Sandbox your script execution and make sure to forbid the loading and execution of pre-compiled bytecode on both the client and server sides. In your sandboxes, make sure to use a "white list" technique to provide only vetted and known safe (in your context) operations to the user scripts.
You might want to run scripts in a separate process (or thread) and use platform services to limit the amount of CPU time and memory a script is allowed to consume, otherwise a user who is tricked into running the script `repeat until false` will consume an entire CPU core and there are similarly simple attacks on memory.
Whether this is a concern is more of a perception issue IMHO, as the possibility of a simple denial of service attack on an individual's personal machine is not in the same league as enabling an exploit that results in theft of passwords or banking details.
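
The following sketch is an added example, not part of the original answer. It assumes the stock Lua 5.2 or later interpreter, and the names `make_env`, `run_sandboxed` and `MAX_INSTRUCTIONS` are hypothetical. It combines the three points above: a whitelisted environment, text-only chunk loading, and an instruction budget.

```lua
-- Added example. Assumes stock Lua 5.2+ (load accepts mode and env arguments).

-- Whitelist: a fresh table holding only vetted functions. Nothing from _G
-- (io, os, debug, require, load, dofile, ...) is reachable by name.
local function make_env()
  return {
    ipairs = ipairs, pairs = pairs, select = select, type = type,
    tostring = tostring, tonumber = tonumber,
    math   = { abs = math.abs, floor = math.floor, max = math.max, min = math.min },
    string = { len = string.len, sub = string.sub, upper = string.upper },
    table  = { concat = table.concat, insert = table.insert, remove = table.remove },
  }
end

local MAX_INSTRUCTIONS = 1e6  -- constructed budget; tune for your workload

local function run_sandboxed(source)
  -- Mode "t" accepts text chunks only, so pre-compiled bytecode is refused.
  local chunk, err = load(source, "=user_script", "t", make_env())
  if not chunk then return false, err end
  -- Run in a coroutine with a count hook that aborts once the budget is spent.
  -- pcall is deliberately absent from the whitelist so the script cannot
  -- catch the abort and carry on.
  local co = coroutine.create(chunk)
  debug.sethook(co, function()
    error("instruction budget exceeded", 0)
  end, "", MAX_INSTRUCTIONS)
  return coroutine.resume(co)
end

-- Constructed sample inputs.
print(run_sandboxed("return math.max(1, 2)"))         -- allowed operation
print(run_sandboxed("return os.execute('id')"))       -- os is not whitelisted
print(run_sandboxed("repeat until false"))            -- stopped by the hook
print(run_sandboxed(string.dump(function() end)))     -- bytecode rejected
```

The count hook bounds interpreted instructions only; it does not limit memory or interrupt a long-running C function, so the process-level limits mentioned above are still needed for those.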