Companies House allows the characters “<” and “>” to be present in company names, which opens the door to XSS attacks. I recently discovered the company 12956509, which is registered with Companies House. The full company name is as follows:
Redacted
If websites are not encoding the < > characters correctly (many aren’t) and displaying the company name, the visitor’s browser will load the JavaScript file “HTTPS://MJT.XSS.HT”.
Example:
DO NOT OPEN THE LINK BELOW IN YOUR BROWSER. THE XSS ATTACK IS NOT PROTECTED ON COMPANIES HOUSE.
Please review your regulations regarding what characters can be used in registered company names.
Thanks
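
Added example, not part of the original message: how a site that displays registry company names can encode them at output so that "<" and ">" are shown as text, next to the unencoded pattern described above. The sample names, the function names and the host example.invalid are constructed for illustration.

```javascript
// Company names come from a third-party registry and must be treated as untrusted.
// Sample names are constructed; example.invalid is a placeholder host.
const sampleNames = [
  "ACME WIDGETS LTD",
  "SMITH & SONS LIMITED",
  "EXAMPLE <SCRIPT SRC=HTTPS://EXAMPLE.INVALID></SCRIPT> LTD",
];

const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: the registry value is concatenated into markup as-is,
// so any tag inside the name becomes part of the page.
function renderUnsafe(name) {
  return `<h1 title="${name}">${name}</h1>`;
}

// Hardened pattern: encode at the point of output, for both the element
// content and the quoted attribute value.
function renderSafe(name) {
  const encoded = escapeHtml(name);
  return `<h1 title="${encoded}">${encoded}</h1>`;
}

// Triage helper for data already stored: list names containing characters
// that are significant in markup. "&" and "'" are left out because they are
// common in legitimate company names.
function flagMarkupNames(names) {
  return names.filter((n) => /[<>"]/.test(n));
}

for (const name of sampleNames) {
  console.log(renderSafe(name));
}
console.log("Names to review:", flagMarkupNames(sampleNames));
```

Encoding on output keeps the registered name intact in storage while the browser displays it as plain text.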