If you already know the necessary server-side coding, there are just a few really important points you need to know:
- run the game in an iframe on a different domain to your website. We run the games off static1-4.scirra.net, and the parent frame is scirra.com. These count as different domains, and the browser blocks the iframe accessing anything in a different domain, meaning the website's info is safe from the game. (This is the same principle that stops any website AJAX'ing Facebook in the background to get your personal info.) You can also try sandbox="allow-scripts" on the iframe for extra security.
- have a whitelist of allowed file extensions or filenames - do *not* allow anyone to upload any .aspx, .php files etc! Just have a whitelist of files that are allowed e.g. index.html, *.js, *.png, and reject anything else.
- it's best to manually verify all entries to ensure there's nothing obviously malicious going through.
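
One way to implement the whitelist check from the list above, as an added example that is not part of the original post or Scirra's own code. The function names, the allowed character set, and the choice to reject dotfiles and absolute paths are assumptions; the allowlist itself (index.html, *.js, *.png) is the one given above.

```python
import posixpath
import re

# Allowlist taken from the example in the post: index.html, *.js, *.png.
ALLOWED_NAMES = {"index.html"}
ALLOWED_EXTENSIONS = {".js", ".png"}

# Assumed conservative character set for each path component. It rejects
# "", ".", "..", dotfiles such as ".htaccess", trailing dots or spaces,
# NUL bytes and separators like ";" that some servers treat specially.
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*")


def is_allowed_upload(path: str) -> bool:
    """Return True only if a relative, '/'-separated path matches the allowlist."""
    if not path or path.startswith("/") or "\\" in path:
        return False  # empty, absolute, or Windows-style separators
    parts = path.split("/")
    if not all(SAFE_COMPONENT.fullmatch(part) for part in parts):
        return False  # traversal, hidden files, odd characters
    name = parts[-1].lower()
    if name in ALLOWED_NAMES:
        return True
    # Only the final extension counts; anything not listed is rejected.
    return posixpath.splitext(name)[1] in ALLOWED_EXTENSIONS


def rejected_files(paths):
    """Return the paths in an upload that fail the allowlist, in input order."""
    return [p for p in paths if not is_allowed_upload(p)]


if __name__ == "__main__":
    # Constructed sample upload listing, not taken from a real game export.
    sample = [
        "index.html",
        "c2runtime.js",
        "images/sprite.PNG",
        "upload.aspx",
        "../index.html",
        ".htaccess",
        "style.css",
    ]
    bad = rejected_files(sample)
    print("rejected:", bad)
    print("accept upload:", not bad)
```

Reject the whole upload if `rejected_files` returns anything, rather than silently dropping the offending files.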