diff --git a/dist/xss.js b/dist/xss.js
index 58c8285..ff05080 100644
--- a/dist/xss.js
+++ b/dist/xss.js
@@ -151,12 +151,13 @@ function safeAttrValue (tag, name, value, cssFilter) {
 if (name === 'href' || name === 'src') {
 // 过滤 href 和 src 属性
- // 仅允许 http:// | https:// | mailto: | / 开头的地址
+ // 仅允许 http:// | https:// | mailto: | / | # 开头的地址
 value = _.trim(value);
 if (value === '#') return '#';
 if (!(value.substr(0, 7) === 'http://' ||
 value.substr(0, 8) === 'https://' ||
 value.substr(0, 7) === 'mailto:' ||
+ value[0] === '#' ||
 value[0] === '/')) {
 return '';
 }
diff --git a/test/test_xss.js b/test/test_xss.js
index c69a8cd..4d8d260 100644
--- a/test/test_xss.js
+++ b/test/test_xss.js
@@ -199,6 +199,7 @@ describe('test XSS', function () {
 assert.equal(xss(''), '');
 assert.equal(xss(''), '');
 assert.equal(xss(''), '');
+ assert.equal(xss(''), '');
 assert.equal(xss(''), '');
 // 这个暂时不知道怎么处理
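Review bot: The early return `if (value === '#') return '#';` two lines above the modified condition is now subsumed by the new `value[0] === '#'` branch, so a bare `#` and a longer fragment such as `#top` take different paths only in what runs after the `if` block, which lies outside this hunk; if the rest of safeAttrValue merely escapes and returns `value`, the early return can be dropped, otherwise a comment should state why the bare `#` is special-cased, e.g. `// a bare '#' skips the escaping below; other fragments go through it`. Accepting any value whose first character (after `_.trim`) is `#` is sound from a URL-scheme standpoint, because a leading `#` makes the entire value a fragment of the current document and no scheme can follow it. The single test added in test/test_xss.js would be stronger with a fragment that contains a scheme-like substring, pinning that the prefix check is what decides and not a later substring match. The changed file is dist/xss.js, which by its path looks like build output, so presumably the same edit has to land in the library source or the next build will revert it; worth confirming. safeAttrValue starts and ends outside the hunk.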