The other option I see would be a maliciously-entered product entry with a bad name that could result in XSS when rendered, but that’s also implies compromise to your product management API