XSS

[lkrids]

https://github.com/LukeAskew/Front-End-Standards/blob/master/JavaScript/Security.md
-- the hash is just a string, it never gets evaled or inserted in dom. Does that allow xss?

[lukeaskew]

You are correct.

I pulled this snippet from an issue we had on an HP site. There was some additional AJAX things happening as well. I will work to complete the example.