Vulnerability in EPiServer.Forms
On our site we need the editor to be able to insert dynamic text snippets in the TinyMCE-editor. This could be, for example, a product price or a text that is used in multiple places. I know I can use a block to accomplish the task but the user experience for the editor would suffer as a block is rendered as, well, a block (a div). With the legacy dynamic content you could easily specify it to render as an inline element.
You can use a TinyMCE plugin to inject snippets of course, but the issue there is that it would become just injected HTML and you want dynamic behaviour. You could still achieve that by injecting a snippet with some kind of placeholder field and then setting the content at runtime - either by an AJAX call or, if you prefer to do it on the server, by overriding the rendering of the XhtmlString (or by intercepting the HTTP pipeline, but that's a bit heavy!).
A better alternative might still be to use a block, but override the rendering of the XhtmlString so that it doesn't use a div. It gets messy if, for example, you want to play with attributes and not elements.
Personally, I'd always use a block if I can get the HTML to fit what I want with a block, but if you have to get more control then maybe a snippet is a better option. Hope this helps!
I would go with overriding the rendering of XhtmlString. It's a little bit messy but there are some good blogs about it.
Did you find a solution to this? I have exactly the same problem.