According to The Register, an enterprising individual in the UK registered a cross-site scripting attack as a company name in the official UK register, Companies House.
The company name, without the brackets, was
"> SCRIPT SRC[=]HTTPS[:]//MJT.XSS.HT" LTD
Its name didn’t contain the square brackets, meaning anyone reading company names off the Companies House API would potentially run a script from the web address above.