About Supported Cleansing Functions


The Veracode Platform recognizes the following functions as cleansers: calls that neutralize data that might be tainted by an attacker before it reaches a potentially vulnerable location (a sink). Not every function is valid in every attack circumstance. For example, protecting against cross-site scripting inside an HTML attribute can require a different function than protecting a value written into the body of the page or a form field, and an HTML encoder is not a cleanser for data placed in a URL, a JavaScript block or a shell command. Be aware of the context in which you are using the function.

If you have the Security Lead role, you can specify the default mitigation state for flaws with custom cleansers.
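The point that the same cleanser is valid in one sink and not in another is easy to see by rendering one payload into several contexts. The Ruby script below is an added example, not code from this page or from Veracode: it pushes two constructed payloads through CGI.escapeHTML (listed as a CWE-80 cleanser in the Ruby table) into an HTML body, a quoted attribute and an unquoted attribute, then approximates how a browser would tokenize each result. The payloads, the attribute tokenizer and the stricter escape_unquoted_attribute encoder are illustrative assumptions written here; only CGI.escapeHTML is library code.

```ruby
require 'cgi'

# Constructed attacker-controlled inputs (illustrative, not from the page).
TAG_PAYLOAD  = '"><script>alert(1)</script>' # closes the tag, opens a script element
ATTR_PAYLOAD = 'x onmouseover=alert(1)'       # adds an event-handler attribute

# No cleanser at all, for comparison.
def raw_body(value)
  "<p>#{value}</p>"
end

# The same CWE-80 cleanser, CGI.escapeHTML, rendered into three different sinks.
def html_body(value)
  "<p>#{CGI.escapeHTML(value)}</p>"
end

def quoted_attribute(value)
  %(<div title="#{CGI.escapeHTML(value)}">)
end

def unquoted_attribute(value)
  "<div title=#{CGI.escapeHTML(value)}>"
end

# Stricter encoder for the unquoted-attribute sink (illustrative, written here): encode
# every non-alphanumeric character so that whitespace and '=' cannot begin a new
# attribute. Encoders such as OWASP's forHtmlUnquotedAttribute take the same approach.
def escape_unquoted_attribute(value)
  value.gsub(/[^A-Za-z0-9]/) { |c| "&##{c.ord};" }
end

def unquoted_attribute_strict(value)
  "<div title=#{escape_unquoted_attribute(value)}>"
end

# Approximation of the browser's start-tag tokenizer: the attribute names it would see.
# Quoted values are consumed whole; an unquoted value ends at whitespace or '>'.
ATTR_RE = /\s([A-Za-z][\w-]*)(?:=(?:"[^"]*"|'[^']*'|[^\s>]*))?/

def attribute_names(markup)
  tag = markup[/<[A-Za-z][^>]*>/] # first start tag only
  return [] unless tag
  tag.scan(ATTR_RE).flatten
end

def script_tags(markup)
  markup.scan(/<script/i).length
end

# Did the rendered markup gain anything the template author did not write?
def breaks_out?(markup)
  script_tags(markup) > 0 || (attribute_names(markup) - ['title']).any?
end

if __FILE__ == $0
  [
    ['raw body',                   raw_body(TAG_PAYLOAD)],
    ['HTML body',                  html_body(TAG_PAYLOAD)],
    ['quoted attribute',           quoted_attribute(ATTR_PAYLOAD)],
    ['unquoted attribute',         unquoted_attribute(ATTR_PAYLOAD)],
    ['unquoted attribute, strict', unquoted_attribute_strict(ATTR_PAYLOAD)]
  ].each do |sink, markup|
    puts format('%-28s %-9s %s', sink, breaks_out?(markup) ? 'BREAKOUT' : 'ok', markup)
  end
end
```

The run shows CGI.escapeHTML holding in the body and in the quoted attribute, while the unquoted attribute still gains an onmouseover handler because the payload contains no character that the HTML encoder touches. Quoting the attribute, or switching to an encoder built for the unquoted sink, is the fix; the cleanser listing alone does not tell you which one a given flaw needs.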

Supported .NET Cleansing Functions

Function Flaw Class
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.GetSafeHtml CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.GetSafeHtmlFragment CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.HtmlAttributeEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.HtmlEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.JavaScriptEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.UrlEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.VisualBasicScriptEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.XmlAttributeEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.XmlEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.AntiXssEncoder.HtmlAttributeEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.AntiXssEncoder.HtmlEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.AntiXssEncoder.UrlEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.AntiXssEncoder.UrlPathEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.AntiXSSLibrary.HtmlEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.AntiXSSLibrary.UrlEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.Encoder.CssEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.Encoder.HtmlAttributeEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.Encoder.HtmlEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.Encoder.HtmlFormUrlEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.Encoder.JavaScriptEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.Encoder.LdapDistinguishedNameEncode CWE-90
antixsslibrary_dll.Microsoft.Security.Application.Encoder.LdapFilterEncode CWE-90
antixsslibrary_dll.Microsoft.Security.Application.Encoder.UrlEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.Encoder.UrlPathEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.Encoder.VisualBasicScriptEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.Encoder.XmlAttributeEncode CWE-80, 93, 113, and 117
antixsslibrary_dll.Microsoft.Security.Application.Encoder.XmlEncode CWE-80, 93, 113, and 117
htmlsanitizationlibrary_dll.Microsoft.Security.Application.Sanitizer.GetSafeHtml CWE-80, 93, 113, and 117
htmlsanitizationlibrary_dll.Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment CWE-80, 93, 113, and 117
microsoft_sharepoint_dll.Microsoft.SharePoint.Utilities.SPHttpUtility.HtmlEncode CWE-80, 93, 113, and 117
mscorlib_dll.System.Security.SecurityElement.Escape CWE-80, 93, 113, and 117
system_dll.System.Net.WebUtility.HtmlEncode CWE-80, 93, 113, and 117
system_dll.System.Net.WebUtility.UrlEncode CWE-80, 93, 113, and 117
system_dll.System.Net.WebUtility.UrlEncodeToBytes CWE-80, 93, 113, and 117
system_web_dll.System.Web.HttpServerUtility.HtmlEncode CWE-80, 93, 113, and 117
system_web_dll.System.Web.HttpServerUtility.UrlEncode CWE-80, 93, 113, and 117
system_web_dll.System.Web.HttpServerUtility.UrlTokenEncode CWE-80, 93, 113, and 117
system_web_dll.System.Web.HttpUtility.HtmlEncode CWE-80, 93, 113, and 117
system_web_dll.System.Web.HttpUtility.JavaScriptStringEncode CWE-80, 93, 113, and 117
system_web_dll.System.Web.HttpUtility.UrlEncode CWE-80, 93, 113, and 117
system_web_dll.System.Web.HttpUtility.UrlEncodeUnicode CWE-80, 93, 113, and 117
system_web_dll.System.Web.HttpUtility.UrlEncodeUnicodeToBytes CWE-80, 93, 113, and 117
system_web_dll.System.Web.HttpUtility.UrlEncodeToBytes CWE-80, 93, 113, and 117
system_web_dll.System.Web.Security.AntiXss.AntiXssEncoder.CssEncode CWE-80, 93, 113, and 117
system_web_dll.System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode CWE-80, 93, 113, and 117
system_web_dll.System.Web.Security.AntiXss.AntiXssEncoder.HtmlFormUrlEncode CWE-80, 93, 113, and 117
system_web_dll.System.Web.Security.AntiXss.AntiXssEncoder.UrlEncode CWE-80, 93, 113, and 117
system_web_dll.System.Web.Security.AntiXss.AntiXssEncoder.XmlAttributeEncode CWE-80, 93, 113, and 117
system_web_dll.System.Web.Security.AntiXss.AntiXssEncoder.XmlEncode CWE-80, 93, 113, and 117
system_web_dll.System.Web.Util.HttpEncoder.HtmlAttributeEncode CWE-80, 93, 113, and 117
system_web_dll.System.Web.Util.HttpEncoder.HtmlEncode CWE-80, 93, 113, and 117
system_web_dll.System.Web.Util.HttpEncoder.UrlEncode CWE-80, 93, 113, and 117
system_web_dll.System.Web.Util.HttpEncoder.UrlPathEncode CWE-80, 93, 113, and 117
system_web_mvc_dll.System.Web.Mvc.HtmlHelper.AttributeEncode CWE-80, 93, 113, and 117
system_web_mvc_dll.System.Web.Mvc.HtmlHelper.Encode CWE-80, 93, 113, and 117
system_web_mvc_dll.System.Web.Mvc.UrlHelper.Encode CWE-80, 93, 113, and 117
system_web_webpages_dll.System.Web.WebPages.RequestExtensions.IsUrlLocalToHost CWE-601
system_windows_browser_dll.System.Windows.Browser.HttpUtility.HtmlEncode CWE-80, 93, 113, and 117
system_windows_browser_dll.System.Windows.Browser.HttpUtility.UrlEncode CWE-80, 93, 113, and 117
system_windows_dll.System.Net.HttpUtility.HtmlEncode CWE-80, 93, 113, and 117
system_windows_dll.System.Net.HttpUtility.UrlEncode CWE-80, 93, 113, and 117

Supported Java Cleansing Functions

Function Flaw Class
android.net.Uri.encode CWE-80, 93, 113, and 117
com.google.gwt.safehtml.shared.SafeHtmlUtils.htmlEscape CWE-80
com.google.gwt.safehtml.shared.SafeHtmlUtils.htmlEscapeAllowEntities CWE-80
com.google.gwt.safehtml.shared.SafeHtmlUtils.fromString CWE-80
com.liferay.portal.kernel.util.HtmlUtil.escapeAttribute CWE-80
com.liferay.portal.kernel.util.HtmlUtil.escape CWE-80
com.liferay.portal.kernel.util.HtmlUtil.escapeHREF CWE-80
com.liferay.portal.kernel.util.HtmlUtil.escapeCSS CWE-80, 93, 113, and 117
com.liferay.portal.kernel.util.HtmlUtil.escapeREF CWE-80, 93, 113, and 117
com.liferay.portal.kernel.util.HtmlUtil.escapeJS CWE-80, 93, 113, and 117
com.liferay.portal.kernel.util.HtmlUtil.escapeURL CWE-80
com.liferay.portal.kernel.util.HtmlUtil.escapeXPath CWE-80, 93, 113, and 117
com.liferay.portal.kernel.util.HtmlUtil.escapeXPathAttribute CWE-80, 93, 113, and 117
com.oreilly.servlet.Base64encoder.Encode CWE-80, 93, 113, and 117
java.net.URLEncoder.encode CWE-80, 93, 113, and 117
org.tuckey.web.filters.validation.utils.StringEscapeUtils.escapeHtml CWE-80
org.apache.axis.components.encoding.XMLEncoder.encode CWE-80
org.apache.commons.codec.net.URLCodec.encode CWE-80, 93, 113, and 117
org.apache.commons.lang.StringEscapeUtils.escapeJava CWE-93, 113, and 117
org.apache.commons.lang3.StringEscapeUtils.escapeJava CWE-93, 113, and 117
org.apache.commons.lang.StringEscapeUtils.escapeJavaScript CWE-93, 113, and 117
org.apache.commons.text.StringEscapeUtils.escapeEcmaScript CWE-93, 113, and 117
org.apache.commons.text.StringEscapeUtils.escapeJava CWE-93, 113, and 117
org.apache.commons.text.StringEscapeUtils.escapeJson CWE-93, 113, and 117
org.apache.commons.text.StringEscapeUtils.escapeXml10 CWE-80
org.apache.commons.text.StringEscapeUtils.escapeXml11 CWE-80
org.apache.commons.lang.StringUtils.deleteWhitespace CWE-93, 113, and 117
org.apache.commons.lang3.StringUtils.deleteWhitespace CWE-93, 113, and 117
org.apache.commons.lang.StringUtils.normalizeSpace CWE-93, 113, and 117
org.apache.commons.lang3.StringUtils.normalizeSpace CWE-93, 113, and 117
org.apache.xerces.impl.dv.util.Base64.encode CWE-80, 93, 113, and 117
org.apache.axis2.util.XMLUtils.base64encode CWE-80, 93, 113, and 117
org.apache.xerces.impl.dv.util.HexBin.encode CWE-80, 93, 113, and 117
org.keyczar.util.Base64Coder.encode CWE-80, 93, 113, and 117
org.owasp.encoder.Encode.forCDATA CWE-80
org.owasp.encoder.Encode.forCssString CWE-80, 93, 113, and 117
org.owasp.encoder.Encode.forCssUrl CWE-80, 93, 113, and 117
org.owasp.encoder.Encode.forHtml CWE-80
org.owasp.encoder.Encode.forHtmlAttribute CWE-80
org.owasp.encoder.Encode.forHtmlContent CWE-80
org.owasp.encoder.Encode.forHtmlUnquotedAttribute CWE-80, 93, 113, and 117
org.owasp.encoder.Encode.forJava CWE-93, 113, and 117
org.owasp.encoder.Encode.forJavaScript CWE-80, 93, 113, and 117
org.owasp.encoder.Encode.forJavaScriptAttribute CWE-80, 93, 113, and 117
org.owasp.encoder.Encode.forJavaScriptBlock CWE-80, 93, 113, and 117
org.owasp.encoder.Encode.forJavaScriptSource CWE-80, 93, 113, and 117
org.owasp.encoder.Encode.forUri CWE-80, 93, 113, and 117
org.owasp.encoder.Encode.forUriComponent CWE-80, 93, 113, and 117
org.owasp.encoder.Encode.forXml CWE-80
org.owasp.encoder.Encode.forXmlAttribute CWE-80
org.owasp.encoder.Encode.forXmlComment CWE-80
org.owasp.encoder.Encode.forXmlContent CWE-80
org.owasp.esapi.Encoder.encodeForBase64 CWE-80, 93, 113, and 117
org.owasp.esapi.Encoder.encodeForCSS CWE-80, 93, 113, and 117
org.owasp.esapi.Encoder.encodeForDN CWE-90
org.owasp.esapi.Encoder.encodeForHTML CWE-80, 93, 113, and 117
org.owasp.esapi.Encoder.encodeForHTMLAttribute CWE-80, 93, 113, and 117
org.owasp.esapi.Encoder.encodeForJavaScript CWE-80, 93, 113, and 117
org.owasp.esapi.Encoder.encodeForLDAP CWE-90
org.owasp.esapi.Encoder.encodeForURL CWE-80, 93, 113, and 117
org.owasp.esapi.Encoder.encodeForXML CWE-80, 93, 113, and 117
org.owasp.esapi.Encoder.encodeForXMLAttribute CWE-80, 93, 113, and 117
org.owasp.esapi.interfaces.IEncoder.encodeForDN CWE-90
org.owasp.esapi.interfaces.IEncoder.encodeForLDAP CWE-90
org.owasp.esapi.StringUtilities.replaceLinearWhiteSpace CWE-93, 113, and 117
org.owasp.esapi.StringUtilities.stripControls CWE-93, 113, and 117
org.owasp.reform.Reform.HtmlAttributeEncode CWE-80, 93, 113, and 117
org.owasp.reform.Reform.HtmlEncode CWE-80, 93, 113, and 117
org.owasp.reform.Reform.JsString CWE-80, 93, 113, and 117
org.owasp.reform.Reform.VbsString CWE-80, 93, 113, and 117
org.owasp.reform.Reform.XmlAttributeEncode CWE-80, 93, 113, and 117
org.owasp.reform.Reform.XmlEncode CWE-80, 93, 113, and 117
org.owasp.esapi.interfaces.IEncoder.encodeForHTML CWE-80, 93, 113, and 117
org.owasp.esapi.interfaces.IEncoder.encodeForHTMLAttribute CWE-80, 93, 113, and 117
org.owasp.esapi.interfaces.IEncoder.encodeForJavascript CWE-80, 93, 113, and 117
org.owasp.esapi.interfaces.IEncoder.encodeForXML CWE-80, 93, 113, and 117
org.owasp.esapi.interfaces.IEncoder.encodeForXMLAttribute CWE-80, 93, 113, and 117
org.owasp.esapi.interfaces.IEncoder.encodeForURL CWE-80, 93, 113, and 117
org.owasp.esapi.interfaces.IEncoder.encodeForBase64 CWE-80, 93, 113, and 117
org.owasp.esapi.reference.DefaultEncoder.encodeForBase64 CWE-80, 93, 113, and 117
org.owasp.esapi.reference.DefaultEncoder.encodeForCSS CWE-80, 93, 113, and 117
org.owasp.esapi.reference.DefaultEncoder.encodeForHTML CWE-80, 93, 113, and 117
org.owasp.esapi.reference.DefaultEncoder.encodeForHTMLAttribute CWE-80, 93, 113, and 117
org.owasp.esapi.reference.DefaultEncoder.encodeForJavaScript CWE-80, 93, 113, and 117
org.owasp.esapi.reference.DefaultEncoder.encodeForURL CWE-80, 93, 113, and 117
org.owasp.esapi.reference.DefaultEncoder.encodeForXML CWE-80, 93, 113, and 117
org.owasp.esapi.reference.DefaultEncoder.encodeForXMLAttribute CWE-80, 93, 113, and 117
org.w3c.tidy.servlet.util.HTMLEncode.Encode CWE-80
org.w3c.tidy.servlet.util.HTMLEncode.EncodeHREFQuery CWE-80
org.springframework.util.StringUtils.trimAllWhitespace CWE-93, 113, and 117
org.springframework.web.util.HtmlUtils.htmlEscape CWE-80
org.springframework.web.util.HtmlUtils.htmlEscapeDecimal CWE-80
org.springframework.web.util.HtmlUtils.htmlEscapeHex CWE-80
org.springframework.web.util.UriUtils.encode CWE-80, 93, 113, and 117
org.springframework.web.util.UriUtils.encodeAuthority CWE-93, 113, and 117
org.springframework.web.util.UriUtils.encodeFragment CWE-93, 113, and 117
org.springframework.web.util.UriUtils.encodeHost CWE-93, 113, and 117
org.springframework.web.util.UriUtils.encodePath CWE-93, 113, and 117
org.springframework.web.util.UriUtils.encodePathSegment CWE-93, 113, and 117
org.springframework.web.util.UriUtils.encodePort CWE-80, 93, 113, and 117
org.springframework.web.util.UriUtils.encodeQuery CWE-93, 113, and 117
org.springframework.web.util.UriUtils.encodeQueryParam CWE-93, 113, and 117
org.springframework.web.util.UriUtils.encodeScheme CWE-80, 93, 113, and 117
org.springframework.web.util.UriUtils.encodeUserInfo CWE-93, 113, and 117
sun.misc.BASE64encoder.Encode CWE-80, 93, 113, and 117
sun.misc.BASE64encoder.EncodeString CWE-80, 93, 113, and 117
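Several entries above that do not look like encoders (StringUtils.deleteWhitespace, StringUtilities.stripControls, the Base64 encoders) are listed for CWE-93, 113 and 117 because those flaw classes share one requirement: no carriage return, line feed or other control character may survive into the header, log line or protocol message. The Ruby script below is an added example, not code from this page or from Veracode, showing that property with constructed inputs; the strip_controls, neutralize_for_log and single_line? helpers are illustrative and written here, and only the base64 library calls are real. It also shows a caveat for the Ruby base64.!class.encode64 entry listed later: encode64 line-wraps its output and appends a trailing newline, so for a header value strict_encode64 is the right choice.

```ruby
require 'base64'

# Constructed tainted inputs (illustrative, not from the page).
HEADER_PAYLOAD = "en\r\nSet-Cookie: role=admin"              # CWE-113: a second header
LOG_PAYLOAD    = "bob\n2024-01-01 INFO login ok user=admin"  # CWE-117: a forged log line

# The property that CWE-93/113/117 cleansers must establish: no C0 control characters.
def single_line?(value)
  value !~ /[\x00-\x1f\x7f]/
end

# Remove control characters outright (illustrative; ESAPI's stripControls is similar in
# intent). Appropriate for a header value, where the data has no business containing them.
def strip_controls(value)
  value.gsub(/[\x00-\x1f\x7f]/, '')
end

# For a log sink, make the control characters visible instead of dropping them, so the
# forged line cannot split the entry and the attempt remains in the record (illustrative).
def neutralize_for_log(value)
  value.gsub(/[\x00-\x1f\x7f]/) { |c| format('\\x%02x', c.ord) }
end

# Remove every whitespace character, as StringUtils.deleteWhitespace does; note that this
# also removes ordinary spaces, so it is a cleanser, not a presentation-preserving encoder.
def delete_whitespace(value)
  value.gsub(/\s/, '')
end

def log_entry(user)
  "2024-01-01 INFO login ok user=#{user}"
end

def log_line_count(user)
  log_entry(user).lines.length
end

if __FILE__ == $0
  {
    'raw header value'     => HEADER_PAYLOAD,
    'strip_controls'       => strip_controls(HEADER_PAYLOAD),
    'delete_whitespace'    => delete_whitespace(HEADER_PAYLOAD),
    'Base64.strict_encode64' => Base64.strict_encode64(HEADER_PAYLOAD),
    'Base64.encode64'      => Base64.encode64(HEADER_PAYLOAD)
  }.each do |cleanser, value|
    puts format('%-24s %-5s %p', cleanser, single_line?(value) ? 'ok' : 'CRLF', value)
  end
  puts "raw log entry spans #{log_line_count(LOG_PAYLOAD)} lines"
  puts "neutralized entry:  #{log_entry(neutralize_for_log(LOG_PAYLOAD))}"
end
```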

Supported C Cleansing Functions

Function Flaw Class
base64_encode CWE-113
UrlEscape CWE-113

Supported Classic ASP Cleansing Functions

Veracode recognizes several functions native to Classic ASP that provide adequate protection against injection-type attacks:

Function Flaw Class
Server.HTMLEncode() CWE-80 and 113
Server.URLEncode() CWE-80 and 113
escape() CWE-80 and 113

Supported ColdFusion Cleansing Functions

Function Flaw Class
coldfusion.runtime.CFPage.EncodeForCSS CWE-80
coldfusion.runtime.CFPage.EncodeForHTML CWE-80
coldfusion.runtime.CFPage.EncodeForHTMLAttribute CWE-80
coldfusion.runtime.CFPage.EncodeForJavaScript CWE-80
coldfusion.runtime.CFPage.EncodeForURL CWE-80
coldfusion.runtime.CFPage.EncodeForXML CWE-80
coldfusion.runtime.CFPage.EncodeForXMLAttribute CWE-80
coldfusion.runtime.CFPage.EncodeForXpath CWE-80
coldfusion.runtime.CfJspPage.HTMLCodeFormat CWE-80
coldfusion.runtime.CfJspPage.HTMLEditFormat CWE-80
coldfusion.runtime.CFPage.HTMLCodeFormat CWE-80
coldfusion.runtime.CFPage.HTMLEditFormat CWE-80
coldfusion.runtime.CFPage.URLEncodedFormat CWE-80
coldfusion.runtime.CfJspPage.XMLFormat CWE-80
coldfusion.runtime.CFPage.XMLFormat CWE-80

Supported Perl Cleansing Functions

Veracode recognizes these cleansing functions for CWE-80 in Perl CGI applications:

Function Flaw Class
escapeHTML() from the CGI module for HTML markup escaping CWE-80
escape() from the CGI module for URL escaping CWE-80
encode_entities($scalar) from the HTML::Entities module for HTML markup escaping CWE-80

If Autoescape mode is enabled, which is the default since CGI.pm version 1.57, then the following CGI functions automatically escape the output HTML:

Function Flaw Class
textfield() CWE-80
textarea() CWE-80
password_field() CWE-80
filefield() CWE-80
popup_menu() CWE-80
optgroup() CWE-80
scrolling_list() CWE-80
checkbox_group() CWE-80
checkbox() CWE-80
radio_group() CWE-80
submit() CWE-80
defaults() CWE-80
hidden() CWE-80

Supported PHP Cleansing Functions

Function Flaw Class
db2_escape_string CWE-89
dbx_escape_string CWE-89
ingres_escape_string CWE-89
maxdb_escape_string CWE-89
maxdb_real_escape_string CWE-89
maxdb.real_escape_string CWE-89
mysqli.escape_string CWE-89
mysqli.real_escape_string CWE-89
mysqli_real_escape_string CWE-89
mysql_real_escape_string CWE-89
sqlite_escape_string CWE-89
pg_escape_string CWE-89
PDO.quote CWE-89
SQLite3.escapeString CWE-89
escapeshellarg CWE-89
escapeshellcmd CWE-89
escapeshellarg CWE-78
escapeshellcmd CWE-78
urlencode CWE-80
rawurlencode CWE-80
htmlentities CWE-80
htmlspecialchars CWE-80
HTMLPurifier CWE-80

Supported Ruby Cleansing Functions

Function Flaw Class
base64.!class.encode64 CWE-80, 93, 113, and 117
base64.!class.strict_encode64 CWE-80, 93, 113, and 117
base64.!class.urlsafe_encode64 CWE-80, 93, 113, and 117
CGI.!class.escape CWE-80, 93, 113, and 117
CGI.!class.escapeHTML CWE-80, 93, 113, and 117
CGI.!class.escape_html CWE-80, 93, 113, and 117
digest.class.!class.base64digest CWE-80, 93, 113, and 117
ERB.Util.!class.h CWE-80, 93, 113, and 117
ERB.Util.!class.html_escape CWE-80, 93, 113, and 117
ERB.Util.!class.u CWE-80, 93, 113, and 117
ERB.Util.!class.url_encode CWE-80, 93, 113, and 117
RSS.Converter.h CWE-80, 93, 113, and 117
RSS.Converter.html_escape CWE-80, 93, 113, and 117
RSS.Element.h CWE-80, 93, 113, and 117
RSS.Element.html_escape CWE-80, 93, 113, and 117
shellwords.!class.escape CWE-80, 93, 113, and 117
shellwords.!class.shellescape CWE-80, 93, 113, and 117
string.shellescape() CWE-80, 93, 113, and 117
URI.!class.encode_www_form CWE-80, 93, 113, and 117
URI.!class.encode_www_form_component CWE-80, 93, 113, and 117
URI.Parser.escape CWE-80, 93, 113, and 117
WEBrick.HTMLUtils.escape CWE-80, 93, 113, and 117
WEBrick.HTTPUtils.!class.escape_form CWE-80, 93, 113, and 117
WEBrick.HTTPUtils.!class.escape_path CWE-80, 93, 113, and 117
XMLRPC.Base64.!class.encode CWE-80, 93, 113, and 117
XMLRPC.Base64.encode CWE-80, 93, 113, and 117
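The shell-argument cleansers in the tables (escapeshellarg for CWE-78 in PHP, shellwords.!class.escape and string.shellescape() in Ruby) neutralize shell metacharacters, but they do not decide what the invoked program does with the argument. The Ruby script below is an added example, not code from this page or from Veracode: it builds a command line from a constructed payload with and without Shellwords.escape, splits it back into argv the way the shell would, and then shows the case the cleanser cannot cover, a value with no metacharacters at all that the program reads as an option. The payloads and the injected_command?, option_injection? and command_safe helpers are illustrative and written here; Shellwords.escape and Shellwords.split are library code.

```ruby
require 'shellwords'

# Constructed tainted inputs (illustrative, not from the page).
FILENAME_PAYLOAD = 'report.txt; rm -rf /' # command injection: terminate, then run another
OPTION_PAYLOAD   = '-rf /'                # argument injection: no metacharacters at all

def command_unsafe(filename)
  "cat #{filename}"
end

# The CWE-78 cleanser applied to the tainted value.
def command_escaped(filename)
  "cat #{Shellwords.escape(filename)}"
end

# Cleanser plus an end-of-options marker so a leading '-' cannot be read as a flag.
# Passing an argv array to Process.spawn or system (no shell at all) is the other fix.
def command_safe(filename)
  "cat -- #{Shellwords.escape(filename)}"
end

# What the program receives: the command line split into words after quote removal.
def argv_for(command_line)
  Shellwords.split(command_line)
end

# The template intended exactly two words (program and filename); more means the
# payload introduced additional words, i.e. the shell would see extra tokens.
def injected_command?(command_line)
  argv_for(command_line).length > 2
end

# Any argument that starts with '-' and is not protected by a preceding '--' is parsed
# by most programs as an option rather than as data.
def option_injection?(command_line)
  argv = argv_for(command_line)
  return false if argv.include?('--')
  argv.drop(1).any? { |arg| arg.start_with?('-') }
end

if __FILE__ == $0
  [
    ['unsafe, metacharacters', command_unsafe(FILENAME_PAYLOAD)],
    ['escaped, metacharacters', command_escaped(FILENAME_PAYLOAD)],
    ['escaped, option-like', command_escaped(OPTION_PAYLOAD)],
    ['escaped with --, option-like', command_safe(OPTION_PAYLOAD)]
  ].each do |label, line|
    verdict = if injected_command?(line) then 'EXTRA WORDS'
              elsif option_injection?(line) then 'OPTION INJECTION'
              else 'ok'
              end
    puts format('%-30s %-17s %p', label, verdict, argv_for(line))
  end
end
```

Shellwords.escape turns the first payload into a single argv entry, which is exactly what the CWE-78 cleanser promises. The second payload passes through escaping unchanged in meaning because it contains nothing the shell interprets, and cat would still treat it as options; that is why a practitioner pairs the cleanser with '--' or with an argv-array call rather than treating the escape function as sufficient on its own.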