Comment 13 for bug 1869971

Jane Sandberg (sandbergja) wrote :

Thanks, Rogan! This does remove potentially harmful <script> tags and js before they can bug a user. A note for other testers, because it took me a little while to figure out: the contents of this setting are filtered when the setting is saved, so existing values in the opac.patron.custom_css setting won't be affected (until they are saved again).

I think this is a really good improvement! Signoff at user/sandbergja/lp1869971_defang_css-signoff / https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/sandbergja/lp1869971_defang_css-signoff

I exercised the patch as follows:
1. Set the value of the opac.patron.custom_css library setting to the string here: https://gist.githubusercontent.com/sandbergja/b27ba0b7afeaefd5c989fc7f93274b6c/raw/296c2d313cacefba1684195cf83e32e911566bb3/bad.css (Launchpad won't let me put it in the ticket verbatim -- it's: body { background-color: purple; }, then a closing style tag, then a script tag with a JavaScript alert in it)
2. Confirmed that, when I went to the OPAC, the purple displayed (good) but a JavaScript alert also displayed (bad).
3. Removed the setting
4. Applied Rogan's commit
5. Repeated step 1
6. Checked the OPAC again. It's purple still (good), but the arbitrary JavaScript doesn't affect the user; it gets commented out.
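The test above, as an added example that is not Evergreen's code or Rogan's patch: a filter applied at save time that keeps the purple rule but makes the closing style tag and the script tag inert, plus the step-6 check written as code. The function names, the constructed stand-in for bad.css, and the escaping technique (rewriting `<` as the CSS escape `\3c `, rather than commenting the markup out as the patch does) are this example's own assumptions.

```javascript
// Added example (not Evergreen's code or the patch under test): defang a
// custom CSS value before it is stored, so it cannot break out of the
// <style> element the OPAC embeds it in.  Approach assumed here: rewrite
// every '<' as the CSS escape sequence '\3c ' (U+003C).  A CSS parser still
// reads that as '<' inside a string, but the HTML tokenizer, which ends a
// <style> element at the first literal '</style', can never see a tag.

// Constructed stand-in for the bad.css gist described in the comment.
const BAD_CSS =
  'body { background-color: purple; }</style><script>alert("xss")</script>';

// Markup that must never survive inside a <style> element (case-insensitive,
// tolerant of whitespace such as '</STYLE >').
const DANGEROUS = /<\s*\/?\s*(style|script)\b/i;

function defangCustomCss(css) {
  if (typeof css !== 'string') return '';
  // The trailing space terminates the escape so that a following hex digit
  // (e.g. '<a' vs '<1') is not swallowed into the code point.
  return css.replace(/</g, '\\3c ');
}

function containsMarkup(css) {
  return DANGEROUS.test(css);
}

// The tester's step-6 check as code: the purple rule survives, the markup
// that would close <style> or open <script> does not.
function verify(css) {
  const cleaned = defangCustomCss(css);
  return {
    cleaned,
    keepsRule: cleaned.includes('body { background-color: purple; }'),
    stripsMarkup: !containsMarkup(cleaned),
  };
}

console.log(verify(BAD_CSS));
```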