bugs getting fixed (openemr#1957)

DiscoverAndChange · Nov 5, 2018 · e10a691 · e10a691
1 parent 3edf170
commit e10a691
Show file tree

Hide file tree

Showing 16 changed files with 351 additions and 355 deletions.
diff --git a/ccr/createCCR.php b/ccr/createCCR.php
@@ -39,6 +39,8 @@
 require_once(dirname(__FILE__) . "/transmitCCD.php");
 require_once(dirname(__FILE__) . "/../custom/code_types.inc.php");
 
+use PHPMailer\PHPMailer\PHPMailer;
+
 function createCCR($action, $raw = "no", $requested_by = "")
 {
 

diff --git a/interface/orders/single_order_results.inc.php b/interface/orders/single_order_results.inc.php
@@ -183,8 +183,8 @@ function generate_result_row(&$ctx, &$row, &$rrow, $priors_omitted = false)
  array($lab_id, $procedure_code)
  );
  if (!empty($trow['standard_code'])) {
- $tmp = "<a href='javascript:educlick(\"LOINC\",\"" . attr($trow['standard_code']) .
- "\")'>$tmp</a>";
+ $tmp = "<a href='javascript:educlick(\"LOINC\"," . js_attr($trow['standard_code']) .
+ ")'>$tmp</a>";
  }
  }
 
@@ -225,8 +225,8 @@ function generate_result_row(&$ctx, &$row, &$rrow, $priors_omitted = false)
  if ($result_code !== '' || $result_document_id) {
  $tmp = myCellText($result_code);
  if (empty($GLOBALS['PATIENT_REPORT_ACTIVE']) && !empty($result_code)) {
- $tmp = "<a href='javascript:educlick(\"LOINC\",\"" . attr($result_code) .
- "\")'>$tmp</a>";
+ $tmp = "<a href='javascript:educlick(\"LOINC\"," . js_attr($result_code) .
+ ")'>$tmp</a>";
  }
 
  echo " <td>$tmp</td>\n";
@@ -248,7 +248,7 @@ function generate_result_row(&$ctx, &$row, &$rrow, $priors_omitted = false)
  echo " <td colspan='3'>";
  if (empty($GLOBALS['PATIENT_REPORT_ACTIVE'])) {
  echo "<a href='" . $GLOBALS['webroot'] . "/controller.php?document";
- echo "&retrieve&patient_id=$patient_id&document_id=$result_document_id' ";
+ echo "&retrieve&patient_id=" . attr_url($patient_id) . "&document_id=" . attr_url($result_document_id) . "' ";
  echo "onclick='top.restoreSession()'>";
  }
 
@@ -415,7 +415,7 @@ function showpnotes(orderid) {
  }
  var othername = (w.name == 'RTop') ? 'RBot' : 'RTop';
  w.parent.left_nav.forceDual();
- w.parent.left_nav.loadFrame('pno1', othername, 'patient_file/summary/pnotes_full.php?orderid=' + orderid);
+ w.parent.left_nav.loadFrame('pno1', othername, 'patient_file/summary/pnotes_full.php?orderid=' + encodeURIComponent(orderid));
  } else {
  let url = '../../patient_file/summary/pnotes_full.php?orderid=' + orderid;
  dlgopen(url, 'notes', 750, 500, '', '', {onClosed: 'reload'});
@@ -428,7 +428,7 @@ function educlick(codetype, codevalue) {
  dlgopen('<?php echo $GLOBALS['webroot']; ?>/interface/patient_file/education.php' +
  '?type=' + encodeURIComponent(codetype) +
  '&code=' + encodeURIComponent(codevalue) +
- '&language=<?php echo urlencode($language); ?>',
+ '&language=<?php echo attr_url($language); ?>',
  '_blank', 1024, 750,true); // Force a new window instead of iframe to address cross site scripting potential
 }
 
@@ -437,7 +437,7 @@ function educlick(codetype, codevalue) {
 <?php } // end if not patient report ?>
 
