Well theoretically any Turing complete language is going to be a problem, as it cannot be proved to be secure.
There's a really interesting presentation about these issues here http://boingboing.net/2011/12/28/linguistics-turing-completene.html It's a keynote speech at the 28th Chaos Computer Congress (28C3) by Meredith Patterson on "The Science of Insecurity". I highly recommend it, it's definitely worth watching.
So I think you have to write your own language, and only including the functionally that is needed, and keeping it as simple as possible. Parse::RecDescent is a good place to start, it makes working with grammars quite easy :)
The key issue is the complexity of the allowed expressions, if you can keep to a context-free grammar the you might get away with it. But my guess is that you will need to have a human in the loop to check and approve each submission before they go live.