The engineers who wrote your browser already thought of this and made sure it wouldn't work.
In case anyone mocks you for this, though, it's not a stupid question at all: there have been 1-click and 0-click attacks with vectors barely more sophisticated than this. But I feel 100% confident that in 2025 no browser can be exploited just by copying a malicious string.
>But I feel 100% confident that in 2025 no browser can be exploited just by copying a malicious string.
that's a real far leap. Most OS have a shared clipboard, and a lot of them run processes that watch the thing for events. That attack surface is so large that 100% certainty is a very hard sell to me.
Just for the sake of arguement, say clipboard_manager.sh sees a malicious string copied from a site by the browser to the system clipboard that somehow poisons that process. clipboard_manager.sh then proceeds to exfiltrate browser data via the OS/fs rather than via the browser process at all, starts keylogging (trivial in most nix), and just for the sake of throwing gas on the fire it joins the local adversarial botnet and starts churnin captchas or coins or whatever.
Was the browser exploited? ehh. no -- but it most definitely facilitated the attack by which it became victimized. It feels like semantics at that point.
This is a good point and it completely fits serf's concern. So OK, I change my answer, it is reasonable to be concerned about exploits from just copying malicious content to the clipboard.
In case anyone mocks you for this, though, it's not a stupid question at all: there have been 1-click and 0-click attacks with vectors barely more sophisticated than this. But I feel 100% confident that in 2025 no browser can be exploited just by copying a malicious string.