It's also mentioned below about the redirect rules:
Trusted Callback URLs
Our sample rule and webtask make one security compromise for the sake of convenience: the rule passes the Auth0 domain (i.e.
your-tenant.auth0.com ) to the form website and the form uses that to construct a callback URL (i.e.
https://your-tenant.auth0.com/continue ) for returning back to the rule. This is essentially an open redirect and should not be used in production scenarios.
You can lock this down by configuring your form website implementation to only return to a specific URL (i.e. just your Auth0 tenant) instead of one that’s generated from a query param. You can then simplify the rule too so it no longer passes the Auth0 domain.
What does the bolded paragraph above mean?
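The contrast the quoted paragraph draws, as an added example (not code from the Auth0 docs or sample): a form site that builds its return URL from a query parameter beside one that returns only to a fixed tenant. The parameter names `auth0_domain` and `state` and the Express-style `query` object are assumptions.

```javascript
// Added example, not Auth0's sample code. Assumes the rule redirects the
// browser to the form site with ?state=...&auth0_domain=... (names assumed).

// Weak version described in the docs: the host of the callback comes straight
// from the query string, so the form site will send the browser to whatever
// host that parameter names. That is the open redirect.
function buildCallbackFromQuery(query) {
  return `https://${query.auth0_domain}/continue?state=${encodeURIComponent(query.state)}`;
}

// Hardened version: the tenant is fixed in the form site's own configuration
// and the auth0_domain parameter is simply never read.
const TRUSTED_TENANT = "your-tenant.auth0.com"; // from config, never from the request

function buildTrustedCallback(query) {
  if (typeof query.state !== "string" || query.state.length === 0) {
    throw new Error("missing state; cannot continue the rule");
  }
  const u = new URL(`https://${TRUSTED_TENANT}/continue`);
  u.searchParams.set("state", query.state);
  return u.toString();
}

// If the site must accept a return URL at all, validate it against the fixed
// tenant instead of trusting it: https only, exact host match, fixed path.
// (Prefix checks like startsWith("https://your-tenant.auth0.com") would pass
// "your-tenant.auth0.com.attacker.example", so compare the parsed hostname.)
function isTrustedCallback(candidate) {
  let u;
  try {
    u = new URL(candidate);
  } catch (e) {
    return false;
  }
  return u.protocol === "https:" && u.hostname === TRUSTED_TENANT && u.pathname === "/continue";
}

module.exports = { buildCallbackFromQuery, buildTrustedCallback, isTrustedCallback, TRUSTED_TENANT };
```

With the hardened builder in place the rule no longer needs to pass the Auth0 domain at all, which is the simplification the last sentence of the quote refers to.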