Bitrix WAF bypass
In Russian: https://blog.deteact.com/ru/bitrix-waf-bypass/

UPD: CVE-2020-13758 assigned

Sometimes, when exploiting reflected XSS, the input parameters get injected directly into the body of the <script> tag. Typically, this means that the exploit is trivial: HTML entity encoding