Capabilities for Lua: what experience is there?

I can’t speak to Lua, but for JavaScript, Caja has tooling to create a proper sandbox, limiting access to only certain functions. It was originally created to build a sandbox for HTML/JS widgets (like those used on iGoogle).

http://code.google.com/p/google-caja/

Here’s a description of the project from their homepage:

Caja (pronounced “KA-ha”), is a Spanish word that means box, bank, cash register, vault; a container for valuables. A web developer uses traditional tools like HTML, JavaScript, and CSS; and Caja provides a compiler (a “cajoler”) that takes the web application and produces a “cajoled” HTML web application. The cajoler tries to verify security properties by doing static analysis, and where it cannot it rewrites the input to add runtime checks.

Since web applications make common use of browser APIs, e.g. the DOM APIs, that give a huge amount of control over the web page, Caja provides tamed APIs that virtualize portions of the DOM. A containing page can set up the embedding application’s environment so that the embedded application thinks it is interacting with the DOM of a full page, but is in fact only manipulating a bounded portion of the containing page via a mechanism called virtual iframes.

The JavaScript that a Caja application uses is written in a fail stop subset of JavaScript (actually EcmaScript5). This subset, called “Valija”, includes almost the entire JavaScript language, but removes a few error-prone constructs such as with and restricts how eval may be used.
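
The "tamed API" idea from the quoted description, as an added example that is not part of the original answer and is not Caja's code or API: the host hands guest code a frozen facade over one subtree, so the guest's authority is bounded by the references it holds. The names `makeNode`, `tame` and `demo` are hypothetical, and the "page" is a constructed plain-object tree standing in for a real DOM.

```javascript
// Constructed stand-in for a host page: a plain object tree, not a real DOM.
function makeNode(id, parent) {
  const node = { id, parent, children: [], text: '' };
  if (parent) parent.children.push(node);
  return node;
}

// Hypothetical taming function: returns a frozen facade over `root` only.
// The guest never receives the real node, its parent, or its siblings.
function tame(root) {
  const facades = new WeakMap(); // real node -> facade, so identity is stable
  function wrap(node) {
    if (facades.has(node)) return facades.get(node);
    const facade = Object.freeze({
      getId: () => node.id,
      getText: () => node.text,
      setText: (s) => { node.text = String(s); },
      // Upward traversal stops at the granted root.
      getParent: () => (node === root ? null : wrap(node.parent)),
      getChildren: () => Object.freeze(node.children.map(wrap)),
      appendChild: (id) => wrap(makeNode(String(id), node)),
    });
    facades.set(node, facade);
    return facade;
  }
  return wrap(root);
}

function demo() {
  // Host side: a page with a sensitive node and a box granted to the widget.
  const page = makeNode('page', null);
  const secret = makeNode('host-secret', page);
  secret.text = 'session data';
  const guestDoc = tame(makeNode('widget', page));

  // Guest side: works only through the facade it was handed.
  const item = guestDoc.appendChild('item');
  item.setText('hello');
  // Replacing a facade method fails: the facade is frozen
  // (TypeError in strict mode, silently ignored otherwise).
  try { guestDoc.getParent = () => page; } catch (e) { /* frozen */ }

  return {
    escapedUpward: guestDoc.getParent() !== null,
    backToRoot: item.getParent() === guestDoc,
    hostSees: page.children[1].children[0].text,
    secretUntouched: secret.text === 'session data',
    frozen: Object.isFrozen(guestDoc),
  };
}
```

The facade only bounds what is reachable through it; guest code that can still name ambient globals is not confined by this alone, which is the gap the static checks and rewriting in the description address.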
