This tweet highlights a beautiful and instructive technique for bypassing web application firewalls (WAFs) that filter cross-site scripting (XSS) payloads. The bypass is remarkable because it uses HTML injection (HTMLi) within a JavaScript context, combined cleverly with JavaScript hoisting. This approach tricks the WAF's filtering more effectively and concisely than the original payload used for the related CVE, which was much longer. JavaScript hoisting, the behavior where variable and function declarations are moved to the top of their scope before the code executes, likely enables bypassing filtering logic that relies on pattern matching or static payload analysis. Although the specific vendor is not mentioned, the technique demonstrates creative use of web technologies to evade WAF detection and highlights the difficulty of designing secure and robust WAF rules against sophisticated XSS attacks. Web security practitioners should study this example to improve their understanding of WAF evasion methods and consider similar attack patterns when implementing or tuning WAFs.
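To make the hoisting behavior concrete, here is an added example (not code from the tweet or from the affected vendor) showing how the JavaScript engine treats declarations differently from their textual order. It matters for defenders because any rule that reasons about a script from its source text alone, such as "this identifier is used before it is defined, so the script cannot run", is judging the text rather than the semantics. The three functions are illustrative names chosen for this example; each returns what actually happens at runtime.

```javascript
// Added example: what JavaScript hoisting does to declaration order.
// None of this is from the original tweet; function names are illustrative.

// 1. Function declarations are hoisted together with their body, so a call
//    that textually precedes the declaration still succeeds.
function callBeforeDeclaration() {
  const result = later();            // `later` is already defined here
  function later() { return "hoisted function"; }
  return result;
}

// 2. `var` declarations are hoisted as a binding only: the name exists from
//    the top of the function, but holds undefined until the assignment runs.
function varHoisting() {
  const before = typeof x;           // "undefined": binding present, no value
  var x = 42;
  return { before, after: x };
}

// 3. `let`/`const` are also hoisted, but into a temporal dead zone: reading
//    them before the declaration line throws instead of yielding undefined.
function letTemporalDeadZone() {
  let outcome;
  try {
    outcome = y;                     // throws: `y` is hoisted but uninitialised
  } catch (e) {
    outcome = e.constructor.name;    // "ReferenceError"
  }
  let y = 1;                         // declaration later in the same scope
  return outcome;
}

// Collects the three observations so a reader can see them side by side.
function hoistingReport() {
  return {
    functionDeclaration: callBeforeDeclaration(),
    varDeclaration: varHoisting(),
    letDeclaration: letTemporalDeadZone(),
  };
}

console.log(hoistingReport());
```

The practical lesson for rule authors is that the order in which tokens appear in a payload says little about the order in which the engine binds and executes them, so detection that keys on source-text ordering is brittle; robust defenses against XSS in a JavaScript context come from context-aware output encoding on the application side rather than from pattern-based filtering alone.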