Don't accept parameters as argument for redirect to [via @homakov]

Closes #16170

actionpack/lib/action_controller/metal/redirecting.rb

@@ -68,6 +68,7 @@ module Redirecting
     # <tt>ActionController::RedirectBackError</tt>.
     def redirect_to(options = {}, response_status = {}) #:doc:
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
+      raise ActionControllerError.new("Cannot redirect to a parameter hash!") if options.is_a?(ActionController::Parameters)
       raise AbstractController::DoubleRenderError if response_body
 
       self.status        = _extract_redirect_to_status(options, response_status)

actionpack/test/controller/redirect_test.rb

@@ -90,6 +90,10 @@ def redirect_to_nil
     redirect_to nil
   end
 
+  def redirect_to_params
+    redirect_to ActionController::Parameters.new(status: 200, protocol: 'javascript', f: '%0Aeval(name)')
+  end
+
   def redirect_to_with_block
     redirect_to proc { "http://www.rubyonrails.org/" }
   end
@@ -281,6 +285,12 @@ def test_redirect_to_nil
     end
   end
 
+  def test_redirect_to_params
+    assert_raise(ActionController::ActionControllerError) do
+      get :redirect_to_params
+    end
+  end
+
   def test_redirect_to_with_block
     get :redirect_to_with_block
     assert_response :redirect