This can be tested by putting something like either of the following in the URL bar and hitting enter:
Most browsers restrict this from executing, but it does execute in Safari.
A main security concern with XSS is cookie stealing: if a user is socially engineered into clicking a malicious link, or is prone to clicking links in sketchy emails, a script could execute that dumps the user’s authenticated cookie to an attacker’s remote site.
From a security standpoint, Safari should not be used to browse unknown sites, click links in emails, and so forth. If OS X is used in your company, I recommend using Firefox or Chrome for your users!