URL Redirection to Untrusted Site ('Open Redirect')
We either need to verify the "ref" parameter used for login/logout or use urls without hostname/schema only. Another option would be to use the flask session encryption to add a signature to the ref parameter
Edited by Julian