@avlidienbrunn discovered a flaw in our validation of URLs used for redirection when processing an OAuth authorization request. Unlike other browsers, Internet Explorer and Edge URL decode certain characters found in the host component of a HTTP 302 response Location header. An attacker could have exploited this flaw against Internet Explorer and Edge users to redirect users from GitHub.com to another site and gain access to an OAuth application as another user. We addressed this by restricting the characters that can exist within the host component of the redirect_uri request parameter.