> Another thought... something that occasionally gets discussed on this list
> is the possibility of defining a "data-only" subset of Lua. The idea is
> that we could use Lua as a general data format without running the risk of
> malicious Lua code being executed inside the host program. However, there
> has never been any agreement on exactly which subset of Lua should be used.

If you can restrict yourself to Lua data files containing just a few table
constructors, then prepending "return " to the file (and separating the
constructors with commas) ensures that it cannot execute malicious code
(as long as you do not export any functions that you consider dangerous).

For other approaches and more discussion on this topic, see
http://lua-users.org/lists/lua-l/2005-08/msg00689.html
http://lua-users.org/lists/lua-l/2005-08/msg00639.html
http://lua-users.org/lists/lua-l/2005-08/msg00592.html
http://lua-users.org/lists/lua-l/2004-12/msg00016.html
http://lua-users.org/lists/lua-l/2004-11/msg00497.html
http://lua-users.org/lists/lua-l/2004-12/msg00000.html

--lhf
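
An added example, not part of the original message: one way to load such a data file by prepending "return " and running the chunk in an empty environment. The helper names load_data and collect and the sample records are constructed for illustration; the code covers Lua 5.1 (setfenv) and 5.2 or later (load with an environment argument).

```lua
-- Added example: load a "data-only" Lua file as a single return expression.

-- Pack pcall results: nil + message on error, else a table of values.
local function collect(ok, ...)
  if not ok then return nil, (...) end
  return { n = select("#", ...), ... }
end

local function load_data(text)
  -- "return" must be the last statement of a block, so anything after
  -- the expression list is a syntax error rather than executed code.
  local src = "return " .. text
  local env = {}  -- export nothing: no os, io, require, load, ...
  local chunk, err
  if setfenv then                        -- Lua 5.1 / LuaJIT
    chunk, err = loadstring(src, "=data")
    if chunk then setfenv(chunk, env) end
  else                                   -- Lua 5.2+: "t" = text chunks only
    chunk, err = load(src, "=data", "t", env)
  end
  if not chunk then return nil, err end
  -- Caveat: string values still reach the string library through the
  -- string metatable, whatever the environment is. Count that among the
  -- "exported functions" when deciding what the host considers dangerous.
  return collect(pcall(chunk))
end

-- Constructed sample: two table constructors separated by a comma.
local good = [[
{ name = "alpha", ports = { 80, 443 } },
{ name = "beta",  ports = { 22 } }
]]
local recs = assert(load_data(good))
assert(recs.n == 2 and recs[1].name == "alpha" and recs[2].ports[1] == 22)

-- Constructed sample: a global the host did not export is nil at run time.
local uses_global = [[ { home = os.getenv("HOME") } ]]
assert(load_data(uses_global) == nil)

-- Constructed sample: a statement after the constructor does not compile.
local has_statement = [[ { 1, 2, 3 }; os.exit(1) ]]
assert(load_data(has_statement) == nil)

print("all checks passed")
```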