serialize-javascript
Use Function Objects for deserialization, instead of eval
I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.
As noted in the description, deserialization is not a use case for this module. https://github.com/yahoo/serialize-javascript#deserializing
At least it would be nice to have the provided example using eval changed to Function objects. BUT . . . Yes, noted, but not backed with arguments, and we humbly disagree. Why is this the case? We are loading users with the task of implementing deserialization, which should not be the case, because it shifts their attention and energy from whatever they are doing to a task that could have been provided by this module. This is very uncomfortable from a lot of viewpoints.
If you have a better way to do deserialization, please update the example and suggest it instead of changing the code.
If you agree that deserialization with Function objects is better, then I will commit the readme :|
It depends on what perspective is better. My understanding is that neither eval() nor new Function() is necessarily safe. There are security risks in both. If you use them, it is a prerequisite that you know what data is passed to them.
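The point made in the last comment, shown as an added example that is not part of the serialize-javascript project or this pull request: a string in the shape serialize-javascript produces (object literal with a regex) is fed to eval(), to new Function() and to JSON.parse(). The string and the `effects` log are constructed here; the expression with a side effect stands in for whatever an attacker-controlled string might contain. Both code-evaluating deserializers run it, which is why the origin of the data, not the choice between the two, decides whether the approach is acceptable; JSON.parse() runs nothing but also cannot represent the regex, which is the trade-off the module's README describes.

```javascript
// Added example (not project code): compares eval(), new Function() and
// JSON.parse() as deserializers for a serialize-javascript-style literal.

const effects = []; // constructed: records side effects a deserializer triggers

// Constructed input: a valid literal that also carries an expression with a
// side effect. Anything that evaluates the string as code will run it.
const untrustedLiteral =
  '(effects.push("code ran"), {"name": "alice", "re": /^a/i})';

// eval(): evaluates the whole string as code in the caller's scope.
function deserializeWithEval(str) {
  return eval(str);
}

// new Function(): also evaluates the string as code. The only difference from
// eval() is that it runs in global scope and cannot see the caller's locals,
// so `effects` is handed in explicitly here; that is scoping, not a safety gain.
function deserializeWithFunction(str) {
  return new Function('effects', 'return ' + str)(effects);
}

// JSON.parse(): never executes code. Input that is not strict JSON (a regex
// literal, a comma expression) is rejected with a SyntaxError.
function deserializeWithJson(str) {
  try {
    return { ok: true, value: JSON.parse(str) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Runs all three deserializers over the same input and reports, for each,
// whether the embedded expression was executed.
function runComparison() {
  effects.length = 0;

  const viaEval = deserializeWithEval(untrustedLiteral);
  const evalRanCode = effects.length === 1;

  const viaFunction = deserializeWithFunction(untrustedLiteral);
  const functionRanCode = effects.length === 2;

  const beforeJson = effects.length;
  const viaJson = deserializeWithJson(untrustedLiteral);
  const jsonRanCode = effects.length !== beforeJson;

  return {
    evalRanCode,
    functionRanCode,
    jsonRanCode,
    evalResultName: viaEval.name,
    functionResultIsRegExp: viaFunction.re instanceof RegExp,
    jsonRejected: !viaJson.ok,
    jsonError: viaJson.error,
  };
}

console.log(runComparison());
```

Run stand-alone, the report shows `evalRanCode` and `functionRanCode` both true and `jsonRanCode` false, with JSON.parse rejecting the input as a SyntaxError. The practical consequence for a caller is the one the comment states: a string reaching either code-evaluating deserializer must come from a source the application already trusts (its own server-side render, for instance), because neither function checks the content for you.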