Hacker News
by rev 3673 days ago
And someone will mention how a full-scale language inside a browser is the hugest attack vector of all. Soon as a binary delivery platform - yay!

It's not a real environment though. It's a sandboxed environment with limited, user-authorized APIs.
Nowadays even Wikipedia has a section on JavaScript sandbox implementation errors. Even without taking JS into account, browsers, colossal beasts they are, have had a history of security vulnerabilities in HTML, CSS and image decoding routines. With JS added... again, Wikipedia says it best: "JavaScript provides an interface to a wide range of browser capabilities, some of which may have flaws such as buffer overflows." Ergo, no amount of "sandboxing" will ever save you from trouble.