Do you think there are security concerns? Me no.
the interesting suggestion to use
variable_set('allow_insecure_uploads',1); because of munge mechanism make me curious about what is mounge. That is from file.inc:1074 (drupal 7.22):
/** * Modifies a filename as needed for security purposes. * * Munging a file name prevents unknown file extensions from masking exploit * files. When web servers such as Apache decide how to process a URL request, * they use the file extension. If the extension is not recognized, Apache * skips that extension and uses the previous file extension. For example, if * the file being requested is exploit.php.pps, and Apache does not recognize * the '.pps' extension, it treats the file as PHP and executes it. To make * this file name safe for Apache and prevent it from executing as PHP, the * .php extension is "munged" into .php_, making the safe file name * exploit.php_.pps. * * Specifically, this function adds an underscore to all extensions that are * between 2 and 5 characters in length, internal to the file name, and not * included in $extensions. ...
so, be warned on this apache behaviour that can make things unstable. Note: it is Apache filter behaviour not php, so it work with anything else that has an Apache module. (The use of a dedicated data directory is the best practice).
I decided to let it be and go with drupal security, changing the src attribute to load that .txt file, that is perfectly legal.
The module would be named runyourjs, I have just done the upload file part, then I want to add a default load button (interactive), then just upload it to a drupal sandbox.