Sources from the location.hash and sinks into various javascript functions.

• Location.hash - assign - assign
• Location.hash - documentwrite
• Location.hash - documentwriteln
• Location.hash - eval
• Location.hash - innerHtml
• Location.hash - range.createContextualFragment
• Location.hash - replace
• Location.hash - setTimeout
• Location.hash - function


• Location.hash - onclick setAttribute
• Location.hash - onclick addEventListener
• Location.hash - javascript url
• Location.hash - inline event handler
• Location.hash - form action

Sources from the raw location and sinks into various javascript functions.

• location - assign
• location - documentwrite
• location - documentwriteln
• location - eval
• location - innerHtml
• Location - range.createContextualFragment
• location - replace
• Location - setTimeout

Various other sources and sinks: the first value represents the DOM source, the second the JS sink.

• documentURI - documentwrite
• baseURI - documentwrite
• location.href - documentwrite
• location.pathname - documentwrite
• location.search - documentwrite
• URL - documentwrite
• URL Unencoded - documentwrite