On Wed, Dec 17, 2014 at 5:03 PM, Meae Flowright <scratchnloved@xxxxxxxxx> wrote:
> By not passing default string operators, most of which aren't safe, to the
> environment. The sandbox overloads the string type metatable with the
> environment's string table if provided, otherwise it uses an empty table.

That's the sensible thing to do (e.g. Penlight's pretty.load has a paranoid option).

Roberto pointed out that one can still cause mayhem with simple string concatenation:

L = "lol"
L = L..L..L..L..L..L..L
L = L..L..L..L..L..L..L
L = L..L..L..L..L..L..L
....

What kinds of space/time constraints can you impose on the running scripts?
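One way to bound both time and space from pure Lua, as an added example that is not part of the original message or of the sandbox under discussion: a count hook enforces an instruction budget and a heap ceiling while the string metatable is swapped as described in the quoted text. The function name run_limited, the limits and the sample inputs are assumptions, and stock PUC Lua is assumed.

```lua
-- Added example; run_limited and its parameters are hypothetical names.
local function run_limited(src, max_steps, max_kb)
  local env = {}                          -- empty environment: no globals at all
  local chunk, err
  if setfenv then                         -- Lua 5.1
    chunk, err = loadstring(src, "=sandbox")
    if chunk then setfenv(chunk, env) end
  else                                    -- Lua 5.2 and later; "t" rejects bytecode
    chunk, err = load(src, "=sandbox", "t", env)
  end
  if not chunk then return false, err end

  -- String methods are reached through the shared string metatable, not the
  -- environment, so swap its __index for the duration of the run.
  local smt = getmetatable("")
  local saved_index = smt.__index
  smt.__index = env.string or {}

  local steps = 0
  local base_kb = collectgarbage("count")
  local co = coroutine.create(chunk)
  -- Empty mask plus count 1: the hook runs after every VM instruction.
  debug.sethook(co, function()
    steps = steps + 1
    if steps > max_steps then error("instruction budget exceeded", 0) end
    if collectgarbage("count") - base_kb > max_kb then
      error("memory ceiling exceeded", 0)
    end
  end, "", 1)

  local ok, msg = coroutine.resume(co)
  smt.__index = saved_index               -- restore the host's string methods
  return ok, msg
end

-- Constructed inputs: the concatenation pattern from the message written as a
-- loop, a busy loop, and a string method call that the swapped metatable blocks.
local bomb = 'L = "lol"\nfor i = 1, 30 do L = L..L..L..L..L..L..L end'
print(run_limited(bomb, 1e6, 1024))
print(run_limited("while true do end", 1e6, 1024))
print(run_limited('return ("x"):rep(10)', 1e6, 1024))
```

The hook only runs between VM instructions, so a single concatenation can overshoot the ceiling by one growth step before it is caught. A hard cap needs a custom allocator passed to lua_newstate on the C side.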