";
- print "
".xl('Billing Information').":
";
+ print "
".xlt('Billing Information').":
";
if (!empty($ar['newpatient']) && count($ar['newpatient']) > 0) {
$billings = array();
echo "
";
- echo "Code | ".xl('Fee')." |
\n";
+ echo "".xlt('Code')." | ".xlt('Fee')." |
\n";
$total = 0.00;
$copays = 0.00;
foreach ($ar['newpatient'] as $be) {
@@ -428,10 +428,10 @@ function postToGet($arin)
foreach ($billing as $b) {
echo "\n";
echo "";
- echo $b['code_type'] . ":\t" . $b['code'] . " ". $b['modifier'] . " " . htmlspecialchars($b['code_text']) . " ";
+ echo text($b['code_type']) . ":\t" . text($b['code']) . " ". text($b['modifier']) . " " . text($b['code_text']) . " ";
echo " | \n";
echo "";
- echo oeFormatMoney($b['fee']);
+ echo text(oeFormatMoney($b['fee']));
echo " | \n";
echo "
\n";
$total += $b['fee'];
@@ -442,9 +442,9 @@ function postToGet($arin)
}
echo " |
";
- echo "".xl('Sub-Total')." | " . oeFormatMoney($total + abs($copays)) . " |
";
- echo "".xl('Paid')." | " . oeFormatMoney(abs($copays)) . " |
";
- echo "".xl('Total')." | " . oeFormatMoney($total) . " |
";
+ echo "".xlt('Sub-Total')." | " . text(oeFormatMoney($total + abs($copays))) . " |
";
+ echo "".xlt('Paid')." | " . text(oeFormatMoney(abs($copays))) . " |
";
+ echo "".xlt('Total')." | " . text(oeFormatMoney($total)) . " |
";
echo "
";
echo "
";
//print_r($billings);
@@ -477,29 +477,29 @@ function postToGet($arin)
if (acl_check('patients', 'med')) {
echo "
";
echo "\n";
- print "
".xl('Patient Immunization').":
";
+ print "
" . xlt('Patient Immunization') . ":
";
$sql = "select i1.immunization_id, i1.administered_date, substring(i1.note,1,20) as immunization_note, c.code_text_short ".
" from immunizations i1 ".
" left join code_types ct on ct.ct_key = 'CVX' ".
" left join codes c on c.code_type = ct.ct_id AND i1.cvx_code = c.code ".
- " where i1.patient_id = '$pid' and i1.added_erroneously = 0 ".
+ " where i1.patient_id = ? and i1.added_erroneously = 0 ".
" order by administered_date desc";
- $result = sqlStatement($sql);
+ $result = sqlStatement($sql, array($pid));
while ($row=sqlFetchArray($result)) {
// Figure out which name to use (ie. from cvx list or from the custom list)
if ($GLOBALS['use_custom_immun_list']) {
$vaccine_display = generate_display_field(array('data_type'=>'1','list_id'=>'immunizations'), $row['immunization_id']);
} else {
if (!empty($row['code_text_short'])) {
- $vaccine_display = htmlspecialchars(xl($row['code_text_short']), ENT_NOQUOTES);
+ $vaccine_display = xlt($row['code_text_short']);
} else {
$vaccine_display = generate_display_field(array('data_type'=>'1','list_id'=>'immunizations'), $row['immunization_id']);
}
}
- echo $row['administered_date'] . " - " . $vaccine_display;
+ echo text($row['administered_date']) . " - " . $vaccine_display;
if ($row['immunization_note']) {
- echo " - " . $row['immunization_note'];
+ echo " - " . text($row['immunization_note']);
}
echo "
\n";
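Review bot: The `use_custom_immun_list` branch and the empty-`code_text_short` fallback still assign the result of `generate_display_field(...)` to `$vaccine_display` and echo it raw on the `echo text($row['administered_date']) . " - " . $vaccine_display;` line, while the third branch is now escaped through `xlt()`; whether `generate_display_field()` returns already-escaped HTML is not visible in this hunk and should be confirmed so that `$vaccine_display` is never emitted unescaped. If that helper returns plain text, wrapping both fallback assignments as `$vaccine_display = text(generate_display_field(...));` closes the gap. Binding `$pid` via `sqlStatement($sql, array($pid))` is the right fix for the immunization query.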
@@ -512,25 +512,25 @@ function postToGet($arin)
} elseif ($val == "batchcom") {
echo "
";
echo "
\n";
- print "
".xl('Patient Communication sent').":
";
- $sql="SELECT concat( 'Messsage Type: ', batchcom.msg_type, ', Message Subject: ', batchcom.msg_subject, ', Sent on:', batchcom.msg_date_sent ) AS batchcom_data, batchcom.msg_text, concat( users.fname, users.lname ) AS user_name FROM `batchcom` JOIN `users` ON users.id = batchcom.sent_by WHERE batchcom.patient_id='$pid'";
+ print "" . xlt('Patient Communication sent') . ":
";
+ $sql="SELECT concat( 'Messsage Type: ', batchcom.msg_type, ', Message Subject: ', batchcom.msg_subject, ', Sent on:', batchcom.msg_date_sent ) AS batchcom_data, batchcom.msg_text, concat( users.fname, users.lname ) AS user_name FROM `batchcom` JOIN `users` ON users.id = batchcom.sent_by WHERE batchcom.patient_id=?";
// echo $sql;
- $result = sqlStatement($sql);
+ $result = sqlStatement($sql, array($pid));
while ($row=sqlFetchArray($result)) {
- echo $row{'batchcom_data'}.", By: ".$row{'user_name'}."
Text:
".$row{'msg_txt'}."
\n";
+ echo text($row{'batchcom_data'}) . ", By: " . text($row{'user_name'}) . "
Text:
" . text($row{'msg_txt'}) . "
\n";
}
echo "\n";
} elseif ($val == "notes") {
echo "
";
echo "
\n";
- print "
".xl('Patient Notes').":
";
+ print "" . xlt('Patient Notes') . ":
";
printPatientNotes($pid);
echo "";
} elseif ($val == "transactions") {
echo "
";
echo "
\n";
- print "
".xl('Patient Transactions').":
";
+ print "" . xlt('Patient Transactions') . ":
";
printPatientTransactions($pid);
echo "";
}
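Review bot: The new line `" . text($row{'msg_txt'}) . "` reads a column the query never selects: the SELECT aliases `batchcom.msg_text`, so `$row{'msg_txt'}` is always an undefined index and the message body prints empty; it should be `text($row['msg_text'])`. The curly-brace offset syntax `$row{...}` carried into the new lines is deprecated as of PHP 7.4, so this rewrite is the moment to switch to `$row['...']` here and in the patient_report.php hunks at @@ -379 and @@ -408. Parameterising `batchcom.patient_id = ?` and binding `$pid` is correct.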
@@ -555,7 +555,7 @@ function postToGet($arin)
// the image_type_to_extension() is not working to identify pdf.
$extension = strtolower(substr($fname, strrpos($fname, ".")));
if ($extension != '.pdf') { // Will print pdf header within pdf import
- echo "
" . xl('Document') . " '" . $fname ."'
";
+ echo "
" . xlt('Document') . " '" . text($fname) ."'
";
}
$notes = $d->get_notes();
@@ -565,13 +565,13 @@ function postToGet($arin)
foreach ($notes as $note) {
echo '
';
- echo '' . xl('Note') . ' #' . $note->get_id() . ' | ';
+ echo '' . xlt('Note') . ' #' . text($note->get_id()) . ' | ';
echo '
';
echo '
';
- echo '' . xl('Date') . ': ' . text(oeFormatShortDate($note->get_date())) . ' | ';
+ echo '' . xlt('Date') . ': ' . text(oeFormatShortDate($note->get_date())) . ' | ';
echo '
';
echo '
';
- echo ''.$note->get_note().'
| ';
+ echo '' . text($note->get_note()) . '
| ';
echo '
';
}
@@ -625,7 +625,7 @@ function postToGet($arin)
} else {
echo "
";
+ attr_url($document_id) . "&as_file=false&original_file=true&disable_exit=false&show_original=true'>
";
}
} else {
// Most clinic documents are expected to be PDFs, and in that happy case
@@ -635,7 +635,7 @@ function postToGet($arin)
$content = getContent();
$pdf->writeHTML($content, false); // catch up with buffer.
$pdf->SetImportUse();
- $pg_header = "
" . xl('Document') . " " . $fname ."";
+ $pg_header = "
" . xlt('Document') . " " . text($fname) ."";
//$pdf->SetHTMLHeader ($pg_header,'left',false); // A header for imported doc, don't think we need but will keep.
$pagecount = $pdf->setSourceFile($from_file);
for ($i = 0; $i < $pagecount; ++$i) {
@@ -657,7 +657,7 @@ function postToGet($arin)
echo "";
} else {
if (! is_file($to_file)) {
- exec("convert -density 200 \"$from_file\" -append -resize 850 \"$to_file\"");
+ exec("convert -density 200 " . escapeshellarg($from_file) . " -append -resize 850 " . escapeshellarg($to_file));
}
if (is_file($to_file)) {
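Review bot: `escapeshellarg()` on both paths closes the shell-quoting hole, but the exit status of `exec()` is still discarded, so a failed conversion is only detected indirectly by the `is_file($to_file)` check that follows; capturing it with `exec($cmd, $output, $rc);` and treating `$rc !== 0` as failure makes the error path explicit and lets the failure be logged. Shell quoting also does not change how ImageMagick itself interprets its filename arguments, so `$from_file` and `$to_file` must remain server-generated paths rather than anything derived from user input — where they come from is not visible in this hunk, so that is worth confirming. The enclosing block continues outside the hunk.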
@@ -665,10 +665,10 @@ function postToGet($arin)
// OK to link to the image file because it will be accessed by the mPDF parser and not the browser.
echo "
";
} else {
- echo "
";
+ echo "
";
}
} else {
- echo "
NOTE: " . xl('Document') . "'" . $fname . "' " . xl('cannot be converted to JPEG. Perhaps ImageMagick is not installed?') . "
";
+ echo "
NOTE: " . xlt('Document') . "'" . text($fname) . "' " . xlt('cannot be converted to JPEG. Perhaps ImageMagick is not installed?') . "
";
if ($couch_docid && $couch_revid) {
unlink($from_file);
}
@@ -699,32 +699,32 @@ function postToGet($arin)
$prevIssueType = 'asdf1234!@#$'; // random junk so as to not match anything
$first_issue = 0;
echo "
";
- echo "
".xl("Issues")."
";
+ echo "
" . xlt("Issues") . "
";
}
preg_match('/^(.*)_(\d+)$/', $key, $res);
$rowid = $res[2];
$irow = sqlQuery("SELECT type, title, comments, diagnosis " .
- "FROM lists WHERE id = '$rowid'");
+ "FROM lists WHERE id = ?", array($rowid));
$diagnosis = $irow['diagnosis'];
if ($prevIssueType != $irow['type']) {
// output a header for each Issue Type we encounter
$disptype = $ISSUE_TYPES[$irow['type']][0];
- echo "
" . $disptype . ":
\n";
+ echo "
" . text($disptype) . ":
\n";
$prevIssueType = $irow['type'];
}
echo "
";
- echo "
" . $irow['title'] . ":";
- echo "\n";
+ echo "
" . text($irow['title']) . ":";
+ echo "\n";
// Show issue's chief diagnosis and its description:
if ($diagnosis) {
echo "
";
- echo "
[".xl('Diagnosis')."]";
+ echo "
[" . xlt('Diagnosis') . "]";
$dcodes = explode(";", $diagnosis);
foreach ($dcodes as $dcode) {
- echo "
".$dcode.": ";
- echo lookup_code_descriptions($dcode)."
\n";
+ echo "
" . text($dcode) . ": ";
+ echo text(lookup_code_descriptions($dcode)) . "
\n";
}
//echo $diagnosis." -- ".lookup_code_descriptions($diagnosis)."\n";
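Review bot: `$rowid` is now bound as a parameter, but the result of `sqlQuery("SELECT type, title, comments, diagnosis FROM lists WHERE id = ?", array($rowid))` is used without checking that a row was found: `$irow['diagnosis']` and `$irow['type']` are read unconditionally, and `$ISSUE_TYPES[$irow['type']][0]` is indexed without an `isset()` guard, so an id that no longer exists or an unknown type yields notices and an empty header rather than being skipped. An emptiness check on `$irow` right after the query and `$disptype = isset($ISSUE_TYPES[$irow['type']]) ? $ISSUE_TYPES[$irow['type']][0] : $irow['type'];` would make this robust; the enclosing loop starts outside the hunk, so the appropriate skip construct depends on it. The same unguarded lookup applies to the `lists_ippf_gcac` / `lists_ippf_con` queries in the next hunk, though `display_layout_rows()` may already tolerate an empty row.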
@@ -734,11 +734,11 @@ function postToGet($arin)
// Supplemental data for GCAC or Contraception issues.
if ($irow['type'] == 'ippf_gcac') {
echo "
\n";
- display_layout_rows('GCA', sqlQuery("SELECT * FROM lists_ippf_gcac WHERE id = '$rowid'"));
+ display_layout_rows('GCA', sqlQuery("SELECT * FROM lists_ippf_gcac WHERE id = ?", array($rowid)));
echo "
\n";
} else if ($irow['type'] == 'contraceptive') {
echo "
\n";
- display_layout_rows('CON', sqlQuery("SELECT * FROM lists_ippf_con WHERE id = '$rowid'"));
+ display_layout_rows('CON', sqlQuery("SELECT * FROM lists_ippf_con WHERE id = ?", array($rowid)));
echo "
\n";
}
@@ -760,17 +760,17 @@ function postToGet($arin)
if ($res[1] == 'newpatient') {
echo "
\n";
- echo "
" . xl($formres["form_name"]) . "
";
+ echo "
" . xlt($formres["form_name"]) . "
";
} else {
echo "
";
- echo "
" . xl_form_title($formres["form_name"]) . "
";
+ echo "
" . text(xl_form_title($formres["form_name"])) . "
";
}
// show the encounter's date
- echo "(" . oeFormatSDFT(strtotime($dateres["date"])) . ") ";
+ echo "(" . text(oeFormatSDFT(strtotime($dateres["date"]))) . ") ";
if ($res[1] == 'newpatient') {
// display the provider info
- echo ' '. xl('Provider') . ': ' . text(getProviderName(getProviderIdOfEncounter($form_encounter)));
+ echo ' '. xlt('Provider') . ': ' . text(getProviderName(getProviderIdOfEncounter($form_encounter)));
}
echo "
\n";
@@ -808,8 +808,8 @@ function postToGet($arin)
array($pid, $form_encounter)
);
while ($brow=sqlFetchArray($bres)) {
- echo "
".xl('Procedure').":
" .
- $brow['code'] . " " . htmlspecialchars($brow['code_text']) . "
\n";
+ echo "
" . xlt('Procedure') . ":
" .
+ text($brow['code']) . " " . text($brow['code_text']) . "
\n";
}
}
@@ -820,7 +820,7 @@ function postToGet($arin)
} // end $ar loop
if ($printable && ! $PDF_OUTPUT) {// Patched out of pdf 04/20/2017 sjpadgett
- echo "
" . xl('Signature') . ": _______________________________
";
+ echo "
" . xlt('Signature') . ": _______________________________
";
}
?>
@@ -845,14 +845,14 @@ function postToGet($arin)
try {
$pdf->writeHTML($content, false); // convert html
} catch (MpdfException $exception) {
- die($exception);
+ die(text($exception));
}
if ($PDF_OUTPUT == 1) {
try {
$pdf->Output($fn, $GLOBALS['pdf_output']); // D = Download, I = Inline
} catch (MpdfException $exception) {
- die($exception);
+ die(text($exception));
}
} else {
// This is the case of writing the PDF as a message to the CMS portal.
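Review bot: `die(text($exception))` on the two catch lines escapes the output for HTML but still sends `(string)$exception` to the client, which for an exception object includes the message and the full stack trace with absolute server paths; the escaping fixes the markup injection without addressing the information disclosure. Prefer logging the detail server-side and ending with a generic message, e.g. `error_log($exception); die(xlt('PDF generation failed'));` — the exact user-facing string is a project choice, and a new `xlt()` key would need an entry in the translation tables. The same change applies to both catch blocks in this hunk.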
diff --git a/interface/patient_file/report/patient_report.php b/interface/patient_file/report/patient_report.php
index 6ff94f232f4..0f5816de812 100644
--- a/interface/patient_file/report/patient_report.php
+++ b/interface/patient_file/report/patient_report.php
@@ -5,7 +5,7 @@
* @package OpenEMR
* @link http://www.open-emr.org
* @author Brady Miller
- * @copyright Copyright (c) 2017 Brady Miller
+ * @copyright Copyright (c) 2017-2018 Brady Miller
* @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
*/
@@ -130,7 +130,7 @@ function show_date_fun(){
- :
+ :
@@ -143,7 +143,7 @@ function show_date_fun(){
-
+
@@ -165,7 +165,7 @@ function show_date_fun(){
- :
+ :
@@ -197,7 +197,7 @@ function show_date_fun(){
[]
-->
-
+
@@ -264,8 +264,8 @@ function show_date_fun(){
\n";
echo " | \n";
echo " ";
- echo "$disptitle | \n";
- echo " " . $prow['begdate'];
+ echo " | " . text($prow['begdate']);
if ($prow['enddate']) {
- echo " - " . $prow['enddate'];
+ echo " - " . text($prow['enddate']);
} else {
echo " Active";
}
@@ -338,10 +338,10 @@ function show_date_fun(){
"forms.formdir, forms.date AS fdate, form_encounter.date " .
",form_encounter.reason ".
"FROM forms, form_encounter WHERE " .
- "forms.pid = '$pid' AND form_encounter.pid = '$pid' AND " .
+ "forms.pid = ? AND form_encounter.pid = ? AND " .
"form_encounter.encounter = forms.encounter " .
" AND forms.deleted=0 ". // --JRM--
- "ORDER BY form_encounter.encounter DESC, form_encounter.date DESC, fdate ASC");
+ "ORDER BY form_encounter.encounter DESC, form_encounter.date DESC, fdate ASC", array($pid, $pid));
$res2 = sqlStatement("SELECT name FROM registry ORDER BY priority");
$html_strings = array();
$registry_form_name = array();
@@ -367,9 +367,9 @@ function show_date_fun(){
$isfirst = 0;
echo "\n";
echo " ";
// show encounter reason, not just 'New Encounter'
@@ -379,8 +379,8 @@ function show_date_fun(){
// The default encoding for this mb_substr() call is set near top of globals.php
$result['reason'] = mb_substr($result['reason'], 0, $maxReasonLength) . " ... ";
}
- echo $result{"reason"}.
- " (" . date("Y-m-d", strtotime($result{"date"})) .
+ echo text($result{"reason"}) .
+ " (" . text(date("Y-m-d", strtotime($result{"date"}))) .
")\n";
echo " \n";
} else {
@@ -408,11 +408,11 @@ function show_date_fun(){
$html_strings[$form_name] = array();
}
array_push($html_strings[$form_name], " " . xl_form_title($result{"form_name"}) . " \n");
+ ">" . text(xl_form_title($result{"form_name"})) . " \n");
}
}
@@ -461,7 +461,7 @@ function show_date_fun(){
$poid = $row['procedure_order_id'];
echo " \n";
echo " " .
- " | \n";
+ " \n";
echo " " . text(oeFormatShortDate($row['date_ordered'])) . " | \n";
echo " " . text(oeFormatShortDate($row['date'])) . " | \n";
echo " ";
@@ -494,8 +494,8 @@ function show_date_fun(){
$sql = "SELECT d.id, d.url, c.name, c.aco_spec FROM documents AS d " .
"LEFT JOIN categories_to_documents AS ctd ON d.id=ctd.document_id " .
"LEFT JOIN categories AS c ON c.id = ctd.category_id WHERE " .
- "d.foreign_id = " . $db->qstr($pid);
- $result = $db->Execute($sql);
+ "d.foreign_id = ?";
+ $result = $db->Execute($sql, array($pid));
if ($db->ErrorMsg()) {
echo $db->ErrorMsg();
}
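Review bot: `echo $db->ErrorMsg();` on the context line right after the new `$db->Execute($sql, array($pid))` still writes the raw driver error to the page unescaped, which both breaks the escaping discipline this commit introduces and exposes the SQL text and schema names to the user on a failure. The parameterised `d.foreign_id = ?` binding itself is correct. Consider `error_log($db->ErrorMsg()); echo xlt('Query failed');`, or at minimum `echo text($db->ErrorMsg());`.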
@@ -503,9 +503,9 @@ function show_date_fun(){
if (empty($result->fields['aco_spec']) || acl_check_aco_spec($result->fields['aco_spec'])) {
echo "";
echo '';
- echo ' ' . xl_document_category($result->fields['name']) . "";
- echo ' ' . xl('Name') . ': ' . basename($result->fields['url']) . "";
+ attr($result->fields['id']) . '">';
+ echo ' ' . text(xl_document_category($result->fields['name'])) . "";
+ echo ' ' . xlt('Name') . ': ' . text(basename($result->fields['url'])) . "";
echo '';
}
$result->MoveNext();
@@ -524,7 +524,7 @@ function show_date_fun(){
-
+
');
+ alert();
return false;
}
}
@@ -600,7 +600,7 @@ function() {
function() {
if(document.getElementById('show_date').checked == true){
if(document.getElementById('Start').value == '' || document.getElementById('End').value == ''){
- alert('');
+ alert();
return false;
}
}
@@ -655,21 +655,26 @@ function() {
var raw = document.getElementsByName('raw');
raw[0].value = 'send '+ccrRecipient;
if(ccrRecipient=="") {
- $("#ccr_send_message").html("");
+ $("#ccr_send_message").html();
$("#ccr_send_result").show();
} else {
$(".viewCCR_transmit").attr('disabled','disabled');
- $("#ccr_send_message").html("");
+ $("#ccr_send_message").html();
$("#ccr_send_result").show();
var action=$("#ccr_form").attr('action');
- $.post(action, {ccrAction:'generate',raw:'send '+ccrRecipient,requested_by:'user'},
+ $.post(action,
+ {
+ ccrAction:'generate',
+ raw:'send '+ccrRecipient,
+ requested_by:'user'
+ },
function(data) {
if(data=="SUCCESS") {
- $("#ccr_send_message").html(" "+ccrRecipient);
+ $("#ccr_send_message").html(+ " " + ccrRecipient);
$("#ccr_send_to").val("");
} else {
$("#ccr_send_message").html(data);
@@ -694,21 +699,26 @@ function() {
var raw = document.getElementsByName('raw');
raw[0].value = 'send '+ccdRecipient;
if(ccdRecipient=="") {
- $("#ccd_send_message").html("");
+ $("#ccd_send_message").html();
$("#ccd_send_result").show();
} else {
$(".viewCCD_transmit").attr('disabled','disabled');
- $("#ccd_send_message").html("");
+ $("#ccd_send_message").html();
$("#ccd_send_result").show();
var action=$("#ccr_form").attr('action');
- $.post(action, {ccrAction:'viewccd',raw:'send '+ccdRecipient,requested_by:'user'},
+ $.post(action,
+ {
+ ccrAction:'viewccd',
+ raw:'send '+ccdRecipient,
+ requested_by:'user'
+ },
function(data) {
if(data=="SUCCESS") {
- $("#ccd_send_message").html(" "+ccdRecipient);
+ $("#ccd_send_message").html( + " " + ccdRecipient);
$("#ccd_send_to").val("");
} else {
$("#ccd_send_message").html(data);
@@ -753,7 +763,7 @@ function issueClick(issue) {
});
}
-var listId = '#' + '';
+var listId = '#' + ;
$(document).ready(function(){
$(listId).addClass("active");
});
diff --git a/interface/patient_file/rules/patient_data.php b/interface/patient_file/rules/patient_data.php
index 51383e2d46e..9ae1fc9499f 100644
--- a/interface/patient_file/rules/patient_data.php
+++ b/interface/patient_file/rules/patient_data.php
@@ -5,7 +5,7 @@
* @package OpenEMR
* @link http://www.open-emr.org
* @author Brady Miller
- * @copyright Copyright (c) 2010-2017 Brady Miller
+ * @copyright Copyright (c) 2010-2018 Brady Miller
* @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
*/
@@ -29,7 +29,7 @@
function validate(f) {
var bValid = true;
if (f.form_date.value == "") {
- alert("");
+ alert();
f.form_date.focus();
f.form_date.style.backgroundColor="red";
return false;
@@ -41,7 +41,7 @@ function validate(f) {
var now = new Date();
if ( d > now &&
f.form_complete.value == "YES" ) {
- alert("");
+ alert();
f.form_date.focus();
f.form_date.style.backgroundColor="red";
return false;
@@ -82,16 +82,20 @@ function submitme() {
// Ensure user is authorized
if (!acl_check('patients', 'med')) {
- echo " (" . htmlspecialchars(xl('Not authorized'), ENT_NOQUOTES) . ") \n";
+ echo "(" . xlt('Not authorized') . ") \n";
echo "\n\n";
exit();
}
if ($_POST['form_complete']) {
- // Save that form as a row in rule_patient_data table
- // and then close the window/modul.
+ if (!verifyCsrfToken($_POST["csrf_token_form"])) {
+ csrfNotVerified();
+ }
+
+ // Save that form as a row in rule_patient_data table
+ // and then close the window/modul.
- // Collect and trim variables
+ // Collect and trim variables
if (isset($_POST['form_entryID'])) {
$form_entryID = trim($_POST['form_entryID']);
}
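Review bot: The new CSRF check reads `$_POST["csrf_token_form"]` directly, so a request that omits the field raises an undefined-index notice before `verifyCsrfToken()` can reject it; `if (!verifyCsrfToken(isset($_POST['csrf_token_form']) ? $_POST['csrf_token_form'] : '')) {` keeps the rejection while avoiding the notice, assuming the helper treats an empty token as invalid (worth confirming). The check is also nested under `if ($_POST['form_complete'])` rather than applied to every POST, which is fine only if no other write path exists in this handler — the remainder of it is outside the hunk, so that should be verified. The condition `$_POST['form_complete']` has the same undefined-index issue on a GET request, though that predates this change.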
@@ -113,7 +117,7 @@ function submitme() {
"WHERE `id`=?", array($form_date,$form_complete,$form_result,$form_entryID));
}
- // Close this window and refresh the patient summary display.
+ // Close this window and refresh the patient summary display.
echo "\n\n | | | |