A bug bounty tip suggests using HTML encoded backquote ` symbol to bypass XSS WAF restrictions in HTML events. The payload includes &grave; and &DiacriticalGrave; to execute the alert function, as shown with alert&grave;1&grave; and alert&DiacriticalGrave;1&DiacriticalGrave;. Additionally, an example of injecting JavaScript code into an anchor tag is provided with <a href="javascript:PAYLOAD">go</a>. This technique can be used to evade WAF protections against XSS vulnerabilities.
Bug Bounty Tip
Don’t forget that you can use HTML encoded backquote ` symbol to bypass the XSS WAF restriction of () in HTML events.
?`
?`alert`1`
alert`1`<a href="javascript:PAYLOAD">go</a>
Cheers!
— Anton (@therceman) June 19, 2024