Rich Text Editor in Macro, Malicious Code?
I have gone through this tutorial: http://lindsayjopson.com/using-an-rte-as-a-macro-parameter-in-umbraco-7/ to create a Rich Text Editor to be used within Macros.
It worked great, but when I tried to retrieve the Text-field (with HTML) from the Rich Text Editor, it had a bad format (I needed to use WebUtility.HtmlDecode(var) to get the correct format).

Since I used WebUtility.HtmlDecode(var) I needed to use Html.Raw() to render the HTML correctly. If I've understood correctly, Html.Raw() can be used to render malicious code. Is that correct?

I noticed that by writing <script>alert("hi");</script> and allowing the Macro to be rendered in the rich text editor and grid, it will execute the script. As far as I can see, the script will not be executed on the published site, but I still wonder if there might be a vulnerability?

Is there any way to get the correct format without using WebUtility.HtmlDecode(var)?
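The following is an added example, not code from the post above or from the linked tutorial. It models, outside of Umbraco, what the browser receives on the three rendering paths the question touches: Razor's default encoding of a value, Html.Raw() over the decoded value (the path the poster is using), and a third path that sanitizes the decoded HTML to an allowlist before handing it to Html.Raw(). It assumes the HtmlSanitizer NuGet package (namespace Ganss.Xss in current versions, Ganss.XSS in older ones); the stored sample string, the method names and the modelling of Html.Raw() as a pass-through are constructed for the example.

```csharp
// Added example, not part of the original post. Models what reaches the browser on the
// three paths discussed in the question. Assumes the HtmlSanitizer NuGet package.
using System;
using System.Net;
using Ganss.Xss;   // older package versions use Ganss.XSS

static class MacroRteDemo
{
    // Constructed sample: the HTML-encoded string the RTE macro parameter hands back
    // (the "bad format" in the question), containing a script block and a javascript: link.
    public const string StoredValue =
        "&lt;p&gt;Hello &lt;strong&gt;world&lt;/strong&gt;&lt;/p&gt;" +
        "&lt;script&gt;alert(&quot;hi&quot;);&lt;/script&gt;" +
        "&lt;a href=&quot;javascript:alert(1)&quot;&gt;link&lt;/a&gt;";

    // Path 1: what "@value" emits in Razor. Razor HTML-encodes, so the markup is shown
    // as literal text: safe, but the formatting the poster wants is lost.
    public static string RenderEncoded(string decoded) => WebUtility.HtmlEncode(decoded);

    // Path 2: Html.Raw(WebUtility.HtmlDecode(value)). Html.Raw performs no encoding, so the
    // browser receives the markup verbatim, including <script> and javascript: URLs.
    // Modelled here as a pass-through, which is exactly what Html.Raw does.
    public static string RenderRaw(string decoded) => decoded;

    // Path 3: reduce the decoded HTML to an allowlist of tags, attributes and URL schemes
    // first, then hand the result to Html.Raw. HtmlSanitizer's default allowlist keeps
    // common formatting elements and drops script elements and javascript: hrefs.
    public static string RenderSanitized(string decoded)
    {
        var sanitizer = new HtmlSanitizer();
        return sanitizer.Sanitize(decoded);
    }

    static void Main()
    {
        string decoded = WebUtility.HtmlDecode(StoredValue);

        Console.WriteLine("Decoded:   " + decoded);
        Console.WriteLine("Encoded:   " + RenderEncoded(decoded));
        Console.WriteLine("Raw:       " + RenderRaw(decoded));
        Console.WriteLine("Sanitized: " + RenderSanitized(decoded));

        // The check a reviewer would want: does the script survive each path?
        Console.WriteLine("Raw still contains <script>:       "
            + RenderRaw(decoded).Contains("<script>", StringComparison.OrdinalIgnoreCase));
        Console.WriteLine("Sanitized still contains <script>: "
            + RenderSanitized(decoded).Contains("<script>", StringComparison.OrdinalIgnoreCase));
    }
}
```

In a Razor macro partial the third path corresponds to something like @Html.Raw(new HtmlSanitizer().Sanitize(WebUtility.HtmlDecode(value))), with the sanitizer's allowlist tuned to the elements the editor is actually expected to produce. The decode step itself is not the hazard; the hazard is that Html.Raw() trusts whatever string it is given, so any content that came from an editable field must be sanitized (or known to have been sanitized at save time) before it is emitted raw.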