Hello,
i like to include advanced modding features into my project.
The condition is that the features can use basic conditions, math, call c# functions.
It should also be safe ofcourse i want to be sure no malicious code can be included into mods.
I am thinking about something like lua but i dont know much about it.
I now found this: MoonSharp | Tools | Unity Asset Store
I dont really understand how the integration works. Does it satisfy the requirements especially the safety?
You have to be more specific when defining safety.
Scripting engines like moonsharp require you to pass in the libraries it can access, which gives you some degree of control over âsafetyâ in the sense of avoiding them hijacking the computer itself (like writing viruses or something). Although, there are still always potential for holes in safety.
But if by safety you mean avoiding other sorts of things. Like keeping them from running stuff in your game you donât want in your game. Well thatâs harder to say.
And if you mean safety in the sense of not crashing your game. Thatâs yet another thing.
Well safety is foremost avoiding someone sneaking a virus in.
But it should also only be able to access restricted parts of my program. I want the script only to be able to call defined functions and nothing else.
I dont care about crashing the program. That would only a minor issue i hope.
The script should otherwise only have access to itself and perform math, create functions and conditions, maybe some other stuff i am not aware of yet but not âcall outâ to the main app except for the few functions in the scripting class in my main app which i would define there specially for the scripting. I donât want it to do very âfancyâ stuff either. I think its best described like a virus safe sandbox which does only contact with the main app over the functions interface.
I like to know in which way i can make this best.
Maybe it would be best if i could keep the modding language in c# but it still would need to be restricted.
(This is really just a rehash of lordofductâs answer.) Lua, and other embeddable languages such as @JoeStrout 's MiniScript, can restrict what the modder can access. MoonSharp has âEasy opt-out of Lua standard library modules to sandbox what scripts can accessâ, which means you can prevent it from accessing file I/O functions that can delete disk files, etc. In your case, you could just allow access to the math and string libraries, and register your own custom functions to interface with your game, such as spawning new monsters or showing onscreen messages.
I was a big fan of Lua, until I got to know it better. Then the romance ended. 
I created MiniScript in part as a response to that, because I needed a safe, easy-to-use language that wasnât a festering horror.
Opinions may vary, of course. You should check out all the options and decide for yourself.
I started integrated MoonSharp now i did not find anything else i got working.
I am not sure about benefits of Lua but i dont want to spend more time on the question what to use and if i can integrate it at all.
Cities Skylines uses C# - https://skylines.paradoxwikis.com/Modding_API
Itâs interesting to note too that they donât bother with any form of security.
Which means the user has the choice between risking a virus, check the modcode himself and dont use mods at allâŚ
But it has millions of users and hasnât had a problem.
Youâre trying to solve a problem before it even exists. This is like many indie multiplayer developers worried about cheaters when the real problem will be getting people to even play the game.
As far you know it had no problem.
But really something like this can ruin a company in my opinion: imagine the Lawsuit if a virus which comes with a mod destroys all on the computer and the makers scam some money off the user. And this happens to a bunch of users.
Security holes are not a âproblem before it existsâ security holes are a problem on itself.
But honestly thats just my way to programming. i am trying to make everything perfect i see myself as artist and my programs are not in first place money machines but artwork. So its perfectly fine for you to program that way i just continue my way.
Only if their computer (and the hosting service) is unprotected. Since the C# implementation results in code that executes natively any malware protection software that is installed and running should be able to catch the virus before it can cause harm.
Itâs important to keep in mind that large companies always consult their legal staff before making a serious decision. If simply supporting mods had the potential to lead to serious damage to the company like you believe then their legal departments wouldnât have allowed hosting and distributing them let alone simply supporting them.