Look at the server codes, the server try to filter the input then create a new page and pasting the input in there. Then the server automatically request the page.
The flag is in the same page and store in the third "

" tag . So we can try to bypass the filter to XSS and send the flag to our server by SSRF.

Full payload: 404 Not Found