The clickable "Current URL" link generated by AdminURLFieldWidget displayed the
provided value without validating it as a safe URL. Thus, an unvalidated value stored
in the database, or a value provided as a URL query parameter payload, could result
in an clickable JavaScript link..
jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution. If an unsanitized source object contained an enumerable __proto__ property,
it could extend the native Object.prototype.