There’s no way you can let JavaScript through without creating some kind of vulnerability. But the same is true of any filtering of inputs. As a developer you have to weigh up functionality against risk.
The wp_kses() function is probably what you’re looking for. Have a read of Otto’s post to learn more about it.
It’s on the Codex too.
Below is a rough example. Untested as I’ve strangely never had to add script tags before.
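    public function sanitize( $input )
    {
        $new_input = array();

        // Allow only <script> tags, and only their src attribute.
        $allowed = array(
            'script' => array(
                'src' => array()
            )
        );

        // Filter the submitted 'code' field through wp_kses() with that list.
        if ( isset( $input['code'] ) ) {
            $new_input['code'] = wp_kses( $input['code'], $allowed );
        }

        return $new_input;
    }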
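An added example, not part of the answer above and not WordPress code: `wp_kses()` filters tags and attributes but not the text between them, so a stricter callback can accept only `<script src>` includes from an allowlist of hosts and rebuild each tag itself. The function name, the host list and the sample input are assumptions, and it uses plain PHP (with the DOM extension) so it can be run outside WordPress.

```php
<?php
// Hypothetical allowlist of hosts the site agrees to load scripts from.
const ALLOWED_SCRIPT_HOSTS = array( 'cdn.example.com', 'static.example.org' );

// Return rebuilt <script src> tags for allowlisted https URLs; drop the rest.
function sanitize_script_includes( string $input ): string
{
    if ( trim( $input ) === '' ) {
        return '';
    }
    $doc = new DOMDocument();
    libxml_use_internal_errors( true );   // malformed markup must not emit warnings
    $doc->loadHTML( '<div>' . $input . '</div>', LIBXML_NONET );
    libxml_clear_errors();

    $out = array();
    foreach ( $doc->getElementsByTagName( 'script' ) as $node ) {
        $parts = parse_url( trim( $node->getAttribute( 'src' ) ) );
        if ( ! is_array( $parts ) ) {
            continue;
        }
        $host = strtolower( $parts['host'] ?? '' );
        // Require https, an allowlisted host, and no credentials or port.
        if ( strtolower( $parts['scheme'] ?? '' ) !== 'https'
            || ! in_array( $host, ALLOWED_SCRIPT_HOSTS, true )
            || isset( $parts['user'] ) || isset( $parts['pass'] ) || isset( $parts['port'] ) ) {
            continue;
        }
        // Rebuild the URL from its validated parts; the original tag, its other
        // attributes and any inline body are never copied to the output.
        $url = 'https://' . $host . ( $parts['path'] ?? '/' );
        if ( isset( $parts['query'] ) ) {
            $url .= '?' . $parts['query'];
        }
        $out[] = '<script src="' . htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' ) . '"></script>';
    }
    return implode( "\n", $out );
}

// Constructed sample input: one acceptable include and four that are dropped.
$sample = '<script src="https://cdn.example.com/lib.js?v=2"></script>'
    . '<script>document.title = "inline";</script>'
    . '<script src="http://cdn.example.com/plain-http.js"></script>'
    . '<script src="https://other.example.net/x.js" onload="f()"></script>'
    . '<img src="x.png" onerror="f()">';
echo sanitize_script_includes( $sample ), "\n";
```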