Do you... realize it's actually a live webpage you're testing on? It's not like the server checks to see if you wrote exactly the right answer. It just checks to see if an alert is fired. If it didn't work, it's because you didn't do it right.
<script>alert()</script> most certainly works unless you have noscript.
I realize it's JS, but I can see it's just dumbly parsing what I've typed as opposed to e.g. overloading alert() (which can be done: http://stackoverflow.com/questions/1729501/javascript-overri...) and demonstrating/using best practices in the source code to prevent the JS I type from actually damaging the demo itself.
For something that's really interesting, search Pinterest for "reactjs", and see if you get the "Hack Pinterest" tile as your first result. That was fun to play with!
Thanks. I'll admit this is a field I'm completely unfamiliar with. (I was actually considering bug bounty hunting in the future, thanks for the wake-up call.)
I actually noticed the ; was being removed and am very confused as to why, but forgot to mention that in my earlier comment.
Full disclosure: I didn't bother to learn about why the ; is being split. But I can hazard a guess: the Python web server treats that as a parameter separator.
Okay, URL injection, that's easy: <script>alert('hi');</script>
Or not: that didn't work.
I had to remove the semicolon for it to notice my code. At that point I immediately closed the tab.
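Added example, not part of the thread and not the demo site's code: a sketch of the guess above, showing how a query-string parser that accepts `;` as a field separator (as older versions of Python's `urllib.parse` did by default) cuts the submitted value at the semicolon, and how escaping on output neutralises the value whichever way it is parsed. The parameter name `q`, the helper names and the sample query string are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote_plus


def parse_query(qs, separators):
    """Split a raw query string on any of the given separator characters."""
    fields = {}
    for field in re.split("[" + re.escape(separators) + "]", qs):
        if "=" not in field:
            continue  # lenient parsers silently drop fields with no '='
        name, value = field.split("=", 1)
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields


# Constructed sample: the input from the comment above as it would appear in
# a URL. The parameter name "q" is hypothetical; ';' is sent unencoded.
RAW_QUERY = "q=%3Cscript%3Ealert('hi');%3C/script%3E"


def reflected_value(qs, separators):
    """Return what the application would see as the value of 'q'."""
    return parse_query(qs, separators).get("q", [""])[0]


def render(value):
    """Reflect the value into HTML with output encoding applied."""
    return "<p>You searched for: " + html.escape(value, quote=True) + "</p>"


if __name__ == "__main__":
    # Legacy behaviour: '&' and ';' both separate fields, so the value is
    # truncated at the semicolon and the trailing fragment is discarded.
    print("split on & and ; ->", reflected_value(RAW_QUERY, "&;"))
    # Current behaviour: only '&' separates fields; the value arrives whole.
    print("split on & only  ->", reflected_value(RAW_QUERY, "&"))
    # Truncation by the parser is incidental; encoding at output is the fix.
    print("escaped output   ->", render(reflected_value(RAW_QUERY, "&")))
```

The truncation is a side effect of parsing rather than a control: the page is only safe once the reflected value is encoded for the context it is written into.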