The tweet pokes fun at a common misconception among clients: that having a Web Application Firewall (WAF) in place means Cross-Site Scripting (XSS) is no longer a concern. The author's point is that bypassing a WAF to deliver XSS has become so frequent and routine for security professionals that a "WAF bypass day" is like a holiday. The tweet names no specific payload or vendor, so there are no technical details of any particular bypass to discuss. The takeaway is that a WAF can reduce exposure to XSS but is not foolproof; attackers regularly find ways around it, so relying on a WAF alone is risky and additional security measures should be implemented in the application itself.
My favorite client meeting moment: "We have a WAF, so we don't need to worry about XSS"
Sure buddy. WAF bypass day is basically a holiday at this point ? https://t.co/YnTSesQtuH
— Evan Klein (@EvanKlein338226) March 27, 2026