 <?php if ($input_form) { ?>
-<form method='post' action='single_order_results.php?orderid=<?php echo $orderid; ?>'>
+<form method='post' action='single_order_results.php?orderid=<?php echo attr_url($orderid); ?>'>
 <?php } // end if input form ?>
 
 <div class='labres'>
@@ -452,7 +452,7 @@ function educlick(codetype, codevalue) {
 if (empty($GLOBALS['PATIENT_REPORT_ACTIVE'])) {
  echo " <a href='" . $GLOBALS['webroot'];
  echo "/interface/orders/order_manifest.php?orderid=";
- echo attr($orow['procedure_order_id']);
+ echo attr_url($orow['procedure_order_id']);
  echo "' target='_blank' onclick='top.restoreSession()'>";
 }
 
@@ -635,7 +635,7 @@ function educlick(codetype, codevalue) {
  echo " </tr>\n";
  foreach ($aNotes as $key => $value) {
  echo " <tr>\n";
- echo " <td valign='top'>" . ($key + 1) . "</td>\n";
+ echo " <td valign='top'>" . text(($key + 1)) . "</td>\n";
  // <pre> tag because white space and a fixed font are often used to line things up.
  echo " <td><pre style='white-space:pre-wrap;'>" . text($value) . "</pre></td>\n";
  echo " </tr>\n";
@@ -656,7 +656,7 @@ function educlick(codetype, codevalue) {
 <?php if (empty($GLOBALS['PATIENT_REPORT_ACTIVE'])) { ?>
  &nbsp;
  <input type='button' value='<?php echo xla('Related Patient Notes'); ?>'
- onclick='showpnotes(<?php echo $orderid; ?>)' />
+ onclick='showpnotes(<?php echo js_attr($orderid); ?>)' />
 <?php } ?>
 <?php if ($input_form && $ctx['sign_list']) { ?>
  &nbsp;

diff --git a/interface/patient_file/encounter/superbill_codes.php b/interface/patient_file/encounter/superbill_codes.php
@@ -62,7 +62,7 @@
 
 <a href="encounter_bottom.php" onclick="top.restoreSession()">
 
-<font class=more><?php echo $tback;?></font></a>
+<font class=more><?php echo text($tback); ?></font></a>
 
 </dt>
 </td></tr>

diff --git a/interface/patient_file/reminder/active_reminder_popup.php b/interface/patient_file/reminder/active_reminder_popup.php
@@ -5,7 +5,7 @@
  * @package OpenEMR
  * @link http:https://www.open-emr.org
  * @author Brady Miller <[email protected]>
- * @copyright Copyright (c) 2011-2017 Brady Miller <[email protected]>
+ * @copyright Copyright (c) 2011-2018 Brady Miller <[email protected]>
  * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  */
 
@@ -55,15 +55,15 @@
 </span>&nbsp;&nbsp;&nbsp;</td>
 <td>
  <a href="#" id="close" class="css_button large_button" onclick="dlgclose(); return false;">
- <span class='css_button_span large_button_span'><?php echo htmlspecialchars(xl('Close'), ENT_NOQUOTES);?></span>
+ <span class='css_button_span large_button_span'><?php echo xlt('Close');?></span>
  </a>
 </td>
 </tr>
 </table>
 <br>
 <?php
 foreach ($all_allergy_alerts as $allergy) {
- echo xlt("ALLERGY WARNING") . ":" . $allergy ."<br>";
+ echo xlt("ALLERGY WARNING") . ":" . text($allergy) ."<br>";
 }
 
 if (!empty($all_allergy_alerts)) {

diff --git a/interface/patient_file/reminder/clinical_reminders.php b/interface/patient_file/reminder/clinical_reminders.php
@@ -2,13 +2,13 @@
 /**
  * clinical reminders gui
  *
- * @package OpenEMR
- * @link http:https://www.open-emr.org
- * @author Brady Miller <[email protected]>
- * @author Ensofttek, LLC
- * @copyright Copyright (c) 2011-2017 Brady Miller <[email protected]>
+ * @package  OpenEMR
+ * @link  http:https://www.open-emr.org
+ * @author  Brady Miller <[email protected]>
+ * @author  Ensofttek, LLC
+ * @copyright Copyright (c) 2011-2018 Brady Miller <[email protected]>
  * @copyright Copyright (c) 2011 Ensofttek, LLC
- * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
+ * @license  https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  */
 
