[JadeNB]

If you C&P it, at least you see what's being C&P'd (although it's up to you to take the trouble to understand it). `| bash`ing it runs it automatically, without even giving you a chance to see it.

EDIT: This comment was based on the assumption that my parent hadn't read carefully. My facile point ignores both the specific vulnerability pointed out by [czinck](https://news.ycombinator.com/item?id=12406080) below, and the general vulnerability that you just can't trust anything pulled in from an external source. I think that re-directing to a file, and viewing the file with something like `:set list` set in `vim`, will work, at least in the sense of showing you the code that will actually be executed (although nothing can save you from not understanding the code), as long as you can trust your own stack. However, it is a near-certainty that this edit will prompt someone to explain how to exploit that. (That may sound like whingeing, but it's just a (happy) acknowledgement of the hacker mentality; unexpected exploitations, as PsoC rather than attacks, are pretty neat, too!)

[czinck]

C&P is not really more secure than curl as with some javascript you can easily mislead users as to what they're copying. Check https://thejh.net/misc/website-terminal-copy-paste and similar PoCs.

[ultramancool]

Yeah, I keep stuff like that disabled for this reason, and because random sites like to add urls when you copy text.

Just set dom.event.clipboardevents.enabled = false.

Some shells also handle the paste and try to detect anything funny going on or at least let you review before you execute.

[JadeNB]

> Just set dom.event.clipboardevents.enabled = false.

Your parent's link's trickery is to do not with JavaScript (it just uses raw HTML), so this would not mitigate that attack:

    <p class="codeblock">
      <!-- Oh noes, you found it! -->
      git clone
      <span style="position: absolute; left: -100px; top: -100px">/dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!<br>Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd<br>git clone </span>
      git://git.kernel.org/pub/scm/utils/kup/kup.git
    </p>

> Some shells also handle the paste and try to detect anything funny going on or at least let you review before you execute.

The link also mentions that bracketed paste mode does not prevent this attack:

> Please note that _Bracketed Paste Mode DOES NOT always fix this_ because the end sequence can be inside the text you paste unless your terminal emulator filters out the bracketed paste characters when pasting!

[ultramancool]

You missed a key point:

> unless your terminal emulator filters out the bracketed paste characters when pasting!

Any sane terminal should already be doing that, if not there's not really any point in offering bracketed paste in the first place as any input could break out of it.

Of course, this should really be on the browser for not delivering the proper text that the user selected to the clipboard.

[JadeNB]

> Any sane terminal should already be doing that, if not there's not really any point in offering bracketed paste in the first place as any input could break out of it.

I wanted to test whether the Mac OS Terminal.app does that, but can't even figure out how to turn on bracketed paste mode in the first place. (All a Google search turns up is an SO result assuring me that Terminal.app supports BPM. I can't find it anywhere in the settings.)

> Of course, this should really be on the browser for not delivering the proper text that the user selected to the clipboard.

On the other hand, it's hard to give an argument for how the browser should know that the user didn't mean to select the extra portion of the text. I know that I am always resistant to solutions where my software insists that it knows better than I do. Maybe a prompt if the selection includes invisible text? (I guess the browser can tell whether some of the text being selected is out of the view window.)