This ought to be a standard
This is not a new risk, which is why I do not accept shortened URLs from anyone but those who I know to not pass on 3rd party ones. There are some schemes that allow you to see the full URL beforehand, but they're rare, and I can see from a full URL if there's data in there that I do not want to trigger.
Even a "benign" URL from, say, the Guardian quite often contains extra tracking data that you can strip off, but you won't see that in a shortened version.
I partially blame this on not clamping down on domain name hoarders so we end up with http://theridiculouslongdomainnamesbecausetheshorteronesarehoarded.com which promotes the use of shorteners to keep the Net usable.
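The point made above about full versus shortened URLs, as an added example that is not part of the original comment: with the full URL in hand you can see and strip tracking parameters, while a shortener link gives you nothing to inspect. The shortener host list and the tracking-key list (including treating `cmp` as a campaign tag) are assumptions for illustration, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed, non-exhaustive lists for illustration; extend for your environment.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com"}
TRACKING_KEYS = {"fbclid", "gclid", "cmp"}
TRACKING_PREFIXES = ("utm_",)


def is_tracking(key):
    """True when a query key matches the assumed tracking lists."""
    k = key.lower()
    return k in TRACKING_KEYS or k.startswith(TRACKING_PREFIXES)


def inspect_url(url):
    """Return (opaque, cleaned_url, removed_keys).

    opaque is True when the host is a known shortener: the destination and
    its query data are hidden, so there is nothing to inspect or strip.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in SHORTENER_HOSTS:
        return True, url, []
    # keep_blank_values so "flag=" style parameters are not silently dropped
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if not is_tracking(k)]
    removed = [k for k, _ in pairs if is_tracking(k)]
    # Path and fragment are preserved; only the query string is rebuilt.
    cleaned = urlunsplit(parts._replace(query=urlencode(kept)))
    return False, cleaned, removed


if __name__ == "__main__":
    samples = [  # constructed sample URLs
        "https://www.example.com/world/story?CMP=share_btn&utm_source=feed&page=2#comments",
        "https://bit.ly/3abcdEF",
    ]
    for s in samples:
        print(inspect_url(s))
```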