The code here uses urldecode(str_replace("{", "", ...)), which is intended to be safe against XSS. However, there is a way to trigger a popup using a carefully crafted payload. Can you figure it out? Remember, we replace "{", and that replacement runs on the raw input before urldecode() is applied to it.
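The order of the two calls is the whole point of this lab, so here is an added worked example (not the lab's own code) that reproduces the filter exactly as described, runs it beside a version with the calls swapped, and feeds both a constructed set of inputs. The function names lab_filter and fixed_filter and the test inputs are assumptions made for this illustration; the page does not say which context makes "{" dangerous, so the example only shows whether a brace survives the filter.

```php
<?php
// Added example, not the lab's own code. Reproduces the filter as the lab
// describes it and compares it with the calls in the opposite order.

// The lab's filter: strip "{" first, then URL-decode the result.
function lab_filter(string $input): string
{
    return urldecode(str_replace("{", "", $input));
}

// Assumed fix (not from the lab): decode first, then strip, so a brace
// that was hidden behind percent-encoding is removed after it reappears.
function fixed_filter(string $input): string
{
    return str_replace("{", "", urldecode($input));
}

// Constructed inputs. These are the strings the application sees, i.e.
// after PHP has already URL-decoded the query string once. To make the
// application see the literal text "%7B", the URL must carry it
// double-encoded, e.g. ?input=%257B.
$cases = [
    "{",      // literal brace: both filters strip it
    "%7B",    // reaches the app from ?input=%257B; lab_filter turns it into "{"
    "%257B",  // reaches the app from ?input=%25257B; no brace after one decode
];

foreach ($cases as $c) {
    printf(
        "input=%-8s lab_filter=%-5s fixed_filter=%s\n",
        var_export($c, true),
        var_export(lab_filter($c), true),
        var_export(fixed_filter($c), true)
    );
}
```

Running it shows the bug in one line: for the input "%7B", str_replace finds no "{" to remove, and urldecode() then produces the brace the filter was meant to keep out, whereas the swapped order strips it. One caveat: the swapped order only removes the brace that one decode reveals; if anything downstream (a second urldecode(), a JavaScript decodeURIComponent() on the client) decodes the value again, the same bypass returns one encoding layer deeper, so the real fix is to validate or encode the value at the point where it is used, not to filter characters before decoding.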
The following block displays the input parameter after processing:
This lab also includes other parameters to explore: