I want to allow logged-in users to view any 3rd-party content via an IFrame.
Something like allowing Gmail users to view any web calendar they want inside an IFrame.
Is allowing the users to set the IFrame src URL a security problem?
What security issues will I face?
Any other need-to-know tips for using IFrames will be welcome.
Thanks
Rafael
Are you afraid of users that want to harm you? Then the answer is, you can't do anything about it. They can control the source in their browser anyway, as they want. You have to do your security server-side.
But if you want to protect your clients from malicious code that is on 3rd-party websites that get loaded via the iframe, the answer is:
iframe is quite safe. XSS/same-source-origin policies are pretty good these days.
Well, of course such a thing is always a risk.
You don't have to be afraid of the content in the iframe.
What I would rather recommend is to validate the content or the src tag.
Make it a valid URL and then you should be fine.
The only thing that the page in the iframe could probably do is to redirect your page to a bad site (as the document.location attribute is manipulatable and readable in an iframe from a different origin). There are ways to prevent that, but they are not reliable.
You could load the source of the external website to your server and output it, setting a base href attribute to the external site, so everything will load properly; then you have the ability to check/manipulate the document. But that's pretty complicated if you want to maintain advanced stuff like JavaScript etc.
To sum it up: the site can't really harm you, but the user can. But if the user specifies a bad site, well, it's really her/his problem….
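As an added example (not code from the thread), here is what the "validate the src, make it a valid URL, do it server-side" advice looks like in practice, plus safe rendering of the tag. It assumes Node.js with its built-in URL parser; the sandbox attribute is an addition beyond the answer's advice, included because it addresses the top-level redirect the answer mentions.

```javascript
// Added example: server-side validation of a user-supplied iframe src and
// safe rendering of the <iframe> tag. Assumes Node.js (global URL class).

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns a normalised absolute URL string, or null if the input is rejected.
function validateFrameSrc(input) {
  if (typeof input !== 'string' || input.length > 2048) return null;
  let url;
  try {
    url = new URL(input.trim()); // throws on relative or garbage input
  } catch {
    return null;
  }
  // javascript:, data:, file: etc. would run code or read local content in
  // the viewer's browser; only plain web origins may be framed.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  // user:pass@host lets "https://trusted.example@evil.example" look trusted.
  if (url.username || url.password) return null;
  if (url.hostname === '') return null;
  return url.href;
}

// Escapes the characters that matter inside a double-quoted HTML attribute,
// so a value cannot break out of src="..." and add its own attributes.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the tag. sandbox without allow-top-navigation stops the framed page
// from setting top.location and redirecting the host page (the risk the
// answer describes); allow-same-origin is kept so third-party apps such as a
// calendar still get their own cookies and storage.
function renderFrame(input) {
  const src = validateFrameSrc(input);
  if (src === null) return null;
  return `<iframe src="${escapeAttr(src)}" ` +
    `sandbox="allow-scripts allow-forms allow-same-origin" ` +
    `referrerpolicy="no-referrer"></iframe>`;
}

module.exports = { validateFrameSrc, escapeAttr, renderFrame };
```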