In addition to being obtuse from a syntax perspective, function constructors are also dangerous: their execution evaluates the constructor's string arguments similar to the way ``++eval++`` works, which could expose your program to random, unintended code which can be both slow and a security risk.


In general it is better to avoid it altogether, particularly when used to parse JSON data. You should use ECMAScript 5's built-in JSON functions or a dedicated library.


== Noncompliant Code Example

[source,javascript]
----
var obj =  new Function("return " + data)();  // Noncompliant
----


== Compliant Solution

[source,javascript]
----
var obj = JSON.parse(data);
----


== Exceptions

Function calls where the argument is a string literal (e.g. ``++(Function('return this'))()++``) are ignored. 


== See

* OWASP Top 10 2017 Category A1 - Injection


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

include::highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]