Check that the reactions set_from_email redirect_url is legit

- These email reactions URLs look like
  https://soulmedicine.io/pathways/[...]/reaction/set_from_email?reaction_name=[...]&redirect_url=https://soulmedicine.io[...].
- Fixes https://github.com/chaynHQ/soulmedicine/security/code-scanning/1.

app/controllers/reactions_controller.rb

@@ -31,6 +31,10 @@ def find_or_initialize_reaction
  end
 
  def redirect_url
- params[:redirect_url].presence || course_lesson_path(@reaction.course_slug, @reaction.lesson_slug)
+ if params[:redirect_url].present? && params[:redirect_url].starts_with?("https://soulmedicine.io/")
+ params[:redirect_url]
+ else
+ course_lesson_path(@reaction.course_slug, @reaction.lesson_slug)
+ end
  end
 end