I want to implement something in my game where a player on a whitelist can use a script editor in-game. I know that you can use a “lexer” for syntax highlighting, but I was wondering if there was a safe option to running this code through a remote event without risking security be enabling LoadStringEnabled.
2 Likes
Running arbitrary code in general isn’t safe.
You could sandbox the code using setfenv although that disables some of Luau’s optimizations
By safe option do you mean preventing exploiters from using the remote event, or just stopping the code itself from being harmful? If you mean the former, then that pretty easy to do by just checking the userid or name or something, but the latter is pretty much impossible unless you make some sort of whitelist on what code it allowed, and would be very complicated.
It’s generally unsafe to compile and execute code at run-time, especially when user input is involved. Make sure you verify that the person wanting to run the script is on that whitelist.
An alternative to enabling loadstring would be to use a VM. You may have better control over the code being run that way.
1 Like