The remote server hacks can pretend to be your unsuspecting user, using the stolen credentials for whatever the cookies would reveal.
Last thoughts, don't even use it. If they have to add content on your site, let them add it as a link. That should free you from all responsibilities and conscience overload.
If you really want to have their page included on your site, then you can use an htmlDom parser, parse the page, and then clean it up really good, create a fresh copy of the remote page on your server ( the clean one), and then deliver it to your own iframe. At least, you will have a full control on what acceptable tags are allowed..
You pointed me in the right direction, I found some posts talking about making a whitelist array and then parsing the user submitted material and verifiying the src domain is in the whitelist array.
How would you go about making sure img tags are secure? I don't think whitelisting any websites or whitelisting filetypes would be the answer here. Or am I overthinking that and that's exactly what I need?