GSSA-2026-04-ZMYF7A
2026-04-25
8.6 High

HTML/JS injection and open redirect via OAuth callback meta-refresh

The OAuth callback embedded an attacker-controlled `?r=` redirect parameter into a `<meta http-equiv="refresh">` tag without validation, allowing JavaScript execution and arbitrary redirects in the application origin after authentication.

The OAuth callback rendered a meta-refresh HTML response that interpolated the user-controlled `?r=` redirect parameter without validation, allowing JavaScript execution and arbitrary post-authentication redirects in the application origin.
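
The flaw described above and one way to close it, as an added example that is not the affected project's code: the redirect value is reduced to a same-origin path and HTML-escaped before it reaches the `<meta http-equiv="refresh">` tag. `APP_ORIGIN`, the function names and the exact markup are assumptions made for illustration.

```javascript
// Added example; all names and the origin below are hypothetical.
const APP_ORIGIN = "https://app.example"; // assumed application origin

// Return a same-origin path for the post-login redirect, or "/" if r is unsafe.
function safeRedirectTarget(r) {
  if (typeof r !== "string" || r.length === 0) return "/";
  // Control characters and backslashes can make a browser resolve a
  // different URL than the one validated here.
  if (/[\u0000-\u001f\u007f\\]/.test(r)) return "/";
  // Accept absolute paths only; "//host" is a scheme-relative URL.
  if (!r.startsWith("/") || r.startsWith("//")) return "/";
  let url;
  try {
    url = new URL(r, APP_ORIGIN);
  } catch {
    return "/";
  }
  if (url.origin !== APP_ORIGIN) return "/";
  // Re-serialise from the parsed URL so the output is normalised.
  return url.pathname + url.search + url.hash;
}

// Escape characters that could end the attribute or open a new tag.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape from the advisory: ?r= interpolated without validation.
function renderCallbackUnsafe(r) {
  return `<meta http-equiv="refresh" content="0;url=${r}">`;
}

// Hardened form: validate first, then escape for the attribute context.
function renderCallbackSafe(r) {
  const target = escapeHtmlAttr(safeRedirectTarget(r));
  return `<meta http-equiv="refresh" content="0;url=${target}">`;
}
```

Validation and escaping address different halves of the advisory: the origin check stops the open redirect, and the attribute escaping stops markup injection even if the validator is later loosened.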