safe-paste plugin

[ConradIrwin]

Pasting into a terminal can be dangerous (see http://thejh.net/misc/website-terminal-copy-paste). I certainly do it accidentally all the time.

Luckily many terminal emulators can indicate to their containing programs when pasting is happening. This plugin (shamelessly copied from http://www.zsh.org/mla/users/2011/msg00367.html) allows you to paste into zsh runnings inside xterm/urxvt/iTerm2 safely.

It does this by preventing any code from actually running while pasting, so you have a chance to review what was actually pasted before running it.

[schneckenschnabel]

somehow I can't get this to work at all, pasting is still the same as before

[thejh]

Actually, I just remembered that someone wrote on reddit (I think) that you can embed escape sequences in HTML... and bracketed paste uses escape sequences... so this is actually not a solution. See http://thejh.net/misc/website-terminal-copy-paste (now updated) for a variant that also works on people who have safe-paste activated.

[thejh]

Well, I guess this is still useful against accidential multiline pastes.

[ConradIrwin]

@Agony, which terminal are you using? echo $TERM.

@theTJ, nice!. I mainly use this because I've pasted totally random stuff into my terminal a bucket-load of times. BTW, you should try and make double-click to copy work.

[thejh]

@ConradIrwin You mean triple-click? Hmm... I could just add a JS script to make it work for people who have JS enabled, but I don't know any way to make it work for people with JS disabled.

[ConradIrwin]

@thejh Yes. At least I'm safe for now then :).

[thejh]

@ConradIrwin Hmm, actually... triple-clicking selects the newline in the end, so if there's a one-liner with some hidden evil stuff like this, you'd probably be affected:

git clone git://git.kernel.org/pub/scm/utils/kup/kup.git a b; evil_command

However, those who just drag the mouse to select the command would then probably often not copy the newline at the end.

[schneckenschnabel]

@ConradIrwin currently rxvt-unicode, but I also tried xterm, nothing. shift+insert just pastes as it always had

[ConradIrwin]

@Agony interesting, it works for me under rxvt-unicode. Do you have the latest oh-my-zsh code? (You can get it by running upgrade_oh_my_zsh)

[schneckenschnabel]

yeah, just updated today

[talex5]

For me, only the first paste worked. Adding this to the end of _end_paste() fixed it for me:

bindkey '^[[200~' _start_paste

Edit: Sorry, my fault. My default keymap was (implicitly) set to viins, not emacs, because my $EDITOR included the substring "vi".

[stephane-chazelas]

Note that this plugin is safe (at least with regards to \e[201~ in the copied text) in the default configuration of recent versions of xterm, that don't allow pasting control characters other than newline (transformed to carriage-return), backspace, carriage-return, del and tab.

There's a problem only on terminals that don't do that like gnome-terminal or older versions of xterm, or xterm configured with allowPasteControls enabled.

See http://security.stackexchange.com/a/52655 for details.

[Smasherr]

Doesn't seem to work out of the box on WSL. Has anybody got it running..?

[mcornella]

Can you test #7887?

[Smasherr]

@mcornella The behavior is the same, the lines get executed right after they are pasted