Supported Cleansing Functions

The Veracode Platform recognizes the following functions as able to cleanse data that an attacker may have tainted before it reaches a potentially vulnerable location. Not every function is valid in every attack circumstance: for example, you may need a different function to protect against cross-site scripting in an HTML attribute than in a form field. Be aware of the context in which you are using the function.
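Whether a cleanser is adequate depends on the output context, as the paragraph above says. The following script is an added example, not Veracode's code: it renders one untrusted value into element content, a quoted attribute and an unquoted attribute using the Python standard library's html.escape, then uses html.parser to check whether the value stayed a single text node or attribute value or spilled into the markup. The three templates and the per-character encoder for the unquoted case are constructed for this example.

```python
import html
from html.parser import HTMLParser

class _Shape(HTMLParser):
    """Record the tags, attributes and text the parser actually sees."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs, self.text = [], [], ""
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(attrs)
    def handle_data(self, data):
        self.text += data

def parse_shape(fragment):
    parser = _Shape()
    parser.feed(fragment)
    parser.close()
    return parser.tags, parser.attrs, parser.text

def render(context, value, encoder):
    """Put encoder(value) into one of three constructed HTML templates."""
    encoded = encoder(value)
    if context == "content":
        return f"<span>{encoded}</span>"
    if context == "quoted_attr":
        return f'<input value="{encoded}">'
    if context == "unquoted_attr":
        return f"<input value={encoded}>"
    raise ValueError(f"unknown context: {context}")

def contained(context, value, encoder):
    """True if the value survived as exactly one text node or one attribute."""
    tags, attrs, text = parse_shape(render(context, value, encoder))
    if context == "content":
        return tags == ["span"] and text == value
    return tags == ["input"] and attrs == [("value", value)]

# Three cleansers of increasing strictness (names are this example's, not Veracode's).
content_only = lambda v: html.escape(v, quote=False)       # escapes < > & only
content_and_quotes = lambda v: html.escape(v, quote=True)  # also " and '
every_non_alnum = lambda v: "".join(                       # for unquoted attributes
    c if c.isalnum() else f"&#x{ord(c):x};" for c in v)
```

With the same input, content_only is enough for element content, fails for a quoted attribute (a second attribute appears), and even content_and_quotes fails for an unquoted attribute because it leaves the space that ends the value; that is why unquoted attributes get their own cleanser in the tables below.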

Security Leads can specify the default mitigation state for flaws with custom cleansers.

Supported .NET Cleansing Functions

Function | Flaw Class
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.GetSafeHtml | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.GetSafeHtmlFragment | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.HtmlAttributeEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.HtmlEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.JavaScriptEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.UrlEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.VisualBasicScriptEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.XmlAttributeEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.AntiXss.XmlEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.AntiXssEncoder.HtmlAttributeEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.AntiXssEncoder.HtmlEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.AntiXssEncoder.UrlEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.AntiXssEncoder.UrlPathEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.AntiXSSLibrary.HtmlEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.AntiXSSLibrary.UrlEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.Encoder.CssEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.Encoder.HtmlAttributeEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.Encoder.HtmlEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.Encoder.HtmlFormUrlEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.Encoder.JavaScriptEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.Encoder.LdapDistinguishedNameEncode | CWE 90
antixsslibrary_dll.Microsoft.Security.Application.Encoder.LdapFilterEncode | CWE 90
antixsslibrary_dll.Microsoft.Security.Application.Encoder.UrlEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.Encoder.UrlPathEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.Encoder.VisualBasicScriptEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.Encoder.XmlAttributeEncode | CWE 80, 93, 117 and 113
antixsslibrary_dll.Microsoft.Security.Application.Encoder.XmlEncode | CWE 80, 93, 117 and 113
htmlsanitizationlibrary_dll.Microsoft.Security.Application.Sanitizer.GetSafeHtml | CWE 80, 93, 117 and 113
htmlsanitizationlibrary_dll.Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment | CWE 80, 93, 117 and 113
microsoft_sharepoint_dll.Microsoft.SharePoint.Utilities.SPHttpUtility.HtmlEncode | CWE 80, 93, 117 and 113
mscorlib_dll.System.Security.SecurityElement.Escape | CWE 80, 93, 117 and 113
system_dll.System.Net.WebUtility.HtmlEncode | CWE 80, 93, 117 and 113
system_dll.System.Net.WebUtility.UrlEncode | CWE 80, 93, 117 and 113
system_dll.System.Net.WebUtility.UrlEncodeToBytes | CWE 80, 93, 117 and 113
system_web_dll.System.Web.HttpServerUtility.HtmlEncode | CWE 80, 93, 117 and 113
system_web_dll.System.Web.HttpServerUtility.UrlEncode | CWE 80, 93, 117 and 113
system_web_dll.System.Web.HttpServerUtility.UrlTokenEncode | CWE 80, 93, 117 and 113
system_web_dll.System.Web.HttpUtility.HtmlEncode | CWE 80, 93, 117 and 113
system_web_dll.System.Web.HttpUtility.JavaScriptStringEncode | CWE 80, 93, 117 and 113
system_web_dll.System.Web.HttpUtility.UrlEncode | CWE 80, 93, 117 and 113
system_web_dll.System.Web.HttpUtility.UrlEncodeUnicode | CWE 80, 93, 117 and 113
system_web_dll.System.Web.HttpUtility.UrlEncodeUnicodeToBytes | CWE 80, 93, 117 and 113
system_web_dll.System.Web.HttpUtility.UrlEncodeToBytes | CWE 80, 93, 117 and 113
system_web_dll.System.Web.Security.AntiXss.AntiXssEncoder.CssEncode | CWE 80, 93, 117 and 113
system_web_dll.System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode | CWE 80, 93, 117 and 113
system_web_dll.System.Web.Security.AntiXss.AntiXssEncoder.HtmlFormUrlEncode | CWE 80, 93, 117 and 113
system_web_dll.System.Web.Security.AntiXss.AntiXssEncoder.UrlEncode | CWE 80, 93, 117 and 113
system_web_dll.System.Web.Security.AntiXss.AntiXssEncoder.XmlAttributeEncode | CWE 80, 93, 117 and 113
system_web_dll.System.Web.Security.AntiXss.AntiXssEncoder.XmlEncode | CWE 80, 93, 117 and 113
system_web_dll.System.Web.Util.HttpEncoder.HtmlAttributeEncode | CWE 80, 93, 117 and 113
system_web_dll.System.Web.Util.HttpEncoder.HtmlEncode | CWE 80, 93, 117 and 113
system_web_dll.System.Web.Util.HttpEncoder.UrlEncode | CWE 80, 93, 117 and 113
system_web_dll.System.Web.Util.HttpEncoder.UrlPathEncode | CWE 80, 93, 117 and 113
system_web_mvc_dll.System.Web.Mvc.HtmlHelper.AttributeEncode | CWE 80, 93, 117 and 113
system_web_mvc_dll.System.Web.Mvc.HtmlHelper.Encode | CWE 80, 93, 117 and 113
system_web_mvc_dll.System.Web.Mvc.UrlHelper.Encode | CWE 80, 93, 117 and 113
system_web_webpages_dll.System.Web.WebPages.RequestExtensions.IsUrlLocalToHost | CWE 601
system_windows_browser_dll.System.Windows.Browser.HttpUtility.HtmlEncode | CWE 80, 93, 117 and 113
system_windows_browser_dll.System.Windows.Browser.HttpUtility.UrlEncode | CWE 80, 93, 117 and 113
system_windows_dll.System.Net.HttpUtility.HtmlEncode | CWE 80, 93, 117 and 113
system_windows_dll.System.Net.HttpUtility.UrlEncode | CWE 80, 93, 117 and 113

Supported Java Cleansing Functions

Function | Flaw Class
android.net.Uri.encode | CWE 80, 93, 117 and 113
com.google.gwt.safehtml.shared.SafeHtmlUtils.htmlEscape | CWE 80, 93, 117 and 113
com.google.gwt.safehtml.shared.SafeHtmlUtils.htmlEscapeAllowEntities | CWE 80, 93, 117 and 113
com.google.gwt.safehtml.shared.SafeHtmlUtils.fromString | CWE 80, 93, 117 and 113
com.liferay.portal.kernel.util.HtmlUtil.escapeAttribute | CWE 80, 93, 117 and 113
com.liferay.portal.kernel.util.HtmlUtil.escape | CWE 80, 93, 117 and 113
com.liferay.portal.kernel.util.HtmlUtil.escapeCSS | CWE 80, 93, 117 and 113
com.liferay.portal.kernel.util.HtmlUtil.escapeREF | CWE 80, 93, 117 and 113
com.liferay.portal.kernel.util.HtmlUtil.escapeJS | CWE 80, 93, 117 and 113
com.liferay.portal.kernel.util.HtmlUtil.escapeURL | CWE 80, 93, 117 and 113
com.liferay.portal.kernel.util.HtmlUtil.escapeXPath | CWE 80, 93, 117 and 231
com.liferay.portal.kernel.util.HtmlUtil.escapeXPathAttribute | CWE 80, 93, 117 and 113
com.oreilly.servlet.Base64encoder.Encode | CWE 80, 93, 117 and 113
java.net.URLencoder.Encode | CWE 80, 93, 117 and 113
org.tuckey.web.filters.validation.utils.StringEscapeUtils.escapeHtml | CWE 80
org.apache.axis.components.encoding.XMLEncoder.encode | CWE 80, 93, 117 and 113
org.apache.commons.lang.StringEscapeUtils.escapeJava | CWE 93, 117 and 113
org.apache.commons.lang.StringUtils.deleteWhitespace | CWE 93, 117 and 113
org.apache.commons.lang.StringUtils.normalizeSpace | CWE 93, 117 and 113
org.apache.xerces.impl.dv.util.Base64.encode | CWE 80, 93, 117 and 113
org.apache.axis2.util.XMLUtils.base64encode | CWE 80, 93, 117 and 113
org.apache.xerces.impl.dv.util.HexBin.encode | CWE 80, 93, 117 and 113
org.keyczar.util.Base64Coder.encode | CWE 80, 93, 117 and 113
org.owasp.encoder.Encode.forCDATA | CWE 80
org.owasp.encoder.Encode.forCssString | CWE 80, 93, 117 and 113
org.owasp.encoder.Encode.forCssUrl | CWE 80, 93, 117 and 113
org.owasp.encoder.Encode.forHtml | CWE 80
org.owasp.encoder.Encode.forHtmlAttribute | CWE 80
org.owasp.encoder.Encode.forHtmlContent | CWE 80
org.owasp.encoder.Encode.forHtmlUnquotedAttribute | CWE 80, 93, 117 and 113
org.owasp.encoder.Encode.forJava | CWE 80, 93, 117 and 113
org.owasp.encoder.Encode.forJavaScript | CWE 80, 93, 117 and 113
org.owasp.encoder.Encode.forJavaScriptAttribute | CWE 80, 93, 117 and 113
org.owasp.encoder.Encode.forJavaScriptBlock | CWE 80, 93, 117 and 113
org.owasp.encoder.Encode.forJavaScriptSource | CWE 80, 93, 117 and 113
org.owasp.encoder.Encode.forUri | CWE 80, 93, 117 and 113
org.owasp.encoder.Encode.forUriComponent | CWE 80, 93, 117 and 113
org.owasp.encoder.Encode.forXml | CWE 80
org.owasp.encoder.Encode.forXmlAttribute | CWE 80
org.owasp.encoder.Encode.forXmlComment | CWE 80
org.owasp.encoder.Encode.forXmlContent | CWE 80
org.owasp.esapi.Encoder.encodeForBase64 | CWE 80, 93, 117 and 113
org.owasp.esapi.Encoder.encodeForCSS | CWE 80, 93, 117 and 113
org.owasp.esapi.Encoder.encodeForDN | CWE 90
org.owasp.esapi.Encoder.encodeForHTML | CWE 80, 93, 117 and 113
org.owasp.esapi.Encoder.encodeForHTMLAttribute | CWE 80, 93, 117 and 113
org.owasp.esapi.Encoder.encodeForJavaScript | CWE 80, 93, 117 and 113
org.owasp.esapi.Encoder.encodeForLDAP | CWE 90
org.owasp.esapi.Encoder.encodeForURL | CWE 80, 93, 117 and 113
org.owasp.esapi.Encoder.encodeForXML | CWE 80, 93, 117 and 113
org.owasp.esapi.Encoder.encodeForXMLAttribute | CWE 80, 93, 117 and 113
org.owasp.esapi.interfaces.IEncoder.encodeForDN | CWE 90
org.owasp.esapi.interfaces.IEncoder.encodeForLDAP | CWE 90
org.owasp.esapi.StringUtilities.replaceLinearWhiteSpace | CWE 93, 117 and 113
org.owasp.esapi.StringUtilities.stripControls | CWE 93, 117 and 113
org.owasp.reform.Reform.HtmlAttributeEncode | CWE 80, 93, 117 and 113
org.owasp.reform.Reform.HtmlEncode | CWE 80, 93, 117 and 113
org.owasp.reform.Reform.JsString | CWE 80, 93, 117 and 113
org.owasp.reform.Reform.VbsString | CWE 80, 93, 117 and 113
org.owasp.reform.Reform.XmlAttributeEncode | CWE 80, 93, 117 and 113
org.owasp.reform.Reform.XmlEncode | CWE 80, 93, 117 and 113
org.owasp.esapi.interfaces.IEncoder.encodeForHTML | CWE 80, 93, 117 and 113
org.owasp.esapi.interfaces.IEncoder.encodeForHTMLAttribute | CWE 80, 93, 117 and 113
org.owasp.esapi.interfaces.IEncoder.encodeForJavascript | CWE 80, 93, 117 and 113
org.owasp.esapi.interfaces.IEncoder.encodeForXML | CWE 80, 93, 117 and 113
org.owasp.esapi.interfaces.IEncoder.encodeForXMLAttribute | CWE 80, 93, 117 and 113
org.owasp.esapi.interfaces.IEncoder.encodeForURL | CWE 80, 93, 117 and 113
org.owasp.esapi.interfaces.IEncoder.encodeForBase64 | CWE 80, 93, 117 and 113
org.owasp.esapi.reference.DefaultEncoder.encodeForBase64 | CWE 80, 93, 117 and 113
org.owasp.esapi.reference.DefaultEncoder.encodeForCSS | CWE 80, 93, 117 and 113
org.owasp.esapi.reference.DefaultEncoder.encodeForHTML | CWE 80, 93, 117 and 113
org.owasp.esapi.reference.DefaultEncoder.encodeForHTMLAttribute | CWE 80, 93, 117 and 113
org.owasp.esapi.reference.DefaultEncoder.encodeForJavaScript | CWE 80, 93, 117 and 113
org.owasp.esapi.reference.DefaultEncoder.encodeForURL | CWE 80, 93, 117 and 113
org.owasp.esapi.reference.DefaultEncoder.encodeForXML | CWE 80, 93, 117 and 113
org.owasp.esapi.reference.DefaultEncoder.encodeForXMLAttribute | CWE 80, 93, 117 and 113
org.w3c.tidy.servlet.util.HTMLEncode.Encode | CWE 80
org.w3c.tidy.servlet.util.HTMLEncode.EncodeHREFQuery | CWE 80
org.springframework.util.StringUtils.trimAllWhitespace | CWE 93, 117 and 113
org.springframework.web.util.HtmlUtils.htmlEscape | CWE 80, 93, 117 and 113
org.springframework.web.util.HtmlUtils.htmlEscapeDecimal | CWE 80, 93, 117 and 113
org.springframework.web.util.HtmlUtils.htmlEscapeHex | CWE 80, 93, 117 and 113
sun.misc.BASE64encoder.Encode | CWE 80, 93, 117 and 113
sun.misc.BASE64encoder.EncodeString | CWE 80, 93, 117 and 113

Supported C Cleansing Functions

Function | Flaw Class
base64_encode | CWE 113
UrlEscape | CWE 113

Supported Classic ASP Cleansing Functions

Veracode recognizes several functions native to Classic ASP that provide adequate protection against injection-type attacks:

Function | Flaw Class
Server.HTMLEncode() | CWE 80, CWE 113
Server.URLEncode() | CWE 80, CWE 113
escape() | CWE 80, CWE 113

Supported ColdFusion Cleansing Functions

Function | Flaw Class
coldfusion.runtime.CFPage.EncodeForCSS | CWE 80
coldfusion.runtime.CFPage.EncodeForHTML | CWE 80
coldfusion.runtime.CFPage.EncodeForHTMLAttribute | CWE 80
coldfusion.runtime.CFPage.EncodeForJavaScript | CWE 80
coldfusion.runtime.CFPage.EncodeForURL | CWE 80
coldfusion.runtime.CFPage.EncodeForXML | CWE 80
coldfusion.runtime.CFPage.EncodeForXMLAttribute | CWE 80
coldfusion.runtime.CFPage.EncodeForXpath | CWE 80
coldfusion.runtime.CfJspPage.HTMLCodeFormat | CWE 80
coldfusion.runtime.CfJspPage.HTMLEditFormat | CWE 80
coldfusion.runtime.CFPage.HTMLCodeFormat | CWE 80
coldfusion.runtime.CFPage.HTMLEditFormat | CWE 80
coldfusion.runtime.CFPage.URLEncodedFormat | CWE 80
coldfusion.runtime.CfJspPage.XMLFormat | CWE 80
coldfusion.runtime.CFPage.XMLFormat | CWE 80

Supported Perl Cleansing Functions

Veracode recognizes several functions native to Perl CGI that provide adequate protection against injection-type attacks:

Function | Flaw Class
escapeHTML() | CWE 80
escape() | CWE 80

If Autoescape mode is enabled, which is the default since CGI.pm version 1.57, then the following CGI functions automatically escape the output HTML:

Function | Flaw Class
textfield() | CWE 80
textarea() | CWE 80
password_field() | CWE 80
filefield() | CWE 80
popup_menu() | CWE 80
optgroup() | CWE 80
scrolling_list() | CWE 80
checkbox_group() | CWE 80
checkbox() | CWE 80
radio_group() | CWE 80
submit() | CWE 80
defaults() | CWE 80
hidden() | CWE 80

Supported PHP Cleansing Functions

Function | Flaw Class
db2_escape_string | CWE 89
dbx_escape_string | CWE 89
ingres_escape_string | CWE 89
maxdb_escape_string | CWE 89
maxdb_real_escape_string | CWE 89
maxdb.real_escape_string | CWE 89
mysqli.escape_string | CWE 89
mysqli.real_escape_string | CWE 89
mysqli_real_escape_string | CWE 89
mysql_real_escape_string | CWE 89
sqlite_escape_string | CWE 89
pg_escape_string | CWE 89
PDO.quote | CWE 89
SQLite3.escapeString | CWE 89
escapeshellarg | CWE 78 and 89
escapeshellcmd | CWE 78 and 89
urlencode | CWE 80
rawurlencode | CWE 80
htmlentities | CWE 80
htmlspecialchars | CWE 80
HTMLPurifier | CWE 80

Supported Ruby Cleansing Functions

Function | Flaw Class
base64.!class.encode64 | CWE 80, 93, 113 and 117
base64.!class.strict_encode64 | CWE 80, 93, 113 and 117
base64.!class.urlsafe_encode64 | CWE 80, 93, 113 and 117
CGI.!class.escape | CWE 80, 93, 113 and 117
CGI.!class.escapeHTML | CWE 80, 93, 113 and 117
CGI.!class.escape_html | CWE 80, 93, 113 and 117
digest.class.!class.base64digest | CWE 80, 93, 113 and 117
ERB.Util.!class.h | CWE 80, 93, 113 and 117
ERB.Util.!class.html_escape | CWE 80, 93, 113 and 117
ERB.Util.!class.u | CWE 80, 93, 113 and 117
ERB.Util.!class.url_encode | CWE 80, 93, 113 and 117
RSS.Converter.h | CWE 80, 93, 113 and 117
RSS.Converter.html_escape | CWE 80, 93, 113 and 117
RSS.Element.h | CWE 80, 93, 113 and 117
RSS.Element.html_escape | CWE 80, 93, 113 and 117
shellwords.!class.escape | CWE 80, 93, 113 and 117
shellwords.!class.shellescape | CWE 80, 93, 113 and 117
string.shellescape() | CWE 80, 93, 113 and 117
URI.!class.encode_www_form | CWE 80, 93, 113 and 117
URI.!class.encode_www_form_component | CWE 80, 93, 113 and 117
URI.Parser.escape | CWE 80, 93, 113 and 117
WEBrick.HTMLUtils.escape | CWE 80, 93, 113 and 117
WEBrick.HTTPUtils.!class.escape_form | CWE 80, 93, 113 and 117
WEBrick.HTTPUtils.!class.escape_path | CWE 80, 93, 113 and 117
XMLRPC.Base64.!class.encode | CWE 80, 93, 113 and 117
XMLRPC.Base64.encode | CWE 80, 93, 113 and 117