$wgPFEnableStringFunctions


Actually, I am not aware of any security risk from Extension:Lua. Making PHP directly available would of course be a huge risk! But with LUA it is more like the LUA interpreter is just another parser on top of the wiki-markup parser and therefore running within its restrictions. It makes HTML code injection impossible, as well as direct access to PHP.

Danwe 04:55, 14 January 2012

Well, if it's possible to do things securely that way, I wonder if Lua would be the right choice. It seems a lot is being done with Python. Maybe there's a way to do PHP safely? The extensions seem to be giving access to portions of PHP, anyway.

Badon 05:21, 14 January 2012

Not sure about Python, but about PHP: It might be possible, but it's not the prettiest language and offers too much server-specific stuff you wouldn't want anybody to use within templates. Certainly not the best choice. Basically, what LUA, as well as any other half-hearted implementation of any programming language, is missing would be some framework to access some MW-specific stuff like you have in PHP using MW's base classes. That would be, for example, something like the MW Title class in PHP, access to some Parser functionality or even basic stuff like a function for accessing template parameters nicely. For realizing this, we would have to introduce some kind of wrappers into the PHP extension, connecting the new language (like LUA) with existing PHP functionality.

Danwe 06:49, 14 January 2012

That sounds like a lot of glue code. Correct me if I'm wrong, but I think that would be very difficult to maintain since small changes in MediaWiki could break the entire extension - or worse, cause security holes. Does that sound right?

Badon 21:03, 14 January 2012

No security holes; perhaps some stuff will break from time to time, but you can have this problem with all MW extensions when a new MW version comes out. It's not like we'd have to do this for ALL MW classes, just for some, so it wouldn't be too problematic I guess. I think there is just nobody developing this because everybody is depending on Parser Functions in their own wikis already, just like me.

Danwe 23:59, 15 January 2012
 
 
 
 