diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
index b0a3972b9..3916f8596 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
@@ -57,8 +57,9 @@ sub processHook {
 $self->logger->debug("Not a code ref: $sub");
 }
 }
- if ($err != PE_OK) {
- $self->logger->warn("Hook $hookName returned ".portalConsts->{$err});
+ if ( $err != PE_OK ) {
+ $self->logger->warn(
+ "Hook $hookName returned " . portalConsts->{$err} );
 }
 return $err;
 }
@@ -155,7 +156,7 @@ sub controlUrl {
 }

 # Unprotected hosts
- my ( $proto, $vhost, $appuri ) = $tmp =~ m#^(https?://)([^/]*)(.*)#;
+ my ( $proto, $vhost, $appuri ) = $tmp =~ m{^(https?://)([^/#?]*)(.*)};
 $vhost =~ s/:\d+$//;

 # Try to resolve alias
diff --git a/lemonldap-ng-portal/t/01-Reject-Hashes-in-URL.t b/lemonldap-ng-portal/t/01-Reject-Hashes-in-URL.t
new file mode 100644
index 000000000..cb45007a4
--- /dev/null
+++ b/lemonldap-ng-portal/t/01-Reject-Hashes-in-URL.t
@@ -0,0 +1,29 @@
+use Test::More;
+use strict;
+use IO::String;
+use MIME::Base64;
+
+require 't/test-lib.pm';
+
+my $res;
+
+my $client = LLNG::Manager::Test->new(
+ { ini => { logLevel => 'debug', useSafeJail => 1 } } );
+
+ok(
+ $res = $client->_get(
+ '/',
+ query => 'url='
+ . encode_base64( 'http://bad.com#test.example.llng', '' )
+ ),
+ 'Try http://bad.com#test.example.llng'
+);
+expectReject($res);
+ok( $res->[2]->[0] =~ /37/, 'Rejected with PE_BADURL' )
+ or print STDERR Dumper( $res->[2]->[0] );
+
+count(2);
+
+clean_sessions();
+
+done_testing( count() );
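Review bot: The new host class `[^/#?]*` in controlUrl is still a deny-list, so any other character a browser treats as ending or re-scoping the authority (a backslash, or an `@` introducing userinfo) is still captured into `$vhost` and carried into the alias and trusted-host checks. After the match I would reject anything that is not a plain host with an optional port, for example `return PE_BADURL unless defined $vhost and $vhost =~ /\A[A-Za-z0-9.-]+(?::\d+)?\z/;`, widening the class if bracketed IPv6 literals must be accepted and adjusting the return if controlUrl signals rejection differently. The match result is also used unchecked: when `$tmp` does not begin with `http://` or `https://`, `$vhost` is undef at `s/:\d+$//`, unless code outside this hunk already guarantees the scheme. controlUrl starts and ends outside the hunk, so how `$vhost` is finally compared with the trusted domains is not visible here.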
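Review bot: The new test exercises only the `#` case, while the regex change in controlUrl also removes `?` from the host class; a second request built with `encode_base64( 'http://bad.com?test.example.llng', '' )` followed by the same `expectReject($res)` check would pin that half of the fix as well. The assertion `$res->[2]->[0] =~ /37/` passes on any response body that contains the digits 37 anywhere, so it should match the error code in its surrounding context and not the bare number. `Dumper` is called in the failure branch but `Data::Dumper` is not loaded in this file, so unless `t/test-lib.pm` provides it the diagnostic itself will die; `use warnings;` is also missing next to `use strict;`.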