OP's solution isn't remote code execution though. It's all in-browser, which is why it's pretty cool. Assuming you're only running code that the client themselves are providing, you're in pretty good shape from a security perspective.