Looking at the source code of the code-editor [1], it seems to be embedding https://onecompiler.com via the iframe and delegating code compilation and execution to it. So I guess it's a question to onecompiler, whether they sanitize input or not. :)
[1]: https://github.com/shikaan/shikaan.github.io/blob/main/_incl...
Exactly this.
I have been planning on trying to glue up something with v86[1] as I did in OSle[2] but I did not get to it yet.
In that case, everything would run locally and sandboxes, so you would not have to care.
[1]: https://github.com/copy/v86
[2]: https://github.com/shikaan/osle