As repeatedly said, it is considered bad practice to use the Function constructor (also see the ECMAScript Language Specification, 5th edition, § 15.3.2.1):
new Function ([arg1[, arg2[, … argN]],] functionBody)
(where all arguments are strings containing argument names and the last (or only) string contains the function body).
To recapitulate, it is said to be slow, as explained by the Opera team:
Each time […] the Function constructor is called on a string representing source code, the script engine must start the machinery that converts the source code to executable code. This is usually expensive for performance – easily a hundred times more expensive than a simple function call, for example. (Mark ‘Tarquin’ Wilton-Jones)
Though it's not that bad, according to this post on MDC (I didn't test this myself using the current version of Firefox, though).
Crockford adds that
[t]he quoting conventions of the language make it very difficult to correctly express a function body as a string. In the string form, early error checking cannot be done. […] And it is wasteful of memory because each function requires its own independent implementation.
Another difference is that
a function defined by a Function constructor does not inherit any scope other than the global scope (which all functions inherit). (MDC)
Apart from this, you have to be attentive to avoid injection of malicious code, when you create a new Function using dynamic contents.
That said, T.J. Crowder says in an answer that
[t]here's almost never any need for the similar […] new Function(...), either, again except for some advanced edge cases.
So, now I am wondering: what are these “advanced edge cases”? Are there legitimate uses of the Function constructor?
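Added example, not part of the original question: a short script that makes the two behaviours quoted above observable, namely the global-only scope of constructor-built functions and the injection risk when dynamic content is concatenated into the body. All function names, the `__ctorDemoRan` marker and the sample input are hypothetical and constructed for illustration.

```javascript
// 1. Scope: a function built with the Function constructor is created in the
//    global scope, so it cannot see the caller's local variables.
function scopeDemo() {
  const secret = 'local value';
  const viaCtor = new Function('return typeof secret;');
  const viaClosure = function () { return typeof secret; };
  return { ctor: viaCtor(), closure: viaClosure() };
}

// 2. Injection: dynamic content concatenated into the body becomes source code.
function makeGreeterUnsafe(name) {
  return new Function('return "Hello, ' + name + '";');
}

// Constant body; the dynamic value is passed as an argument and stays data.
function makeGreeterSafe(name) {
  const greet = new Function('n', 'return "Hello, " + n;');
  return () => greet(name);
}

function injectionDemo() {
  // Constructed sample input: closes the string literal and adds an expression
  // that sets a harmless marker property (hypothetical name).
  const input = '" + (globalThis.__ctorDemoRan = true) + "';

  delete globalThis.__ctorDemoRan;
  const unsafeOut = makeGreeterUnsafe(input)();
  const unsafeRan = globalThis.__ctorDemoRan === true;

  delete globalThis.__ctorDemoRan;
  const safeOut = makeGreeterSafe(input)();
  const safeRan = globalThis.__ctorDemoRan === true;

  delete globalThis.__ctorDemoRan;
  return { input, unsafeOut, unsafeRan, safeOut, safeRan };
}

console.log(scopeDemo());
console.log(injectionDemo());
```

Keeping the body a constant string and handing dynamic values in as arguments means the input is never parsed as code, which is why the marker is set only by the concatenating variant.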