Is it possible to use PureScript to safely* run untrusted user-submitted code? Is it possible to reliably enforce purity and other constraints using the type system (like in Safe Haskell)?
In other words, is it possible to use PureScript to sanitize untrusted user code?
*) safe against XSS, no access to global objects etc.
I cannot give you a very definitive answer on this, but I am going to try to give you a sense of direction.
One thing that pops to mind automatically is that you need to sandbox the user's code so that they can only play around in the sandbox instead of in the browser. However, you need to be very careful as to how you set up that sandbox so that things will not leak to the sandbox. This can be a pretty big problem and I think you need to do some researching about this in the JavaScript side of things.
About the type system, PureScript is not directly executable by a browser. PureScript's compile target is mostly JavaScript which can be executed by the browser. However, if I recall correctly, the compiler of PureScript is actually written in Haskell. Since this is not runnable by a browser, you need a server to compile this for you.
All in all, I would say that accepting other user's PureScript code is a very risky option and I would advise you to reconsider your decision. You could go for an alternative like try.purescript.org which lets you write PureScript code snippets in the browser. I cannot guarantee you however that this will be completely safe.