You know when it’s coming from Gareth Heyes you did something right!
XSS WAF bypass using multi-character HTML entities like >⃒ or <⃒ which are interpreted by the server respectively as 'less than' and greater than symbols (plus some other unicode character).
Shout out also to @therceman!
