If you are looking at an XSS within a hidden input this post may help you with a proof of concept.
The first way of getting that proof of concept is from an article posted in the PortSwigger blog.
And after the page loads successfully we will need to use the following key combinations to get the Alert box.
(Press ALT+SHIFT+X on Windows) or (CTRL+ALT+X on OS X)
This makes it tricky for a clean proof of concept without requiring user interaction.
Naturally the next step was to reduce this to a single click. Digging deeper, i came across an old chrome bug that explained how “type” can be overridden. You can read this in detail here,
https://bugs.chromium.org/p/chromium/issues/detail?id=585077. This works well even with the most recent version of chromium browser. There is another technique in there which works with IE 11 as well.