Description
It would be nice to have something like a "sandboxed" mode in which Lua filters could run. This could be triggered by the existing `--sandbox` CLI option. What would have to be done to make this possible?
https://github.com/kikito/lua-sandbox gives a model for restricting unsafe functions.
We could modify to taste. In addition to what they exclude, we'd have to remove `require`, and we'd need special versions of many of the functions pandoc provides (which are basically hooks to code implemented in Haskell). This is a bit awkward, because Lua itself has to run in IO, but in principle we could use `sandbox` (T.P.Class) to lift pure operations into MonadIO. To avoid inefficiency, we'd probably need to change this function so that it takes an already-constructed FileTree rather than a list of FilePaths as argument. Then we could build the ersatz FileTree once and thread it through.
(Actually, thinking back, I wonder why I didn't implement the sandbox by using a new PandocSandboxed monad that is an instance of MonadIO but doesn't actually do any IO. That could be worth reconsidering.)
Anyway, I just wanted to put this up here so we can collect ideas, or at least catalog obstacles. This is getting more important the more people come to rely on Lua filters to extend pandoc.
PS. A safe mode for regular JSON filters would be impossible to implement; since these filters are separate programs, pandoc cannot control what they do in addition to spitting out JSON. But for Lua filters it does not seem impossible.
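As an illustration of the whitelist approach the issue points at (the lua-sandbox model plus dropping `require`), here is an added example that is not pandoc's code and not lua-sandbox's code either. It assumes Lua 5.3 or 5.4 (so `load` takes an environment argument instead of `setfenv`), and the names `make_sandbox_env` and `run_sandboxed` are hypothetical. It deliberately does not address the pandoc-provided hooks into Haskell that the issue says would need special versions; it only shows the pure-Lua side: building a restricted `_ENV`, refusing precompiled bytecode, and bounding CPU with an instruction quota via `debug.sethook`.

```lua
-- Added example (not pandoc's or lua-sandbox's code). Assumes Lua 5.3/5.4.
-- Builds a fresh environment containing only whitelisted globals and runs an
-- untrusted filter chunk inside it.

-- Hypothetical helper: returns a new environment table for one filter run.
local function make_sandbox_env()
  local env = {}

  -- Globals considered safe to expose by reference.
  -- Deliberately absent: require, dofile, loadfile, load, loadstring,
  -- io, os (full), debug, package, collectgarbage, rawget, rawset,
  -- rawequal, setmetatable, getmetatable.
  local safe_globals = {
    "assert", "error", "ipairs", "next", "pairs", "pcall", "select",
    "tonumber", "tostring", "type", "xpcall", "print",
  }
  for _, name in ipairs(safe_globals) do env[name] = _G[name] end

  -- Shallow-copy library tables so the filter cannot mutate the host's copies
  -- (e.g. replacing string.format for every later filter).
  local function copy(t)
    local c = {}
    for k, v in pairs(t) do c[k] = v end
    return c
  end
  env.string = copy(string)
  env.table  = copy(table)
  env.math   = copy(math)
  env.utf8   = copy(utf8)

  -- Expose only the clock-ish parts of os; no os.execute, os.exit, os.getenv...
  env.os = { time = os.time, clock = os.clock, date = os.date }

  -- Make _G inside the sandbox refer to the sandbox itself.
  env._G = env
  return env
end

-- Hypothetical helper: compile and run `code` in a sandbox.
-- `quota` (optional) is the maximum number of VM instructions (rough CPU bound).
-- Returns ok, result_or_error like pcall.
local function run_sandboxed(code, name, quota)
  local env = make_sandbox_env()
  -- Mode "t": source text only; precompiled bytecode is rejected, since
  -- hand-crafted bytecode can bypass the VM's safety checks.
  local chunk, err = load(code, name or "=filter", "t", env)
  if not chunk then return false, "compile error: " .. err end

  if quota then
    -- Fire every `quota` instructions and abort the chunk; the error raised in
    -- the hook propagates into the running code and is caught by pcall below.
    debug.sethook(function() error("instruction quota exceeded", 2) end, "", quota)
  end
  local ok, res = pcall(chunk)
  debug.sethook()  -- always clear the hook, whether the chunk succeeded or not
  return ok, res
end

-- Constructed inputs standing in for Lua filters.

-- 1. A well-behaved filter: returns a handler table, as pandoc filters do.
local good_filter = [[
  return { Str = function(el) return { text = string.upper(el.text) } end }
]]
local ok, filter = run_sandboxed(good_filter, "=good_filter", 1000000)
assert(ok and filter.Str({ text = "hello" }).text == "HELLO")

-- 2. A filter that tries to pull in a module: `require` is simply absent.
local ok2, err2 = run_sandboxed([[ return require("socket") ]], "=bad_filter")
assert(not ok2 and err2:find("require", 1, true))
print(err2)  -- e.g. bad_filter:1: attempt to call a nil value (global 'require')

-- 3. A filter that tries to touch the filesystem: `io` is absent too.
local ok3, err3 = run_sandboxed([[ return io.open("/etc/passwd") ]], "=io_filter")
assert(not ok3 and err3:find("io", 1, true))

-- 4. A filter that never terminates: the instruction quota aborts it.
local ok4, err4 = run_sandboxed([[ while true do end ]], "=loop_filter", 100000)
assert(not ok4 and err4:find("quota", 1, true))
print("all sandbox checks passed")
```

Two caveats a practitioner would want stated: the instruction quota bounds CPU but not memory (a filter can still do `("x"):rep(1e9)`), and methods called on string literals go through the string metatable's `__index`, which is the host's original `string` table rather than the sandbox's copy, so the copy protects the host from mutation but does not by itself hide any string function. Neither of these touches the harder part the issue raises, namely giving the pandoc-provided Haskell-backed functions non-IO counterparts.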