Also, as to something like a javascript exploit in a URL itself, QRs can hold a surprising amount of data, enough to max out most URL browser limits around 2,048 bytes.
At least bitly lets you look before you keep. Add a + to the end of any bitly URL to see where it goes, when it was created, and how many peole clicked it.