How can I convert a table-formatted string into a table without using load() or loadstring()?

StackOverflow https://stackoverflow.com/questions/23587478

  •  19-07-2023

Question

Another question (String to Table in Lua) has asked how to convert a string that is formatted as a table into a string, and the given answer was to use loadstring or load to convert the string into a chunk that is then executed.

I also have a program that downloads a file that is formatted like a Lua table using http.request, just like the other question:

yourTable = http.request("http://www.somesite.com/table.txt")
print(yourTable)

--yourTable is a string that is formatted like a lua table, but not a table:
a={
    b = {
      c = 1,
      d = {
        e = {
        },
      },
    },
}

functionThatExpectsATable(yourTable) --throws error because yourTable is a string

While I could use load or loadstring to get the table I want, that is a potential security vulnerability because my program, by design, allows the user to input any URL to load their table data from. If they pointed to Lua code instead of a Lua-formatted table, that code would be executed.

How can I convert the "table-formatted string" into a table without executing it?


Solution

Here is a sample implementation from the Penlight library:

https://github.com/stevedonovan/Penlight/blob/master/lua/pl/pretty.lua

See the pretty.read function
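
For comparison, a hand-written reader that treats the downloaded text purely as data, so it never calls load or loadstring. This is an added example, not code from the answer or from Penlight. The name parse_table_literal and the depth limit of 32 are choices made here, and it goes beyond the question's sample by also accepting quoted strings, numbers, booleans and [key] entries. It assumes a subset of Lua syntax: no string escapes, comments, nil, hex or exponent numbers.

```lua
-- Added example, not Penlight's code: reads a table literal as data, never runs it.
local function parse_table_literal(src)
  local pos, value = 1, nil
  local function fail(msg) error(("byte %d: %s"):format(pos, msg), 0) end
  local function take(pat)            -- skip whitespace, consume an anchored pattern
    pos = src:find("%S", pos) or #src + 1
    local s, e, cap = src:find("^" .. pat, pos)
    if s then pos = e + 1; return cap or src:sub(s, e) end
  end
  function value(depth)
    if depth > 32 then fail("nesting too deep") end
    local q = take("[\"']")
    if q then                         -- assumption: strings contain no escapes
      local close = src:find(q, pos, true) or fail("unterminated string")
      local s = src:sub(pos, close - 1)
      pos = close + 1
      return s
    end
    local num = take("%-?%d+%.?%d*"); if num then return tonumber(num) end
    if take("{") then
      local t, count = {}, 0
      while not take("}") do
        local key = take("([%a_][%w_]*)%s*=")      -- name = value
        if not key and take("%[") then             -- [key] = value
          key = value(depth + 1)
          if not (take("%]") and take("=")) then fail("expected ']='") end
        end
        local v = value(depth + 1)
        if key ~= nil then t[key] = v else count = count + 1; t[count] = v end
        if not take("[,;]") then
          if take("}") then break end
          fail("expected ',' or '}'")
        end
      end
      return t
    end
    local word = take("[%a_][%w_]*")
    if word == "true" then return true elseif word == "false" then return false end
    fail("unexpected token")          -- names, calls and operators are rejected
  end
  take("[%a_][%w_]*%s*=")             -- optional "a =" prefix, as in the question
  local result = value(1)
  if take(".") or type(result) ~= "table" then fail("expected one table literal") end
  return result
end
-- Constructed inputs: the question's data, then a file that carries code instead.
print(pcall(parse_table_literal, "a={ b = { c = 1, d = { e = { }, }, }, }"))
print(pcall(parse_table_literal, 'a={ x = os.getenv("HOME") }'))
```

Anything outside the accepted subset raises an error instead of being evaluated, so wrap the call in pcall and treat a failure as a rejected download.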

Licensed under: CC-BY-SA with attribution