It depends on what you are customizing. Anything that appears in the code can be edited and changed. That is why the hosted buttons don't have all of the settings like price, so that the end user can't change those values. You can always check the transaction to be sure the correct price was paid and only ship items to people that paid the correct price. There isn't a security issue that would have any long term implications, just that they could complete the process and pay you a different amount or change the item name in the payment, but you could just be careful to not ship items when this is done. It isn't a true security hole that might effect your computer or install malware.