The styles use an &redirect parameter to redirect, but you can allow redirecting to URLs (or URIs however pedantic you wish to be) that aren't part of the local domain.
Recommendation: Only allow redirection to area of local domain.
Example:
http://xenforo.com/community/misc/style?style_id=3&redirect=http://www.google.com
Also, when redirecting once to an external URL, it seems to automatically redirect you to that URL every time you change styles *more testing needed*
Recommendation: Only allow redirection to area of local domain.
Example:
http://xenforo.com/community/misc/style?style_id=3&redirect=http://www.google.com
Also, when redirecting once to an external URL, it seems to automatically redirect you to that URL every time you change styles *more testing needed*