This results in a stored cross-site scripting (XSS) vulnerability exploitable only by attackers with Overall/Administer permission.
We don't consider it a security vulnerability, because you need administer permission to exploit it and as an administer you can already do all the impact of a XSS.
- Escape the variable with Functions.htmlAttributeEscape() to avoid getting out of href's context
- Make sure the variable is a valid url, eg. starting with HTTP or HTTPs