When trying to add the relevant alert after the “incorrect pass” alert, using firefox’s firebug it seems that the modified script gets reevaluated.
This causes “code…” to be a valid password for the JS (but of course, not for the PHP). The series of alerts caused by this is a bit strange (“wrong pass”, “wrong pass”, “[empty]”, “wrong pass”, “code…”), but anyway they give no clue of the needed password for the PHP.
I managed to work around this by downloading the page and changing the actual source, but people using firebug (and any other tool which reevaluates the modified script) will indeed not be able to find the needed code using an alert in the submit function’s code. And that might be the source of the difficulties people describe regarding this level.
A simple fix for that would be separating thecode’s assignment to an inline script of it’s own, above the script it is currently included in.
