
About Licenses display changes + revise license URL return method to improve security #4731

Merged

Conversation

LianaHarris360 (Member):

Summary

Description of the change(s) you made

This pull request is a new version of #4716. It now includes a check to ensure that the hostname of a URL is within an array of approved hosts. This is in response to CodeQL's feedback of incomplete URL substring sanitization because 'creativecommons.org' can be anywhere in the URL, and arbitrary hosts may come before or after it.

Screenshots (if applicable)

[Screenshot: AboutLicense]
Reviewer guidance

Are there any risky areas that deserve extra testing?

Ensure that clicking on "Learn More" in the About Licenses section correctly directs the user to the specified URL.


Contributor's Checklist

PR process:

  • If this is an important user-facing change, the CHANGELOG label has been added to this PR or the related issue. Note: items with this label will be added to the CHANGELOG at a later time
  • If this includes an internal dependency change, a link to the diff is provided
  • The docs label has been added if this introduces a change that needs to be updated in the user docs
  • If any Python requirements have changed, the updated requirements.txt files are also included in this PR
  • Opportunities for using Google Analytics here are noted
  • Migrations are safe for a large db

Studio-specific:

  • All user-facing strings are translated properly
  • The notranslate class been added to elements that shouldn't be translated by Google Chrome's automatic translation feature (e.g. icons, user-generated text)
  • All UI components are LTR and RTL compliant
  • Views are organized into pages, components, and layouts directories as described in the docs
  • Users' storage used is recalculated properly on any changes to main tree files
  • If there are new ways this uses user data that need to be factored into our Privacy Policy, it has been noted.

Testing:

  • Code is clean and well-commented
  • Contributor has fully tested the PR manually
  • If there are any front-end changes, before/after screenshots are included
  • Critical user journeys are covered by Gherkin stories
  • Any new interactions have been added to the QA Sheet
  • Critical and brittle code paths are covered by unit tests

Reviewer's Checklist

This section is for reviewers to fill out.

  • Automated test coverage is satisfactory
  • PR is fully functional
  • PR has been tested for accessibility regressions
  • External dependency files were updated if necessary (yarn and pip)
  • Documentation is updated
  • Contributor is in AUTHORS.md
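The hostname allow-list check the description refers to, as an added example that is not the Studio project's code: it puts the substring test CodeQL flags next to a hardened `getLicenseUrl` that parses the URL, matches the exact hostname against an approved list and wraps the parse in the `try...catch` raised in review. The host list, the fallback URL, the https-only rule and the sample entries are assumptions.

```javascript
// Added example (not the Studio project's code): the hostname allow-list
// check described in the PR, beside the substring check CodeQL flagged.
// APPROVED_LICENSE_HOSTS, FALLBACK_URL, the https-only rule and the sample
// inputs are assumptions made for this demonstration.
const APPROVED_LICENSE_HOSTS = ["creativecommons.org", "www.creativecommons.org"];
const FALLBACK_URL = "https://creativecommons.org/licenses/";

// The pattern CodeQL reports as "incomplete URL substring sanitization":
// "creativecommons.org" can sit in a subdomain, the path, or the userinfo
// of a URL whose real host is something else entirely.
function substringCheck(licenseUrl) {
  return typeof licenseUrl === "string" && licenseUrl.includes("creativecommons.org");
}

// Hardened version: parse with the URL constructor, require https, and
// compare the exact hostname against the allow-list. new URL() throws a
// TypeError on null, empty or relative input, so the try...catch returns a
// safe fallback instead of breaking the component.
function getLicenseUrl(license) {
  try {
    const url = new URL(license.license_url);
    if (url.protocol !== "https:") return FALLBACK_URL;
    if (!APPROVED_LICENSE_HOSTS.includes(url.hostname)) return FALLBACK_URL;
    return url.href;
  } catch (e) {
    // TypeError from new URL(), or license itself was null/undefined
    return FALLBACK_URL;
  }
}

// Constructed sample entries covering the cases the substring check gets wrong.
const SAMPLES = [
  { license_url: "https://creativecommons.org/licenses/by/4.0/" }, // legitimate
  { license_url: "https://creativecommons.org.example.net/" },    // host after
  { license_url: "https://example.net/creativecommons.org" },     // host before
  { license_url: "https://creativecommons.org@example.net/" },    // in userinfo
  { license_url: "" },                                            // empty entry
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s.license_url), "substring:", substringCheck(s.license_url),
    "hardened:", getLicenseUrl(s));
}
```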

this.showAboutLicense = !this.showAboutLicense;
},
getLicenseUrl(license) {
const url = new URL(license.license_url);
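Review bot: `new URL(license.license_url)` throws a TypeError when license_url is null, empty or not an absolute URL, so this line needs a try...catch (or an early guard) that returns a safe fallback rather than letting the component fail; since the description says one entry is not a URL, that path is reachable. The approved-host comparison that follows should be an exact match on `url.hostname` against the array, not another substring test, and it is worth also rejecting non-http(s) schemes before handing the value to an href.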
@akolson akolson (Member) commented on Sep 13, 2024:

Hi @LianaHarris360, is the license.license_url a guaranteed non-null, non-empty URL string? If not, it might be worthwhile adding a try...catch to prevent any failures.

Otherwise the rest of the change seems logical to me and fixes the issue with CodeQL. We should be good to merge this back to unstable once the above question is clarified.

Thanks

LianaHarris360 (Member, Author) replied:

It would be good to include a try...catch here, thanks for pointing this out! All entries, with the exception of one, are guaranteed to be non-empty URL strings.

@akolson akolson (Member) left a comment:

LGTM! Thanks @LianaHarris360. Merging this in light of the successful review done on #4716

@akolson akolson merged commit eeffb7c into learningequality:unstable Sep 13, 2024
13 checks passed