+OS X
  elsif ($platform eq 'MSWin32' or $platform eq 'msys') { $cmd = "star
+t \"\" \"$url\""; } # Windows native or MSYS / Git Bash
  elsif ($platform eq 'cygwin')  { $cmd = "cmd.exe /c start \"\" \"$ur
+l \""; } # Cygwin; !! Note the required trailing space.
  else { $cmd = "xdg-open \"$url\""; }  # assume a Freedesktop-complia
+nt OS, which includes many Linux distros, PC-BSD, OpenSolaris, ...
  if (system($cmd) != 0) {
    die "Cannot locate or failed to open default browser; please open 
+'$url' manually.";
  }
}
[download]

Make sure you trust the source of the URLs. Otherwise it's still a shell injection: try passing a $url = q["$(touch ~/hello.txt)"] if you're on Linux or maybe $url = q["&calc&"] on Windows (not sure about the CMD syntax, but it's definitely possible to construct a string that would cause a command to be run when wrapped in double quotes).

Thank you for pointing me to this threat. In this case my script generates the URLs, so it should be fine.