Shaokan

Reputation: 7684

Is this jquery code secure?

Is the following code secure?

$iframe = $('<iframe id="iframe" src="' + $(this).attr('rel') + '" name="iframe">');
$area = $("#ajax-area");
$area.empty().append($iframe);

Where:

  1. $(this) is the link clicked.
  2. attr('rel') holds the src for the iframe and rel is created by PHP (no user input here).
  3. And $iframe holds a form to upload.

My concern is, since in this case the iframe's src is a variable I fear that a malicious user somehow manages to edit the 'rel' attribute and open an iframe that he or she wants. Is this possible?

EDIT

Thanks for your valuable answers.

php uses the following to populate the rel:

App::basePath . '/some/path/to/my/folder';

Where basePath is a constant that the developer chooses.

I'll redesign my jquery in a more proper way as you guys suggested.

Upvotes: 6

Views: 439

Answers (2)

Ja͢ck

Reputation: 173652

Theoretically, if the rel attribute is based on a server constant, there should be no additional security issues other than the ones you can't control, such as MiTM.

However, you should always be on the safe side with these things; and jQuery provides that safety by allowing the attributes for a tag to be passed as the second argument to the constructor:

// Attributes passed as an object are set through the DOM, not parsed as markup
$iframe = $('<iframe />', {
    id: "iframe",
    src: $(this).attr('rel'),
    name: "iframe"
});

Upvotes: 3

cernunnos

Reputation: 2806

Unless the attacker can get to the rel attribute of the link then it should be safe.

However it is hard to say whether a piece of code is safe or not without a detailed look at the environment where it runs. It may be possible to access a "safe" piece of code from a different button, instantly making your assumption that the rel attribute is controlled invalid.

However, so long as you take care not to allow user code to be rendered anywhere in your page you should be safe. This means you have to escape every user supplied input, especially if that input is output somewhere else in your site (for example, a comment on a news article).

Upvotes: 1
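The following is an added example, not code from the question or either answer, illustrating the point both answers make: splicing a value into an HTML string (the original `'<iframe ... src="' + rel + '">'`) lets a value containing a quote break out of the attribute, whereas setting attributes as values (Ja͢ck's object form, which uses the DOM `setAttribute` path) or escaping for the attribute context (cernunnos's "escape every user supplied input") does not. It runs without a browser, so `escapeAttr` stands in for what the DOM path gives you for free, and `attributeNames` is a deliberately minimal scanner used only to show which attributes each markup string ends up with. `isAllowedSrc` is a hypothetical helper added here to cover the caveat neither answer spells out: attribute escaping stops markup injection but does not stop a hostile URL, and an `<iframe src="javascript:...">` still executes. The `hostile` value is constructed for the demonstration.

```javascript
// Added example (not from the original post): attribute-context injection in
// string-built markup versus attribute-safe construction, plus a src check.

// 1. The pattern from the question: the rel value is spliced into raw HTML.
function buildIframeMarkup(rel) {
  return '<iframe id="iframe" src="' + rel + '" name="iframe">';
}

// 2. Escape for an HTML attribute value. jQuery's $('<iframe />', { src: v })
//    does not need this because it sets the attribute through the DOM and the
//    value is never parsed as markup; the escaper only makes that difference
//    visible outside a browser.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function buildIframeMarkupEscaped(rel) {
  return '<iframe id="iframe" src="' + escapeAttr(rel) + '" name="iframe">';
}

// 3. Hypothetical allow-list for the src value (not part of jQuery): escaping
//    keeps the value inside the attribute, but "javascript:" is a perfectly
//    well-formed attribute value and an iframe will execute it. Accept only
//    same-origin relative paths or http(s) URLs; reject every other scheme and
//    protocol-relative ("//host/...") references that would leave the origin.
function isAllowedSrc(value) {
  const v = String(value).trim();
  if (/^[a-z][a-z0-9+.-]*:/i.test(v)) {   // value carries a URL scheme
    return /^https?:/i.test(v);
  }
  return !v.startsWith('//');
}

// Minimal attribute scanner, enough to show which attributes each builder
// produced. Not a real HTML parser.
function attributeNames(markup) {
  const names = [];
  const re = /\s([a-zA-Z-]+)=("[^"]*"|'[^']*'|[^\s>]+)/g;
  let m;
  while ((m = re.exec(markup)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Constructed hostile rel value: closes the src attribute and adds a handler.
const hostile = 'upload.php" onload="alert(1)';

// With concatenation the onload attribute survives; with escaping it is
// literal text inside src and no extra attribute exists.
console.log(attributeNames(buildIframeMarkup(hostile)));        // [ 'id', 'src', 'onload', 'name' ]
console.log(attributeNames(buildIframeMarkupEscaped(hostile))); // [ 'id', 'src', 'name' ]
console.log(isAllowedSrc('javascript:alert(1)'));               // false
console.log(isAllowedSrc('/some/path/to/my/folder/upload.php')); // true
```

In the question's setup the rel value comes from a server-side constant, so neither check changes behaviour; they matter the moment the same handler is reachable from a link whose rel an attacker can influence, which is exactly the scenario cernunnos warns about.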
