I’ve just tried and it works for me, but if you want to take a look of what is a content-security-policy, you can go there:

https://www.owasp.org/index.php/Content_Security_Policy
http://www.html5rocks.com/en/tutorials/security/content-security-policy/

What I got is this:

The XSS Auditor refused to execute a script in ‘https://www.hackthis.co.uk/levels/intermediate/4’ because its source code was found within the request. The auditor was enabled as the server sent neither an ‘X-XSS-Protection’ nor ‘Content-Security-Policy’ header.

and the result block:
<div class="info"> <script> </script> </div>

Chrome blocks some XSS in user requests acording to its configuration, probaby delete your request but stored XSS can bypass this because it analyze the sended data, in console is possible view the message of XSS error.

I confirm, this is not possible in Chrome.
I wish I’ve read this sooner :)

I just updated Chrome and it works fine. There is no real reason it shouldn’t work as Chrome doesn’t block requests, it just doesn’t execute reflected stuff.

Perhaps you can tell us in more detail what you’ve tried on the solutions board (or PM)?

Damn, I forgot the exact solution because I was kind of sprinting through multiple levels, but I remember having a “what the hell” moment because what I got simply had to work, I thought it was the XSS auditor. Copied to solution to Firefox and it worked.

Sure you did, buddy… pats shomz

feeling better already

Alright, you made me retry it! :D
Sending you the PM with the code that doesn’t work in Chrome 53 @ Ubuntu 16.04, but works in Firefox.