See D8517. I don't immediately have a clean way to defuse this, although our global intercept of the `code` parameter is likely sufficient to prevent it, as is disabling "Client OAuth Login" in, e.g., the Facebook configuration. The three obvious options are:
- Add an empty anchor if the URL doesn't have one (but this is messy from a user perspective).
- Don't do anything and rely on `code` / configuration protections (or do something like just document this stuff).
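The first option (always emitting an anchor), sketched as an added example; this is not Phabricator's code and not part of the original post. It assumes the concern is the standard browser rule (RFC 7231 section 7.1.2) that a redirect whose `Location` has no fragment inherits the fragment of the URL that issued the redirect. The function names and all URLs and token values are constructed for illustration.

```python
from urllib.parse import urljoin


def has_fragment(uri: str) -> bool:
    # An empty fragment ("...#") still counts as a fragment. urlsplit()
    # reports "" for both "no fragment" and "empty fragment", so test
    # for the delimiter itself.
    return "#" in uri


def with_empty_anchor(uri: str) -> str:
    """Mitigation: make sure a redirect target always carries a fragment."""
    return uri if has_fragment(uri) else uri + "#"


def browser_follow(current_url: str, location: str) -> str:
    """Simplified model of a browser resolving a 3xx Location header.

    Assumption (RFC 7231 section 7.1.2): when Location has no fragment,
    the user agent keeps the fragment of the URL that redirected.
    """
    target = urljoin(current_url, location)
    if not has_fragment(location) and has_fragment(current_url):
        target += "#" + current_url.split("#", 1)[1]
    return target


# Constructed sample: a page reached with a credential in the fragment,
# which then redirects to another origin.
LANDED = "https://login.example.test/callback#access_token=CONSTRUCTED"
REDIRECT = "https://other.example.test/next?x=1"


def demo():
    unmitigated = browser_follow(LANDED, REDIRECT)
    mitigated = browser_follow(LANDED, with_empty_anchor(REDIRECT))
    return unmitigated, mitigated


if __name__ == "__main__":
    for label, url in zip(("without anchor", "with empty anchor"), demo()):
        print(f"{label}: {url}")
```

The trailing `#` is visible in the address bar after the redirect, which is the user-facing messiness the option mentions.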