lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

> Another thought... something that occasionally gets discussed on this list
> is the possibility of defining a "data-only" subset of Lua. The idea is
> that we could use Lua as a general data format without running the risk of
> malicious Lua code being executed inside the host program. However, there
> has never been any agreement on exactly which subset of Lua should be used.

If you can restrict yourself to Lua data files containing just a
few table constructors, then prepending "return " to the file (and
separating the constructors with commas) ensures that it cannot execute
malicious code (as long as you do not export any functions that you
consider dangerous).

For other approaches and more discussion on this topic, see