Allowing a redirect target to be set through a URL parameter without any validation is potentially dangerous for your users, because it makes fishing attempts easier.

An attacker can send links to your users such as

http://my-trusted-site.com/some/action/path?redirect_uri=malicious-site-that-looks-like-trusted-site.com

, and many users will only see the domain part and fail to realize where they end up after clicking that link.

The Open Web Application Security Project (OWASP) therefor considers this a vulnerability:

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.

It's important that you check the redirect_uri parameter carefully before executing the redirect.

But since proper validation is tricky and prone to errors, an even better idea is not to accept URI parameters in the first place, but to allow certain keywords instead that specify where the user will be redirected.

class ApplicationController < ActionController::Base

    protected

  def dynamic_redirect_to(default_route, options)
    options.stringify_keys!

    redirect_to options.fetch(params[:redirect_to], default_route)
  end
end

You can now define any number of allowed keywords in advance which may be used as the ?redirect_to= parameter:

def create
  @post = Post.new(params)
  if @post.save
    dynamic_redirect_to post_path(@post), edit: edit_post_path(@post)
  else
    render 'new'
  end
end

If ?redirect_to=edit is set, the user is redirected back to the edit page. If the parameter is not set or contains an unspecified keyword, she is redirected to the default post_path(@post) instead.

I agree with what janfoeh said above. But to implement your requirement, I hacked around in Rails code of redirection to make it simpler.

Make a file config/initializers/redirecting.rb with:

require 'abstract_controller/base'
module ActionController
  module Redirecting
    extend ActiveSupport::Concern

    include AbstractController::Logger
    include ActionController::RackDelegation
    include ActionController::UrlFor

    def _compute_redirect_to_location(options)
      if redirect_url = session.delete(:redirect_uri)
        options = redirect_url
      end
      case options
        # The scheme name consist of a letter followed by any combination of
        # letters, digits, and the plus ("+"), period ("."), or hyphen ("-")
        # characters; and is terminated by a colon (":").
        # See http://tools.ietf.org/html/rfc3986#section-3.1
        # The protocol relative scheme starts with a double slash "//".
      when /\A([a-z][a-z\d\-+\.]*:|\/\/).*/i
        options
      when String
        request.protocol + request.host_with_port + options
      when :back
        request.headers["Referer"] or raise RedirectBackError
      when Proc
        _compute_redirect_to_location request, options.call
      else
        url_for(options)
      end.delete("\0\r\n")
    end
  end
end

In your app/controllers/application_controller.rb :

class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.

  before_action :set_redirect_uri
  protect_from_forgery with: :exception

  def set_redirect_uri
    session[:redirect_uri] = params[:redirect_uri] if params[:redirect_uri].present?
  end
end

And Voila! Now you can continue to use the original redirect_to, and whenever redirect_uri is supplied in the url, it will set that url in session and automatically override. :)

Note: I am clearing session[:redirect_uri] only when redirect_to is called. You can easily modify that behavior to reset this session depending upon the requirement.