Fix fix for CVE 2026-4519

A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
the dash-prefix safety check.

https://github.com/python/cpython/pull/148517

Index: Lib/test/test_webbrowser.py
--- Lib/test/test_webbrowser.py.orig
+++ Lib/test/test_webbrowser.py
@@ -118,6 +118,15 @@ class ChromeCommandTest(CommandTestMixin, unittest.Tes
                        arguments=[URL],
                        kw=dict(new=999))
 
+    def test_reject_action_dash_prefixes(self):
+        browser = self.browser_class(name=CMD_NAME)
+        with self.assertRaises(ValueError):
+            browser.open('%action--incognito')
+        # new=1: action is "--new-window", so "%action" itself expands to
+        # a dash-prefixed flag even with no dash in the original URL.
+        with self.assertRaises(ValueError):
+            browser.open('%action', new=1)
+
 
 class EdgeCommandTest(CommandTestMixin, unittest.TestCase):
 
