Why are iframes considered dangerous and a security risk?
As soon as you're displaying content from another domain, you're basically trusting that domain not to serve up malware.
There's nothing wrong with iframes per se. If you control the content of the iframe, they're perfectly safe.
Security Risks of Including a 3rd Party iFrame
If you are implementing iframes on your website, you could use the sandbox tag in HTML5's iframe to prevent yourself/others on your website.
Source: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox
I don't know how effective it is (the sandbox feature), but it states it can restrict scripts, forms, etc. inside the iframe.
<iframe sandbox="" src="https://www.example.com"></iframe>
Although not a guaranteed and effective method, it's one of many different ways. On your end though, you could use add-ons such as NoScript to prevent certain/all scripts from running.
It's possible that the 3rd party iframe, as you said, could use exploits such as drive-by-downloads, browser exploits to gain access to your OS and possibly more.
See also here: Why are iframes considered dangerous and a security risk?
Hope this helps.
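The sandbox attribute discussed in the answer above takes a space-separated list of allow-* keywords, and an empty value applies every restriction. The following is an added example, not code from the original posts: a small lint pass that reports how each iframe in a page is sandboxed. The function names, finding labels and sample markup are constructed for illustration.

```javascript
// Added example: audit the sandbox attribute of every <iframe> in an HTML string.
// Sandbox keywords as listed in the HTML Standard; anything else is ignored by browsers.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts", "allow-top-navigation",
  "allow-top-navigation-by-user-activation", "allow-top-navigation-to-custom-protocols",
]);

// Parse attributes of one start tag; first occurrence of a name wins, as in browsers.
function parseAttrs(tagBody) {
  const attrs = new Map();
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of tagBody.matchAll(re)) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Simplified tag scan (assumes no ">" inside attribute values); fine for a lint pass.
function auditIframes(html) {
  const results = [];
  for (const m of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[1]);
    const findings = [];
    let tokens = null; // null = attribute absent, [] = every restriction applied
    if (!attrs.has("sandbox")) {
      findings.push("no-sandbox");
    } else {
      tokens = attrs.get("sandbox").toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean);
      for (const t of tokens) if (!KNOWN_TOKENS.has(t)) findings.push("unknown-token:" + t);
      // With both keywords, same-origin framed content can remove its own sandbox.
      if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin"))
        findings.push("scripts+same-origin");
      if (tokens.includes("allow-top-navigation")) findings.push("top-navigation");
    }
    results.push({ src: attrs.get("src") ?? null, tokens, findings });
  }
  return results;
}

// Constructed sample markup (hostnames are placeholders).
const SAMPLE_HTML = `
<iframe src="https://widgets.example/a"></iframe>
<iframe sandbox="" src="https://widgets.example/b"/>
<iframe sandbox="allow-scripts allow-same-origin" src="/c"></iframe>
<iframe sandbox="allow-forms allow-script" src="https://widgets.example/d"></iframe>`;
console.log(JSON.stringify(auditIframes(SAMPLE_HTML), null, 2));
```

An unknown keyword such as the misspelled allow-script grants nothing, so the frame stays more restricted than the author intended; the audit surfaces it as a likely typo.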
Are iframes considered 'bad practice'?
As with all technologies, it has its ups and downs. If you are using an iframe to get around a properly developed site, then of course it is bad practice. However sometimes an iframe is acceptable.
One of the main problems with an iframe has to do with bookmarks and navigation. If you are using it to simply embed a page inside your content, I think that is fine. That is what an iframe is for.
However I've seen iframes abused as well. It should never be used as an integral part of your site, but as a piece of content within a site.
Usually, if you can do it without an iframe, that is a better option. I'm sure others here may have more information or more specific examples; it all comes down to the problem you are trying to solve.
With that said, if you are limited to HTML and have no access to a backend like PHP or ASP.NET etc., sometimes an iframe is your only option.
What are the security vulnerabilities (if any) with using HTML5 iframes
HTML5 iframes have sandboxing technology built in, but you have to enable it first. This means that XSS won't be an option, so if you're making iframe widgets that handle personal information, like Facebook does, as long as you do the usual stuff, there's nothing you should be concerned about.