Does browser 'view-source' mode avoid scripting attacks?
Yes, it is absolutely safe (in Google Chrome) to open an untrusted website in view-source
mode. The key point to note here is that you should "open" the page in view-source
mode, meaning you should not allow any rendering to happen by normally loading the webpage first and then viewing the source.
An example in Google Chrome would be view-source:http://www.badjs.com/
By design, Google Chrome will initiate a new GET request to the server and provide the client browser with the unrendered version of the webpage when in view-source
mode.
You could also use a No-Script extension or add-on for your specific browser to prevent any scripting attacks.
While it is currently safe on Chrome you should not base your future checks on that. Things may change anytime and I have not seen the lack of rendering as being a specifically documented feature.
If you want to look at the code, it is much better to download the page via a command-line tool (curl for instance) and analyze what was loaded and saved in a file. This also has the added value of easily testing various pages which may be possibly served in response to different User-Agents.