This post describes a new bypass of Cloudflare's Web Application Firewall (WAF) that targets Cross-Site Scripting (XSS) filtering. The bypass uses a URL-encoded payload: %3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E. Decoded, it reads <SVG/oNlY=1 ONlOAD=confirm(document.domain)>, a variation of an SVG tag with an onload event handler that triggers a JavaScript confirm dialog showing the document's domain.

The technique exploits how Cloudflare's WAF interprets and filters unusual or malformed SVG tags and attributes. Writing the common 'onload' attribute as 'ONlOAD' with mixed-case letters may evade standard WAF filters that expect lower-case HTML event handlers, while the browser, which treats HTML attribute names case-insensitively, still registers it as onload. This allows an attacker to inject malicious scripts that execute when the SVG is loaded in a browser, resulting in a successful XSS attack despite the presence of Cloudflare WAF protection.

Such bypasses highlight the importance of continuously updating WAF rules and the challenge of filtering HTML5 and SVG content with non-standard attribute usage or case variations.
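The filtering gap described above, shown from the defender's side as an added example that is not code from the post or from Cloudflare. NAIVE_RULE is a hypothetical stand-in for a case-sensitive rule (the post does not show Cloudflare's actual rules), and the function names are assumptions; the second check normalizes the input the way an HTML parser reads it before looking for event-handler attributes.

```python
import re
from urllib.parse import unquote

# Hypothetical stand-in for a rule that expects lower-case handlers after
# whitespace. This is NOT Cloudflare's actual rule, which the post does not show.
NAIVE_RULE = re.compile(r"<\w+[^>]*\son\w+\s*=")

# A start tag, and inside it any attribute whose name begins with "on".
# HTML parsers lower-case attribute names and accept "/" as a separator
# after the tag name, so the check does the same.
START_TAG = re.compile(r"<[a-z][^>]*>?", re.IGNORECASE)
ON_ATTR = re.compile(r"[\s/]+(on[a-z]+)\s*=", re.IGNORECASE)


def normalize(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so nested encoding is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_rule_hits(raw):
    """True if the case-sensitive stand-in rule flags the decoded input."""
    return NAIVE_RULE.search(normalize(raw)) is not None


def handler_attributes(raw):
    """Return lower-cased on* attribute names found in any start tag."""
    text = normalize(raw)
    names = []
    for tag in START_TAG.finditer(text):
        names += [m.group(1).lower() for m in ON_ATTR.finditer(tag.group(0))]
    return names


if __name__ == "__main__":
    samples = [
        "%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E",  # from the post
        "%3Csvg%20onload=confirm(document.domain)%3E",  # constructed
        '<svg width="10" height="10"></svg>',  # constructed, benign
    ]
    for s in samples:
        print(naive_rule_hits(s), handler_attributes(s), s)
```

The normalized check is deliberately conservative: it reports every attribute whose name starts with "on", so oNlY is flagged alongside the real handler.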