By looking at the documentation you can see that:
Fetches and returns a given filtered variable. The string filter deletes ‘bad’ HTML code, if not overridden by the mask. This is currently only a proxy function for getVar().
By “mask” they mean this:
TL;DR; “Converts the input to a plain text string; strips all tags / attributes.”
So, you can’t use tags like "><script>alert(1)</script>
or "><img src=X onerror=alert(1)>
but you can close the string with a “quote” and keep writing some html attributes.
To replicate this XSS you can use the following payload: "onmouseover%3d"alert('XSS')"
(for example) in front of any of the three vulnerable parameters (field_id, field_type, field_namekey).
The original url request is:
http://<joomla url>/administrator/index.php?option=com_hikashop&ctrl=update&task=state&tmpl=component&field_type=address_country&field_id=address_state&field_namekey=address_state&namekey=country_Portugal_171
Below you can see an image of the XSS on one of those fields.