regarding the ad widget

talking about this widget here:

it seems the users can insert anything in there, just had a user insert an iframe. what about javascript and php code? Does it fitler anything out? Does it allow php code execution?

Besides isn’t even an iframe dangerous? thanks for any hints on this issue.