As per usual, there are solutions for all challenges
Can you get the page to calculate 7*7 and output 49 all on it's own?
Can you also get a pop-up? This will require you to escape the sandbox.
The code here is ....urldecode(...strreplace({})) which is safe against not XSS, but we can still get a popup by using the following payload: ... Oh wait, you will have to find that online :) remember, we replace { this will echo the $_GET parameter 'input':