See D8517. I don't immediately have a clean way to defuse this, although our global intercept of the code parameter is likely sufficient to prevent it, as is disabling "Client OAuth Login" in, e.g., the Facebook configuration. The three obvious options are:
- Add an empty anchor if the URL doesn't have one (but this is messy from a user perspective).
- Don't do anything and rely on code / configuration protections (or do something like just document this stuff).