When I use approve and transferFrom, I notice the owner can give authority to spender. However, the owner CAN'T appoint an address for this approval that the token will be transfer to.
That means if the spender got the approval, it can transfer owner's token to any address it wants to, as far as I know.
Since approve and transferFrom are two separate process, how to manage the spender's behavior? Is there any idea or code to restrict the receiver of an approval?
What's the point in approving a "spender" to transfer your tokens to some address that the "spender" has no control over?
You may as well just approve that address instead.
The reason this entity is called "spender", is because it is allowed to spend your tokens.
And the only way that it can do that, is if it is allowed to transfer your tokens by the least to itself.
So your question really comes down to restricting the spender to transfer your tokens to no one other than itself.
But there's obviously not much point in this restriction, because the spender will still be able to transfer your tokens to itself, and then to any other address.
approve for spending.
I think approve and transferfrom works together.
first approve, then transferfrom.
spender can spend, send tokens on your behalf so far it has the approval.
I agree with @barakman once again.
Although you can extend the restriction mechanisms in the contract itself by overriding functions, that's something we don't recommend.
Do you think the answers solve your questions? @Huowuge, otherwise let me know if there's an specific OpenZeppelin contracts suggestion we can discuss 
Here is the point.
Let's discuss this case: A, B and C represent owner, spender and receiver of the token.
A approve B and appoint B transferFrom to C, not equals to A approve C directly, because in the first case, B has the right to start transaction ANY TIME B wants, but in the 2nd case, there is no B's business. Consider there is a circumstance that B has some condition to start the transaction.
In reply of 0xSolution, I think he/she gives a advice about using approve and transferFrom in one function, if so, it can't satisfy my demand neither.
Please see my reply above, thanks for your help.