Open Redirect on lovable.dev via redirect parameter leads to phishing attacks
Unknown
Vulnerability Details
## Summary:
An open redirect exists on lovable.dev. After logging in, a request is sent to 'https://lovable.dev/auth/post-login?redirect=%2F%3Fshould-refresh-credentials%3D1&_rsc=1b5jt'. Changing the redirect parameter to /\google.com (https://lovable.dev/auth/post-login?redirect=/\google.com), for instance, causes a redirect to google.com. The application expects a relative path, but a backslash-prefixed value such as /\google.com is accepted and results in a redirect to an external domain (https://google.com): browsers treat a backslash as a forward slash in http(s) URLs, so /\google.com is interpreted as the protocol-relative URL //google.com, and a check that only verifies the value begins with "/" does not catch it.
This open redirect allows an attacker to craft URLs on the lovable.dev domain that redirect users to arbitrary external sites, which could be used in phishing campaigns or social engineering attacks.
### Note:
This vulnerability also exists at https://lovable.dev/purchase-success?redirect=/%5Cgoogle.com.
## Steps To Reproduce:
1. Log in to an account.
2. Visit https://lovable.dev/auth/post-login?redirect=/\google.com
3. You will be redirected to google.com.
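The following is an added example, not code from lovable.dev or from this report. It shows, with Node's WHATWG URL parser, why a redirect check that only requires a leading "/" is bypassed by /\google.com (and by its percent-encoded form /%5Cgoogle.com once the query string is decoded), and a check that resolves the value against the application's own origin instead. APP_ORIGIN, the function names and the sample values are assumptions made for the example.

```javascript
// Added example (not lovable.dev's code): a naive redirect check beside a hardened one.
// APP_ORIGIN is a placeholder for the application's own origin.
const APP_ORIGIN = "https://app.example";

// Extract the redirect parameter the way a server-side framework would.
// Percent-encoded characters are decoded here, so "%5C" becomes a literal backslash,
// which is why the /%5Cgoogle.com form behaves the same as /\google.com.
function redirectParamFrom(queryString) {
  return new URLSearchParams(queryString).get("redirect");
}

// Naive check: accepts any value that begins with "/", i.e. anything that merely
// looks like a relative path. The report's payload passes this check.
function isSafeRedirectNaive(target) {
  return typeof target === "string" && target.startsWith("/");
}

// Resolve the value against the application's origin with the WHATWG URL parser,
// which is what a browser does with a Location header. For http(s) URLs the parser
// treats "\" like "/", so "/\google.com" resolves to https://google.com/.
function resolveRedirect(target) {
  try {
    return new URL(target, APP_ORIGIN);
  } catch {
    return null; // unparseable input is never a safe redirect
  }
}

// Hardened check: safe only if the resolved URL still lives on the application's origin.
// This also rejects "//host", "https://host" and "javascript:" values (origin "null").
function isSafeRedirect(target) {
  if (typeof target !== "string" || target.length === 0) return false;
  const resolved = resolveRedirect(target);
  return resolved !== null && resolved.origin === APP_ORIGIN;
}

// What a handler should actually redirect to: the same-origin path, query and
// fragment of a safe target, or the fallback for anything else. Emitting a path
// rather than the raw parameter means no host component ever reaches the Location header.
function safeRedirectPath(target, fallback = "/") {
  if (!isSafeRedirect(target)) return fallback;
  const u = resolveRedirect(target);
  return u.pathname + u.search + u.hash;
}

// Constructed sample inputs: the legitimate value from the post-login request in the
// report, the report's payload, and a few related forms.
const samples = [
  "/?should-refresh-credentials=1",
  "/\\google.com",
  "//google.com",
  "https://google.com",
  "/dashboard",
];

for (const s of samples) {
  const resolved = resolveRedirect(s);
  console.log(
    JSON.stringify(s).padEnd(34),
    "naive:", isSafeRedirectNaive(s),
    "resolved:", resolved ? resolved.href : null,
    "hardened:", isSafeRedirect(s),
    "redirect to:", safeRedirectPath(s),
  );
}
```

Running the block prints one line per sample; the /\google.com entry shows the naive check accepting it, the parser resolving it to https://google.com/, and the hardened check falling back to "/". The design choice worth noting is that the hardened path does not try to enumerate bad prefixes (backslashes, double slashes, schemes); it asks the same parser the browser will use where the value actually lands.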
## Supporting Material/References:
Report Stats
- Report ID: 3581815
- State: Closed
- Substate: resolved
- Upvotes: 1