Solution:
After searching web found that Chrome changed its default implementation of X-XSS-Protection to 'X-XSS-Protection: 1; mode=block' (reference)
So the latest solution (and concerning the least change in code) is to disable X-XSS-Protection by sending a value of 0 from the server.
Here is the process how to do it from PHP
header("X-XSS-Protection: 0");
This is occured by a webpage displaying HTML that was POST
'd to it, at the time that HTML contains JS event triggers, for example :
<p class="someParagraph" onClick="doTheMagicThing();">
In case you have an iframe, that accepts text like this in a POST
or a forum, and you show that text, as well, thereafter Chrome will issue the error (and successfully block the page), if not you have the X-XSS-Protection
header disabled.
This error message is triggered at the time Google Chrome conceives a “cross-site scripting” attack is occuring. These attacks occur at the time a browser is tricked into rendering HTML or JavaScript that is not intended to be a part of the website being shown.
In case you administer the website
In case you’re viewing this message on a website you administer, and it’s occuring at the time usual usage, for example submitting a form, you can inhibit it by including a page header to the POST submission.
For PHP
header('X-XSS-Protection:0');
For ASP.net
HttpContext.Response.AddHeader("X-XSS-Protection","0");