I'm using PHP and the Twig template engine. I want my users to be able to design the complete HTML document that will be output. I need them to be able to include scripts and CSS from external sources.
What do I need to do to completely lock down my app for security?
What steps does Tumblr take?
There aren't any solutions to keep your project 100% secure. However, you could take some actions and check users' HTML files for malware code at certain intervals. I am not completely sure, but I think there are some good free APIs which will do that job for you. I don't know a lot about Tumblr, but I think they are using some kind of API for JavaScript checks.