A smart thing to do would be to run it in an iframe with the sandbox attribute so that it doesn't get access to the page's or origin's data, but that wouldn't protect from local denial-of-service attacks against the browser that infinitely loop or allocate tons of memory.

When I made my MediaWiki Plugin I don't think the sandbox attribute was not a thing.

What I did was run code in a worker with events and drawing commands passed through messages.

http://fingswotidun.com/code/index.php/Naughty_Bits

There's probably still a few more things to do to make it properly secure, but at least you can't just kill the page with while(true);