How to bybass ASP.NET server XSS filter?

I found an endpoint that has a parameter which value is directly displayed between span tags in the website. However, the server (ASP.NET Version 4.7) does filter the param value and throws an exception when it detects a potential XSS:

A potentially dangerous Request.QueryString value was detected from the client (response=“alert(1)</sc…”).

I played a little bit around and found some interesting things about the filter, however I could not bypass it yet. Hope you could give me some inspiration.

No characters are replaced by the filter. Thus, characters like <>/*’" etc are allowed. The filter throws an exception when it detects input in form of <[letters]> but not when I try numbers instead of letters like <1> or putting a space between like < tag>. So < script>alert(1);< /script> is not filtered and displayed in the source code but not executed because of the spaces. Also <1 onload=“alert(1);”/> passed the filter but is not executed as well. Since charset is uft8 I tried \x ecoding like

\x3c\x73\x63\x72\x69\x70\x74\x3e\x61\x6c\x65\x72\x74\x28\x31\x29\x3b\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e

and percent encoding like

%3cscript%3ealert%281%29%3b%3c%2fscript%3e

Both were transferred into plain text and threw an exception.

I feel like there is a way to bypass the filter but ran out of ideas. Any hint?

Is injection into HTML body context?

Yes, as mentioned, the payload is placed between span tags.

You’re out of luck, unless you want a P5 IE only bug.

Google “Request Validation bypass”.