Now when I enter alert("Hacked"), shouldnt a message box be thrown.
No, of course not. alert("Hacked")
is a javascript function whereas you have Html.Raw inside an <h1>
tag.
So you end up with the following markup:
<h1>alert("Hacked")<h1>
from which you cannot expect any message boxes to be thrown. If you want to throw something make sure you are hacking it right, i.e. by typing the following in your textbox:
<script>alert("Gotcha this time")</script>