 
@@ -30,17 +30,17 @@
 
 <body class='body_top'>
 <div>
- <span class='title'><?php echo htmlspecialchars(xl('Clinical Reminders'), ENT_NOQUOTES); ?></span>
+ <span class='title'><?php echo xlt('Clinical Reminders'); ?></span>
 </div>
 <div id='namecontainer_creminders' class='namecontainer_creminders' style='float:left;margin-right:10px'>
- <?php echo htmlspecialchars(xl('for'), ENT_NOQUOTES);?>&nbsp;
+ <?php echo xlt('for');?>&nbsp;
  <span class="title">
- <a href="../summary/demographics.php" onclick="top.restoreSession()"><?php echo htmlspecialchars(getPatientName($pid), ENT_NOQUOTES); ?></a>
+ <a href="../summary/demographics.php" onclick="top.restoreSession()"><?php echo text(getPatientName($pid)); ?></a>
  </span>
 </div>
 <div>
  <a href="../summary/demographics.php" class="css_button" onclick="top.restoreSession()">
- <span><?php echo htmlspecialchars(xl('Back To Patient'), ENT_NOQUOTES);?></span>
+ <span><?php echo xlt('Back To Patient');?></span>
  </a>
 </div>
 
@@ -55,9 +55,9 @@
 ?>
 
 <ul class="tabNav">
- <li class='current'><a href='#' onclick='top.restoreSession()'><?php echo htmlspecialchars(xl('Main'), ENT_NOQUOTES); ?></a></li>
- <li><a href='#' onclick='top.restoreSession()'><?php echo htmlspecialchars(xl('Plans'), ENT_NOQUOTES); ?></a></li>
- <li><a href='#' onclick='top.restoreSession()'><?php echo htmlspecialchars(xl('Admin'), ENT_NOQUOTES); ?></a></li>
+ <li class='current'><a href='#' onclick='top.restoreSession()'><?php echo xlt('Main'); ?></a></li>
+ <li><a href='#' onclick='top.restoreSession()'><?php echo xlt('Plans'); ?></a></li>
+ <li><a href='#' onclick='top.restoreSession()'><?php echo xlt('Admin'); ?></a></li>
 </ul>
 
