As per usual, there are solutions for all challenges
Can you get the page to calculate 7*7 and output 49 all on it's own?
Can you also get a pop-up? This will require you to escape the sandbox.
This is a simple AngularJS application. The code here is ... which is safe not against XSS, yet we can get a popup by using the following payload: ... Oh wait, you will have to find that online :) and rememebr that you can not use {} but urldecode .... this will echo the $_GET parameter 'input':