I'm working on a site where users can input URLs.
The URLs should point to sites where you can buy an item (for birthday/special event/...).
It also sends out mails to e-mail addresses the user provides.
Now, I would like to assess how unsafe this is and to mitigate the unsafeness if possible. (It's a hobby project, if it's too unsafe I'll abandon it).
I'm mostly concerned with the URLs.
I can imagine that it isn't impossible to find someplace in an online store where a redirect is issued (and where an attacker could inject a custom URL).
Is it safe to only accept URLs (given on my site) that respond with an HTTP code 200? (In other words, is every redirect which is not issued by JavaScript only possible if the HTTP return code is different from 200?)
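
An added example, not part of the original post: a 200 status does not by itself rule out a non-JavaScript redirect, because a `Refresh` response header or a `<meta http-equiv="refresh">` tag can also send the browser elsewhere. The Python below checks an already-fetched response for all three signals; the function names and sample responses are constructed for illustration.

```python
import re
from html.parser import HTMLParser

class _MetaRefresh(HTMLParser):
    """Collects the content attribute of <meta http-equiv="refresh"> tags."""
    def __init__(self):
        super().__init__()
        self.contents = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.contents.append(a.get("content", ""))

def _refresh_url(value):
    """Extract the target from a Refresh value such as '0; url=https://x/'."""
    m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", value, re.I)
    return m.group(1) if m else None  # None: plain reload, no new target

def redirect_signals(status, headers, body):
    """Return (kind, target) for every non-JavaScript redirect in a response."""
    h = {k.lower(): v for k, v in headers.items()}
    found = []
    if 300 <= status < 400 and "location" in h:
        found.append(("http-3xx", h["location"]))
    header_target = _refresh_url(h.get("refresh", ""))
    if header_target:
        found.append(("refresh-header", header_target))
    parser = _MetaRefresh()
    parser.feed(body)
    for content in parser.contents:
        target = _refresh_url(content)
        if target:
            found.append(("meta-refresh", target))
    return found

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "plain": (200, {"Content-Type": "text/html"}, "<html><body>Item</body></html>"),
    "3xx": (302, {"Location": "https://other.example/"}, ""),
    "header": (200, {"Refresh": "0; url=https://other.example/"}, "<html></html>"),
    "meta": (200, {}, '<html><head><meta http-equiv="Refresh" '
                      'content="0; URL=https://other.example/"></head></html>'),
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, redirect_signals(*resp))
```
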