 <div class="tabContainer">
@@ -77,12 +77,12 @@
  <div id='report_results'>
  <table>
  <tr>
- <th rowspan="2"><?php echo htmlspecialchars(xl('Plan'), ENT_NOQUOTES); ?></th>
- <th colspan="2"><?php echo htmlspecialchars(xl('Show'), ENT_NOQUOTES); ?></th>
+ <th rowspan="2"><?php echo xlt('Plan'); ?></th>
+ <th colspan="2"><?php echo xlt('Show'); ?></th>
  </tr>
  <tr>
- <th><?php echo htmlspecialchars(xl('Patient Setting'), ENT_NOQUOTES); ?></th>
- <th style="left-margin:1em;"><?php echo htmlspecialchars(xl('Practice Default Setting'), ENT_NOQUOTES); ?></th>
+ <th><?php echo xlt('Patient Setting'); ?></th>
+ <th style="left-margin:1em;"><?php echo xlt('Practice Default Setting'); ?></th>
  </tr>
  <?php foreach ($plans_default as $plan) { ?>
  <?php
@@ -111,24 +111,20 @@
  $select = "default";
  }
  } ?>
- <select class="plan_show" name="<?php echo htmlspecialchars($plan['id'], ENT_NOQUOTES); ?>">
- <option value="default" <?php if ($select == "default") {
- echo "selected";
-} ?>><?php echo htmlspecialchars(xl('Default'), ENT_NOQUOTES); ?></option>
- <option value="on" <?php if ($select == "on") {
- echo "selected";
-} ?>><?php echo htmlspecialchars(xl('On'), ENT_NOQUOTES); ?></option>
- <option value="off" <?php if ($select == "off") {
- echo "selected";
-} ?>><?php echo htmlspecialchars(xl('Off'), ENT_NOQUOTES); ?></option>
+ <select class="plan_show" name="<?php echo attr($plan['id']); ?>">
+ <option value="default" <?php echo ($select == "default") ? "selected" : ""; ?>><?php echo xlt('Default'); ?></option>
+ <option value="on" <?php echo ($select == "on") ? "selected" : ""; ?>><?php echo xlt('On'); ?></option>
+ <option value="off" <?php echo ($select == "off") ? "selected" : ""; ?>><?php echo xlt('Off'); ?></option>
  </select>
  </td>
  <td align="center" style="border-right:1px solid black;">
- <?php if ($plan['normal_flag'] == "1") {
- echo htmlspecialchars(xl('On'), ENT_NOQUOTES);
-} else {
- echo htmlspecialchars(xl('Off'), ENT_NOQUOTES);
-} ?>
+ <?php
+ if ($plan['normal_flag'] == "1") {
+ echo xlt('On');
+ } else {
+ echo xlt('Off');
+ }
+ ?>
  </td>
  </tr>
  <?php } ?>
@@ -137,15 +133,15 @@
  <br>
  <table>
  <tr>
- <th rowspan="2"><?php echo htmlspecialchars(xl('Rule'), ENT_NOQUOTES); ?></th>
- <th colspan="2"><?php echo htmlspecialchars(xl('Passive Alert'), ENT_NOQUOTES); ?></th>
- <th colspan="2"><?php echo htmlspecialchars(xl('Active Alert'), ENT_NOQUOTES); ?></th>
+ <th rowspan="2"><?php echo xlt('Rule'); ?></th>
+ <th colspan="2"><?php echo xlt('Passive Alert'); ?></th>
+ <th colspan="2"><?php echo xlt('Active Alert'); ?></th>
  </tr>
  <tr>
- <th><?php echo htmlspecialchars(xl('Patient Setting'), ENT_NOQUOTES); ?></th>
- <th style="left-margin:1em;"><?php echo htmlspecialchars(xl('Practice Default Setting'), ENT_NOQUOTES); ?></th>
- <th><?php echo htmlspecialchars(xl('Patient Setting'), ENT_NOQUOTES); ?></th>
- <th style="left-margin:1em;"><?php echo htmlspecialchars(xl('Practice Default Setting'), ENT_NOQUOTES); ?></th>
+ <th><?php echo xlt('Patient Setting'); ?></th>
+ <th style="left-margin:1em;"><?php echo xlt('Practice Default Setting'); ?></th>
+ <th><?php echo xlt('Patient Setting'); ?></th>
+ <th style="left-margin:1em;"><?php echo xlt('Practice Default Setting'); ?></th>
  </tr>
  <?php foreach ($rules_default as $rule) { ?>
  <tr>
@@ -165,24 +161,20 @@
  $select = "default";
  }
  } ?>
- <select class="passive_alert" name="<?php echo htmlspecialchars($rule['id'], ENT_NOQUOTES); ?>">
- <option value="default" <?php if ($select == "default") {
- echo "selected";
-} ?>><?php echo htmlspecialchars(xl('Default'), ENT_NOQUOTES); ?></option>
