XSS例題

alert(1)を実行させてください。ただし、リンク先のサーバへの細工は一切出来ないものとします(javascriptスキームへのリダイレクトとかは禁止ということで)。

Execute alert(1). You may not tamper with the server that the IMG element links to (for example, redirecting to a "javascript:" URL is not allowed).

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>XSS challange ( execute alert())</title>
<script type="text/javascript">
// Handle to the popup window shared by exec() and finish().
// Stays null until exec() opens the popup on its first call.
var w = null;
/**
 * Denylist filter for the text that addImg() places in an <img src="..."> value.
 *
 * Returns false for the empty string, for any character that compares
 * less than or equal to a space, for any of < > " ' & : ? + %, and for a
 * value that starts with "//". Everything else returns true.
 *
 * NOTE(review): this only rejects known-bad characters; it does not make the
 * value safe by itself. The caller still has to encode it and emit the
 * surrounding markup correctly.
 *
 * @param {string} url - candidate value for the src attribute
 * @returns {boolean} true when none of the rejection rules match
 */
function isValidUrl(url) {
  var forbidden = "<>\"'&:?+%";
  var size = url.length;
  if (size == 0) {
    return false;
  }
  var pos = 0;
  while (pos < size) {
    var ch = url.charAt(pos);
    // A space and everything sorting below it (control characters) is refused,
    // as is every character in the denylist.
    if (ch <= " " || forbidden.indexOf(ch) != -1) {
      return false;
    }
    pos++;
  }
  // A leading "//" would be a protocol-relative reference to another host.
  var startsWithDoubleSlash =
    size >= 2 && url.charAt(0) == "/" && url.charAt(1) == "/";
  return !startsWithDoubleSlash;
}

/**
 * Appends an <img> tag for `url` to the popup document.
 *
 * The popup is resized to 200x200 first. If isValidUrl() rejects `url` the
 * function returns without writing anything. Otherwise the tag is emitted
 * with three separate document.write() calls: the opening markup, the
 * encodeURI() result, and the closing quote and bracket.
 *
 * NOTE(review): the catch below discards every exception raised in the try
 * body, not only the one from resizeTo() that its comment mentions. Because
 * the tag is written in three pieces, an exception raised after the first
 * write leaves an unterminated src attribute in the popup's stream, and
 * anything written later is parsed inside it. encodeURI() is one such source:
 * it throws URIError on malformed UTF-16 input. A safer shape is to compute
 * the encoded value first and write the complete tag in one call (or build
 * the element with createElement/setAttribute), with the try/catch limited
 * to resizeTo().
 *
 * @param {Window} w - popup window to write into (shadows the global `w`)
 * @param {string} url - text taken from the form field
 */
function addImg(w, url) {
  try {
    w.resizeTo(200,200);
    // Nothing is written for a value the denylist refuses.
    if (!isValidUrl(url)) return;
    // Write 1 of 3: opens the tag and the quoted attribute.
    w.document.write("<img src=\"");
    // Write 2 of 3: the encoded value; an exception here skips write 3.
    w.document.write(encodeURI(url));
    // Write 3 of 3: closes the attribute and the tag.
    w.document.write("\">");
  } catch (e) {/*resizeTo may throw exception */}
}
/**
 * Click handler for the "ADD IMG" button.
 *
 * On the first call it opens the popup, stores it in the global `w`, and
 * writes the start of the document (head, charset, title, opening body).
 * On every call it passes the current value of the #i1 field to addImg().
 * The popup document is not closed here, so later calls keep appending to
 * the same stream; finish() closes it.
 */
function exec() {
  if (!w) {
    w = window.open();
    var preamble = [
      "<html><head>",
      "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\">",
      "<title>target<\/title><\/head>\n<body>\n"
    ];
    // Written piece by piece, in the same order as the markup reads.
    for (var k = 0; k < preamble.length; k++) {
      w.document.write(preamble[k]);
    }
  }
  var field = document.getElementById("i1");
  addImg(w, field.value);
}
/**
 * Click handler for the "finish" button: closes the popup's document stream
 * if a popup has been opened, and does nothing otherwise.
 */
function finish() {
  if (!w) {
    return;
  }
  w.document.close();
}
 //Bug fix (!w) to (w), thanks to id:hasegawayosuke
</script>
</head>
<body>
<form>
  <input type="text" id="i1" value="">
  <input type="button" onclick="exec()" value="ADD IMG">
 <input type="button" onclick="finish()" value="finish">
</form>
</body>
</html>

LinuxではXSSを可能にする文字が入力できないかもしれません (On Linux, it may not be possible to type the character needed to trigger the XSS.)