Only the following script is integrated on the malicious side:
If you copy any text from such a page, the unwanted string always ends up in the clipboard (in this implementation regardless of the copied text). Instead of "evil command" you can now come up with a lot of ugly things. The whole thing becomes fatal if a line break at the end of the line is used to execute the code immediately:
It is also easy to reset the console output so that the user does not immediately notice what he has entered. For example, it is conceivable that when copying a harmless code snippet, you can shoot your partitions in passing.
If you select the desired text, in the latest Firefox (v. 45.0), for example, it is not this text but the text behind it that ends up in the clipboard.
Both methods can be tried out live here. Here the JS variant:
As well as the CSS variant: