A bit more insight, wasn’t the first time I came across that snippet. But now realise it has nothing to do with code injection prevention but filtering out the correct anchors. I was preoccupied with the aforementioned because I just read that getting the
window.location.hash and using it in jQuery can easily create a vulnerability.
this.hash is quicker :