Say I browse with Tor Browser to a website I trust and it requires enabling JavaScript for, say, logging in. So I enable JavaScript. The question is: can anyone else (maybe along the route to and from the website) except the website itself exploit the fact that I enabled JavaScript, or only the website itself?
In a word, yes. They can inject into your traffic from a MITM or man-on-the-side attack. Actually, the NSA has such a thing, called Quantum Insert.
But there are mitigations to make this harder. The first is the use of HTTPS. The second would be connecting to hidden services, which adds layers of encryption too.
When you're using Tor, or if you consider what you're doing high risk, you have to assume the browser can be compromised. So mitigate by adding isolation and compartmentalization.