From 726d3995f437bd4c4c367cc503b90b9aa0bbfa45 Mon Sep 17 00:00:00 2001
From: SomberNight
Date: Wed, 25 Mar 2026 18:54:13 +0000
Subject: [PATCH] qt gui: more defensive 'gui' RPC (i.e. URI) handling
---
 electrum/gui/qt/__init__.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/electrum/gui/qt/__init__.py b/electrum/gui/qt/__init__.py
index 9c151542c..38a8a95b6 100644
--- a/electrum/gui/qt/__init__.py
+++ b/electrum/gui/qt/__init__.py
@@ -439,6 +439,14 @@ class ElectrumGui(BaseElectrumGui, Logger):
 window.activateWindow()
 if uri:
 window.show_send_tab()
+ # Handle URI defensively - local attacker with access to RPC server and config file could get here:
+ # - tell user something happened
+ window.notify(_("Updated 'Pay To' field to handle external URI"))
+ # - clear all fields in Send tab:
+ # - perhaps user was just filling out the fields, trying to make another payment.
+ # e.g. if the given URI does not have an amount, we should clear the amount field
+ window.send_tab.do_clear()
+ # - update "Pay To" field (and maybe others)
 window.send_tab.set_payment_identifier(uri)
 return window
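Review bot: The `window.notify(...)` call runs before `window.send_tab.do_clear()` and `window.send_tab.set_payment_identifier(uri)`, so the user is told the 'Pay To' field was updated even if the URI is later rejected, and the message never says that the other Send-tab fields were wiped. I would move the notification after `set_payment_identifier(uri)` so it reflects what actually happened. Because the comment names a local party reaching the RPC server as the concern, a durable trace is also worth adding next to it, e.g. `self.logger.info("send tab cleared and repopulated from externally supplied URI")`, since a transient notification is easy to miss and how `notify` behaves on each platform is not visible here. Keep the URI itself out of the log line, as it can carry the address, amount and label. The enclosing method starts and ends outside the hunk, so the availability of `self.logger` (suggested by the `Logger` base class) and any later validation of the URI are inferred.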