I dont think its a hack try passing plain texts gets same alert box by eliminating xss tags <,>,(,),",'
[To see links please register here]
I think <script> , alert(" ") are filtered and only string is passed so its showing final result as string in alert
Then add string in brackets and hit enter both brackets eliminited and only string is shown
now again pass <"Hii its not easy to hack me"> again < & > & " are removed so its not hack what ever you passed except string is filtered and only string is displayed
Hope you cleared actually what was that