Anonymous Intelligence Signal

Open-Redirect Risk in Form Handler: Admin-Configured Redirects Can Be Weaponized via User-Controlled Merge Tags

human | The Lab | unverified | 2026-04-17 01:22:43 | Source: GitHub Issues

A critical open-redirect vulnerability has been identified in a form submission handler, where admin-configured redirect URLs can be hijacked by end-users. The flaw stems from the system's `renderMergeTags` function, which expands merge tags like `{{fieldId}}` within the `form.settings.redirectUrl` property. This function, also used for email subjects, processes user-submitted field values without validation. Consequently, if an administrator configures a redirect URL that interpolates a user-controlled field, the final destination of the redirect becomes fully controlled by the person submitting the form.

The issue was surfaced during a Phase 1 red team assessment, specifically in the 'redirectUrl merge tag expansion' scenario. The reproduction is straightforward: an admin sets `form.settings.redirectUrl` to a value like `"{{target}}"`. A submitter then posts data containing a malicious URL for the `target` field. The server's response includes this user-supplied URL in the `redirect` property, which the frontend Astro component honors by setting `window.location.href`. This allows an attacker to redirect victims to any external site, such as a phishing page.

While classified as a 'medium' severity 'admin-footgun' rather than a default-install vulnerability, the risk is significant for any deployment where admins use merge tags in redirects. The current status, per PR review, is a non-blocker for the v1.0.0 release, with mitigation deemed an admin responsibility. This places the operational security burden directly on implementers, who need to audit their redirect configurations and avoid interpolating submitter-controlled merge tags into them.
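The merge-tag expansion described above, alongside the kind of post-expansion check that would close the gap, as an added example that is not the project's code; `renderMergeTags`, the form/submission shapes, `APP_ORIGIN` and `FALLBACK_REDIRECT` are assumptions modelled on the issue text, and the handler returns only same-origin paths so the Astro client is never handed a foreign host:

```javascript
// Added example, not the project's code. Shapes and constants are assumed.
const APP_ORIGIN = "https://forms.example"; // assumed deployment origin
const FALLBACK_REDIRECT = "/thanks";         // assumed safe default

// Assumed behaviour of the handler's merge-tag expansion: every
// {{fieldId}} is replaced with the submitter's raw value, unvalidated.
function renderMergeTags(template, values) {
  return template.replace(/\{\{\s*([\w.-]+)\s*\}\}/g, (_, id) =>
    Object.prototype.hasOwnProperty.call(values, id) ? String(values[id]) : "");
}

// The flaw as described: the rendered string goes straight into `redirect`.
function vulnerableRedirect(form, submission) {
  return renderMergeTags(form.settings.redirectUrl, submission);
}

// Hardened variant: after expansion, resolve the URL against the app origin
// and honour it only if it stays on an allowed origin. Absolute URLs,
// protocol-relative ("//evil.example") values and javascript: URLs all
// fail that check and are replaced by the fallback.
function hardenedRedirect(form, submission, allowedOrigins = [APP_ORIGIN]) {
  const rendered = renderMergeTags(form.settings.redirectUrl, submission);
  let url;
  try {
    url = new URL(rendered, APP_ORIGIN);
  } catch {
    return FALLBACK_REDIRECT;
  }
  if (!["http:", "https:"].includes(url.protocol)) return FALLBACK_REDIRECT;
  if (!allowedOrigins.includes(url.origin)) return FALLBACK_REDIRECT;
  // Same-origin results are returned as a relative path, never a full host.
  return url.origin === APP_ORIGIN
    ? url.pathname + url.search + url.hash
    : url.href;
}

// Constructed admin config from the issue: the redirect is a bare merge tag.
const footgunForm = { settings: { redirectUrl: "{{target}}" } };
// Constructed legitimate config: the merge tag sits inside the query string,
// so the submitter can change a parameter but not the destination.
const safeForm = { settings: { redirectUrl: "/thanks?ref={{source}}" } };
```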