The best way to test the website on XSS is to check the source code.
The main cause of XSS is lack of filtering of user input (&, <, >, ", ')
Most modern ORM, templating languages serve escaping user data that should be protected from XSS. Unfortunately developers often turn off these checks by hand.
Learn more about how to protect your code from XSS: https://www.owasp.org/index.php/XSS_(Cross_Site_Sc...
How to bypass filters and to introduce XSS: https://www.owasp.org/index.php/XSS_Filter_Evasion...
By the way, I'm one of the developers of scanner vulnerabilities, including XSS https://metascan.ru
Can try scanner, or just ask our children. firstname.lastname@example.org