Apart from the generic rule "sanitize form input server-side before using it for anything", just applied to several specific scenarios (i.e. "sanitize HTML to avoid XSS", "sanitize SQL to avoid SQL injections", "sanitize before passing to loadstring()", "sanitize filenames", "sanitize input to os.system()"), the only two other things, somewhat interesting to me at least, seemed to be related to specific modules:
1. CGILua: "weak (easily guessable) session IDs" - more details at: http://www.syhunt.com/?n=Advisories.Cgilua-weaksessionid
2. ngx_lua, mod_lua, CGILua: "CRLF injection" - overwriting HTTP headers by embedding %0d%0a in GET parameter values; this actually seems to be kind of a weakness in the modules, although I'm not sure to what extent important headers can be overridden (e.g. HTTP_REFERER?)
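
The CRLF case in item 2, as an added example that is not part of the original post or of any module's own code: a percent-decoded GET value turns one response header into two unless the application checks it first. It is plain Lua with no ngx_lua, mod_lua or CGILua calls; the function names `url_decode` and `safe_header_value`, the `Content-Language` header and the sample parameter are assumptions made for illustration.

```lua
-- Added example: plain Lua 5.1+, no web-module APIs are used.

-- Percent-decode a query-string value, as the application sees it
-- after the web module has parsed the request.
local function url_decode(s)
  s = s:gsub("%+", " ")
  s = s:gsub("%%(%x%x)", function(hex)
    return string.char(tonumber(hex, 16))
  end)
  return s
end

-- Return the value unchanged if it is safe to place in a response header,
-- otherwise nil plus a reason. Any control byte (CR, LF, NUL, DEL, ...) is
-- refused; this is deliberately strict and also refuses horizontal tab.
local function safe_header_value(v)
  if type(v) ~= "string" then
    return nil, "not a string"
  end
  if v:find("%c") then
    return nil, "control character in header value"
  end
  return v
end

-- Constructed sample input: a "lang" GET parameter as it appears on the wire.
local raw = "en%0d%0aX-Injected:%20yes"
local decoded = url_decode(raw)

-- Unchecked concatenation: the single intended header becomes two lines.
local naive = "Content-Language: " .. decoded .. "\r\n"
local lines = 0
for _ in naive:gmatch("[^\r\n]+") do
  lines = lines + 1
end
print("header lines emitted without a check:", lines)

-- Checked: the decoded value is refused before it reaches the response.
print("checked value:", safe_header_value(decoded))

-- A benign value passes through unchanged.
print("benign value:", safe_header_value(url_decode("en-GB")))
```

The check belongs on the decoded value at the point where the header is set, since that is the form in which the CR and LF bytes exist.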