Well, as far as I can see this is a security risk no matter how you do it, unless you restrict the feature to dev environments.
If it's for dev only, then you should probably be fine using eval etc.
What I would do is use the Python qrcode module, and pass it the object (in JSON format) as a string. On the other end, get that string output from the QR decoder and run json.load to get your object.
Is that so? Why is it a security risk?
It could potentially be used for arbitrary code execution.
stackoverflow.com/questions/643439...
I suppose if you very strictly check your JSON first you might be fine, so maybe I should revise "no matter how you do it" to "unless you're very careful."
Ahh. Gotcha. So I'll need to strictly check the JSON if I'm going to implement QR code with JSON.
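
What "strictly check the JSON" from this thread can look like, as an added example that is not part of the original comments: the text returned by the QR decoder is parsed with `json.loads` (never `eval`) and checked against a fixed schema. The `SCHEMA` fields, the size cap and the `load_qr_payload` / `PayloadError` names are assumptions made for illustration.

```python
import json

MAX_QR_BYTES = 2953  # largest byte-mode QR payload (version 40, level L)

# Hypothetical schema for this example: field name -> required type.
SCHEMA = {"id": int, "name": str, "tags": list}


class PayloadError(ValueError):
    """Raised when scanned text is not an acceptable payload."""


def _no_duplicate_keys(pairs):
    # json.loads silently keeps the last duplicate key; refuse instead.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise PayloadError(f"duplicate key: {key!r}")
        obj[key] = value
    return obj


def _reject_constant(name):
    # NaN / Infinity are accepted by Python's json but are not valid JSON.
    raise PayloadError(f"non-standard constant: {name}")


def load_qr_payload(text):
    """Parse and validate text returned by a QR decoder. Never uses eval."""
    if not isinstance(text, str) or len(text.encode("utf-8")) > MAX_QR_BYTES:
        raise PayloadError("payload missing or too large")
    try:
        obj = json.loads(text, object_pairs_hook=_no_duplicate_keys,
                         parse_constant=_reject_constant)
    except json.JSONDecodeError as exc:
        raise PayloadError(f"not JSON: {exc.msg}") from None
    except RecursionError:
        raise PayloadError("nesting too deep") from None
    if not isinstance(obj, dict) or set(obj) != set(SCHEMA):
        raise PayloadError("unexpected or missing fields")
    for field, expected in SCHEMA.items():
        # bool is a subclass of int, so compare exact types.
        if type(obj[field]) is not expected:
            raise PayloadError(f"wrong type for {field!r}")
    if not all(type(t) is str for t in obj["tags"]):
        raise PayloadError("tags must be strings")
    return obj
```

Anything scanned from a QR code is untrusted input, so the caller should treat `PayloadError` as a normal outcome and discard the scan.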