From 855d38b5395b9f3188d62bb98cf83b03d6642bb6 Mon Sep 17 00:00:00 2001 From: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> Date: Wed, 16 Apr 2025 15:49:45 -0600 Subject: [PATCH 1/3] isUrlLocal /3 --- .../security/preventing-open-redirects.md | 25 +++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/aspnetcore/security/preventing-open-redirects.md b/aspnetcore/security/preventing-open-redirects.md index acd0804ec3e5..9ee66cedcf1b 100644 --- a/aspnetcore/security/preventing-open-redirects.md +++ b/aspnetcore/security/preventing-open-redirects.md @@ -50,7 +50,7 @@ public IActionResult SomeAction(string redirectUrl) `LocalRedirect` will throw an exception if a non-local URL is specified. Otherwise, it behaves just like the `Redirect` method. -### IsLocalUrl +### IUrlHelper.IsLocalUrl Use the method to test URLs before redirecting: 
@@ -70,4 +70,25 @@ private IActionResult RedirectToLocal(string returnUrl) } ``` -The `IsLocalUrl` method protects users from being inadvertently redirected to a malicious site. You can log the details of the URL that was provided when a non-local URL is supplied in a situation where you expected a local URL. Logging redirect URLs may help in diagnosing redirection attacks. +The `IUrlHelper.IsLocalUrl` method protects users from being inadvertently redirected to a malicious site. You can log the details of the URL that was provided when a non-local URL is supplied in a situation where you expected a local URL. Logging redirect URLs may help in diagnosing redirection attacks. + +:::moniker range=">= aspnetcore-10.0" + +### Detect if URL is local using `RedirectHttpResult.IsLocalUrl` + +The [`RedirectHttpResult.IsLocalUrl(url)`](https://source.dot.net/#Microsoft.AspNetCore.Http.Results/RedirectHttpResult.cs,c0ece2e6266cb369) helper method to detects if a URL is local. A URL is considered local if the following are true: + +* It doesn't have the [host](https://developer.mozilla.org/docs/Web/API/URL/host) or [authority](https://developer.mozilla.org/docs/Web/URI/Authority) section. +* It has an [absolute path](https://developer.mozilla.org/docs/Learn_web_development/Howto/Web_mechanics/What_is_a_URL#absolute_urls_vs._relative_urls). + +URLs using [virtual paths](/previous-versions/aspnet/ms178116(v=vs.100)) `"~/"` are also local. + +`IsLocalUrl` is useful for validating URLs before redirecting to them to prevent [open redirection attacks](https://brightsec.com/blog/open-redirect-vulnerabilities/). + +```csharp +if (RedirectHttpResult.IsLocalUrl(url)) +{ + return Results.LocalRedirect(url); +} + +:::moniker range=">= aspnetcore-10.0" From f3275487cc5bc69f086625589edcf12c9c704b46 Mon Sep 17 00:00:00 2001 
From: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> Date: Wed, 16 Apr 2025 15:56:30 -0600 Subject: [PATCH 2/3] isUrlLocal /3 --- aspnetcore/security/preventing-open-redirects.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/security/preventing-open-redirects.md b/aspnetcore/security/preventing-open-redirects.md index 9ee66cedcf1b..6f8f2cb116e1 100644 --- a/aspnetcore/security/preventing-open-redirects.md +++ b/aspnetcore/security/preventing-open-redirects.md @@ -91,4 +91,4 @@ if (RedirectHttpResult.IsLocalUrl(url)) return Results.LocalRedirect(url); } -:::moniker range=">= aspnetcore-10.0" +:::moniker-end From c6b6afa4d351633bc5415fe2155f17e639a03b88 Mon Sep 17 00:00:00 2001 From: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> Date: Wed, 16 Apr 2025 19:02:18 -0600 Subject: [PATCH 3/3] Update aspnetcore/security/preventing-open-redirects.md Co-authored-by: Martin Costello --- aspnetcore/security/preventing-open-redirects.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/security/preventing-open-redirects.md b/aspnetcore/security/preventing-open-redirects.md index 6f8f2cb116e1..0cd967b36fb1 100644 --- a/aspnetcore/security/preventing-open-redirects.md +++ b/aspnetcore/security/preventing-open-redirects.md 
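Review bot: The ```csharp fence opened for the `RedirectHttpResult.IsLocalUrl` example is still never closed: in this hunk the context line `}` is followed directly by the moniker line, so the old `:::moniker range` line and the new `:::moniker-end` line both sit inside the code block and the moniker directive will not be processed as markup. Insert a closing fence line ```` ``` ```` between `}` and `:::moniker-end`. The enclosing section starts outside this hunk.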
@@ -76,7 +76,7 @@ The `IUrlHelper.IsLocalUrl` method protects users from being inadvertently redir ### Detect if URL is local using `RedirectHttpResult.IsLocalUrl` -The [`RedirectHttpResult.IsLocalUrl(url)`](https://source.dot.net/#Microsoft.AspNetCore.Http.Results/RedirectHttpResult.cs,c0ece2e6266cb369) helper method to detects if a URL is local. A URL is considered local if the following are true: +The [`RedirectHttpResult.IsLocalUrl(url)`](https://source.dot.net/#Microsoft.AspNetCore.Http.Results/RedirectHttpResult.cs,c0ece2e6266cb369) helper method detects if a URL is local. A URL is considered local if the following are true: * It doesn't have the [host](https://developer.mozilla.org/docs/Web/API/URL/host) or [authority](https://developer.mozilla.org/docs/Web/URI/Authority) section. * It has an [absolute path](https://developer.mozilla.org/docs/Learn_web_development/Howto/Web_mechanics/What_is_a_URL#absolute_urls_vs._relative_urls).
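Review bot: The two bullets describing when a URL is "local" are looser than the check a reader will rely on for open-redirect defense: a string such as `/\evil.example` satisfies both bullets as written (no host/authority when parsed strictly, and an absolute path), yet browsers normalize the backslash and navigate off-site. If I read the linked `RedirectHttpResult.cs` correctly, the implementation explicitly rejects URLs beginning with `//` or `/\` (and strings containing control characters), so the prose should say so rather than leave readers to infer it. Add a bullet after the "absolute path" one: `* It doesn't start with "//" or "/\", which browsers treat as protocol-relative references to another host.` It is also worth stating that, on a `false` result, the caller should redirect to a fixed safe location rather than the supplied value, since the snippet only shows the success branch.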