In addition to being obtuse from a syntax perspective, function constructors are also dangerous: their execution evaluates the constructor’s string
arguments similar to the way
eval works, which could expose your program to random, unintended code which can be both slow and a security
In general it is better to avoid it altogether, particularly when used to parse JSON data. You should use ECMAScript 5’s built-in JSON functions or
a dedicated library.
Noncompliant Code Example
var obj = new Function("return " + data)(); // Noncompliant
var obj = JSON.parse(data);
Function calls where the argument is a string literal (e.g.
(Function('return this'))()) are ignored.
- OWASP Top 10 2017 Category A1 - Injection