URI fragments are not sent with HTTP requests, so they need to
be interpreted by client-side JavaScript. You should be careful
that your treatment of URI fragments does not permit the injection of
malicious JavaScript. Let's see how a site might be vulnerable to
DOM-based XSS attacks.