It is permissible under UK law <https://www.theregister.com/2020/10/30/companies_house_xss_silliness/> to register a company name that, when inserted without escapes into a web page, will trigger certain ... interesting ... behaviour. Companies House blocked such an attempt, but frankly I don’t see why they don’t just allow it. It would serve as a wake-up call to a whole lot of lazy/naïve web developers, anyway.