[stefanorri]

If you apply the sandbox attribute to the iframes it should be ok. It allows fine grained control of what the iframe is allowed to do. Scripts, navigation, popups, etc. are forbidden except explicitly allowed.

[TheLoneWolfling]

Also, please don't enable JS within the "sandbox".

JS is nowhere near as secure as it is often toted as being. You don't want to find yourself being host to a zero-day attack.

[TheLoneWolfling]

I'd be wary about that.

If nothing else, what happens if someone visits the site without support for `sandbox`? You best option (not displaying it if the browser doesn't support it) breaks the site for users without JS, or that don't have support `sandbox`.

[stefanorri]

Good point. But the sandbox attribute is around 90% [1] of browsers. The number of browsers which don't support it and don't run javascript may be too low to make supporting them practical, but YMMV.

[1] http://caniuse.com/#feat=iframe-sandbox

[TheLoneWolfling]

It's IE 8 and 9 that I'd be most worried about in terms of malice.

And I'd be one of those users who would be cut out by JS requirements. Just so you know, that number is not zero.