The load function is unsafe to expose to untrusted code as-is. Because of this, it's better to omit it from sandboxes. It would be best if the parser could operate without a dependency on load, but this means reimplementing escape handling.
Potential tool to help with fuzzing https://paste.sr.ht/~xerool/23a4b33fdb8f195a95456b5cd3bf7cc709e4877f
I've added the aforementioned fuzzing, and also I've updated the implementation. Due to the fuzzing, I'm pretty confident the behavior is correct, so the only concern left is comparing performance.
I went to benchmark this using the test suite, and it was significantly slower. I realized that could have been due to changes to the test suite, not just changes in the implementation. So I took fennel and fennel.lua from this branch and brought it into fennel-ls, and it wouldn't compile. So I think there are still some bugs in this branch:

    ~/src/fennel-ls $ make test DEV=y
    XDG_DATA_HOME=test/data lua fennel --add-package-path "deps/?.lua" --add-fennel-path "src/?.fnl;deps/?.fnl" test/init.fnl
    src/fennel-ls/docs.fnl:42:10: Compile error: unknown identifier: lua-versions.lua53.math.fields
    (set (. lua-versions.lua53.math.fields f) (. lua-versions.lua52.math.fields f)))
The branch is on an old upstream; parse-no-load is based on 1.5.0, whereas the (set (. a.b c)) syntax was fixed in one of the later 1.5.x patches. If you want I can try to rebase it onto a newer version!
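
An added example, not code from this ticket or from Fennel: one way a parser can decode string escapes as plain data, so that load is never called on source text. It assumes the escape set of the Lua 5.3 reference manual; the names unescape and utf8_encode are hypothetical.

```lua
-- Added example (not Fennel's code): decode string escapes without load().
-- Assumption: escape set of the Lua 5.3 manual; \u is capped at U+10FFFF.
local simple = {a="\a", b="\b", f="\f", n="\n", r="\r", t="\t", v="\v",
                ["\\"]="\\", ['"']='"', ["'"]="'", ["\n"]="\n"}

local function utf8_encode(cp)
  local floor, char = math.floor, string.char
  if cp < 0x80 then return char(cp) end
  if cp < 0x800 then return char(0xC0 + floor(cp / 0x40), 0x80 + cp % 0x40) end
  if cp < 0x10000 then
    return char(0xE0 + floor(cp / 0x1000), 0x80 + floor(cp / 0x40) % 0x40, 0x80 + cp % 0x40)
  end
  return char(0xF0 + floor(cp / 0x40000), 0x80 + floor(cp / 0x1000) % 0x40,
              0x80 + floor(cp / 0x40) % 0x40, 0x80 + cp % 0x40)
end

-- body is the text between the quotes; returns the decoded string, or nil and a message.
local function unescape(body)
  local out, i, n = {}, 1, #body
  while i <= n do
    local bs = body:find("\\", i, true)            -- next backslash, plain search
    if not bs then out[#out + 1] = body:sub(i); break end
    out[#out + 1] = body:sub(i, bs - 1)            -- literal run before the escape
    local c = body:sub(bs + 1, bs + 1)
    if simple[c] then
      out[#out + 1] = simple[c]; i = bs + 2
    elseif c == "x" then                           -- \xXX, exactly two hex digits
      local hex = body:match("^%x%x", bs + 2)
      if not hex then return nil, "bad \\x escape at " .. bs end
      out[#out + 1] = string.char(tonumber(hex, 16)); i = bs + 4
    elseif c == "z" then                           -- \z skips following whitespace
      i = body:match("^%s*()", bs + 2)
    elseif c == "u" then                           -- \u{XXX}, emitted as UTF-8
      local hex, stop = body:match("^{(%x+)}()", bs + 2)
      local cp = hex and #hex <= 8 and tonumber(hex, 16)
      if not cp or cp > 0x10FFFF then return nil, "bad \\u escape at " .. bs end
      out[#out + 1] = utf8_encode(cp); i = stop
    elseif c:match("%d") then                      -- \ddd, one to three decimal digits
      local dec = body:match("^%d%d?%d?", bs + 1)
      if tonumber(dec) > 255 then return nil, "decimal escape too large at " .. bs end
      out[#out + 1] = string.char(tonumber(dec)); i = bs + 1 + #dec
    else
      return nil, "invalid escape at " .. bs       -- reject instead of guessing
    end
  end
  return table.concat(out)
end

assert(unescape([[a\tb\x41\65\u{e9}]]) == "a\tbAA\195\169") -- constructed input
assert(unescape([[\q]]) == nil)                             -- constructed input
```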