micahflee/fixubuntu

Please don't instruct users to paste directly into terminal

wkrsz opened this issue · 6 comments

http://thejh.net/misc/website-terminal-copy-paste

To promote good security habits, perhaps suggest that visitors paste commands into a text editor first.

👍

Good idea. I want to avoid clutter and confusion on the website if at all possible. I'll try to think about how to word this, but patches are welcome too.

I didn't read all the discussions in detail about that -- does it make a difference if people are copying from a <textarea>?

@micahflee TL;DR:
if you paste from a website you may be pasting malicious commands that were hidden from your view in the browser.

Here is a nice example of this in action. It's from the H online.
http://www.h-online.com/security/services/Copy-Paste-Tricks-1842855.html

Would a link to a raw page work better, no markup, just text?

I believe that a help note side note somewhere that educates users is more than enough. There's no point in implementing a "safe" way of providing code for copying on a site that's, well, trustworthy. IMO it might even be just a button "(?) security" that opens a balloon with the below message:

As a matter you shouldn't paste anything copied from a website directly into a terminal. Websites can sneak something malicious into your clipboard – something that's executed automatically without you hitting Enter, and something completely different than what you selected and tried to copy. It's a good security habit to paste code into an editor to preview it before pasting into a terminal where it might be executed automatically. Read more about this: http://www.h-online.com/security/services/Copy-Paste-Tricks-1842855.html
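The "preview it before pasting" habit described above can also be done mechanically. The following is an added example, not part of this issue thread or of the fixubuntu project: a small Python check that shows what a piece of copied text really contains. The function names and the sample clipboard string are hypothetical and constructed for illustration.

```python
import re
import unicodedata

# Escape sequence that closes bracketed-paste mode in terminals that support it.
BRACKETED_PASTE_END = "\x1b[201~"

# Constructed sample: what a clipboard might hold after selecting only the first
# line on a page. The second line stands in for text hidden from view.
SAMPLE_CLIPBOARD = "echo visible-part\necho hidden-part-not-shown-on-page\n"


def visible(text):
    """Render text with newlines, escapes and non-ASCII shown as escape codes."""
    return text.encode("unicode_escape").decode("ascii")


def audit_paste(text):
    """Return {finding: detail} for text about to be pasted into a terminal."""
    findings = {}
    lines = re.split(r"\r\n|\r|\n", text)
    if text.endswith(("\n", "\r")):
        lines.pop()  # drop the empty piece after the final line ending
        # Applies when the shell is not using bracketed paste.
        findings["trailing-newline"] = "last line is submitted without pressing Enter"
    if len(lines) > 1:
        findings["multi-line"] = f"{len(lines)} lines, not one command"
    if BRACKETED_PASTE_END in text:
        findings["paste-end-sequence"] = "contains ESC[201~"
    # Control characters other than tab and line endings do not belong in a command.
    ctrl = sorted({c for c in text if unicodedata.category(c) == "Cc" and c not in "\t\r\n"})
    if ctrl:
        findings["control-chars"] = ", ".join(f"0x{ord(c):02x}" for c in ctrl)
    # Unicode format characters (zero-width space and similar) render as nothing.
    hidden = sorted({c for c in text if unicodedata.category(c) == "Cf"})
    if hidden:
        findings["invisible-chars"] = ", ".join(f"U+{ord(c):04X}" for c in hidden)
    return findings


if __name__ == "__main__":
    print(visible(SAMPLE_CLIPBOARD))
    for name, detail in audit_paste(SAMPLE_CLIPBOARD).items():
        print(f"{name}: {detail}")
```

An empty result only means none of these specific markers were found; reading the escaped output of `visible()` is still the actual review step.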

This issue no longer applies after #44.