URI fragments are not sent with HTTP requests, so they need to be interpreted by client-side
JavaScript. You should be careful that your treatment of URI fragments does not permit the
injection of malicious JavaScript. Let's see how a site might be vulnerable to DOM-based XSS
attacks.
