JavaScript - Avoid use of Function Constructors - UI Policy script
Impact area
Security
Severity
High
Affected element
UI Policy
Rule number
SN-034
Impact
In addition to being hard to read, function constructors are dangerous: they evaluate their string arguments much the way eval does, which can expose your program to arbitrary, unintended code that is both slow to execute and a security risk.
Remediation
Avoid function constructors altogether.
Time to fix
30 min
References
This rule is linked to Common Weakness Enumeration CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection).
Code examples
Noncompliant code
var obj = new Function("return " + data)(); // Noncompliant
Compliant code
var obj = JSON.parse(data);
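The following is an added illustration, not code from the original rule page, showing why the Function constructor is flagged by SN-034: its string argument is compiled and executed like eval, so any JavaScript expression in the input runs, whereas JSON.parse treats the input strictly as data and rejects anything that is not JSON. The function names, the shape check in parseConfig, and all sample inputs are constructed for this example.

```javascript
// Added example (not part of the original rule page). Demonstrates that
// new Function(...) evaluates its string argument as code, while JSON.parse
// only accepts data. All inputs below are constructed for the demonstration.

// Noncompliant pattern from the rule: the string is compiled and executed.
// Anything that is a valid JavaScript expression runs, JSON or not.
function parseWithFunctionConstructor(data) {
  return new Function("return " + data)(); // Noncompliant (SN-034)
}

// Compliant pattern: JSON.parse never executes its input. A string that is
// not well-formed JSON raises a SyntaxError instead of being run. Malformed
// input is returned as null so the caller can reject it explicitly.
function parseUntrustedJson(data) {
  try {
    return JSON.parse(data);
  } catch (err) {
    if (err instanceof SyntaxError) {
      return null;
    }
    throw err;
  }
}

// Hypothetical follow-up check: after parsing, validate the shape you expect
// so a JSON document with unexpected keys or types is rejected as well.
function parseConfig(data) {
  const parsed = parseUntrustedJson(data);
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return null;
  }
  if (typeof parsed.name !== "string" || typeof parsed.retries !== "number") {
    return null;
  }
  return { name: parsed.name, retries: parsed.retries };
}

// Constructed inputs for the demonstration.
const JSON_INPUT = '{"name": "job-1", "retries": 3}';
const EXPRESSION_INPUT = "1 + 1"; // a JavaScript expression, not JSON

function demo() {
  return {
    // Both parsers accept well-formed JSON.
    viaFunction: parseWithFunctionConstructor(JSON_INPUT).retries,
    viaJson: parseUntrustedJson(JSON_INPUT).retries,
    // Only the Function constructor evaluates the expression (result 2);
    // JSON.parse rejects it as malformed data (null).
    expressionViaFunction: parseWithFunctionConstructor(EXPRESSION_INPUT),
    expressionViaJson: parseUntrustedJson(EXPRESSION_INPUT),
    // Shape validation on top of JSON.parse.
    validatedConfig: parseConfig(JSON_INPUT),
    rejectedConfig: parseConfig('{"name": 5}'),
  };
}

console.log(demo());
```

The contrast in demo() is the point of the rule: both parsers return the same object for genuine JSON, but for input that is not JSON the Function constructor executes it while JSON.parse refuses it, which is why the compliant code simply swaps in JSON.parse.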