Challenge
This is the vulnerable script on the challenge page:
<!-- Challenge -->
<h2 id="spaghet"></h2>
<script>
spaghet.innerHTML = (new URL(location).searchParams.get('somebody') || "Somebody") + " Toucha Ma Spaghet!"
</script>
Solution
We only need to inject a simple XSS payload: an img tag whose alt attribute displays some text on the page, plus an onclick or onmouseover handler to execute our JavaScript.
Creator solution
The solution given by the creator of the game is as follows:
<svg onload=alert(1337)>
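Both payloads work because the challenge script assigns the `somebody` parameter to `innerHTML` without escaping it. The following is an added example, not part of the challenge or the creator's code, showing two ways to harden that script; the function names and the `example.test` URLs are assumptions, and `el` stands for the `<h2 id="spaghet">` element.

```javascript
// Added example: hardened versions of the challenge's greeting script.
// `el` is any object exposing textContent / innerHTML; in a browser,
// pass document.getElementById('spaghet').

// Read the `somebody` parameter exactly as the challenge does,
// falling back to "Somebody" when it is missing or empty.
function somebodyFrom(href) {
  return new URL(href).searchParams.get('somebody') || 'Somebody';
}

// Fix 1 (preferred): assign as text, so the value is never parsed as markup.
function renderAsText(el, href) {
  el.textContent = somebodyFrom(href) + ' Toucha Ma Spaghet!';
  return el;
}

// Fix 2: if innerHTML must be used, escape every character that can
// open a tag, an attribute value or an entity before concatenating.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderEscaped(el, href) {
  el.innerHTML = escapeHtml(somebodyFrom(href)) + ' Toucha Ma Spaghet!';
  return el;
}

// Constructed sample input: the creator's payload, URL-encoded.
const SAMPLE_URL =
  'https://example.test/?somebody=%3Csvg%20onload%3Dalert(1337)%3E';

// Using a plain object as a stand-in element so this also runs outside a browser.
console.log(renderAsText({}, SAMPLE_URL).textContent);
console.log(renderEscaped({}, SAMPLE_URL).innerHTML);
```

With either fix the payload is displayed as literal text inside the heading instead of being parsed into an element with an event handler.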