That's mostly a myth perpetuated in onionland. I don't know where it started, but I first noticed it on the Hidden Wiki, where clearnet links were labeled with big warnings. Then people did it on this forum. For some reason, people believe clearnet sites are more dangerous than hidden services. A hidden service could supply malicious scripts just as easily as a clearnet site, and a hidden service operator knows that his visitors don't want to be identified, so he may have more interest / reason to try to deanonymize them, whereas random clearnet sites don't give a shit about identifying proxy users. They just block them if they become a nuisance. The likelihood of getting pwned by some random JavaScript is vanishingly small, while blocking scripts will break a lot of functionality on clearnet sites. I've been using Tor for years, mostly without blocking scripts, and it hasn't been a problem so far. Of course it could be, but the cost-benefit analysis doesn't make me worry about it.