Nonsense, this is how all browsers work - they blindly execute incoming scripts. I'm not saying there have never been any security issues doing this, but they've been few and far between. Why? Because the Javascript environment provided by browsers don't expose any potentially harmful system calls. For example, there does not exist a function in browsers' Javascript APIs which deletes a file from the filesystem.

Of course, non-browser implementations of Javascript may expose whatever additional system functionality they like.