Ragesh Ragesh - 1 month ago 8
C# Question

Why does Url.IsLocalUrl return false if the URL contains a fragment?

I'm using

to check if the return URL passed to my authentication action is local or not. It works fine as long as there is no fragment in the URL. That is,
returns true, but
returns false.

What's the reasoning behind this? Is there some obscure security issue that could manifest itself in the fragment, or can I safely ignore the fragment when I'm checking if the URL is local?


This method internally calls the Uri.IsWellFormedUriString method. When you call this method on a relative URL containing a fragment it returns false. There is a bug on MS Connect which is closed with the by design reason.

When you use this method on an absolute URL (with a scheme like http/https) the method behaves as expected. I think the reason is that the Uri class is intended to work not only with HTTP URLs. When you don't specify the protocol (relative URL), a generic URL parser is used which doesn't allow fragments.

So I guess you have two possibilities:

  • Strip the fragment before calling the method
  • Call the method on an absolute URL (http://foo.com/t/test-team-3/tasks#/lists/15) because anyway if you are calling this method on a relative URL we can expect that it is a local URL.