JS is safe for the server. I was thinking of some prankster making an NPC that injects a keylogger, link loader, or some other background cross-site scripting or confusion like changing links into clients. This typically wouldn't amount to much in practice, and the strange code would likely be easy to catch by a JS novice. I just like to avoid such complications.
I think we can go ahead with the raw edit, at least for some editors, and an interface shouldn't be too hard to add on, if needed.
To support more editors, I would probably prefer a simple interface that lets players choose client and server calls and set parameters, and have a simple server module write the script from that. Trusted people could still edit the raw script to try new creative things before they are added to the interface. Though it may be handy for some, if only trusted people edit, such an interface would be unneeded. Raw editing is fine for those editing raw code, already.
For inserting server calls, the chat system has a start. The data it uses could actually be loaded from a server module for use by both client and server, and as a programming reference. Actually, that sounds like a really good idea, anyway. It could be part of the main cgi, as an extension of the module code.
-QuaCzar : SysOp | P2P Guide | Anarchy Leader | #1 Magic