- <option value="on" <?php if ($select == "on") {
- echo "selected";
-} ?>><?php echo htmlspecialchars(xl('On'), ENT_NOQUOTES); ?></option>
- <option value="off" <?php if ($select == "off") {
- echo "selected";
-} ?>><?php echo htmlspecialchars(xl('Off'), ENT_NOQUOTES); ?></option>
+ <select class="passive_alert" name="<?php echo attr($rule['id']); ?>">
+ <option value="default" <?php echo ($select == "default") ? "selected" : ""; ?>><?php echo xlt('Default'); ?></option>
+ <option value="on" <?php echo ($select == "on") ? "selected" : ""; ?>><?php echo xlt('On'); ?></option>
+ <option value="off" <?php echo ($select == "off") ? "selected" : ""; ?>><?php echo xlt('Off'); ?></option>
  </select>
  </td>
  <td align="center" style="border-right:1px solid black;">
- <?php if ($rule['passive_alert_flag'] == "1") {
- echo htmlspecialchars(xl('On'), ENT_NOQUOTES);
-} else {
- echo htmlspecialchars(xl('Off'), ENT_NOQUOTES);
-} ?>
+ <?php
+ if ($rule['passive_alert_flag'] == "1") {
+ echo xlt('On');
+ } else {
+ echo xlt('Off');
+ }
+ ?>
  </td>
  <td align="center">
  <?php
@@ -198,24 +190,20 @@
  $select = "default";
  }
  } ?>
- <select class="active_alert" name="<?php echo htmlspecialchars($rule['id'], ENT_NOQUOTES); ?>">
- <option value="default" <?php if ($select == "default") {
- echo "selected";
-} ?>><?php echo htmlspecialchars(xl('Default'), ENT_NOQUOTES); ?></option>
- <option value="on" <?php if ($select == "on") {
- echo "selected";
-} ?>><?php echo htmlspecialchars(xl('On'), ENT_NOQUOTES); ?></option>
- <option value="off" <?php if ($select == "off") {
- echo "selected";
-} ?>><?php echo htmlspecialchars(xl('Off'), ENT_NOQUOTES); ?></option>
+ <select class="active_alert" name="<?php echo attr($rule['id']); ?>">
+ <option value="default" <?php echo ($select == "default") ? "selected" : ""; ?>><?php echo xlt('Default'); ?></option>
+ <option value="on" <?php echo ($select == "on") ? "selected" : ""; ?>><?php echo xlt('On'); ?></option>
+ <option value="off" <?php echo ($select == "off") ? "selected" : ""; ?>><?php echo xlt('Off'); ?></option>
  </select>
  </td>
  <td align="center">
- <?php if ($rule['active_alert_flag'] == "1") {
- echo htmlspecialchars(xl('On'), ENT_NOQUOTES);
-} else {
- echo htmlspecialchars(xl('Off'), ENT_NOQUOTES);
-} ?>
+ <?php
+ if ($rule['active_alert_flag'] == "1") {
+ echo xlt('On');
+ } else {
+ echo xlt('Off');
+ }
+ ?>
  </td>
  </tr>
  <?php } ?>
@@ -235,7 +223,8 @@
  rule: this.name,
  type: 'passive_alert',
  setting: this.value,
- patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>'
+ patient_id: <?php echo js_escape($patient_id); ?>,
+ csrf_token_form: <?php echo js_escape(collectCsrfToken()); ?>
  });
  });
 
@@ -245,7 +234,8 @@
  rule: this.name,
  type: 'active_alert',
  setting: this.value,
- patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>'
+ patient_id: <?php echo js_escape($patient_id); ?>,
+ csrf_token_form: <?php echo js_escape(collectCsrfToken()); ?>
  });
  });
 
@@ -255,7 +245,8 @@
  plan: this.name,
  type: 'normal',
  setting: this.value,
- patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>'
+ patient_id: <?php echo js_escape($patient_id); ?>,
+ csrf_token_form: <?php echo js_escape(collectCsrfToken()); ?>
  });
  });
 
@@ -270,7 +261,7 @@ function refreshme() {
  e.preventDefault();e.stopPropagation();
  dlgopen('', '', 800, 200, '', '', {
  buttons: [
- {text: '<?php echo xla('Close'); ?>', close: true, style: 'default btn-sm'}
+ {text: <?php echo xlj('Close'); ?>, close: true, style: 'default btn-sm'}
  ],
  onClosed: 'refreshme',
  allowResize: true,