loadstring vulnerability #3

@2dengine

In your "string to table" function you are using setfenv, which is good, although I have read that it is possible to bypass this sort of sandboxing by loading Lua bytecode. In short, you may want to disallow loading strings containing bytecode if you plan to build a "high security" application:

    if stringtoload:byte(1) == 27 then
      return
    end
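
An added example, not code from the project or from the issue author: a text-only loader that combines the first-byte check above with the setfenv sandbox. The name `string_to_table` is hypothetical, and the example assumes the serialized string is a complete `return { ... }` chunk.

```lua
-- Added example: text-only "string to table" loader (names are hypothetical).
local BYTECODE_ESC = 27 -- precompiled Lua and LuaJIT chunks start with byte 27 (ESC)

local function string_to_table(s)
  if type(s) ~= "string" then
    return nil, "expected a string"
  end
  -- Reject precompiled chunks before they reach the loader.
  if s:byte(1) == BYTECODE_ESC then
    return nil, "bytecode rejected"
  end
  local env = {} -- empty environment: the chunk cannot reach any globals
  local chunk, err
  if setfenv then
    -- Lua 5.1 / LuaJIT: loadstring has no mode argument,
    -- so the byte check above is the only guard against bytecode.
    chunk, err = loadstring(s, "=data")
    if chunk then setfenv(chunk, env) end
  else
    -- Lua 5.2+: mode "t" makes load itself refuse binary chunks.
    chunk, err = load(s, "=data", "t", env)
  end
  if not chunk then return nil, err end
  local ok, result = pcall(chunk)
  if not ok then return nil, result end
  if type(result) ~= "table" then return nil, "not a table" end
  return result
end

-- Constructed inputs: one textual table, one precompiled chunk from string.dump.
local text = "return { name = 'demo', hp = 10 }"
local binary = string.dump(function() return {} end)

local t = assert(string_to_table(text))
assert(t.name == "demo" and t.hp == 10)

local r, why = string_to_table(binary)
assert(r == nil and why == "bytecode rejected")

-- The empty environment also hides globals from textual chunks.
local g = assert(string_to_table("return { o = os }"))
assert(g.o == nil)
```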
