The modals in the Security Reports and License Management simply exposed
urls as link href's without proper sanitation.

They now use a proper Vue component `<safe-link>` which only renders a
link if the href is an absolute http or https link. It falls back to a
<span> if the link contains something else.