RE: XSS Vulnerability? 01-12-2015, 03:43 AM
#3
(01-12-2015, 02:56 AM)Xeru Wrote: If the administrator of the website is smart enough, he will have ironed out at least the vast majority of XSS vulnerability issues.
Making sure every bit of user input being returned to the user (at all) is run through filters that prevent HTML tags from being passed and parsed by the browser is a very important part of running a website.
As for learning to find XSS vulnerabilities, there are multiple guides on websites about exploitation... personally I know whatever I know about it through Google and Stack Overflow when I was securing some sites I made in 2009-2011. Same goes for SQL injection.
Hope this helps in some way.
"If the editor has been designed to reject all bad input, an ingenious idiot will figure out a way to get bad data past it"
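The filtering described in the quoted post, sketched as an added example that is not part of the original thread: user input is encoded for the context it is written into (element text, attribute value, link target) before it goes back to the browser. The function names, the comment fields and the sample input are assumptions made up for illustration.

```javascript
// Added example: encode user input for the HTML context it is written into.
// All names and the sample comment below are constructed for illustration.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for element content and quoted attribute values, so the browser
// displays the characters instead of parsing them as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Link targets need more than entity encoding: only absolute http(s) URLs
// are allowed; anything else (other schemes, relative paths) becomes "#".
function safeHref(value) {
  const s = String(value).trim();
  return /^https?:\/\//i.test(s) ? escapeHtml(s) : '#';
}

// Render a user comment; every user-controlled field passes through an encoder.
function renderComment(comment) {
  return '<div class="comment">' +
    '<a href="' + safeHref(comment.website) + '">' + escapeHtml(comment.author) + '</a>' +
    '<p>' + escapeHtml(comment.body) + '</p>' +
    '</div>';
}

// Constructed sample input with markup in every field.
const sample = {
  author: 'Bob <b>bold</b>',
  website: 'javascript:void(0)',
  body: 'I like <script>alert(1)</script> & "quotes"',
};

console.log(renderComment(sample));
```

Encoding at output time keeps the stored data unchanged, so the same value can be encoded differently if it is later written into another context.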