I disagree that clicking a hyperlink is not bad. If you have a determined attacker with some 0-days up their sleeves, simply opening a hyperlink may result in arbitrary code execution.

See an example from last summer: https://blog.coinbase.com/responding-to-firefox-0-days-in-th...