A new XSS WAF bypass technique has been discovered that places invisible separators before or after the function name. The payload <img/src/onerror=alert&#xFEFF;(1337)><svg/onload=&nbsp;alert&#65279;(2)> can be used to bypass XSS protection. Security researchers recommend that WAF vendors update their protection mechanisms to mitigate this bypass.
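For rule authors, the following added example (not code from the tweet or from any WAF product) runs one signature over the payload above at three normalization depths: raw, entity-decoded, and with every character JavaScript treats as whitespace mapped to an ASCII space. The rule `CALL_RULE`, the function names and the benign control string are assumptions made for the illustration.

```python
import html
import re
import unicodedata

# ECMAScript WhiteSpace and LineTerminator code points outside category Zs.
JS_SPACE = {"\t", "\v", "\f", "\ufeff", "\n", "\r", "\u2028", "\u2029"}

# Hypothetical signature for this example, not taken from any real WAF.
CALL_RULE = re.compile(r"(?:alert|confirm|prompt)\s*\(", re.IGNORECASE)


def is_js_space(ch):
    """True if a JavaScript engine skips this character as whitespace."""
    return ch in JS_SPACE or unicodedata.category(ch) == "Zs"


def normalize(value):
    """Decode HTML character references, then map JS whitespace to ' '."""
    decoded = html.unescape(value)
    return "".join(" " if is_js_space(ch) else ch for ch in decoded)


def invisible_separators(value):
    """List non-ASCII JS whitespace in the decoded value, for logging."""
    return [f"U+{ord(ch):04X}" for ch in html.unescape(value)
            if ord(ch) > 0x7F and is_js_space(ch)]


def scan(value):
    """Run the same rule at three normalization depths."""
    return {
        "raw": bool(CALL_RULE.search(value)),
        "entity_decoded": bool(CALL_RULE.search(html.unescape(value))),
        "normalized": bool(CALL_RULE.search(normalize(value))),
    }


# Payload quoted on this page, plus a constructed benign control.
PAYLOAD = "<img/src/onerror=alert&#xFEFF;(1337)><svg/onload=&nbsp;alert&#65279;(2)>"
BENIGN = "Please alert the on-call engineer (pager 2)."

if __name__ == "__main__":
    for sample in (PAYLOAD, BENIGN):
        print(scan(sample), invisible_separators(sample))
```

Entity decoding alone still misses the payload because U+FEFF is whitespace to a JavaScript engine but not to the regex engine's `\s`; the rule only fires once both layers are normalized.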
For more insights, check out the original tweet here: https://twitter.com/therceman/status/1804801839499460857.