From 27d388d9469128c5ed44164a100d92fd25aa5c98 Mon Sep 17 00:00:00 2001 From: Ryan McBride Date: Sat, 4 Jul 2015 10:19:14 -0700 Subject: [PATCH 1/3] Update to warn against Function constructor Added section 7.9 to warn against using the Function creator, as it opens similar vulnerabilities as eval. Originally suggested in pull request #395. No other lines were edited or removed. --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 38aefa55..f75a3020 100644 --- a/README.md +++ b/README.md @@ -567,6 +567,14 @@ count(); // 3 ``` +- [7.9](#7.9) Never use the Function constructor to create a new function. + + > Why? Creating a function in this way evaluates a string similarly to eval(), which opens vulnerabilities. + + ```javascript + // bad + var add = new Function("a", "b", "return a + b"); + ``` **[⬆ back to top](#table-of-contents)** From f1d524369113e40e9f023c5e17a6f6f8baf7861d Mon Sep 17 00:00:00 2001 From: Ryan McBride Date: Tue, 14 Jul 2015 15:26:17 -0700 Subject: [PATCH 2/3] changed to single quotes to match style --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f75a3020..f014e192 100644 --- a/README.md +++ b/README.md @@ -573,7 +573,7 @@ ```javascript // bad - var add = new Function("a", "b", "return a + b"); + var add = new Function('a', 'b', 'return a + b'); ``` **[⬆ back to top](#table-of-contents)** From a048ebf22ec02415d2ce3dc6baf761afc3dc093d Mon Sep 17 00:00:00 2001 From: Ryan McBride Date: Tue, 14 Jul 2015 20:17:00 -0700 Subject: [PATCH 3/3] Added info on other implementation of Function constructor Added per comment in PR #396 --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index f014e192..9d9dccdc 100644 --- a/README.md +++ b/README.md 
@@ -574,6 +574,9 @@ ```javascript // bad var add = new Function('a', 'b', 'return a + b'); + + // still bad + var subtract = Function('a', 'b', 'return a - b'); ``` **[⬆ back to top](#table-of-contents)**
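Review bot: the "Why?" added in the 7.9 hunk of patch 1/3 says only that the constructor "opens vulnerabilities"; say what the hazard is, namely that the string arguments are parsed and compiled as code at runtime, so any argument assembled from untrusted data is arbitrary code execution exactly as with eval(). The hunk also shows only a `// bad` case; add a `// good` counterpart such as `var add = function (a, b) { return a + b; };` so the reader sees the replacement, not just the prohibition.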
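Review bot: the quote change in patch 2/3 only corrects the double-quoted example that patch 1/3 introduced in the same line; squash it into 1/3 so the series does not carry a commit whose sole purpose is to fix the previous one.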
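Review bot: the `// still bad` comment in patch 3/3 gives no reason the `Function('a', 'b', 'return a - b')` form is covered by the rule; state that calling Function without `new` builds the same kind of function from the same string arguments, so the eval-like behaviour is identical and dropping `new` is not a workaround. A one-line comment to that effect keeps the second example from reading as an arbitrary restatement of the first.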