 

Is this jquery code secure?

Is the following code secure?

// Build the iframe markup by string concatenation; the src value is read from
// the clicked link's rel attribute
$iframe = $('<iframe id="iframe" src="' + $(this).attr('rel') + '" name="iframe">');
// Replace whatever is in the ajax area with the new iframe
$area = $("#ajax-area");
$area.empty().append($iframe);

Where:

  1. $(this) is the link clicked.
  2. attr('rel') holds the src for the iframe and rel is created by PHP (no user input here).
  3. And $iframe holds a form to upload.

My concern is that, since in this case the iframe's src is a variable, a malicious user might somehow manage to edit the 'rel' attribute and open an iframe that he or she wants. Is this possible?

EDIT

Thanks for your valuable answers.

PHP uses the following to populate the rel:

App::basePath . '/some/path/to/my/folder';

Where basePath is a constant that the developer chooses.

I'll redesign my jQuery in a more proper way, as you guys suggested.

Shaokan asked Apr 01 '13 09:04


1 Answer

Theoretically, if the rel attribute is based on a server constant, there should be no additional security issues other than the ones you can't control, such as MITM.

However, you should always be on the safe side with these things; and jQuery provides that safety by allowing the attributes for a tag to be passed as the second argument to the constructor:

// Attributes passed as an object are set individually on the element, so
// the src value is never parsed as part of the HTML string
$iframe = $('<iframe />', {
    id: "iframe",
    src: $(this).attr('rel'),
    name: "iframe"
});
Ja͢ck answered Nov 15 '22 03:11
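The following is an added example, not code from the question or the answer above, showing what the attribute-object form protects against and what it does not. The malicious `rel` value is constructed for illustration; nothing on this page says the asker's application is vulnerable. `buildIframeUnsafe` is the concatenation pattern from the question, `escapeAttr` is the fallback if you must build markup as a string, and `makeIframe` is a plain-DOM equivalent of jQuery's `$('<iframe />', {...})` form (each attribute goes through `setAttribute`, so a quote in the value cannot start a new attribute). `isSafeIframeSrc` is an assumed allowlist added here because attribute injection is only half the problem: a `javascript:` or `data:` URL is a perfectly well-formed attribute value and still runs. `attributeNames` is a tiny helper for the demonstration, not a real HTML parser. Pass `document` as the second argument of `makeIframe` in a browser.

```javascript
// Added example (not from the question or answer): string concatenation vs.
// setting attributes individually, plus a scheme allowlist for the src value.

// 1. The pattern from the question. If `src` ever carries a double quote,
//    everything after it becomes additional attributes of the tag.
function buildIframeUnsafe(src) {
  return '<iframe id="iframe" src="' + src + '" name="iframe">';
}

// 2. If markup must be built as a string, escape attribute values first.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function buildIframeEscaped(src) {
  return '<iframe id="iframe" src="' + escapeAttr(src) + '" name="iframe">';
}

// 3. Assumed allowlist: root-relative paths and absolute http(s) URLs only.
//    "javascript:" and "data:" URLs are rejected; so are protocol-relative
//    "//host/path" values, which would silently point at another origin.
function isSafeIframeSrc(src) {
  const value = String(src).trim();
  if (value.startsWith('/') && !value.startsWith('//')) return true;
  try {
    const url = new URL(value);
    return url.protocol === 'http:' || url.protocol === 'https:';
  } catch (e) {
    return false; // neither an absolute URL nor a root-relative path
  }
}

// 4. Hardened construction. jQuery's attribute-object form ends up calling
//    setAttribute() per attribute, which is exactly what this does, so the
//    value is stored whole and never re-parsed as HTML. `doc` is `document`
//    in a browser; it is a parameter so the function can be exercised
//    without a DOM.
function makeIframe(src, doc) {
  if (!isSafeIframeSrc(src)) {
    throw new Error('refusing iframe src: ' + src);
  }
  const iframe = doc.createElement('iframe');
  iframe.setAttribute('id', 'iframe');
  iframe.setAttribute('name', 'iframe');
  iframe.setAttribute('src', src);
  return iframe;
}

// Minimal attribute lister used only to make the break-out visible.
function attributeNames(markup) {
  const names = [];
  const re = /\s([a-zA-Z-]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(markup)) !== null) names.push(m[1]);
  return names;
}

// Constructed attacker-controlled value: closes the src attribute and
// smuggles in an onload handler.
const MALICIOUS_REL = 'https://evil.example/" onload="alert(document.cookie)';
const BENIGN_REL = '/upload/form';

console.log('unsafe :', attributeNames(buildIframeUnsafe(MALICIOUS_REL)));
console.log('escaped:', attributeNames(buildIframeEscaped(MALICIOUS_REL)));
console.log('allowed:', isSafeIframeSrc(BENIGN_REL), isSafeIframeSrc('javascript:alert(1)'));
```

The point of running `attributeNames` on both strings is that the unsafe markup gains an `onload` attribute while the escaped one keeps the whole payload inside `src`. The scheme check is the caveat the answer does not mention: once the attribute boundary is safe, the value itself still has to be a URL you are willing to frame.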