{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 聊天终结者 的问题《Chromium's XSS auditor refused to execute a sc》','https://www.manongdao.com/q-140944.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
This is a message from the Chrome Inspector:
The XSS Auditor refused to execute a script in
http://localhost/Disposable Working NOTAS.phpbecause its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
... I have a couple dozen websites sitting on localhost on my notebook which I use for a big part of my workflow, and in the last couple days, after an updated Chrome changed something, pretty much all the websites' textareas' content is not being saved to file anymore.
The code which was saving edits I made, is uniformly broken; I enter new text, click on save and my browser, instead of executing the file~writing subroutines in the script for the webpage I am working in, simply opens a new blank page. If I then hit the back button, the textarea still shows the freshly added content, but in the file, no changes are being appended.
If you'd like to tell Chrome to disable its XSS protection, you can send an
X-XSS-Protectionheader with a value of0. Since you appear to be using PHP, you'd add this somewhere where it'll always be executed before any content has been output:I encountered exactly the same issue when I was studying XSS recently. And below screenshot shows a PHP way to bypass Chrome XSS Auditor.
Just add -- header("X-XSS-Protection: 0");
If you are getting blocked by XSS Auditor, you should check whether your code has a XSS vulnerability or not before simply disabling it.
If you're getting blocked by XSS Auditor, there's a decent chance you have a XSS vulnerability and just didn't realize it. If you simply disable the XSS Auditor, you will remain vulnerable: it's treating the symptoms, rather than the underlying illness (the root cause).