Use "?r=..." as a GET parameter for an "open" redirect.
I actually only allow ?r=javascript:alert(document.domain) for the demo, but actual "Open" redirect will allow arbitrary JS execution (XSS).