allow urls that are prefixed with # or ? in js/unsafe-external-link

javascript/ql/src/DOM/TargetBlank.ql

@@ -29,7 +29,7 @@ predicate hasDynamicHrefHostAttributeValue(DOM::ElementDefinition elem) {
     or
     exists(string url | url = attr.getStringValue() |
       // fixed string with templating
-      url.regexpMatch(Templating::getDelimiterMatchingRegexp()) and
+      url.regexpMatch(Templating::getDelimiterMatchingRegexpWithPrefix("[^?#]*")) and
       // ... that does not start with a fixed host or a relative path (common formats)
       not url.regexpMatch("(?i)((https?:)?//)?[-a-z0-9.]*/.*") and
       // ... that is not a mailto: link

javascript/ql/src/semmle/javascript/frameworks/Templating.qll

@@ -39,4 +39,15 @@ module Templating {
   string getDelimiterMatchingRegexp() {
     result = "(?s).*(" + concat("\\Q" + getADelimiter() + "\\E", "|") + ").*"
   }
+
+  /**
+   * Gets a regular expression that matches a string containing one
+   * of the known template delimiters identified by `getADelimiter()`,
+   * storing it in its first (and only) capture group.
+   * Where the string prior to the template delimiter matches the regexp `prefix`.
+   */
+  bindingset[prefix]
+  string getDelimiterMatchingRegexpWithPrefix(string prefix) {
+    result = "(?s)" + prefix + "(" + concat("\\Q" + getADelimiter() + "\\E", "|") + ").*"
+  }
 }

javascript/ql/test/query-tests/DOM/TargetBlank/tst.html

@@ -29,5 +29,10 @@
 <h1>OK: mailto is fine.</h1>
 <a target="_blank" href="mailto:{{var:mail}}">mail somone</a>
 
+<h1>OK: template elements after # or ? are fine.</h1>
+<a href="file.extension?#[% row.href %]" target="_blank">Example</a>
+<a href="file.extension?[% row.href %]" target="_blank">Example</a>
+<a href="file.extension#[% row.href %]" target="_blank">Example</a>
+
 </body>
 </html>