Gavin Andresen - 2011-11-14 18:51:10

Spesmilo has supported URIs for months. The Satoshi client devs don't want to.
Huh what?  Version 0.5 supports drag-and-drop of bitcoin: URIs. And there's a pull request pending for click-to-pay support.

Security. Shortly after the first URI usage will be the first URI malware.  Likely not something that should be rushed into.  Of course it is open source so you can make a URI capable client.
If the URI is only used in a user-mediated way, i.e., you click a payment button, and get a dialog from your client, then where is the security problem? Or do you mean script injection of some sort? Sanitizing the URI inputs shouldn't be too difficult… or am I missing something here?

One fear is bitcoin-address-rewriting malware, like the URL-rewriting phishing malware we have today. Actually, combining the two would be very effective (direct the user to a phishing site where all the bitcoin: URIs pay or donate to the scammers). We need better ways users can be certain they are paying who they think they are paying.
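
The input sanitizing asked about in the thread, as an added example that is not part of any post above or of any client's code: a strict parser that turns a bitcoin: URI into the fields a payment dialog would show. The `amount` and `label` parameter names, the length limits and the policy of rejecting unknown parameters are assumptions of this example; note that a valid checksum only catches typos and corruption and says nothing about who owns the address, which is the rewriting concern in the last reply.

```python
import hashlib
import re
from decimal import Decimal
from urllib.parse import urlsplit, parse_qsl

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58check_decode(addr):
    """Return the 21-byte payload (version + hash160) or raise ValueError."""
    n = 0
    for ch in addr:
        if ch not in B58:
            raise ValueError("non-Base58 character in address")
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    payload, check = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    if len(raw) != 25 or digest[:4] != check:
        raise ValueError("bad address length or checksum")
    return payload

def parse_bitcoin_uri(uri):
    """Strictly parse a bitcoin: URI into the fields a payment dialog shows."""
    if len(uri) > 512 or not uri.isprintable():
        raise ValueError("URI too long or contains control characters")
    parts = urlsplit(uri)
    if parts.scheme != "bitcoin" or parts.netloc or parts.fragment:
        raise ValueError("not a plain bitcoin: URI")
    b58check_decode(parts.path)  # rejects typos and corruption, not a swapped address
    fields = {"address": parts.path, "amount": None, "label": None}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # Policy assumed for this example: refuse anything the dialog would not show.
        if key not in ("amount", "label") or fields[key] is not None:
            raise ValueError(f"unknown or repeated parameter: {key!r}")
        fields[key] = value
    if fields["amount"] is not None:
        if not re.fullmatch(r"[0-9]{1,8}(\.[0-9]{1,8})?", fields["amount"]):
            raise ValueError("amount must be plain decimal BTC")
        fields["amount"] = Decimal(fields["amount"])
        if fields["amount"] == 0:
            raise ValueError("amount must be positive")
    label = fields["label"]
    if label is not None and (len(label) > 64 or not label.isprintable()):
        raise ValueError("label too long or contains control characters")
    return fields

# Constructed sample: version byte 0x00 followed by twenty zero bytes.
SAMPLE_URI = "bitcoin:1111111111111111111114oLvT2?amount=0.5&label=Donation"
```

A client would display the returned address in full, together with the amount and label, and wait for the user to confirm before building a transaction.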