Comment by Blikkentrekker
6 days ago
It runs inside a web browser though. This is no different from visiting an arbitrary link and running whatever arbitrary code in the Javascript sandbox of that link and one already knows a q.r. code an take one to an arbitrary link.
That said, I wouldn't mind an upgrade to the standard of say say if the link be printed above the code in human readable form in some way, the reader would refuse to open it, or at least be configurable to refuse to open it if they not match.
This QR code does. But what about a QR using similar designed by someone less honorable? With QR codes, you have no idea what will happen until you scan it. At that point, it could be too late
As far as I know the only form of code execution they support is by the URL datatype which carries the same risks as wel already mentioned anyway.