Unvalidated Redirects and Forwards

• Avoid using request parameters as part of a forward or redirect.
• Where a request parameter must be used as part of a forward or redirect, validate it and ensure that the user is authorised for the resulting URL.
• Where possible, use a server-side mapping from the request parameter to the value used for the forward or redirect.