chrome-err-blocked-by-xss-auditor

**diptimoy** · 24 Jan 2019, 04:45 PM

Chrome version 71 and zencart 156a .

there is some raw data in product description .

This code <?php echo header('X-XSS-Protection:0'); ?> at product page not working

This code at . htaccess

# Protection against XSS (Cross-Site Scripting)
Header set X-XSS-Protection "0"

or

# Protection against XSS (Cross-Site Scripting)
Header set X-XSS-Protection "1; mode=block

Not working . Everything fine in firefox but not in chrome . client want to sue chrome only , how to fix , it.

**lat9** · 24 Jan 2019, 04:49 PM

See this posting for additional information: https://www.zen-cart.com/showthread....ue-XSS-Auditor

**diptimoy** · 24 Jan 2019, 04:53 PM

Originally Posted by lat9

See this posting for additional information: https://www.zen-cart.com/showthread....ue-XSS-Auditor

Thanks a lot.
Have tried those ways before posting . But those changes not solve the issue .

**DrByte** · 24 Jan 2019, 07:55 PM

Originally Posted by diptimoy

there is some raw data in product description .

That is your problem.
So, what is it, and why are you doing that?

**diptimoy** · 25 Jan 2019, 03:49 AM

Originally Posted by DrByte

Originally Posted by diptimoy

there is some raw data in product description .

That is your problem.
So, what is it, and why are you doing that?

I am upgrading from 1.5.4 to 1.5.6a . the data is already there. I am not entering anything new there.

**diptimoy** · 25 Jan 2019, 04:07 AM

The code is like

Code:

<dl><dt>
<a rel ="something"  name="something" id="something" href=Javascript:void(0) class="something" >Something...</a>
</dt>
</dl>

**DrByte** · 26 Jan 2019, 02:24 AM

You didn't say "why" you're doing that.
I gather your "javascript:void" call is intended to just disable the link so it's not clickable?

Instead of using "javascript:void(0)", does using "#" work?
How about just using CSS to style it to "look like a link" instead of actually using an "<a href>" link at all?

I'd be very surprised if this had anything to do with v1.5.6. The same problem would occur in v1.5.4 in Chrome.

**diptimoy** · 27 Jan 2019, 08:58 AM

Originally Posted by DrByte

You didn't say "why" you're doing that.
I gather your "javascript:void" call is intended to just disable the link so it's not clickable?

Instead of using "javascript:void(0)", does using "#" work?
How about just using CSS to style it to "look like a link" instead of actually using an "<a href>" link at all?

I'd be very surprised if this had anything to do with v1.5.6. The same problem would occur in v1.5.4 in Chrome.

" You didn't say "why" you're doing that. "

I want to say that it was there while there already in the db when I get the file in 1.5.4 and want to upgrade to 1.5.6a .
As a developer I mostly use firefox so not aware of that chrome issue .

I told teh client to think of other option buy client want to stick to it and always says that it was running fine earlier and don't want to change it . I have no valid argument to convince him to fix keeping the code same and fix the issue . That's why asked for help .

its not my software , what can i do if the owner don't want the change the way. :)

Thanks for the help , I will again convince him the css way