XSS challenge

Rules:

• Please enter some HTML. It gets sanitized and shown in the iframe.
• The task is: execute alert(1) (it must actually execute so you have to bypass CSP as well).
• The solution must work on current version of at least one major browser (Chrome, Firefox, Safari, Edge).
• If you find a solution, please DM me at Twitter: @SecurityMB.
• The challenge is over! @terjanq made a great write up!

Solvers:

• @bonaff3
• @haqpl
• @fluxfingers
• @terjanq
• @zoczus
• @Abdulahhusam
• @RootEval
• @BenHayak
• @insertScript and @garethheyes
• @sirdarckcat