=== How does this work?

In case the application strictly requires redirecting based on user-controllable data, this could be done using the following alternatives:

1. Using an allow-list approach, in case the destination URLs are limited.
2. Adding a customized page to which users are redirected, warning about the imminent action and requiring manual authorization to proceed.