It is not just the use of a testing string like <script>alert(1)</script> a way to detect XSS bugs, actually it is important to understand how the information is showed by the response in the application, in order to know how to exploit a XSS.
If we examine the response generated by the application, we can understand more about how the application and bug is working.
Let's check the exploited example again. Here, we have a form to submit comments to a website:
If we use the application as it is supposed to be used:
You will ...