JS: Fix a bug in isSafeClientSideUrlProperty

Author: asgerf

javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll

@@ -255,7 +255,7 @@ module TaintTracking {
     exists(StringSplitCall c |
       c.getBaseString().getALocalSource() =
         [DOM::locationRef(), DOM::locationRef().getAPropertyRead("href")] and
-      c.getSeparator() = "?" and
+      c.getSeparator() = ["?", "#"] and
       read = c.getAPropertyRead("0")
     )
   }

javascript/ql/test/library-tests/TaintedUrlSuffix/tst.js

@@ -5,7 +5,7 @@ function t1() {
 
     sink(href); // $ flow=tainted-url-suffix
 
-    sink(href.split('#')[0]); // $ MISSING: flow=tainted-url-suffix SPURIOUS: flow=taint
+    sink(href.split('#')[0]); // $ MISSING: flow=tainted-url-suffix
     sink(href.split('#')[1]); // $ flow=taint
     sink(href.split('#').pop()); // $ flow=taint
     sink(href.split('#')[2]); // $ flow=taint