Is it possible (and allowed) to have some way for players to add/inject their own scripts in-game?

I’m working on a sandbox game, and I want a way for Players to add/create their own in-game scripts.
Is it possible (and allowed) to have some way for players to add/inject their own scripts in-game?

This is very dangerous and I don’t recommend it. But if you really want to, you can use loadstring() on what the player types in the script.

I heard that only works in Non-Filtering Enabled games, is this true?

This is not true; loadstring() works in Filtering-Enabled only, I believe. You also cannot currently change your game to Non-Filtering-Enabled.

1 Like

Alright, thanks. I’ll give it a shot.

Just making sure, there’s no TOS violations by doing this, right?
And what concerns may I face by using this method?

There is no rule against the loadstring() function.

The concern I have is that players can load in exploit scripts and crash the game if they so feel. I recommend adding pre-made functions that the player can add.

You’d be allowing the exploiter to control your entire game, effectively being a backdoor. Major no-nos if it’s a multiplayer game as it could lead to them spawning inappropriate stuff.

  1. Enable LoadStringEnabled in ServerScriptService
  2. Create RemoteEvent in ReplicatedStorage
  3. Create this Script
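-- Server Script: OnServerEvent is the server-side signal for events fired by clients.
-- Any client can fire this event, so every player gets server-side code execution.
game.ReplicatedStorage.YOUREVENTNAME.OnServerEvent:Connect(function(player, Code)
    loadstring(Code)()
end)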

Now, when your event is fired from the client with 1 argument (Script), it will be executed on the server.

1 Like

The terms of service clearly state that external clients that impact the user’s experience are not allowed; however, I don’t see a problem with the loadstring() function.

I do not recommend doing this. Alternatively, I recommend creating a block system that’ll create a type of script. This will allow you to have control over what players can script and what they can’t script, such as malicious injections with requires or other types of malicious acts.
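The "pre-made functions" and "block system" alternatives suggested in the replies above, as an added example that is not part of any post in this thread: the server receives a player's program as data and runs only allowlisted handlers, so no player text ever reaches loadstring(). The command names, limits and the `world` log are hypothetical.

```lua
-- Added example, not from the thread. All names here are hypothetical.
local unpack = table.unpack or unpack     -- works on Lua 5.1/Luau and 5.2+
local MAX_STEPS = 64                      -- bound the work one submission can cause
local MATERIALS = { Wood = true, Stone = true, Glass = true }

local function isCoord(v)                 -- integer inside the build area; rejects NaN/inf
  return type(v) == "number" and v == math.floor(v) and v >= -256 and v <= 256
end
local function isMaterial(v) return type(v) == "string" and MATERIALS[v] == true end

-- Each command lists its argument validators and a handler the server owns.
local COMMANDS = {
  place_block = { args = { isCoord, isCoord, isCoord, isMaterial },
    run = function(world, x, y, z, m)
      world[#world + 1] = ("place %s at %d,%d,%d"):format(m, x, y, z)
    end },
  clear_block = { args = { isCoord, isCoord, isCoord },
    run = function(world, x, y, z)
      world[#world + 1] = ("clear %d,%d,%d"):format(x, y, z)
    end },
}

-- Validate every step before running any, so a bad program has no partial effect.
local function runUserProgram(program, world)
  if type(program) ~= "table" or #program > MAX_STEPS then
    return false, "program must be a list of at most " .. MAX_STEPS .. " steps"
  end
  for i, step in ipairs(program) do
    local cmd = type(step) == "table" and type(step.op) == "string" and COMMANDS[step.op]
    if not cmd then return false, "step " .. i .. ": unknown command" end
    if type(step.args) ~= "table" or #step.args ~= #cmd.args then
      return false, "step " .. i .. ": wrong argument count"
    end
    for j, valid in ipairs(cmd.args) do
      if not valid(step.args[j]) then
        return false, ("step %d: argument %d rejected"):format(i, j)
      end
    end
  end
  for _, step in ipairs(program) do COMMANDS[step.op].run(world, unpack(step.args)) end
  return true
end

-- Constructed sample submissions, as they might arrive from a client.
local world = {}
print(runUserProgram({ { op = "place_block", args = { 1, 2, 3, "Wood" } } }, world))
print(runUserProgram({ { op = "require", args = { 1 } } }, world))
print(runUserProgram({ { op = "clear_block", args = { 0, 0, 1e9 } } }, world))
print(#world)
```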

I would NOT recommend this. Giving them loadstring() gives them basically full control over the server, and if inappropriate content gets inserted, you will be held accountable by Roblox since it’s your game.

1 Like

I recommend you don’t do this; it’s basically giving backdoor access to your game, and the Funny people can probably do some funny things which you will be held responsible for.

The easiest way to do this is to use loadstring with setfenv and strip out everything from Roblox’s standard library, then slowly put stuff back in that you deem worthy of keeping.

local ENV = {
  --put stuff here that you want to expose to your executor
  math = math,
  string = string
}

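local function RunUserCode(code): (boolean, string?)
  local f, err = loadstring(code)
  if not f then return false, err end
  -- loadstring's second argument is a chunk name, so the environment is set with setfenv
  setfenv(f, ENV)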
  
  local s, e = pcall(f)
  if not s then
    return s, e
  else
    return s
  end
end

You could even feed in a special version of game here using a sandboxed version of it?

2 Likes

You can do this, however I can’t see why you’d want to. You should also make your own sandboxed environment if you are. You can get more info on Lua sandboxing here:
http://lua-users.org/wiki/SandBoxes

This is actually a relatively popular & common genre of game.