by codezero 2727 days ago
If you ever get a third party penetration test, this is like, the first thing they find. To say "no one but attackers cares about" is pretty nonchalant – we immediately patched up this clearly bad attack vector, despite it not being extremely likely to manifest as a serious problem to us, because, like, you should just do that.

I just fixed one myself. It's not that hard to sanitize redirect parameters. One good way, if it fits your app, is to insist they be internal-only: "/app/profile" rather than external "https://evil.example.com/phish/login".

I believe it's worth fixing these, not only because it gets penetration tests to shuddup, but because cybercreeps...
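As an added example (my own code, not part of either comment above and not from any project): a Python check that implements the "internal-only" rule, rejecting the scheme-relative, backslash, whitespace and percent-encoded spellings that a browser would still treat as an external destination. Function names and the sample values are assumptions for illustration.

```python
# Added example: accept a redirect parameter only if it is a site-relative path
# such as "/app/profile". Function names and sample inputs are my own.
from urllib.parse import urlsplit, unquote


def _looks_internal(candidate: str) -> bool:
    """Structural checks on one spelling of the target."""
    # Browsers strip tabs/newlines and treat "\" as "/", so any control
    # character, whitespace or backslash is a parsing-confusion attempt.
    if any(ch.isspace() or ord(ch) < 0x20 or ch == "\\" for ch in candidate):
        return False
    # Exactly one leading slash: "//host" is scheme-relative, i.e. external.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    parts = urlsplit(candidate)
    # Any scheme or authority component means the URL leaves the site.
    return parts.scheme == "" and parts.netloc == ""


def is_safe_internal_redirect(target: str) -> bool:
    """True only if target is a site-relative path like "/app/profile"."""
    if not target:
        return False
    # Check the raw value and its percent-decoded form: some frameworks decode
    # before redirecting, turning "/%2f%2fevil.example" into "//evil.example".
    return all(_looks_internal(form) for form in (target, unquote(target)))


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return target if it is safe, otherwise fall back to a known page."""
    return target if is_safe_internal_redirect(target) else default


if __name__ == "__main__":
    # Constructed sample values, not taken from any real request log.
    samples = [
        "/app/profile",
        "/app/profile?tab=security#top",
        "https://evil.example.com/phish/login",
        "//evil.example.com/phish",
        "/\\evil.example.com",
        "/%2f%2fevil.example.com",
        "/\tevil.example.com",
        "javascript:void(0)",
        "",
    ]
    for s in samples:
        print(f"{s!r:40} -> {safe_redirect_target(s)!r}")
```

The decoded-form check is deliberately conservative: a value that is harmless when left encoded but becomes external after one round of decoding is rejected rather than trusted.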