Beautiful WAF bypass I just found:

Strips specific tags, including ‘<>’.
Blocks all event handlers.

So I used ‘on<>load’ instead. It checks it; not an event handler. Then it strips the ‘<>’ and the script gets added to the page!

Example of when extra security measures is worse