Just tried to hack one of my own sites and happy to confirm that it is protected from basic XXS attack using WAF. ?
2 mins of reading and I believe I can bypass the WAF ?
Fix: User input should be output encoded in correct context where it is copied into response application.