If redirect targets come from user input, they should be validated so attackers cannot send users to malicious external sites.