However, there is a vulnerability in the way the URI fragment is interpreted by this site. The site updates the page number directly from the URI fragment, without checking the contents.
Dangerous use of innerHTML
window.addEventListener('load', function() { const page = window.location.hash.substr(1); loadPage(page); document.getElementById('page-no').innerHTML = page; });