Merge pull request RaspberryPiFoundation#43 from VitalBear/master

rik-cross · rik-cross · commit d1c0639c5afb · 2015-03-16T08:42:49.000Z
fixed potential security issue: eval is unsafe, use ast.literal_eval instead
diff --git a/en-GB/lessons/Pokedex/Project Resources/pokeapi.py b/en-GB/lessons/Pokedex/Project Resources/pokeapi.py
@@ -1,18 +1,19 @@
 import io
 import urllib.request
 from urllib.request import urlopen
+import ast
 from PIL import Image, ImageTk
 
 #function to get the data for a pokemon
 def getPokemonData(num):
     data = urllib.request.urlopen("http://pokeapi.co/api/v1/pokemon/"+str(num)).read()
-    pokemonDict = eval(data)
+    pokemonDict = ast.literal_eval(data.decode(encoding='UTF-8'))
     return pokemonDict
 
 #function to get the image for a pokemon
 def getPokemonImage(num):
     data = urllib.request.urlopen("http://pokeapi.co/api/v1/sprite/"+str(num)).read()
-    spriteDict = eval(data)
+    spriteDict = ast.literal_eval(data.decode(encoding='UTF-8'))
     imgURL = "http://pokeapi.co" + spriteDict["image"]
     image_bytes = urlopen(imgURL).read()
     data_stream = io.BytesIO(image_bytes)
