Maybe it's a weird question but I'll try to explain it as well as I can. Currently I'm pentesting a website for XSS (cross site scripting). First I just tried <script>alert(1)</script> and it resulted in [removed]alert(1)[removed], but also <scr<script> and those kinds of things, and I tried much more.
Now I finally got a working one: <input onfocus=alert("test") autofocus> and yes, it really spits out 'test', but when I type alert(document.cookie) it doesn't spit anything out anymore; also <input onfocus=alert("test lol") autofocus> doesn't spit anything out anymore. But how can I now get the cookie? And why is it spitting out test, or ahihawiejawije, but not ahjiahwe jijaja or test test, just one word? Also integers WORK.
Also all HTML code I try does work, like <div> or <iframes>, so how can I get the document.cookie spat out on the page?
This is where I enter the XSS code: https://gyazo.com/d260e065a305941e92a414a321501134
And when I save it I can view it on this page: https://gyazo.com/723c1bff1d6fb7f3341a5b19cadcd264
But since the document.cookie one isn't working it'll just show an input bar, but when I replace the document.cookie just with "lol" it gives me this: "lol" (can't put more than 2 links because of reputation), so it is working with lol.
So how is it possible that one word, or one big word like AAAAAAAAA, is working but not just 2 words like aaa aaa or document.cookie?
I'm just curious why printing out helloworld does work and hello world not.
The space, because of the messed-up HTML, starts another attribute.
Take a look in Chrome's inspector and the syntax highlighting makes it clear what's happening: <input onfocus=alert("test lol") autofocus> becomes:

Chrome attempts to fix the HTML, and lol") becomes another attribute. (I have no idea where the autofocus goes...) Nothing to do with the site's XSS protection (or lack thereof), just how the browser interprets the bad HTML.
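To make the answer's point reproducible, here is an added example (not part of the question or the answer) that models the HTML tokenizer's attribute states for a single start tag. It is a simplification of the WHATWG tokenizer (no character references, no self-closing handling): fed the unquoted tag from the answer it splits the value at the space and yields the extra lol") attribute Chrome shows, whereas a quoted attribute keeps its whitespace. That is the defensive takeaway: when emitting user data into an attribute, always quote the value and encode the quote character.

```javascript
const WS = /[\t\n\f\r ]/;

// Parse one start tag such as '<input a=b c="d e">' into {name, attrs}.
// States mirror the tokenizer's "before attribute name", "attribute name",
// "after attribute name", "before attribute value", quoted and unquoted
// value states. Tag and attribute names are lowercased as the parser does.
function parseStartTag(tag) {
  if (tag[0] !== '<') throw new Error('expected a start tag');
  let i = 1, name = '';
  while (i < tag.length && !WS.test(tag[i]) && tag[i] !== '>') name += tag[i++].toLowerCase();
  const attrs = [];
  let state = 'beforeName', cur = null;
  for (; i < tag.length; i++) {
    const c = tag[i];
    switch (state) {
      case 'beforeName':
        if (WS.test(c)) break;
        if (c === '>') return { name, attrs };
        cur = { name: '', value: '' }; attrs.push(cur); state = 'name'; i--; break; // reconsume
      case 'name':
        if (WS.test(c)) { state = 'afterName'; break; }
        if (c === '=') { state = 'beforeValue'; break; }
        if (c === '>') return { name, attrs };
        cur.name += c.toLowerCase(); break; // '"', "'" and '<' are parse errors but still appended
      case 'afterName':
        if (WS.test(c)) break;
        if (c === '=') { state = 'beforeValue'; break; }
        if (c === '>') return { name, attrs };
        cur = { name: '', value: '' }; attrs.push(cur); state = 'name'; i--; break;
      case 'beforeValue':
        if (WS.test(c)) break;
        if (c === '"') { state = 'dq'; break; }
        if (c === "'") { state = 'sq'; break; }
        if (c === '>') return { name, attrs }; // missing value: attribute stays empty
        state = 'unquoted'; i--; break;
      case 'dq':
        if (c === '"') { state = 'afterQuoted'; break; }
        cur.value += c; break;
      case 'sq':
        if (c === "'") { state = 'afterQuoted'; break; }
        cur.value += c; break;
      case 'afterQuoted':
        if (c === '>') return { name, attrs };
        state = 'beforeName'; if (!WS.test(c)) i--; break;
      case 'unquoted':
        if (WS.test(c)) { state = 'beforeName'; break; } // whitespace ENDS an unquoted value
        if (c === '>') return { name, attrs };
        cur.value += c; break;
    }
  }
  return { name, attrs };
}
```

parseStartTag('<input onfocus=alert("test lol") autofocus>').attrs gives onfocus = alert("test, then an attribute literally named lol"), then autofocus, exactly what the inspector shows; parseStartTag('<input title="two words" autofocus>') keeps title = two words.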