I'm going to allow my users to make iframed HTML pages on my site. They will input text including markup and I will create the .html file using fwrite().
Are there reasons not to make the file permission for these .html files 0777?
Obviously I don't want people executing javascript but other markup should be fine. Should I do 0766 instead then?
I'm not very familiar with permissions so general advice would be appreciated too.
0777 is inappropriate for data files such as HTML. They should likely be set as 0644 (owner read+write, group/others read only).
Note that the executable bit on an HTML file has absolutely no bearing on what permissions it will have when loaded in a browser. For instance, Javascript will run just fine out of any HTML file, regardless of its permissions -- if you do not want to allow Javascript to run from these files, you will need to filter the content yourself. Good luck.
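An added example, not part of the original answer: one way to do the filtering the answer calls for in PHP, rebuilding the markup from a tag allowlist before writing the file with mode 0644. The function names, the allowlist and the sample input are assumptions chosen for illustration.

```php
<?php
// Added example; function names, allowlist and sample input are assumptions.
const ALLOWED_TAGS = ['p', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a'];
const DROPPED_TAGS = ['script', 'style', 'iframe', 'object', 'embed'];

// Rebuild output from an allowlist: text is re-escaped, allowed elements are
// re-emitted without attributes (only an http/https href survives on <a>).
function render_node(DOMNode $node): string
{
    if ($node instanceof DOMText) {
        return htmlspecialchars($node->nodeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    $tag = strtolower($node->nodeName);
    if (!($node instanceof DOMElement) || in_array($tag, DROPPED_TAGS, true)) {
        return ''; // comments etc., and elements dropped together with their content
    }
    $inner = '';
    foreach ($node->childNodes as $child) {
        $inner .= render_node($child);
    }
    if (!in_array($tag, ALLOWED_TAGS, true)) {
        return $inner; // unknown element: keep only its sanitized children
    }
    $href = $tag === 'a' ? $node->getAttribute('href') : '';
    $attr = preg_match('#^https?://#i', $href)
        ? ' href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"' : '';
    return "<$tag$attr>$inner</$tag>";
}

function sanitize_html(string $html): string
{
    libxml_use_internal_errors(true); // user markup is often malformed
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>', LIBXML_NONET);
    return $doc->documentElement ? render_node($doc->documentElement) : '';
}

function save_user_page(string $dir, string $html): string
{
    $path = $dir . '/' . bin2hex(random_bytes(16)) . '.html'; // server-chosen name
    if (file_put_contents($path, sanitize_html($html), LOCK_EX) === false) {
        throw new RuntimeException("cannot write $path");
    }
    chmod($path, 0644); // owner read+write, group/others read only
    return $path;
}

// Constructed sample input: an event-handler attribute and a script element.
$path = save_user_page(sys_get_temp_dir(), '<p onclick="alert(1)">Hi <b>you</b></p><script>alert(2)</script>');
printf("%s\n%o\n", file_get_contents($path), fileperms($path) & 0777);
```

The file mode only limits who on the server can read or modify the file; what the browser will execute is decided entirely by the bytes that `sanitize_html()` lets through.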