https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37573 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA --- Comment #10 from David Cook <dcook@prosentient.com.au> --- Marking "Failed QA". Here's the thing: If the goal here was just about fixing the removal of {TOKEN}, then I could see the purpose, but this patch would allow a lot of potential tokens to split through still. But the key problem here is that your intention here is to inject Javascript specifically, and that's a problem. I'm going to open a new bug report which will specifically prevent the injection of Javascript via this system preference. As I noted before, if you want to inject Javascript, the place to do that would be OpacUserJS. -- You are receiving this mail because: You are watching all bug changes.