How to bybass ASP.NET server XSS filter?

I found an endpoint that has a parameter which value is directly displayed between span tags in the website. However, the server (ASP.NET Version 4.7) does filter the param value and throws an exception when it detects a potential XSS:

A potentially dangerous Request.QueryString value was detected from the client (response=“alert(1)</sc…”).

I played a little bit around and found some interesting things about the filter, however I could not bypass it yet. Hope you could give me some inspiration.

No characters are replaced by the filter. Thus, characters like <>/*’" etc are allowed. The filter throws an exception when it detects input in form of <[letters]> but not when I try numbers instead of letters like <1> or putting a space between like < tag>. So < script>alert(1);< /script> is not filtered and displayed in the source code but not executed because of the spaces. Also <1 onload=“alert(1);”/> passed the filter but is not executed as well. Since charset is uft8 I tried \x ecoding like


and percent encoding like


Both were transferred into plain text and threw an exception.

I feel like there is a way to bypass the filter but ran out of ideas. Any hint?