User-generated web content is received prior to posting by a client system, such as a web content hosting system. The user-generated web content is executed in a virtual environment and monitored for malicious behavior. Execution of the web content in the virtual environment forces code in the web content to run such that the actions the code takes, especially malicious behavior, are not obfuscated. If malicious behavior is detected, the user-generated web content is blocked from posting to the web content hosting system. Alternatively, when malicious behavior is not detected, the user-generated web content is permitted to be posted to the web content hosting system.