Commit dd546b6

WN: IsLocalUrl (#34758)
* WN: IsLocalUrl * WN: IsLocalUrl * WN: IsLocalUrl * WN: IsLocalUrl
1 parent 37d79bb commit dd546b6

1 file changed

+20
-0
lines changed

aspnetcore/release-notes/aspnetcore-10.0.md

Lines changed: 20 additions & 0 deletions
@@ -47,4 +47,24 @@ This section describes miscellaneous new features in ASP.NET Core 10.0.
4747

4848
[!INCLUDE[](~/release-notes/aspnetcore-10/includes/testAppsTopLevel.md)]
4949

50+
### Detect if URL is local using `RedirectHttpResult.IsLocalUrl`
51+
52+
Use the new [`RedirectHttpResult.IsLocalUrl(url)`](https://source.dot.net/#Microsoft.AspNetCore.Http.Results/RedirectHttpResult.cs,c0ece2e6266cb369) helper method to detect if a URL is local. A URL is considered local if the following are true:
53+
54+
- It doesn't have the [host](https://developer.mozilla.org/docs/Web/API/URL/host) or [authority](https://developer.mozilla.org/docs/Web/URI/Authority) section.
55+
- It has an [absolute path](https://developer.mozilla.org/docs/Learn_web_development/Howto/Web_mechanics/What_is_a_URL#absolute_urls_vs._relative_urls).
56+
57+
URLs using [virtual paths](/previous-versions/aspnet/ms178116(v=vs.100)) '~/' are also local.
58+
59+
`IsLocalUrl` is useful for validating URLs before redirecting to them to prevent [open redirection attacks](https://brightsec.com/blog/open-redirect-vulnerabilities/).
60+
61+
```csharp
62+
if (RedirectHttpResult.IsLocalUrl(url))
63+
{
64+
return Results.LocalRedirect(url);
65+
}
66+
```
67+
68+
Thank you [@martincostello](https://github.com/martincostello) for this contribution!
69+
5070
## Related content
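
Review bot: The sample at new lines 62-65 shows only the branch where `IsLocalUrl(url)` returns true, so a reader copying it gets no guidance for the non-local case, which is the case that matters for the open-redirect defense described on new line 59. Suggest completing the sample with an explicit fallback after the `if` block, for example `return Results.BadRequest();` or a redirect to a fixed default path, and saying in the prose that a URL failing the check should be rejected rather than handed to a general redirect. Two smaller points: on new line 57 the virtual-path prefix is written as '~/' in plain quotes while the rest of the section uses backticks for code, so `~/` would be consistent; and on new line 59 the open-redirection link points to a third-party vendor blog, where a first-party or vendor-neutral reference would be a more durable target for release notes.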
