Description
Hi, Team
Today I saw something very important: console.table() and console.clear() and document.body.remove() and document.title (variable) give the same result, not detected, even though they are used in XSS, at PL3. My request is:
curl -ig -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level: 3" -H "x-backend: coraza-caddy" --data-urlencode "q=console.table(\"DaD\")" https://sandbox.coreruleset.org/
HTTP/1.1 200 OK
Date: Thu, 10 Jul 2025 08:19:44 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
X-Unique-ID: aG93oA3ZsEJGA-19Uz89hQAAAMk
x-backend: invalid, fallback to apache-latest
x-crs-last-commit: none
Also document.scrollingElement.remove() (critical) and document.body.remove() (critical) and document.title = "Pwned", which also manipulates the title, and console.table(), which bypasses the filtered console.log().
The WAF should block suspicious DOM functions and variables etc., like console.table() and console.clear(), because they are used in XSS.
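To repeat the reporter's sandbox check over every payload named in this issue and over several paranoia levels in one go, here is an added helper script. It is not the reporter's code and not part of the CRS project; it only reproduces the request shape shown above (POST to https://sandbox.coreruleset.org/ with the x-format-output, x-crs-paranoia-level and x-backend headers). Two things it relies on are assumptions taken from the posted response rather than documented sandbox behaviour: that an empty txt-matched-rules body means no rule matched, and that a rejected backend name is reported as "x-backend: invalid, fallback to ..." (the response above shows exactly that, so the requested coraza-caddy backend was not actually tested).

```python
import urllib.parse
import urllib.request

SANDBOX_URL = "https://sandbox.coreruleset.org/"

# Payloads taken from the issue text, plus console.log("DaD") as the baseline
# that the reporter says is already filtered.
PAYLOADS = [
    'console.log("DaD")',
    'console.table("DaD")',
    'console.clear()',
    'document.body.remove()',
    'document.scrollingElement.remove()',
    'document.title = "Pwned"',
]


def form_body(payload, param="q"):
    """Encode the payload the way curl --data-urlencode "q=..." does."""
    return urllib.parse.urlencode({param: payload}).encode()


def build_request(payload, paranoia_level=3, backend="coraza-caddy", url=SANDBOX_URL):
    """Build the same request the reporter sent with curl, as a urllib Request."""
    req = urllib.request.Request(url, data=form_body(payload), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("x-format-output", "txt-matched-rules")
    req.add_header("x-crs-paranoia-level", str(paranoia_level))
    req.add_header("x-backend", backend)
    return req


def interpret(headers, body, requested_backend):
    """Summarise one sandbox answer.

    headers: a case-insensitive mapping (http.client.HTTPMessage or a dict
    with lowercase keys); body: the decoded txt-matched-rules text.
    Assumption: an empty body means no rule matched, and the sandbox reports a
    rejected backend name in the x-backend response header (as in the issue).
    """
    effective_backend = headers.get("x-backend", requested_backend)
    fallback = "invalid" in effective_backend.lower()
    matched = [line.strip() for line in body.splitlines() if line.strip()]
    return {
        "backend": effective_backend,
        "backend_fallback": fallback,
        "matched_rules": matched,
        "detected": bool(matched),
    }


def probe(payload, paranoia_level=3, backend="coraza-caddy"):
    """Send one payload to the sandbox (network access required)."""
    req = build_request(payload, paranoia_level, backend)
    with urllib.request.urlopen(req, timeout=20) as resp:
        body = resp.read().decode(errors="replace")
        return interpret(resp.headers, body, backend)


if __name__ == "__main__":
    # Sweep all payloads at PL1..PL4 and show which ones go undetected.
    for pl in range(1, 5):
        for payload in PAYLOADS:
            result = probe(payload, paranoia_level=pl)
            note = " (backend fell back!)" if result["backend_fallback"] else ""
            status = "DETECTED" if result["detected"] else "not detected"
            print(f"PL{pl} {payload!r:40} {status}{note}")
            for rule in result["matched_rules"]:
                print("    ", rule)
```

Run it without arguments to get a per-paranoia-level table; a "backend fell back!" marker means the x-backend value was rejected and the result is for the fallback backend, not the one you asked for, so it should be read the way the response in this issue should be read: as an apache-latest result.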