False positives


So, first off - if this isn’t the right place to ask this, I’m sorry. If anyone can recommend a better place on reddit, that would be ace!! (I’ve already posted it in r/javascript)

Next… the problem:

We have a WAF in front of our application. As part of the application, users can enter rich text and store it away into the database - this is fine, but sometimes the HTML being stored can trigger false positive alerts on the firewall. We were thinking of getting around this by encoding and decoding the data in the browser with JavaScript (using btoa and atob functions). While this stops the WAF from giving us the false positives, it creates a security flaw in allowing potentially harmful scripts to run.

Can anyone think of any way to get around / solve this issue?

Thanks for the help in advance.
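The render side of the scheme the post describes, with the decoded HTML reduced to an allowlist of attribute-free formatting tags before it is inserted, as an added example that is not part of the original post. The tag allowlist and the function names are assumptions, and Node's Buffer stands in for the browser's atob().

```javascript
// Added example: decode the base64 that the browser produced with btoa(),
// then reduce the HTML to attribute-free allowlisted tags before rendering.
// Everything else is entity-escaped, so the blob the WAF never inspected
// cannot carry scripts or event-handler attributes into the page.
// Assumption: the rich-text editor only needs these formatting tags.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'u', 'em', 'strong', 'br', 'ul', 'ol', 'li']);

// Escape the characters that can start markup or an attribute value.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Keep only bare tags such as <b> or </p>. A tag carrying attributes does not
// match the pattern at all, so it is escaped along with the surrounding text;
// a bare tag outside the allowlist is escaped rather than passed through.
function sanitizeRichText(html) {
  const tagPattern = /<\/?([a-zA-Z][a-zA-Z0-9]*)\s*\/?>/g;
  let out = '';
  let last = 0;
  for (const m of html.matchAll(tagPattern)) {
    out += escapeHtml(html.slice(last, m.index));
    const name = m[1].toLowerCase();
    const isClose = m[0].startsWith('</');
    out += ALLOWED_TAGS.has(name) ? `<${isClose ? '/' : ''}${name}>` : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(html.slice(last));
}

// Stand-in for the browser's atob(): btoa/atob only handle Latin-1, so a real
// deployment should encode UTF-8 explicitly before base64.
function decodeStored(b64) {
  return Buffer.from(b64, 'base64').toString('latin1');
}

// What the page should insert into the DOM instead of the raw decoded string.
function renderStored(b64) {
  return sanitizeRichText(decodeStored(b64));
}
```

The WAF still cannot see the encoded field, so this only stays safe if the sanitizer runs on every render path, including server-side ones.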
