in fact the challenge is messed up ,
you could simply alert(1) in the web console and it will alert the flag
but the point is javascript injection so the proper solution is using an image tag like this: