Don’t Copy-Paste Directly from Website to Terminal

Good reminder and discussion on Hacker News about the danger of copy-paste from a website into terminal.

When copying from a website it is easy for hidden text to be included in the clipboard. If you paste that into terminal it can be executed before you see the code. Including new line commands in the copied text will automatically execute the commands (in most terminal applications).

The best solution is to paste the clipboard content into something to view the text before pasting into clipboard. The best way is probably to recopy it. I use this double copy method to get rid of formatting I don’t want (when the clipboard includes things like font styling info you don’t want – not relavent when pasting into terminal but the pasting [into say vim, which won’t include the extra formatting details] and recopying part is similar). It may be possible to have text hidden (write it in a way where it won’t show up on the screen but is in the clipboard – using some tricky unicode characters or something).

Some people put # before pasting into clipboard but that only protects the first “line.” Any new lines could still be run without you seeing them.

The discussion warns against a malicious website intentionally creating a problem but if you paste in multiple lines there is also just the danger from the lines executing immediately when you wanted to edit the line before it was executed.

Related: Customizing the Command Prompt for TerminalBash Profile Adjustments, Scrolling HistoryAdding a Key to Your Server for SSH Login