Yesterday, during a pentest, I managed to bypass the latest version of Reblaze WAF in order to get XSS (it can’t handle events like ondrag and not even the use of print()). This taught me that the more a vendor flexes its customers and how secure it is, the more it sucks.