A British company had to change its name because it could inject code into web pages.
Source code of a website
He did not choose the company name to attack Companies House’s website, but rather thought it was “a funny, playful name” for his consulting firm, the company’s founder told the British newspaper Guardian. However, one can hardly imagine that with the original company name:
“><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD
If the HTML code, nothing else is the company name, is not properly validated and output in an HTML element in a web page, a script from the URL in the company name is executed in the context of the web page. The Guardian writes that the stored script has only issued a harmless warning. However, it could also have been used for attacks at a later time.
Now the company was renamed to “That Company whose Name used to contain HTML Script Tags LTD”. It is not the first time that a company name contains code, so the company name “; DROP TABLE “COMPANIES”;– LTD” should delete contents of the database using an SQL command. However, according to the Guardian, the companies were not forced to change their names. On the website of the authority, Companies House, instead of the name, the Guardian simply states “name of company available on request”.
Read the original article here.