DOM-XSS through location.hash with sanitization test