@a_5mith

The same origin policy would protect against most of that stuff, but I agree. Maybe having a URL filter of some sort testing it against a whitelisted database which could be configured by the admins.
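
The URL filter suggested in the comment above, as an added example that is not part of the original post or of any project's code. The allowlist entries and the function name `isAllowedUrl` are assumptions; the check compares the parsed hostname rather than searching the URL string, so look-alike hosts and userinfo tricks are rejected.

```javascript
// Admin-configured allowlist. These entries are constructed sample values;
// a real deployment would load them from its settings store.
const ALLOWLIST = [
  { host: 'media.example.org', subdomains: false },
  { host: 'video.example.com', subdomains: true },
];

// Returns true only when rawUrl is an absolute https URL whose host is allowlisted.
function isAllowedUrl(rawUrl, allowlist = ALLOWLIST) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, the same parsing rules browsers apply
  } catch {
    return false; // relative, scheme-relative or unparseable input
  }
  if (url.protocol !== 'https:') return false;    // rejects javascript:, data:, http:
  if (url.username || url.password) return false; // rejects https://allowed-host@other-host/
  if (url.port !== '') return false;              // rejects non-default ports

  // The parser lowercases the hostname; drop a trailing root dot before comparing.
  const host = url.hostname.replace(/\.$/, '');

  return allowlist.some((entry) => {
    const allowed = entry.host.toLowerCase();
    if (host === allowed) return true;
    // Subdomain match requires a dot boundary, so "notvideo.example.com"
    // does not pass as a subdomain of "video.example.com".
    return entry.subdomains === true && host.endsWith('.' + allowed);
  });
}
```
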