Looking at the URL decoded version of your link it is
https://example.com/robots.txtlfjad'+alert('-x-s-s')+'sdyh2
In my app I would get a 404 page since this file is not present inside my webroot folder.
I would start to look into the generated HTML which gets sent to the browser and see where the alert() is being printed without escaping.
After that check your template files which print at those spots.
In my case the template is templates/Error/error400.php which basically outputs the URL which has been requested here:
But this does NOT allow XSS so it could be something on your side.
If its not the error template but some different template then check that and/or got back to the controller which provides the data for that template to see what should be escaped.