Status: Closed
Labels: 🚀 enhancement (New feature or request)

Description
According to the URL specification, the Referer header must not contain URL fragments (the part of the URL beginning with #). However, in practice many clients will simply copy the current URL into the Referer header. Since web servers have to allow fragments in the Referer header, this opens the door to attacks in the fragment part (we already detect attacks in the path and query parts of URLs in the Referer header).
We should add a new rule that targets only the fragment part of URLs in the Referer header and applies the same RCE detection that 932205 applies to the path and query parts.
See also the discussion in #3485.
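The gap described above can be shown in a few lines of Python. The following is an added example, not code from the CRS project, and its detection pattern is a deliberately small constructed stand-in (`TOY_RCE_PATTERN`), not the signature used by rule 932205. It splits a Referer value into path, query and fragment, runs the same check over each part, and shows that a check limited to path and query never sees a payload carried in the fragment, including a percent-encoded one. All sample Referer values are constructed.

```python
"""Fragment-aware Referer inspection (added example; not CRS rule code)."""
import re
from urllib.parse import unquote, urlsplit

# Constructed toy signature: a shell metacharacter followed by a short command
# name. Real CRS rules are far broader; this only illustrates the mechanism
# of applying one check to each URL part separately.
TOY_RCE_PATTERN = re.compile(r"[;|&`$(]\s*(?:id|whoami|uname)\b", re.IGNORECASE)


def split_referer(referer: str) -> dict:
    """Split a Referer value into the parts a rule might inspect.

    The URL spec says the fragment must not be sent, but many clients copy
    the full URL, so the fragment must be treated as attacker-controlled.
    Each part is percent-decoded so an encoded payload is not missed.
    """
    parts = urlsplit(referer)
    return {
        "path": unquote(parts.path),
        "query": unquote(parts.query),
        "fragment": unquote(parts.fragment),
    }


def path_query_only_match(referer: str) -> bool:
    """Mimics a rule that inspects only path and query (the existing coverage)."""
    p = split_referer(referer)
    return bool(TOY_RCE_PATTERN.search(p["path"]) or TOY_RCE_PATTERN.search(p["query"]))


def fragment_match(referer: str) -> bool:
    """The proposed additional check: the same detection applied to the fragment only."""
    return bool(TOY_RCE_PATTERN.search(split_referer(referer)["fragment"]))


def inspect_referer(referer: str) -> dict:
    """Report which URL region (if any) triggered the toy signature."""
    return {
        "path_query": path_query_only_match(referer),
        "fragment": fragment_match(referer),
    }


# Constructed sample Referer values (not captured traffic).
SAMPLES = {
    "benign_anchor": "https://example.test/docs/page?lang=en#section-2",
    "query_payload": "https://example.test/search?q=;id",
    "fragment_payload": "https://example.test/docs/page#;id",
    "encoded_fragment_payload": "https://example.test/docs/page#%3Bid",
}

if __name__ == "__main__":
    for name, ref in SAMPLES.items():
        print(f"{name:26s} {inspect_referer(ref)}")
```

Running it prints one line per sample; only the two fragment samples are caught by `fragment_match`, while `path_query_only_match` is blind to them, which is exactly the coverage the proposed rule would add.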