Dynamically constructing code with inputs from exported functions may inadvertently change the meaning of the code. Clients using the functions may pass characters that have special meaning, such as quotes and spaces. This can cause the resulting code to misbehave or, in the worst case, allow an attacker to execute arbitrary code on the system.

Avoid dynamically constructing code where possible.

The following example shows two methods implemented using `eval`: a simple deserialization routine and a getter method.

If untrusted inputs are used with these methods, then an attacker might be able to execute arbitrary code on the system.

To avoid this problem, use an alternative solution such as `JSON.parse` or another library that does not allow arbitrary code to be executed.
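The pattern described above, as an added example that is not the code from the original page: a getter and a deserialization routine built with `eval`, next to hardened versions that treat caller-supplied text as data. The class name `Settings`, its attribute names and all inputs are constructed for this illustration; `JSON.parse` and `instance_variable_get` are the standard Ruby APIs.

```ruby
require 'json'

# Constructed sample inputs for the demonstration (not from the original page).
SAFE_JSON       = '{"name":"alice","admin":false}'
QUOTED_JSON     = '{"name":"o\'neil\\" ; x"}'   # value contains a quote and a semicolon
NOT_JSON        = '1 + 1'                       # valid Ruby source, not valid JSON
SAFE_NAME       = 'colour'
EXPRESSION_NAME = 'colour; 1 + 1'               # a "name" that is really an expression

class Settings
  # Attributes that the hardened getter is allowed to expose.
  READABLE = %w[colour admin].freeze

  def initialize
    @colour = 'blue'
    @admin  = false
  end

  # Vulnerable getter: the attribute name is spliced into source text, so
  # any Ruby the caller puts into `name` is evaluated along with it.
  def get_with_eval(name)
    eval("@#{name}")
  end

  # Hardened getter: the name is matched against an allow-list and then used
  # purely as a lookup key; it is never parsed as code.
  def get_safe(name)
    raise ArgumentError, "unknown attribute: #{name.inspect}" unless READABLE.include?(name)
    instance_variable_get("@#{name}")
  end
end

# Vulnerable deserialization: whatever the client sends is executed as Ruby.
def deserialize_with_eval(text)
  eval(text)
end

# Hardened deserialization: JSON.parse only builds data structures. Quotes,
# braces and semicolons inside the input are handled as string content, and
# anything that is not JSON is rejected instead of being run.
def deserialize_safe(text)
  JSON.parse(text)
rescue JSON::ParserError
  nil
end

# Runs both variants over the constructed inputs and returns the observations.
def demo
  settings = Settings.new
  safe_lookup_rejected =
    begin
      settings.get_safe(EXPRESSION_NAME)
      false
    rescue ArgumentError
      true
    end

  {
    safe_getter:           settings.get_safe(SAFE_NAME),           # "blue"
    eval_getter_ran_expr:  settings.get_with_eval(EXPRESSION_NAME), # 2: the expression was executed
    safe_getter_rejected:  safe_lookup_rejected,                    # true
    json_parsed:           deserialize_safe(SAFE_JSON),             # {"name"=>"alice","admin"=>false}
    json_quoted_value:     deserialize_safe(QUOTED_JSON)['name'],   # "o'neil\" ; x" kept as data
    json_rejects_code:     deserialize_safe(NOT_JSON),              # nil
    eval_ran_code:         deserialize_with_eval(NOT_JSON)          # 2: the text was executed
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The two hardened routines differ from the `eval` versions in one respect that matters: the input never becomes part of a Ruby program. `JSON.parse` has no way to run `1 + 1`, and the allow-listed `instance_variable_get` cannot evaluate `colour; 1 + 1`, so the special characters a client sends can at most produce a parse error or an `ArgumentError`.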

  • OWASP: Code Injection.
  • Wikipedia: Code Injection.