in reply to Re^2: :OWASP ESAPI Implementation for Perl?
in thread :OWASP ESAPI Implementation for Perl?
Basically I want a library I can run a url through before I redirect to it, to ensure it's not some type of security risk that I am unaware of.
Questions:
A URL is just that. You could check some basics:
After that, the browser is beyond what you can control. You can't protect the browser user from being redirected to malicious pages, simply because any sufficiently evil page can detect that you are attempting to check it and present itself as a completely harmless page.
You can prevent information leakage. Many browsers send a Referer header, so if the URL of the redirecting page contains sensitive information like a session ID, you may want to redirect via a "trampoline" page that is passed the redirection URL, and only that, as a URL parameter. Perhaps you also want to create a new browser tab/window for the trampoline page.
If the redirection goes back to your own page / application, well, it should not be able to do any harm, because you validate all your input, properly encode / escape all your output, and use only DBI placeholders for database access. Also, your application runs with taint mode enabled, and it refuses to work on any input that can't be properly validated.
Alexander
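To show what "check some basics" and the trampoline page look like in practice, here is an added Perl example. It is my own illustration, not Alexander's code, not the original poster's, and not part of any ESAPI port; it assumes the CPAN URI module is installed, the allowlist of hosts is constructed for the example, and the function names check_redirect_url and trampoline_response are mine. The checks are: reject control characters (header injection through Location:), allow only absolute http/https, refuse userinfo (the "trusted@evil" trick), require the host to be on an allowlist, and finally restrict the normalised URL to RFC 3986 characters through a regex capture, which is also what untaints the value when the application runs with -T as described above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI;

# Hosts we are prepared to send the browser to. A constructed allowlist for
# this example; a real application would load it from configuration.
my %ALLOWED_HOST = map { $_ => 1 } qw(www.example.com docs.example.com);

# Basic checks on a redirect target. Returns (normalised_url, undef) on
# success or (undef, reason) on rejection. The success value comes from a
# regex capture, so it is untainted when the script runs under -T.
sub check_redirect_url {
    my ($raw) = @_;
    return (undef, 'empty') unless defined $raw && length $raw;

    # CR, LF or other control characters inside a Location: header let the
    # client split the response in two (header injection). Reject early.
    return (undef, 'control characters') if $raw =~ /[\x00-\x1f\x7f]/;

    my $uri = URI->new($raw);

    # Absolute http/https only. This also refuses javascript:, data:, file:
    # and scheme-relative "//evil.example/" (which has no scheme at all).
    my $scheme = lc($uri->scheme // '');
    return (undef, "scheme '$scheme' not allowed")
        unless $scheme eq 'http' || $scheme eq 'https';

    # "http://www.example.com@evil.example/" has host evil.example; the part
    # before '@' is userinfo, which a person skimming the URL may mistake for
    # the host. Redirect targets never need it, so refuse it outright.
    return (undef, 'userinfo not allowed') if defined $uri->userinfo;

    (my $host = lc($uri->host // '')) =~ s/\.\z//;   # normalise case, trailing dot
    return (undef, 'no host') unless length $host;
    return (undef, "host '$host' not in allowlist") unless $ALLOWED_HOST{$host};

    # Restrict to RFC 3986 characters. The capture also untaints under -T.
    my ($clean) = $uri->canonical->as_string
        =~ m{\A([A-Za-z0-9\-._~:/?#\[\]\@!\$&'()*+,;=%]+)\z}
        or return (undef, 'unexpected characters');
    return ($clean, undef);
}

# The trampoline page. The redirecting page sends the browser here with only
# the destination in the query string, so the destination's Referer is this
# page's URL rather than the original one with its session ID. It has to be a
# rendered page, not another 302: an HTTP redirect chain carries the Referer
# of the request that started it straight through to the final target.
sub trampoline_response {
    my ($url) = @_;           # already passed through check_redirect_url
    (my $esc = $url) =~ s/([&<>"'])/sprintf('&#%d;', ord $1)/ge;
    return join '',
        "Content-Type: text/html; charset=UTF-8\r\n",
        "Referrer-Policy: no-referrer\r\n",   # current browsers drop Referer entirely
        "\r\n",
        '<!DOCTYPE html><html><head><meta charset="utf-8">',
        '<meta name="referrer" content="no-referrer">',
        qq{<meta http-equiv="refresh" content="0; url=$esc">},
        '<title>Redirecting</title></head><body>',
        qq{<p>Continue to <a href="$esc" rel="noreferrer noopener">$esc</a></p>},
        '</body></html>';
}

# Constructed sample inputs for the demo, not taken from the thread.
my @samples = (
    'https://docs.example.com/manual?page=2',
    'HTTPS://WWW.EXAMPLE.COM./index.html',
    'javascript:alert(1)',
    '//evil.example/',
    'http://www.example.com@evil.example/',
    "https://www.example.com/\r\nSet-Cookie: admin=1",
    'https://evil.example/www.example.com',
);
for my $raw (@samples) {
    my ($ok, $why) = check_redirect_url($raw);
    (my $shown = $raw) =~ s/[\r\n]/ /g;
    printf "%-48s %s\n", $shown, defined $ok ? "OK     $ok" : "REJECT $why";
}

my ($target) = check_redirect_url('https://docs.example.com/manual?page=2&x=1');
print trampoline_response($target) if defined $target;
```

The allowlist is the part that does the real work: scheme and character checks only rule out the obviously hostile inputs, and as the post says, nothing here can vouch for the content of a page on an allowed host. If the redirecting page links to the trampoline with target="_blank", you get the separate tab/window mentioned above as well.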
Re^4: :OWASP ESAPI Implementation for Perl?
by Anonymous Monk on Dec 20, 2010 at 04:08 UTC
by BrowserUk (Patriarch) on Dec 20, 2010 at 04:47 UTC