How is that better than purely HTML/CSS attack (or even telling a person to use `curl blahblah | sh` command)?
This particular attack doesn't work when not using keyboard to copy (think select to copy (traditional X behavior) or using a context menu), it causes text to unselect after busy loop ends, causes fans in my laptop to start working (because of busy new Date loop), causes cursor to cease changing for a certain period of time, requires me to enable JavaScript, requires support for "copy" command (which isn't universal), and requires the user to press CTRL+C either way (otherwise the webpage won't be able to copy into a clipboard).
I guess you could paste an output after a certain time, but because of hijacking on Ctrl key, nothing can be copied before busy loop ends, and as a result, it doesn't prevent "pasting the command into Notepad" just to ensure it's safe - as either what previously was in pastebin or malicious command will be pasted.
https://xfix.github.io/mystery-zone/command.html (disclaimer: I made this page) doesn't have any of those problems (other than requiring the user to copy text in any way (CTRL+C, text selection, context menu, whatever odd interface do you have)), and it still can break vim (and for that matter, bash, zsh (including zsh with paste protection), fish, and emacs).
This particular attack doesn't work when not using keyboard to copy (think select to copy (traditional X behavior) or using a context menu), it causes text to unselect after busy loop ends, causes fans in my laptop to start working (because of busy new Date loop), causes cursor to cease changing for a certain period of time, requires me to enable JavaScript, requires support for "copy" command (which isn't universal), and requires the user to press CTRL+C either way (otherwise the webpage won't be able to copy into a clipboard).
I guess you could paste an output after a certain time, but because of hijacking on Ctrl key, nothing can be copied before busy loop ends, and as a result, it doesn't prevent "pasting the command into Notepad" just to ensure it's safe - as either what previously was in pastebin or malicious command will be pasted.
https://xfix.github.io/mystery-zone/command.html (disclaimer: I made this page) doesn't have any of those problems (other than requiring the user to copy text in any way (CTRL+C, text selection, context menu, whatever odd interface do you have)), and it still can break vim (and for that matter, bash, zsh (including zsh with paste protection), fish, and emacs).