We have a large Classic ASP/C# site which has a few custom rules to mark strings as XSS safe, etc. Lately the custom rules are being ignored. In particular, one ASP file includes a function defined in another, and that function was removing the taint beforehand, but now the Anaysis Evidence is coming back with taint "DATABASE, XSS". I opened the FPR file in Audit Workbench and verified it was reading in the custom rule files. I then went to the offending function and said "Generate Rule For Function" and inserted it into the existing custom rule file. That new rule is also being ignored. What am I doing wrong here? New rule below. Note I change the default language from "dotnet" to "vb" by hand. Neither work.
<DataflowCleanseRule formatVersion="19.10" language="vb">
<TaintFlags> VALIDATED_CROSS_SITE_SCRIPTING_REFLECTED, VALIDATED_CROSS_SITE_SCRIPTING_PERSISTENT, VALIDATED_CROSS_SITE_SCRIPTING_DOM, VALIDATED_CROSS_SITE_SCRIPTING_POOR_VALIDATION</TaintFlags>
<ApplyTo implements="true" overrides="true" extends="true"/>