A tip to bypass XSS WAF protection using invisible separators before or after the function name has been shared by @therceman. The payload <img/src/onerror=alert?;(1337)> <svg/onload= alert;(2)> can be used for this bypass. This technique can be effective against various WAF vendors. Remember to validate and sanitize user inputs to prevent XSS attacks.
Original tweet: https://twitter.com/WllGates/status/1805174505528001009