Thread:Extension talk:ParserFunctions/$wgPFEnableStringFunctions/reply (7)

Actually, I am not aware of any security risk posed by Extension:Lua. Making PHP directly available of course would be a huge risk! But with Lua it is more like the Lua interpreter is just another parser on top of the wiki-markup parser and therefore running within its restrictions. It makes HTML code injection impossible, as well as direct access to PHP.