I'm working on a CMS and I wonder how secure it needs to be when users are allowed to either include entire snippets of HTML code (widgets) or just insert URLs into existing widgets.
My gut tells me to validate everything inside SRC attributes and make sure it's of the form "http" with an approved domain. Is it enough, or is it unnecessary?
I went through Wikipedia again about the same-origin policy for JS, but I'm not entirely sure just what it means for the URLs posted in iframes etc. I mean, apparently I allow iframes to access other domains through the SRC attribute and it executes whatever page is there. Though that isn't harmful for my site, it's just for users visiting my site? I'm imagining what would be harmful for my site would be the other way around, if I would allow other sites' iframes to access one of my pages.
Of course I shouldn't allow anything that's harmful for users, but I'm thinking it's the same for IMG tags? They've also got SRC attributes that can access other sites' pages. Is there something built-in that protects, or do I need to check all links just as much? I suppose I should do that anyway; I'm just thinking about different levels of users and what they should be able to do.
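The "http with an approved domain" check the question proposes, written out as an added example (this is not the poster's code and the CMS in the question is not named; the approved host list and the `evil.example` strings in the comments are constructed for illustration). It parses each SRC value rather than string-matching it, because the cases that slip past a naive `startswith("http://")` check are exactly the ones an attacker would try: `javascript:` and `data:` URLs, protocol-relative `//host` URLs, a userinfo prefix such as `http://cdn.example.com@evil.example/`, a lookalike host such as `cdn.example.com.evil.example`, and whitespace or control characters that browsers strip before deciding on the scheme. The second function applies the same check to every `src` attribute found in a whole HTML snippet, which is the widget case.

```python
"""Allowlist validation of src attributes in user-supplied widget HTML (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist; the question names no approved domains.
APPROVED_HOSTS = {"cdn.example.com", "example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def host_is_approved(host, approved=APPROVED_HOSTS):
    """Exact host match or a subdomain of an approved host (suffix match on a dot boundary).

    Matching on "." + approved avoids accepting lookalikes such as "notexample.com".
    """
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in approved)


def validate_src(value, approved=APPROVED_HOSTS):
    """True only for an absolute http(s) URL whose host is on the allowlist."""
    if value is None:
        return False
    s = value.strip()
    # Browsers drop embedded tabs/newlines before parsing, so "java\tscript:" is still
    # a javascript: URL to them. Reject anything with whitespace or control characters
    # inside instead of trying to reproduce that normalization.
    if any(c.isspace() or ord(c) < 0x20 for c in s):
        return False
    try:
        parts = urlsplit(s)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # Rejects javascript:, data:, vbscript:, and scheme-less "//evil.example/x".
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # "http://cdn.example.com@evil.example/x" parses with username "cdn.example.com"
    # and host "evil.example"; the host check below already fails it, but there is no
    # legitimate reason for credentials in an embedded src, so refuse them outright.
    if parts.username or parts.password:
        return False
    if not parts.hostname:
        return False
    return host_is_approved(parts.hostname, approved)


class _SrcCollector(HTMLParser):
    """Collect (tag, src) pairs from every start tag in a snippet."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() == "src":
                # HTMLParser has already decoded character references here, so an
                # obfuscated "&#106;avascript:" arrives as "javascript:".
                self.srcs.append((tag, value or ""))

    handle_startendtag = handle_starttag


def rejected_srcs(snippet, approved=APPROVED_HOSTS):
    """Return the (tag, src) pairs in a widget snippet that fail validate_src.

    An empty list means every src attribute pointed at an approved http(s) host.
    This checks src attributes only; other attributes are out of scope here.
    """
    collector = _SrcCollector()
    collector.feed(snippet)
    collector.close()
    return [(tag, v) for tag, v in collector.srcs if not validate_src(v, approved)]


if __name__ == "__main__":
    # Constructed widget snippet: one acceptable image, one protocol-relative iframe.
    widget = ('<img src="https://cdn.example.com/a.png">'
              '<iframe src="//evil.example/"></iframe>')
    print(rejected_srcs(widget))
```

The allowlist is matched on host names, so `https://cdn.example.com/x` and `http://sub.example.com/x` pass while `http://cdn.example.com.evil.example/x` and `http://notexample.com/` fail; the scheme check is applied to the parsed scheme, not to the first few characters of the string.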