// Fixture for a code-injection (CWE-094) checker. Every statement below
// takes a value read from the page URL (document.location / location) and
// hands it to a sink that evaluates or compiles it, or to one that does not.
// "NOT OK" marks a statement the checker is expected to report; "OK" marks
// one it is expected to leave alone. The expressions are the test cases
// themselves, so their exact shape matters more than their tidiness.

// Substring of the URL after "default=" is executed directly.
// NOT OK
eval(document.location.href.substring(document.location.href.indexOf("default=")+8))

// A string passed to setTimeout is evaluated as code, so the fragment is a sink.
// NOT OK
setTimeout(document.location.hash);

// The protocol part of the URL is not treated as attacker-controlled here.
// OK
setTimeout(document.location.protocol);

// Hostname flows into a selector string, not into a code-evaluation sink.
// OK
$('. ' + document.location.hostname);

// The foo= query parameter is extracted and compiled via the Function constructor.
// NOT OK
Function(document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1"));

// URL-derived data compiled as WebAssembly; both the buffer and the streaming
// variants count as sinks.
// NOT OK
WebAssembly.compile(document.location.hash);

// NOT OK
WebAssembly.compileStreaming(document.location.hash);

// base64 decoding is not sanitisation: the decoded text is still executed.
// NOT OK
eval(atob(document.location.hash.substring(1)));

// Setting an inline event-handler attribute is itself a code-execution sink.
// NOT OK
$('').attr("onclick", location.search.substring(1));

// The same tainted source reaching the Function constructor through several
// call shapes. The function body is always the last argument, whatever the
// arity, so the named-parameter and spread forms must be recognised too.
(function test() {
  var source = document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1");
  new Function(source); // NOT OK
  Function(source); // NOT OK
  new Function("a", "b", source); // NOT OK
  new Function(...["a", "b"], source); // NOT OK
})();