Preventing XSS/JS attacks on hosted CMS

I am working on a hosted CMS, and am thinking about allowing site editors to add custom JavaScript and HTML (a much requested feature).

I am concerned that this will open up an attack vector - nasty JS could make calls to the functions that our hosted CMS exposes (see the Samy worm for an example of what user scripts did to MySpace), but I really want to give users control over their site (what's the point of a CMS you can't add your own clever stuff to?).

What is a good approach to fixing this issue? I can think of several which I would like commentary on, but am not going to list them for fear of the 'no list questions mods'!

There are 1 best solutions below

I suspect that Caja is on your list, so I'll mention that this is squarely in Caja's use cases; for example, Google Sites is very like a CMS and uses Caja to embed arbitrary JS and HTML.

Caja host pages can provide arbitrary additional interfaces for use by the sandboxed content, which can include, for example, embedding widgets provided by your CMS inside the user-supplied HTML while maintaining encapsulation.

(Disclosure: I work for Google on the Caja team.)
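
The "additional interfaces" idea from the answer above, sketched as an added example that is not part of the original answer and is not Caja code: the host builds one narrow, frozen object per site and hands only that to the sandboxed script. The `cms` object, `makeGuestApi`, the widget names and the site id are all hypothetical, and the isolation itself still has to come from the sandbox (Caja in the answer), not from this object.

```javascript
// Hypothetical CMS internals, constructed for this example. Guest code must
// never receive this object: it can act on any site and can delete pages.
const cms = {
  renderWidget: (siteId, name, opts) =>
    `<div data-site="${siteId}" data-widget="${name}" data-size="${opts.size}"></div>`,
  deletePage: (siteId, pageId) => `deleted ${siteId}/${pageId}`,
};

// Allowlists decided by the host, not by the guest script.
const ALLOWED_WIDGETS = new Set(['gallery', 'contact-form']);
const ALLOWED_SIZES = new Set(['small', 'large']);

// Build the only object a site's custom script is given.
// siteId lives in the closure, so the guest cannot name another site.
function makeGuestApi(siteId) {
  return Object.freeze({
    embedWidget(name, opts) {
      if (typeof name !== 'string' || !ALLOWED_WIDGETS.has(name)) {
        throw new Error('widget not allowed: ' + String(name));
      }
      // Read the guest-supplied property exactly once (a getter could return
      // a different value on each read), then rebuild a clean options object
      // instead of passing the guest's object into CMS code.
      const rawSize = opts == null ? undefined : opts.size;
      const size =
        typeof rawSize === 'string' && ALLOWED_SIZES.has(rawSize) ? rawSize : 'small';
      return cms.renderWidget(siteId, name, { size });
    },
  });
}

// Constructed usage: what a guest script for site "site-42" could do.
const demoApi = makeGuestApi('site-42');
console.log(demoApi.embedWidget('gallery', { size: 'large' }));
```

Because every value that reaches `renderWidget` comes from a host-side allowlist or the closure, nothing the guest passes is ever interpolated into the markup.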