Security Issues for allowing users to add own JavaScript to your site?

Backend · Unresolved · 2 answers · 1804 views
刺人心 2020-11-30 12:10

I am planning to create an open source education web app where people can add and edit the content (a bit like Wikipedia).

However I wish to add another feature that

2 answers
  •  情书的邮戳 2020-11-30 12:32

    One big issue is cross-site scripting, where users add code that tells the browser to open and run code from other sites. Say they add something that creates an iframe or a hidden iframe pointing to a site and starts downloading malicious code.

    There's no simple way (thanks to Bergi in the comments) to make sure no elements are created and no Ajax calls are made.

    I've been a member of sites that provided this functionality, but for those sites I paid for my own space, so any vulnerabilities I add inconvenience my own clients. In that case it's a little more okay to let that slip by, since it's not a security leak for everyone.

    One way around this is to create customizable controls for users to add interactivity. The plus is that you control the JavaScript being added; the minus is that your user base will have to request them and then wait for you to create them.
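As an added example (not code from the question or the answer above), here is the "customizable controls" approach in practice: contributors describe interactivity as data, the site's own code renders it, and every contributor-supplied string is escaped, so no user-authored script or iframe ever reaches the page. The control names (quiz, reveal) and their fields are assumptions for the illustration.

```javascript
// Added example (not from the post): a declarative "control" registry.
// Contributors describe interactivity as data, never as executable JavaScript.
// Control names (quiz, reveal) and their fields are hypothetical.

// Escape text for safe inclusion in HTML content and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Site-owned renderers. Each accepts only the fields it knows and escapes
// every contributor-supplied string, so no markup or script passes through.
const CONTROLS = {
  // Multiple-choice question; the correct answer is kept out of the markup.
  quiz(spec) {
    if (typeof spec.question !== 'string' || !Array.isArray(spec.choices)) {
      throw new Error('quiz: question (string) and choices (array) required');
    }
    const items = spec.choices
      .map((c, i) => `<li><label><input type="radio" name="q" value="${i}">${escapeHtml(c)}</label></li>`)
      .join('');
    return `<fieldset class="quiz"><legend>${escapeHtml(spec.question)}</legend><ul>${items}</ul></fieldset>`;
  },
  // Click-to-reveal hint built on <details>, which needs no script at all.
  reveal(spec) {
    if (typeof spec.label !== 'string' || typeof spec.text !== 'string') {
      throw new Error('reveal: label and text (strings) required');
    }
    return `<details class="reveal"><summary>${escapeHtml(spec.label)}</summary><p>${escapeHtml(spec.text)}</p></details>`;
  },
};

// Render one contributor-supplied spec. Unknown types (including inherited
// names such as "constructor") are rejected rather than looked up.
function renderControl(spec) {
  if (!spec || typeof spec.type !== 'string' ||
      !Object.prototype.hasOwnProperty.call(CONTROLS, spec.type)) {
    throw new Error(`unknown control type: ${spec && spec.type}`);
  }
  return CONTROLS[spec.type](spec);
}

// Constructed sample: a contributor tries to smuggle an iframe through a text field.
const sample = { type: 'reveal', label: 'Hint', text: '<iframe src="https://evil.example"></iframe>' };
console.log(renderControl(sample)); // the iframe tag comes out as inert, escaped text
```

Any behaviour beyond what plain HTML provides is attached by the site's own page script to the `quiz` and `reveal` class names, which is exactly the trade-off the answer describes: you write and review that script once, and contributors can only request new control types.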
