They still return code that runs javascript in the main codecademy domain, so you could potentially modify the servers to return tainted data to steal cookies and whatnot.
They don't return code that run JavaScript. All code is executed on the server and only a string of the result is returned. For web courses, evaluation is done client-side and is properly sandbox. See [1] to learn more about the client-side sandboxing.
