diff --git a/src/Microsoft.AspNetCore.Routing.Abstractions/LinkGenerationTemplate.cs b/src/Microsoft.AspNetCore.Routing.Abstractions/LinkGenerationTemplate.cs
index 5f99df178d..b54692bd15 100644
--- a/src/Microsoft.AspNetCore.Routing.Abstractions/LinkGenerationTemplate.cs
+++ b/src/Microsoft.AspNetCore.Routing.Abstractions/LinkGenerationTemplate.cs
@@ -63,6 +63,7 @@ namespace Microsoft.AspNetCore.Routing
///
///
/// The URI host/authority, applied to the resulting URI. Optional. If not provided, the value will be used.
+ /// See the remarks section for details about the security implications of the .
///
///
/// An optional URI path base. Prepended to the path in the resulting URI. If not provided, the value of will be used.
@@ -73,6 +74,14 @@ namespace Microsoft.AspNetCore.Routing
/// names from RouteOptions.
///
/// A URI with an absolute path, or null.
+ ///
+ ///
+ /// The value of should be a trusted value. Relying on the value of the current request
+ /// can allow untrusted input to influence the resulting URI unless the Host header has been validated.
+ /// See the deployment documentation for instructions on how to properly validate the Host header in
+ /// your deployment environment.
+ ///
+ ///
public abstract string GetUri(
HttpContext httpContext,
object values,
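Review bot: The added remarks point to "the deployment documentation" without naming what has to be configured, so a reader seeing this in IntelliSense cannot act on the warning. I would name the mitigation in the text, for example `/// In ASP.NET Core this is typically done with the Host Filtering Middleware (the AllowedHosts setting) or at the fronting proxy.` The same paragraph is repeated in every other remarks hunk of this commit (LinkGenerator.cs and both extension files), so the change applies there too. The XML tags appear to have been stripped from this view, so I am inferring that the elided references are the `host` parameter and the request's Host value. The GetUri signature continues outside the hunk.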
@@ -87,7 +96,10 @@ namespace Microsoft.AspNetCore.Routing
///
/// The route values. Used to expand parameters in the route template. Optional.
/// The URI scheme, applied to the resulting URI.
- /// The URI host/authority, applied to the resulting URI.
+ ///
+ /// The URI host/authority, applied to the resulting URI.
+ /// See the remarks section for details about the security implications of the .
+ ///
/// An optional URI path base. Prepended to the path in the resulting URI.
/// An optional URI fragment. Appended to the resulting URI.
///
@@ -95,6 +107,14 @@ namespace Microsoft.AspNetCore.Routing
/// names from RouteOptions.
///
/// An absolute URI, or null.
+ ///
+ ///
+ /// The value of should be a trusted value. Relying on the value of the current request
+ /// can allow untrusted input to influence the resulting URI unless the Host header has been validated.
+ /// See the deployment documentation for instructions on how to properly validate the Host header in
+ /// your deployment environment.
+ ///
+ ///
public abstract string GetUri(
object values,
string scheme,
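Review bot: The remark's "relying on the value of the current request" does not fit this overload, which takes no HttpContext and, per its param text, has no fallback: the host is whatever the caller passes. For the HttpContext-free overloads (this one, and the hunks at -119 in LinkGenerator.cs, -175 in LinkGeneratorEndpointNameAddressExtensions.cs and -163 in LinkGeneratorRouteValuesAddressExtensions.cs) I would reword the remark to address the caller directly: `/// Do not pass a host taken from the incoming request unless the Host header has been validated; prefer a configured value.` The doc tags are missing in this view, so the exact member referenced is inferred. The method signature continues outside the hunk.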
diff --git a/src/Microsoft.AspNetCore.Routing.Abstractions/LinkGenerator.cs b/src/Microsoft.AspNetCore.Routing.Abstractions/LinkGenerator.cs
index 9f6bb0640f..1f91a4446d 100644
--- a/src/Microsoft.AspNetCore.Routing.Abstractions/LinkGenerator.cs
+++ b/src/Microsoft.AspNetCore.Routing.Abstractions/LinkGenerator.cs
@@ -83,6 +83,7 @@ namespace Microsoft.AspNetCore.Routing
///
///
/// The URI host/authority, applied to the resulting URI. Optional. If not provided, the value will be used.
+ /// See the remarks section for details about the security implications of the .
///
///
/// An optional URI path base. Prepended to the path in the resulting URI. If not provided, the value of will be used.
@@ -93,6 +94,14 @@ namespace Microsoft.AspNetCore.Routing
/// names from RouteOptions.
///
/// A URI with an absolute path, or null.
+ ///
+ ///
+ /// The value of should be a trusted value. Relying on the value of the current request
+ /// can allow untrusted input to influence the resulting URI unless the Host header has been validated.
+ /// See the deployment documentation for instructions on how to properly validate the Host header in
+ /// your deployment environment.
+ ///
+ ///
public abstract string GetUriByAddress(
HttpContext httpContext,
TAddress address,
@@ -111,7 +120,10 @@ namespace Microsoft.AspNetCore.Routing
/// The address value. Used to resolve endpoints.
/// The route values. Used to expand parameters in the route template. Optional.
/// The URI scheme, applied to the resulting URI.
- /// The URI host/authority, applied to the resulting URI.
+ ///
+ /// The URI host/authority, applied to the resulting URI.
+ /// See the remarks section for details about the security implications of the .
+ ///
/// An optional URI path base. Prepended to the path in the resulting URI.
/// An optional URI fragment. Appended to the resulting URI.
///
@@ -119,6 +131,14 @@ namespace Microsoft.AspNetCore.Routing
/// names from RouteOptions.
///
/// An absolute URI, or null.
+ ///
+ ///
+ /// The value of should be a trusted value. Relying on the value of the current request
+ /// can allow untrusted input to influence the resulting URI unless the Host header has been validated.
+ /// See the deployment documentation for instructions on how to properly validate the Host header in
+ /// your deployment environment.
+ ///
+ ///
public abstract string GetUriByAddress(
TAddress address,
RouteValueDictionary values,
diff --git a/src/Microsoft.AspNetCore.Routing/LinkGeneratorEndpointNameAddressExtensions.cs b/src/Microsoft.AspNetCore.Routing/LinkGeneratorEndpointNameAddressExtensions.cs
index a5904d1071..d3e50328cf 100644
--- a/src/Microsoft.AspNetCore.Routing/LinkGeneratorEndpointNameAddressExtensions.cs
+++ b/src/Microsoft.AspNetCore.Routing/LinkGeneratorEndpointNameAddressExtensions.cs
@@ -112,6 +112,7 @@ namespace Microsoft.AspNetCore.Routing
///
///
/// The URI host/authority, applied to the resulting URI. Optional. If not provided, the value will be used.
+ /// See the remarks section for details about the security implications of the .
///
///
/// An optional URI path base. Prepended to the path in the resulting URI. If not provided, the value of will be used.
@@ -122,6 +123,14 @@ namespace Microsoft.AspNetCore.Routing
/// names from RouteOptions.
///
/// A URI with an absolute path, or null.
+ ///
+ ///
+ /// The value of should be a trusted value. Relying on the value of the current request
+ /// can allow untrusted input to influence the resulting URI unless the Host header has been validated.
+ /// See the deployment documentation for instructions on how to properly validate the Host header in
+ /// your deployment environment.
+ ///
+ ///
public static string GetUriByName(
this LinkGenerator generator,
HttpContext httpContext,
@@ -167,7 +176,10 @@ namespace Microsoft.AspNetCore.Routing
/// The endpoint name. Used to resolve endpoints.
/// The route values. Used to expand parameters in the route template. Optional.
/// The URI scheme, applied to the resulting URI.
- /// The URI host/authority, applied to the resulting URI.
+ ///
+ /// The URI host/authority, applied to the resulting URI.
+ /// See the remarks section for details about the security implications of the .
+ ///
/// An optional URI path base. Prepended to the path in the resulting URI.
/// An optional URI fragment. Appended to the resulting URI.
///
@@ -175,6 +187,14 @@ namespace Microsoft.AspNetCore.Routing
/// names from RouteOptions.
///
/// An absolute URI, or null.
+ ///
+ ///
+ /// The value of should be a trusted value. Relying on the value of the current request
+ /// can allow untrusted input to influence the resulting URI unless the Host header has been validated.
+ /// See the deployment documentation for instructions on how to properly validate the Host header in
+ /// your deployment environment.
+ ///
+ ///
public static string GetUriByName(
this LinkGenerator generator,
string endpointName,
diff --git a/src/Microsoft.AspNetCore.Routing/LinkGeneratorRouteValuesAddressExtensions.cs b/src/Microsoft.AspNetCore.Routing/LinkGeneratorRouteValuesAddressExtensions.cs
index d025679e41..d41f43d644 100644
--- a/src/Microsoft.AspNetCore.Routing/LinkGeneratorRouteValuesAddressExtensions.cs
+++ b/src/Microsoft.AspNetCore.Routing/LinkGeneratorRouteValuesAddressExtensions.cs
@@ -104,6 +104,7 @@ namespace Microsoft.AspNetCore.Routing
///
///
/// The URI host/authority, applied to the resulting URI. Optional. If not provided, the value will be used.
+ /// See the remarks section for details about the security implications of the .
///
///
/// An optional URI path base. Prepended to the path in the resulting URI. If not provided, the value of will be used.
@@ -114,6 +115,14 @@ namespace Microsoft.AspNetCore.Routing
/// names from RouteOptions.
///
/// A URI with an absolute path, or null.
+ ///
+ ///
+ /// The value of should be a trusted value. Relying on the value of the current request
+ /// can allow untrusted input to influence the resulting URI unless the Host header has been validated.
+ /// See the deployment documentation for instructions on how to properly validate the Host header in
+ /// your deployment environment.
+ ///
+ ///
public static string GetUriByRouteValues(
this LinkGenerator generator,
HttpContext httpContext,
@@ -155,7 +164,10 @@ namespace Microsoft.AspNetCore.Routing
/// The route name. Used to resolve endpoints. Optional.
/// The route values. Used to resolve endpoints and expand parameters in the route template. Optional.
/// The URI scheme, applied to the resulting URI.
- /// The URI host/authority, applied to the resulting URI.
+ ///
+ /// The URI host/authority, applied to the resulting URI.
+ /// See the remarks section for details about the security implications of the .
+ ///
/// An optional URI path base. Prepended to the path in the resulting URI.
/// An optional URI fragment. Appended to the resulting URI.
///
@@ -163,6 +175,14 @@ namespace Microsoft.AspNetCore.Routing
/// names from RouteOptions.
///
/// An absolute URI, or null.
+ ///
+ ///
+ /// The value of should be a trusted value. Relying on the value of the current request
+ /// can allow untrusted input to influence the resulting URI unless the Host header has been validated.
+ /// See the deployment documentation for instructions on how to properly validate the Host header in
+ /// your deployment environment.
+ ///
+ ///
public static string GetUriByRouteValues(
this LinkGenerator generator,
string routeName,