Beautiful WAF bypass I just found:
Strips specific tags, including ‘<>’.
Blocks all event handlers.
So I used ‘on<>load’ instead. It checks it; not an event handler. Then it strips the ‘<>’ and the script gets added to the page!
Example of when extra security measures is worse