Another solution could be to activate raw HTML support via the literal tag.
You can do this in an override of content.ini. Here's what original content.ini says:
[literal]
AvailableClasses[]
# The class 'html' is disabled by default because it gives editors the
# possibility to insert html and javascript code in XML blocks.
# Don't enable the 'html' class unless you really trust all users who has
# privileges to edit objects containing XML blocks.
#AvailableClasses[]=html
This can be a solution, but since there is currently no security policy check on attributes, there might be an XSS security issue here...
But my users need to add more than JS. They should be able to add things like imagemap or swf objects directly in the xmlblock.
I know that I can do this using object and embedded templates but it is very embarrassing to have to create items before inserting them. So I would like to try "custom tag" instead.
So I suppose I will have no choice and create a new class named "custom_code" or something like that and create a kind of "piece of code library".
literal.html is the only solution that will accept raw html. If you want to use custom tag, then you will need to create one per use case, one for image maps (with attributes for input), one for script (with url as attribute) and so on.
You can set up custom tag to behave as inline-block in oe with the following settings in content.ini:
## Displays the custom tag as an image so you cannot create sub content.
## Will use custom image if there is a custom attribute on the tag named 'image_url'
#IsInline[externalimage]=image
## Lets you specify 22x22 icon to use on custom image tag if it doesn't have 'image_url'
#InlineImageIconPath[mashup]=images/tango/image-x-generic22.png
Why not? If this fits the need, then this is the solution! ;)
The only thing is that the website administrator has to trust his contributors, that's all! Besides, this is the case for every CMS that proposes such a feature...
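
An added example, not part of the original thread and not eZ Publish code: a small audit check that works out whether the 'html' class of the literal tag ends up enabled once content.ini and its overrides are stacked. The function names and sample texts are constructed for illustration, and it assumes a bare 'AvailableClasses[]' line resets the array while 'AvailableClasses[]=value' appends to it.

```python
import re

SECTION = re.compile(r"^\[(\w+)\]$")
ARRAY_ITEM = re.compile(r"^(\w+)\[\]\s*(?:=\s*(.*))?$")

# Constructed sample inputs: the shipped block quoted above, then two overrides.
BASE = """[literal]
AvailableClasses[]
# The class 'html' is disabled by default ...
#AvailableClasses[]=html
"""
OVERRIDE_ON = "[literal]\nAvailableClasses[]=html\n"
OVERRIDE_RESET = "[literal]\nAvailableClasses[]\n"


def literal_classes(ini_texts):
    """Effective [literal] AvailableClasses after applying the INI texts
    in order (base file first, most specific override last)."""
    classes = []
    for text in ini_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank or commented out, like '#AvailableClasses[]=html'
            m = SECTION.match(line)
            if m:
                section = m.group(1)
                continue
            m = ARRAY_ITEM.match(line)
            if section != "literal" or not m or m.group(1) != "AvailableClasses":
                continue  # other sections, other settings, PHP wrapper lines
            value = (m.group(2) or "").strip()
            if value:
                classes.append(value)  # 'AvailableClasses[]=html' appends
            else:
                classes = []           # assumption: bare 'AvailableClasses[]' resets
    return classes


def raw_html_enabled(ini_texts):
    """True when editors of XML blocks can insert raw HTML and JavaScript."""
    return "html" in literal_classes(ini_texts)


if __name__ == "__main__":
    print("shipped defaults:", raw_html_enabled([BASE]))
    print("with override:   ", raw_html_enabled([BASE, OVERRIDE_ON]))
```

Feed it the contents of every content.ini file that applies to a siteaccess, in load order; a True result means anyone who can edit XML blocks there must be trusted with script injection.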