Hi, this record has a broken or invalid company name THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD - Overview (free company information from Companies House)
Nice one, thanks for reporting this.
I will refer it to the incorporation department.
That company name is valid under the relevant legislation.
If you ask me, the real problem here is all the websites who deal with company directors’ PII but who don’t anticipate one of the most widely known and basic issues in information security, present in the OWASP Top 10 every year from 2003 to today.
I’m concerned that you’ve retroactively changed the electronic record of the company being incorporated. In particular:
https[:]//p.lukegb.com/raw/hc6u0dm3.png (I can’t include links or upload images because I’m new…)
appears to represent that the above information was authenticated by the Registrar of Companies. Can you confirm that this information was indeed the information received by the Registrar of Companies on the date indicated, and that the application to register a company was indeed that as electronically filed on that date?
@lukegb FYI I did agree to the renaming.
I had assumed I wouldn’t be the first person to use < and > (they are, after all, both explicitly whitelisted as legal characters) and that 99% of systems would already be escaping them. The same way company 10542519 didn’t cause any problems - I would just get a company with a playful name that would elicit a knowing chuckle from the kind of people we’d be doing business with!
Once it turned out there were non-trivial problems, and that fact became more widely publicised, we can’t expect every consumer of data to do a full XSS audit in only a few days.
And while removing script tags from scanned images in PDFs seems a step beyond what I’d expect, who can object to a large holder of PII being especially energetic in their response to a security issue?
I think it’s completely fair to object when what’s supposed to be an immutable public record of company information is retroactively updated to (falsely) suggest a company had a different name at incorporation. Particularly when the PDF contains no text and presents no security risk whatsoever so there was no valid technical reason for the change, and it’s a document you electronically signed.
When did you agree to the company being renamed, and did you agree to it being renamed to “[NAME AVAILABLE ON REQUEST FROM COMPANIES HOUSE]”, or “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD” - because I can only see one official change of name document on the public record?