by JadeNB
3579 days ago
> Just set dom.event.clipboardevents.enabled = false.

Your parent's link's trickery is not to do with JavaScript (it just uses raw HTML), so this would not mitigate that attack:

<p class="codeblock">
<!-- Oh noes, you found it! -->
git clone
<span style="position: absolute; left: -100px; top: -100px">/dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!<br>Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd<br>git clone </span>
git://git.kernel.org/pub/scm/utils/kup/kup.git
</p>
> Some shells also handle the paste and try to detect anything funny going on or at least let you review before you execute.

The link also mentions that bracketed paste mode does not prevent this attack:

> Please note that _Bracketed Paste Mode DOES NOT always fix this_ because the end sequence can be inside the text you paste unless your terminal emulator filters out the bracketed paste characters when pasting!

> unless your terminal emulator filters out the bracketed paste characters when pasting!
Any sane terminal should already be doing that; if not, there's not really any point in offering bracketed paste in the first place, as any input could break out of it.
Of course, this should really be on the browser for not delivering the proper text that the user selected to the clipboard.
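
The filtering discussed in the comments above, sketched as an added example that is not part of the thread or of any terminal's actual code: the emulator strips bracketed-paste markers and other control characters from clipboard text before framing it. The function names and the sample clipboard string are constructed for illustration.

```python
import re

PASTE_START = "\x1b[200~"   # sent by the terminal before pasted text
PASTE_END = "\x1b[201~"     # sent by the terminal after pasted text

# C0 controls except tab/LF/CR, plus DEL and the C1 range (which includes 8-bit CSI, 0x9b).
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f]")

def sanitize_paste(text: str) -> str:
    """Remove anything in clipboard text that could act as a paste marker or control sequence."""
    prev = None
    while prev != text:
        # Repeat until stable so a marker split around another marker cannot reassemble.
        prev = text
        text = text.replace(PASTE_START, "").replace(PASTE_END, "")
    return _CONTROL.sub("", text)

def frame_paste(text: str) -> str:
    """What a filtering emulator sends to the shell for a paste."""
    return PASTE_START + sanitize_paste(text) + PASTE_END

def pasted_region(stream: str):
    """Model of the shell side: the paste ends at the FIRST end marker.

    Returns (text treated as pasted, text treated as if typed afterwards).
    """
    start = stream.index(PASTE_START) + len(PASTE_START)
    end = stream.index(PASTE_END, start)
    return stream[start:end], stream[end + len(PASTE_END):]

# Constructed clipboard content: visible text with an embedded end marker.
SAMPLE = "git clone " + PASTE_END + "echo injected\ngit://example.invalid/repo.git"

if __name__ == "__main__":
    # Emulator that frames the clipboard without filtering it.
    print(pasted_region(PASTE_START + SAMPLE + PASTE_END))
    # Emulator that filters first: everything stays inside the paste.
    print(pasted_region(frame_paste(SAMPLE)))
```
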