Security considerations using “new Function(…)” (during rendertime, expression coming from my Javascript sources)

小蘑菇 2021-01-13 02:09

I'd like to use new Function(...) to generate a function from very reduced code. I'd like to do this to

  • avoid parsing the expression on my own
4 answers
  •  执笔经年
    2021-01-13 02:35

    As you have said that you will only be doing this on code you wrote yourself - I'd say that it's fine. new Function() is definitely better than using eval() in any case. You won't be messing with any local variables and you're enforcing your own context by using fn.call.

    It seems to me that the problem you are trying to solve would be fairly straightforward if you were using an MVC or MVVM framework that supports 2 way data binding. I.e. changing the UI updates a backing model and updating the model will automatically refresh the UI for you.

    For example, knockout.js. In this case the visible databinding would be appropriate.
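
Added example, not part of the original question or answer: it shows the two properties the answer relies on (a `new Function` body cannot see enclosing local variables, and `fn.call` sets its `this`) and keeps the "only code you wrote yourself" condition enforceable by compiling expressions from a source-defined registry only. The names `EXPRESSIONS`, `evaluate` and `demo`, and the sample expressions, are assumptions made for illustration.

```javascript
// Added example: names (EXPRESSIONS, evaluate, demo) are hypothetical.
// Expression strings live only in source code; callers pass a key, never code.
const EXPRESSIONS = new Map([
  ['showDetails', 'this.visible && this.count > 2'],
  // Constructed probes used by demo() to show what a compiled body can see.
  ['probeLocal', 'typeof localOnlyValue'],
  ['probeGlobal', 'typeof globalThis'],
]);

const compiled = new Map(); // key -> compiled function, built once

function evaluate(key, ctx) {
  const src = EXPRESSIONS.get(key);
  if (src === undefined) {
    // Anything not registered in source is refused, including raw expressions.
    throw new Error('unknown expression key: ' + key);
  }
  let fn = compiled.get(key);
  if (!fn) {
    // The body is compiled in global scope; strict mode keeps `this`
    // exactly as passed to call() instead of defaulting to the global object.
    fn = new Function('"use strict"; return (' + src + ');');
    compiled.set(key, fn);
  }
  return fn.call(ctx);
}

function demo() {
  const localOnlyValue = 'local'; // enclosing local variable
  const ctx = { visible: true, count: 3 };
  return {
    viaContext: evaluate('showDetails', ctx),
    localViaFunction: evaluate('probeLocal', ctx),  // no access to locals
    localViaEval: eval('typeof localOnlyValue'),    // direct eval sees them
    globalsReachable: evaluate('probeGlobal', ctx), // globals are still visible
  };
}

console.log(demo());
```

The compiled body still reaches every global, so the isolation covers local variables only; the registry is what keeps the expression source limited to code written in the application itself.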
