replaced http://stackoverflow.com/ with https://stackoverflow.com/

There are several problems with this feature. For example, long running scripts and infinitely long running scripts which will hang / crash the browser.

But more importantly, while this feature might be secure for Stackoverflow's servers, it is definitely unsecure for Stackoverflow's users unless we can solve the phishing problem as demonstrated by my post on snippet sandbox which requires nothing but the innocuous window.location.href.

(A phishing demonstration is not a technological demonstration but a social engineering one. As such, if the demonstration is worded like John's post, bfrohs' post or nhinkle's post, it doesn't demonstrate the dangers of a phishing attack.)

While there are certainly users who may spot these in-domain phishing attacks and flag them for removal, it might indeed be already too late.

Phishers can get extremely creative, but I suppose all in-domain phishing attacks can be prevented by disallowing all external redirections —window.open, window.location, a href, etc— and all external embeds —iframe src, frame src, script src, img src, object, embed, and CSS / favicon's link href, etc—.
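
The restriction proposed in the post, sketched as a check a site could run on a snippet before publishing it. This is an added example, not code from the post or from Stack Overflow; `findExternalRefs`, `isExternal`, the sample snippet and the `example.test` hosts are assumptions. It only sees literal URLs, so script that builds its target at runtime still needs a runtime restriction.

```javascript
// Added illustration; findExternalRefs and the sample hosts are hypothetical.
// Sinks follow the post's list: markup attributes plus script redirections.
const EMBED_ATTRS = new Map([
  ["a", "href"], ["link", "href"], ["iframe", "src"], ["frame", "src"],
  ["script", "src"], ["img", "src"], ["embed", "src"], ["object", "data"],
]);

// True when rawUrl, resolved against the hosting page, leaves its origin.
// javascript:, data: and unparseable values count as external (fail closed).
function isExternal(rawUrl, pageOrigin) {
  try {
    return new URL(rawUrl, pageOrigin + "/").origin !== pageOrigin;
  } catch {
    return true;
  }
}

function findExternalRefs(snippet, pageOrigin) {
  const findings = [];
  // Markup sinks: <tag ... attr=value>, quoted or unquoted.
  for (const m of snippet.matchAll(/<([a-z]+)\b([^>]*)>/gi)) {
    const tag = m[1].toLowerCase();
    const attr = EMBED_ATTRS.get(tag);
    if (!attr) continue;
    const re = new RegExp(
      `(?:^|\\s)${attr}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
    const a = re.exec(m[2]);
    if (!a) continue;
    const url = a[1] ?? a[2] ?? a[3];
    if (isExternal(url, pageOrigin)) findings.push({ sink: `${tag} ${attr}`, url });
  }
  // Script sinks, only where the target is a string literal.
  const jsSinks = [
    ["window.open", /\bwindow\.open\s*\(\s*(["'])(.*?)\1/g],
    ["location", /\blocation(?:\.href)?\s*=\s*(["'])(.*?)\1/g],
    ["location", /\blocation\.(?:assign|replace)\s*\(\s*(["'])(.*?)\1/g],
  ];
  for (const [sink, re] of jsSinks) {
    for (const m of snippet.matchAll(re)) {
      if (isExternal(m[2], pageOrigin)) findings.push({ sink, url: m[2] });
    }
  }
  return findings;
}

// Constructed sample snippet (not taken from any real post).
const SAMPLE = `<a href="/questions/1">related</a>
<img src="https://cdn.example.test/logo.png">
<script>window.location.href = "https://login.example.test/";</script>`;
console.log(findExternalRefs(SAMPLE, "https://stackoverflow.com"));
```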

replaced http://meta.stackoverflow.com/ with https://meta.stackoverflow.com/
added 296 characters in body
Pacerier
added 82 characters in body
added 55 characters in body