Enable Custom HTML plugin for Confluence Cloud

I would like to be able to use the Custom HTML Plugin & the HTML Macro with my Confluence OnDemand instance. I know from this issue, there are security concerns with the plugin, so I suppose the focus of this feature request is for the development team to mitigate the XSS attack vector.

I envision a solution that would involve server-side code to filter out the User-HTML-Block whenever a page is viewed by users with elevated privileges. I don't know a whole lot about XSS attacks, but is it not the case that the malicious JavaScript must be executed client-side for the attack to work? If the User-HTML is filtered out, then the JavaScript can't execute.

Ultimately, I want to use Custom HTML to include JavaScript snippets from various web services like DISQUS & Google Analytics, and the HTML macro for including raw HTML.

I suppose an alternative solution would be a series of plugins & macros similar to the Widget macro that would render predefined JavaScript snippets. That does solve my raw HTML issue.

Assignee: Unassigned
Reporter: Walter Stabosz
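
The alternative raised in the request, macros that render predefined JavaScript snippets, can be sketched as follows. This is an added example, not part of the original issue and not Atlassian's code. The macro syntax, widget names, ID patterns and simplified loader tags are assumptions made for illustration.

```python
import html
import re

# Hypothetical allowlist: each widget has a strict ID pattern and a fixed
# template. Loader URLs are simplified and the ID patterns are assumptions.
WIDGETS = {
    "disqus": (
        re.compile(r"[a-z0-9][a-z0-9-]{1,62}"),
        '<div id="disqus_thread"></div>'
        '<script async src="https://{id}.disqus.com/embed.js"></script>',
    ),
    "google-analytics": (
        re.compile(r"G-[A-Z0-9]{4,12}"),
        '<script async src="https://www.googletagmanager.com/gtag/js?id={id}">'
        "</script>",
    ),
}

# Hypothetical macro syntax: {widget:<kind>|id=<identifier>}
MACRO = re.compile(r"\{widget:([a-z-]+)\|id=([^}|]*)\}")


class WidgetError(ValueError):
    """Unknown widget kind or identifier that fails its pattern."""


def render_widget(kind: str, ident: str) -> str:
    """Return the fixed snippet for an allowlisted widget, or raise."""
    if kind not in WIDGETS:
        raise WidgetError(f"widget {kind!r} is not on the allowlist")
    pattern, template = WIDGETS[kind]
    if not pattern.fullmatch(ident):
        raise WidgetError(f"invalid identifier for {kind}")
    # The pattern already excludes markup; escaping is defence in depth.
    return template.replace("{id}", html.escape(ident, quote=True))


def render_page(body: str) -> str:
    """Escape all author-supplied text; expand only valid widget macros."""
    out, pos = [], 0
    for m in MACRO.finditer(body):
        out.append(html.escape(body[pos:m.start()]))
        try:
            out.append(render_widget(m.group(1), m.group(2)))
        except WidgetError as exc:
            out.append(f'<span class="macro-error">{html.escape(str(exc))}</span>')
        pos = m.end()
    out.append(html.escape(body[pos:]))
    return "".join(out)
```

With this design the only script tags in the output come from the fixed templates, so every viewer gets the same protection regardless of privilege level.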