Merge pull request #396 from Ryan-McBride/patch-2

Update to warn against Function constructor
2026-01-14 06:48:05 -05:00 · 2015-07-20 11:46:55 -07:00
parent d35c81cd7d a048ebf22e
commit 6317e6b3e2
1 changed files with 11 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -566,6 +566,17 @@
  count();  // 3
  ```

+- [7.9](#7.9) <a name='7.9'></a> Never use the Function constructor to create a new function.
+
+  > Why? Creating a function in this way evaluates a string similarly to eval(), which opens vulnerabilities.
+
+  ```javascript
+  // bad
+  var add = new Function('a', 'b', 'return a + b');
+  
+  // still bad
+  var subtract = Function('a', 'b', 'return a - b');
+  ```

 **[⬆ back to top](#table-of-contents)**