How to make copying a command from a website to the terminal secure?

Today I found an intriguing example of website-to-terminal copy-paste. For example, you may need to clone a git repository. On the webpage it looks like:

git clone git://git.kernel.org/pub/scm/utils/kup/kup.git 

but when you copy it to the terminal it becomes:

git clone /dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!
Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd
git clone git://git.kernel.org/pub/scm/utils/kup/kup.git

because the rest is hidden:

<p class="codeblock">
      <!-- Oh noes, you found it! -->
      git clone
      <span style="position: absolute; left: -100px; top: -100px">/dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!<br>Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd<br>git clone </span>
      git://git.kernel.org/pub/scm/utils/kup/kup.git
    </p>

Of course it can be any command. So my question is how to make sure we don't get malicious code.

Is copying from the website, pasting into a text editor (one that shows non-printing characters), checking the commands, and then copy-pasting to the terminal a secure way to avoid this kind of attack?

EDIT:

Probably the best way is to never paste anything from a website directly into the terminal. Check this case:

<h1>Welcome on my tutorial site</h1>

<h3>Below code learn you how to use echo command. Copy both commands and paste it to your terminal</h3>

<hr/>
<p class="codeblock" >
      <!-- Oh noes, you found it! -->
      echo Line1;
      <pre style="position: absolute; left: -100px; top: -100px">echo "Owned";</pre>
      echo Line2;
    </p>
<hr/>

LiveDemo

When you copy and paste it into the terminal, command 1 and the hidden command will be executed immediately. You won't get a chance to check it in the terminal.


Solution 1:

It depends on how paranoid you want to be. But to be safe you should first make sure you understand the command and then type it in yourself.

If you don't trust the source do not accept any input from it without sanitizing it.
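
One way to check a snippet's markup for the hidden-span trick shown in the question, as an added example that is not code from the original post or either poster. It only evaluates inline `style` attributes with a heuristic pattern list (an assumption of this example; stylesheet rules are not resolved), and `audit`, `CopyAudit` and `SAMPLE` are hypothetical names.

```python
import re
from html.parser import HTMLParser

# Heuristic (assumption of this example): inline styles that move text out of
# view but leave it selectable, such as the off-screen offsets shown above.
HIDING = re.compile(r"(?:left|top|text-indent)\s*:\s*-\d|font-size\s*:\s*0(?![.\d])"
                    r"|opacity\s*:\s*0(?:\.0+)?(?![.\d])", re.I)
VOID = {"br", "hr", "img", "input", "meta", "link", "wbr"}

class CopyAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []  # per open element: is it, or an ancestor, hidden?
        self.visible, self.copied, self.hidden = [], [], []
    def _emit(self, text):
        self.copied.append(text)
        concealed = bool(self.stack and self.stack[-1])
        (self.hidden if concealed else self.visible).append(text)
    def handle_starttag(self, tag, attrs):
        if tag == "br":
            self._emit("\n")  # <br> becomes a newline in the clipboard
        if tag in VOID:
            return  # void elements have no end tag, so keep them off the stack
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack and self.stack[-1])
        self.stack.append(inherited or bool(HIDING.search(style)))
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        self._emit(re.sub(r"\s+", " ", data))  # HTML collapses whitespace

def _norm(parts):
    lines = "".join(parts).split("\n")
    return "\n".join(" ".join(line.split()) for line in lines).strip()

def audit(html):
    """Compare what a reader sees with what select-and-copy picks up."""
    parser = CopyAudit()
    parser.feed(html)
    parser.close()
    copied = _norm(parser.copied)
    return {"visible": _norm(parser.visible), "copied": copied,
            "hidden": _norm(parser.hidden), "newlines": copied.count("\n")}

# Constructed sample modelled on the first snippet, with a harmless payload.
SAMPLE = ('<p class="codeblock"> git clone <span style="position: absolute; '
          'left: -100px; top: -100px">/dev/null; echo hidden<br>git clone '
          '</span> git://git.kernel.org/pub/scm/utils/kup/kup.git </p>')
```

A non-empty `hidden` value, or a `newlines` count above zero for what looks like a one-line command, means the clipboard will not match what is displayed.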