As per usual, there are solutions for all challenges
Can you get the page to calculate 7*7 and output 49 all on it's own?
Can you also get a pop-up? This will require you to escape the sandbox.

the code here is safe against XSS, yet we can get a popup by using the following payload: ... Oh wait, you will have to find that online :) this will echo the $_GET parameter 'input':