In association with heise online

Copy&Paste Tricks

Copy and paste can be a problem – especially when the text being copied is pasted directly into a command-line application. What the user thinks they are copying is not necessarily what they are actually copying. A small, completely harmless example:

ls /dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nGotcha!!!\nThis is the first line of your /etc/passwd: ';head -n1 /etc/passwd

If this command's text is selected with the mouse, copied and then pasted with the middle mouse button or Ctrl-Shift-V into a terminal window on a Unix-like system, the user will have the shock of their life. This will cause the commands we have hidden in the copied text to be executed immediately. In principle, this also works with Windows and Mac OS X but users on those systems are less likely to open terminal windows and past commands. The problem in question is not new and was documented years ago.

The trick being used is relatively simple. All of the commands are included in one line; but by using special HTML tags they are being displayed at a position off-screen (<span style="position: ...">).

The command sequence also includes line breaks which the command-line shell interprets as if the user had entered a confirming return key. Paste the text into this text field to see what is actually lurking in the system's clip board:

The result of pasting this snippet into a terminal looks something like this:


Never copy text from web sites that you do not trust – and especially never paste things into a context where commands can be directly executed without confirmation.


  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit