I can put any string inside "link" field, and that field is displayed as-is on the front-end.
This can generate bad user experience and security issue (potential XSS attack)