by labster 3582 days ago
Why not this?

    curl https://gist.githubusercontent.com/kaizensoze/ca96d039b295db220951d42ca7c83d89/raw/ | bash

Your line downloads and executes the latest version of the gist; it could have changed from a file check to a virus installer by the author (unlikely, but I have to point it out). To be a bit more safe (while trusting that GitHub is not compromised), pin a known, verified version:

    curl https://gist.githubusercontent.com/kaizensoze/ca96d039b295db220951d42ca7c83d89/raw/a26e5a025ea21d3a0af536eeca49619272d0068f/quick-osx-keydnap-check | bash
(sorry for the overlong line)
This pattern is just as dangerous (maybe less so for GitHub, if you trust them) because you can detect curl and deliver malicious code: https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...
> this pattern is just as dangerous

As a general pattern, please do not do this. In this specific case I think most people trust the service (GitHub) and their DNS recursor + SSL library. Attacking these is not on the level of "random drive-by phishing", more like "targeted high value state sponsored".

To avoid this discussion I did not include the curl version in my original posting.

Yeah, let's download and blindly run stuff directly from the internet (that may have changed since we last saw it) without saving and trying to read what it does first.

If you can copy/paste the curl | bash, is it really more difficult to copy/paste the original snippet into a text editor[0], and from there, into bash?

[0] https://thejh.net/misc/website-terminal-copy-paste

So you would run code by pasting it from the internet just fine, but doing so via a pastebin is a security risk?
If you C&P it, at least you see what's being C&P'd (although it's up to you to take the trouble to understand it). `| bash`ing it runs it automatically, without even giving you a chance to see it.

EDIT: This comment was based on the assumption that my parent hadn't read carefully. My facile point ignores both the specific vulnerability pointed out by [czinck](https://news.ycombinator.com/item?id=12406080) below, and the general vulnerability that you just can't trust anything pulled in from an external source. I think that redirecting to a file, and viewing the file with something like `:set list` set in `vim`, will work, at least in the sense of showing you the code that will actually be executed (although nothing can save you from not understanding the code), as long as you can trust your own stack. However, it is a near-certainty that this edit will prompt someone to explain how to exploit that. (That may sound like whingeing, but it's just a (happy) acknowledgement of the hacker mentality; unexpected exploitations, as PoCs rather than attacks, are pretty neat, too!)
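Putting the two defensive suggestions from this thread together (pin a known digest, then redirect to a file and look at it with non-printing characters made visible before anything executes), here is an added example script that is not from the thread or the gist author. It assumes `sha256sum` or `shasum` and `curl` are available; the `EXPECTED_SHA256` value is a placeholder you must replace with a digest you verified yourself.

```shell
#!/bin/sh
# Added example (not code from the thread): download a script to a file,
# check it against a pinned SHA-256, and show it with control characters
# visible (like `:set list` in vim) instead of piping it straight into bash.
set -eu

# The pinned gist revision quoted in the thread; the digest is a PLACEHOLDER.
SCRIPT_URL="https://gist.githubusercontent.com/kaizensoze/ca96d039b295db220951d42ca7c83d89/raw/a26e5a025ea21d3a0af536eeca49619272d0068f/quick-osx-keydnap-check"
EXPECTED_SHA256="REPLACE_WITH_VERIFIED_SHA256"   # placeholder, not a real digest

# sha256_of FILE -> prints the hex digest (sha256sum on Linux, shasum on macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE EXPECTED -> succeeds only if the file's digest matches
verify_pinned() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# has_hidden_chars FILE -> succeeds if any byte is neither printable ASCII nor
# a blank; this catches escape sequences, carriage returns and the bracketed-
# paste end marker that can hide text from a terminal.
has_hidden_chars() {
    LC_ALL=C grep -q '[^[:print:][:blank:]]' "$1"
}

# fetch_and_review URL EXPECTED -> download, check the pin, then display the
# file with control characters shown as ^X / M-x; never executes it itself.
fetch_and_review() {
    tmp=$(mktemp)
    curl -fsSL "$1" -o "$tmp"
    if ! verify_pinned "$tmp" "$2"; then
        echo "digest mismatch for $tmp: refusing to proceed" >&2
        return 1
    fi
    if has_hidden_chars "$tmp"; then
        echo "warning: non-printable characters present, inspect carefully" >&2
    fi
    cat -v "$tmp"
    echo "reviewed copy saved at $tmp; run it yourself once you understand it"
}

# Usage (network required, so not run here):
#   fetch_and_review "$SCRIPT_URL" "$EXPECTED_SHA256"
```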

C&P is not really more secure than curl, as with some JavaScript you can easily mislead users as to what they're copying. Check https://thejh.net/misc/website-terminal-copy-paste and similar PoCs.
Yeah, I keep stuff like that disabled for this reason, and because random sites like to add URLs when you copy text.

Just set dom.event.clipboardevents.enabled = false.

Some shells also handle the paste and try to detect anything funny going on or at least let you review before you execute.

> Just set dom.event.clipboardevents.enabled = false.

Your parent's link's trickery has nothing to do with JavaScript (it just uses raw HTML), so this would not mitigate that attack:

    <p class="codeblock">
      <!-- Oh noes, you found it! -->
      git clone
      <span style="position: absolute; left: -100px; top: -100px">/dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!<br>Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd<br>git clone </span>
      git://git.kernel.org/pub/scm/utils/kup/kup.git
    </p>
> Some shells also handle the paste and try to detect anything funny going on or at least let you review before you execute.

The link also mentions that bracketed paste mode does not prevent this attack:

> Please note that _Bracketed Paste Mode DOES NOT always fix this_ because the end sequence can be inside the text you paste unless your terminal emulator filters out the bracketed paste characters when pasting!

It would be kind of ironic to do this.
Let us execute random things from the internet directly on our machines without first checking their sanity.