confirm will run. This will only happen if the
.js file containing the script is included by the
It appears that the script is called via an embedded project page, because running
alert(location.href) will return the
project.glitch.me URL instead of the editor one.
This issue could possibly be used to run XSS on the editor, so it should probably be fixed.