Are Eval() and New Function() the Same Thing

Are eval() and new Function() the same thing?

No, they are not the same.

• eval() evaluates a string as a JavaScript expression within the current execution scope and can access local variables.
• new Function() parses the JavaScript code stored in a string into a function object, which can then be called. It cannot access local variables because the code runs in a separate scope.

Consider this code:

function test1() {
    var a = 11;
    eval('(a = 22)');
    alert(a);            // alerts 22
}

If new Function('return (a = 22);')() were used, the local variable a would retain its value. Nevertheless, some JavaScript programmers such as Douglas Crockford believe that neither should be used unless absolutely necessary, and evaling/using the Function constructor on untrusted data is insecure and unwise.

eval vs function constructor

From the MDN page:

However, unlike eval, the Function constructor creates functions which execute in the global scope only.

If you wrap all of your code in a closure, secret objects cannot be accessed from the evaluated function body.

(() => {  let secret = 42;  eval("console.log(secret)"); // 42  let fn = new Function("console.log(secret)");  fn(); // secret is not defined})();

Why new Function not work as eval?

I think it's impossible to use function call with template string for calculating, it works only with single quotes or double quotes

const result = new Function('return 2+2')();
console.log(result); // 4

Converting eval() to new Function()

No, this is indeed impossible with Function(). The eval function is the only JavaScript feature that takes statement results into account.

different between eval(string) and eval(function)

You sure can. It'll be like simulating dynamic scoping in JavaScript. A few things to be aware of:

1. You can't just directly eval a function. You need to convert it to a string. Use eval(String(f)).
2. Give the function f a name. You can't do var g = eval(String(f)). Use the function name.
3. Be careful. The function f will have access to all your local variables.

For example:

eval(String(getAdder()));

alert(add(2, 3));

function getAdder() {
    return function add(a, b) {
        return a + b;
    };
}

You can see the demo here: http://jsfiddle.net/5LXUf/

Just a thought - instead of evaluating the function object why not just call it? That'll give you your stack trace and it's much simpler and safer (the function won't have access to your local variables).

Why is using the JavaScript eval function a bad idea?

1. Improper use of eval opens up your
   code for injection attacks

2. Debugging can be more challenging
   (no line numbers, etc.)

3. eval'd code executes slower (no opportunity to compile/cache eval'd code)

Edit: As @Jeff Walden points out in comments, #3 is less true today than it was in 2008. However, while some caching of compiled scripts may happen this will only be limited to scripts that are eval'd repeated with no modification. A more likely scenario is that you are eval'ing scripts that have undergone slight modification each time and as such could not be cached. Let's just say that SOME eval'd code executes more slowly.

---

Related Topics