In the Form Builder when using the HTML field for custom scripts:
The custom code security validator has a bug in its regex pattern for detecting dynamic function creation. The regex /(?:^|\W)(?:new\s+)?Function\s*\(/gi uses the case-insensitive flag (i), which causes it to match the standard JavaScript function keyword (always lowercase) in addition to the actually dangerous Function constructor (always written with a capital F). These are fundamentally different: function() {} is a normal function expression, while new Function("...") is dynamic code creation equivalent to eval().

As a result, any custom code containing basic JavaScript patterns like setTimeout(function() { ... }), .forEach(function(item) { ... }), or var x = function() {} is incorrectly rejected with the error "Dynamic function creation (new Function) is not allowed for security reasons."

The fix is to remove the i flag from the regex, making it case-sensitive so it correctly targets only the capitalized Function constructor.

This is in the validation logic found in index.ff0b8ec0.js (around byte offset ~3,778,500, within the array processed by function Ly).
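The following is an added example, not code from the product's bundle: it runs the pattern quoted above, with and without the i flag, over constructed snippets and counts false positives and missed detections. The names flags, evaluate and SAMPLES are hypothetical; only the regex comes from the report.

```javascript
// Pattern as quoted in the report, and the same pattern with the i flag removed.
const BUGGY = /(?:^|\W)(?:new\s+)?Function\s*\(/gi;
const FIXED = /(?:^|\W)(?:new\s+)?Function\s*\(/g;

// Hypothetical helper: true when the pattern flags the submitted code.
// A regex with the g flag keeps state in lastIndex between test() calls,
// so it is reset here; otherwise results depend on the previous input.
function flags(pattern, code) {
  pattern.lastIndex = 0;
  return pattern.test(code);
}

// Constructed sample inputs. dynamic=true marks real Function-constructor use.
const SAMPLES = [
  { code: 'setTimeout(function() { init(); }, 100);', dynamic: false },
  { code: 'items.forEach(function(item) { render(item); });', dynamic: false },
  { code: 'var x = function() {};', dynamic: false },
  { code: 'function (a, b) { return a + b; }', dynamic: false },
  { code: 'var f = new Function("a", "return a");', dynamic: true },
  { code: 'var g = Function ("return 1");', dynamic: true },
  { code: 'new  Function(body)', dynamic: true },
];

// Counts benign snippets that were rejected and dynamic ones that slipped by.
function evaluate(pattern) {
  let falsePositives = 0;
  let missed = 0;
  for (const s of SAMPLES) {
    const hit = flags(pattern, s.code);
    if (hit && !s.dynamic) falsePositives++;
    if (!hit && s.dynamic) missed++;
  }
  return { falsePositives, missed };
}

console.log('with i flag:   ', evaluate(BUGGY));
console.log('without i flag:', evaluate(FIXED));
```

Because this is a text match rather than a parse, the case-sensitive pattern still flags the literal text Function( when it appears inside a string or comment.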