By looking at the documentation you can see that:
Fetches and returns a given filtered variable. The string filter deletes ‘bad’ HTML code, if not overridden by the mask. This is currently only a proxy function for getVar().
By “mask” they mean this:
TL;DR: “Converts the input to a plain text string; strips all tags / attributes.”
So you can’t use tags like "><img src=X onerror=alert(1)> (the tag is stripped), but you can close the attribute value with a quote and keep writing HTML attributes, because the filter only strips tags, not the quote that ends the attribute.
To replicate this XSS you can use the following payload (for example): "onmouseover%3d"alert('XSS')" as the value of any of the three vulnerable parameters (field_id, field_type, field_namekey).
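The following Python script is an added example, not code from the original post or from Joomla. It models the behaviour described above with a constructed stand-in for a "strip all tags / attributes" input filter (a plain regex, assumed for illustration, not Joomla's getString()), echoes the filtered value into a hypothetical quoted `value` attribute, and then parses the result the way a browser would to see whether an inline event handler ended up on the tag. It runs the page's two inputs through both an unencoded template and one that applies attribute-context output encoding (`html.escape(..., quote=True)`), which is the mitigation: the tag payload is neutralised by the input filter, the attribute payload is not, and only output encoding stops it.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed stand-in for a "strips all tags / attributes" input filter like
# the one the quoted documentation describes. It is NOT Joomla's getString();
# it simply deletes anything that looks like an HTML tag.
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value: str) -> str:
    return TAG_RE.sub("", value)


def render_unencoded(field_id: str) -> str:
    # Hypothetical template that echoes the input-filtered value straight
    # into a quoted attribute with no output encoding.
    return f'<input name="field_id" value="{strip_tags(field_id)}">'


def render_encoded(field_id: str) -> str:
    # Same template with attribute-context output encoding: html.escape with
    # quote=True turns " and ' into entities, so the value cannot close the
    # attribute early regardless of what the input filter did.
    safe = html.escape(strip_tags(field_id), quote=True)
    return f'<input name="field_id" value="{safe}">'


class _AttrCollector(HTMLParser):
    """Collects every attribute the parser sees on any start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def event_handler_attrs(rendered: str):
    # Defender-side check: parse the rendered fragment as a browser would and
    # return any on* attributes (inline event handlers) that ended up on a
    # tag. A non-empty list means the value broke out of its attribute.
    collector = _AttrCollector()
    collector.feed(rendered)
    collector.close()
    return [name for name, _ in collector.attrs if name.startswith("on")]


# The two inputs discussed on the page. The attribute payload is given in the
# URL-encoded form it has in the query string and decoded as a server would.
TAG_PAYLOAD = '"><img src=X onerror=alert(1)>'
ATTR_PAYLOAD = unquote("\"onmouseover%3d\"alert('XSS')\"")


if __name__ == "__main__":
    for label, value in (("tag", TAG_PAYLOAD), ("attribute", ATTR_PAYLOAD)):
        for mode, render in (("unencoded", render_unencoded),
                             ("encoded", render_encoded)):
            out = render(value)
            print(f"{label:9s} {mode:9s} handlers={event_handler_attrs(out)}  {out}")
```

Run it and the unencoded attribute case is the only one that reports `['onmouseover']`: the parser sees `value=""` followed by a new `onmouseover` attribute, which is exactly the attribute injection the post describes. The encoded variants keep the whole input inside the single `value` attribute, which is why the fix belongs at output time (encode for the HTML attribute context) rather than in the input filter.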
The original URL request is:
Below you can see an image of the XSS on one of those fields.