Application testing cases - describe possible issues with using unvalidated redirects and forwards.

Does the application set redirect or forward targets within parameters? Are redirect(s) and forward(s) not validated by the server prior to redirecting the user?