
Avoid WAF blocking

Open Serizao-bzhunt opened this issue 4 months ago • 0 comments

I think it would be interesting to have several scan levels on XSS. The first is to detect simple reflections: for example, if a parameter seems to be reflected without sending additional requests. The second is to send a canary to the query parameters to get a more detailed view of reflections. And the last level is what you've implemented. For this last level, however, I recommend injecting dummy tags with fictive events, e.g. `<z xxx=a()>`. The reflection of this payload will be less likely to be caught by WAFs and will show that there is a reflection and potentially a need to find a bypass.

Serizao-bzhunt · Jul 31 '25 06:07
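
The three levels proposed in the issue above, sketched as response-analysis functions. This is an added example, not code from the issue author or the project: the function names, the 4-character threshold and the sample bodies are assumptions, and it only classifies response bodies that have already been fetched.

```python
import html

INERT_PROBE = "<z xxx=a()>"  # inert dummy tag quoted in the issue

def level1_passive(params, body):
    """Level 1: no extra requests; list parameters whose value already appears in the body."""
    # Values shorter than 4 chars are skipped (assumed threshold) to limit chance matches.
    return sorted(k for k, v in params.items() if len(v) >= 4 and v in body)

def level2_contexts(canary, body):
    """Level 2: rough context of every canary reflection, in document order."""
    contexts, pos = [], body.find(canary)
    while pos != -1:
        before = body[:pos].lower()
        if before.rfind("<script") > before.rfind("</script"):
            contexts.append("script")
        elif before.rfind("<") > before.rfind(">"):
            contexts.append("attribute")   # inside an unclosed tag
        else:
            contexts.append("html_text")
        pos = body.find(canary, pos + len(canary))
    return contexts

def level3_probe(canary, body):
    """Level 3: was canary+probe+canary reflected raw, HTML-encoded, or altered?"""
    if canary + INERT_PROBE + canary in body:
        return "raw"            # output is not encoded: report for manual review
    if canary + html.escape(INERT_PROBE) + canary in body:
        return "html_encoded"   # reflected, but neutralised by output encoding
    return "filtered" if canary in body else "absent"

if __name__ == "__main__":
    c = "cnry1a2b3c4d"  # constructed canary; a real run would use a random one
    # Constructed response bodies, not captured from any real application.
    page = f'<input value="{c}"><p>{c}</p><script>var q="{c}";</script>'
    print(level1_passive({"q": "shoes-blue", "page": "2"}, "<p>shoes-blue</p>"))
    print(level2_contexts(c, page))
    print(level3_probe(c, f"<p>{c}{INERT_PROBE}{c}</p>"))
    print(level3_probe(c, f"<p>{c}&lt;z xxx=a()&gt;{c}</p>"))
```

A `raw` result tells the application owner that output encoding is missing at that sink, while `html_encoded` shows the reflection is already neutralised there.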