If he can get a reference to the window or 'this' at any point (which I haven't yet figured out), he can presumably use his string-building tricks to build the string "alert", then use:
(it's lucky that all of the letters in "alert" can be found in "true" and "false", although "undefined", "NaN" and "[object Object]" could probably be used too.)
It's quite clever, the script gets a reference to the function prototype by making the string "constructor" and calling (0)["constructor"]["constructor"]. Calling Function on a string returns a new function with the string as the body, which you can then execute.
So he's doing 0["constructor"] which gives the constructor of a number, Number.
Then he's 0["constructor"]["constructor"] gives the constructor of Number, which is like a function, so he gets Function.
var y = (0)["constructor"]["constructor"];
y == Function; // true
Then he basically does this ($.$ == Function):
Function(
Function(
"return \"alert('I love you');\""
)()
)();
The inner function just returns the string "alert('I love you');", which then becomes the body for the outer function.
I don't know why they didn't make it:
Function ("alert('I love you');")();
Maybe they needed more chars for the heart. That was a good little crash course in javascript Function constructors!
He gets the other letters from names of types and other JS native things. I guess he couldn't get 'r', 'I', ' ', 'v' or 'y' and so had to make them using the octal escape codes.