Update to warn against Function constructor

Added section 7.9 to warn against using the Function creator, as it opens similar vulnerabilities as eval. Originally suggested in pull request #395. No other lines were edited or removed.
2026-01-14 08:38:08 -05:00 · 2015-07-04 10:19:14 -07:00
parent 8d2a833857
commit 27d388d946
1 changed files with 8 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -567,6 +567,14 @@
  count();  // 3
  ```

+- [7.9](#7.9) <a name='7.9'></a> Never use the Function constructor to create a new function.
+
+  > Why? Creating a function in this way evaluates a string similarly to eval(), which opens vulnerabilities.
+
+  ```javascript
+  // bad
+  var add = new Function("a", "b", "return a + b");
+  ```

 **[⬆ back to top](#table-of-contents)**