Unless you are willing to sacrifice a lot of time to make an application flexible AND secure, you will have to choose one or the other. In this example, I compare Myspace profiles and Facebook profiles.
Myspace offers users a great deal of flexibility on their personal profiles. Unfortunately, they chose to allow users to embed HTML code, which opened the door to countless security violations. They saved development time at the expense of security.
On the other hand, Facebook left users with fewer options for their profiles. Therefore, they ensured security, but saved development time at the expense of flexibility.
Fast-forward a couple of years to Facebook’s release of their application platform. This time around, they sacrificed development time for a combination of flexibility and security.