I want to open my small platform to developers, so they can build applications that could be inserted in our site as iframe. Similar as facebook is doing. From what I understand developers can build facebook application using iframe.

Question: I am wondering how is about security from facebook user perspective. How Facebook prevent that application developer doesn't put malware javascript code inside iframe. I haven't noticed any automatically mechanism that prevent including something like that in iframe. But since iframe is shown on their site, this is risk. Do they just leave and if somebody report suspicious application they remove it? Or is there any other way to prevent this before it happens?

Tnx for any response