Merge branch 'master' of https://github.com/openemr/openemr into weno…

…_last_minute

* 'master' of https://github.com/openemr/openemr:
  escape strings - brady's comment on pr openemr#7359 (openemr#7400)
  Added fix for zip bomb (openemr#7407)
  Phantom date showing at the top of all reports. (openemr#7433)
  feat: show collection balance in billing widget (openemr#7454)

interface/patient_file/history/encounters.php

@@ -314,7 +314,7 @@ function changePageSize() {
  $name = getPatientNameFirstLast($pid);
  $dob = text(oeFormatShortDate(getPatientData($pid, "DOB")['DOB']));
  $external_id = getPatientData($pid, "pubpid")['pubpid'];
- echo $name . " (" . $external_id . ")" . "    DOB: " . $dob ;
+ echo text($name) . " (" . text($external_id) . ")" . "    DOB: " . $dob ;
  }
  ?>
  </span>

interface/patient_file/report/custom_report.php

@@ -782,9 +782,10 @@ function zip_content($source, $destination, $content = '', $create = true)
  echo "<div class='text encounter_form'>";
  echo "<h4>" . text(xl_form_title($formres["form_name"])) . "</h4>";
  }
-
+ if (!empty($dateres['date'])) {
  // show the encounter's date
- echo "(" . text(oeFormatSDFT(strtotime($dateres["date"]))) . ") ";
+ echo "(" . text(oeFormatSDFT(strtotime($dateres["date"]))) . ") ";
+ }
  if ($res[1] == 'newpatient') {
  // display the provider info
  echo ' ' . xlt('Provider') . ': ' . text(getProviderName(getProviderIdOfEncounter($form_encounter)));

interface/super/manage_document_templates.php

@@ -99,8 +99,32 @@
  die(xlt('Cannot determine a destination filename'));
  }
  $path_parts = pathinfo($form_dest_filename);
- if (!in_array(strtolower($path_parts['extension'] ?? ''), array('odt', 'txt', 'docx', 'zip'))) {
- die(text(strtolower($path_parts['extension'] ?? '')) . ' ' . xlt('filetype is not accepted'));
+ $extension = strtolower($path_parts['extension'] ?? '');
+
+ if (!in_array($extension, array('odt', 'txt', 'docx', 'zip'))) {
+ die(text($extension) . ' ' . xlt('filetype is not accepted'));
+ }
+
+ // Check if the uploaded file is a zip file
+ if ($extension === 'zip') {
+ $maxZipSize = 1048576; // 1 MB (adjust the size as needed)
+ if ($_FILES['form_file']['size'] > $maxZipSize) {
+ die(xlt('Zip file size exceeds the maximum allowed size'));
+ }
+
+ // Check for nested zip files
+ $zip = new ZipArchive;
+ if ($zip->open($tmp_name) === true) {
+ for ($i = 0; $i < $zip->numFiles; $i++) {
+ $nestedFile = $zip->getNameIndex($i);
+ if (pathinfo($nestedFile, PATHINFO_EXTENSION) === 'zip') {
+ die(xlt('Nested zip files are not allowed'));
+ }
+ }
+ $zip->close();
+ } else {
+ die(xlt('Failed to open the zip file'));
+ }
  }
 
  $templatepath = "$templatedir/$form_dest_filename";

library/patient.inc.php

@@ -1598,7 +1598,7 @@ function getAllinsurances($pid)
  * @param int Optional encounter id. If value is passed, will fetch only bills from specified encounter.
  * @return number The balance.
  */
-function get_patient_balance($pid, $with_insurance = false, $eid = false)
+function get_patient_balance($pid, $with_insurance = false, $eid = false, $in_collection = false)
 {
  $balance = 0;
  $bindarray = array($pid);
@@ -1609,6 +1609,11 @@ function get_patient_balance($pid, $with_insurance = false, $eid = false)
  $sqlstatement .= " AND encounter = ?";
  array_push($bindarray, $eid);
  }
+
+ if ($in_collection) {
+ $sqlstatement .= " AND in_collection = ?";
+ array_push($bindarray, 1);
+ }
  $feres = sqlStatement($sqlstatement, $bindarray);
  while ($ferow = sqlFetchArray($feres)) {
  $encounter = $ferow['encounter'];
@@ -1641,10 +1646,16 @@ function get_patient_balance($pid, $with_insurance = false, $eid = false)
  $balance += $ptbal;
  }
  } else {
- // Including insurance or not out to insurance, everything is due.
- $brow = sqlQuery("SELECT SUM(fee) AS amount FROM billing WHERE " .
- "pid = ? AND encounter = ? AND " .
- "activity = 1", array($pid, $encounter));
+ if (!$with_insurance && $ferow['last_level_closed'] >= $inscount && $in_collection) {
+ $brow = sqlQuery("SELECT SUM(fee) AS amount FROM billing WHERE " .
+ "pid = ? AND encounter = ? AND " .
+ "activity = 1", array($pid, $encounter));
+ } else {
+ // Including insurance or not out to insurance, everything is due.
+ $brow = sqlQuery("SELECT SUM(fee) AS amount FROM billing WHERE " .
+ "pid = ? AND encounter = ? AND " .
+ "activity = 1", array($pid, $encounter));
+ }
  $drow = sqlQuery("SELECT SUM(pay_amount) AS payments, " .
  "SUM(adj_amount) AS adjustments FROM ar_activity WHERE " .
  "deleted IS NULL AND pid = ? AND encounter = ?", array($pid, $encounter));

src/Patient/Cards/BillingViewCard.php

@@ -67,6 +67,7 @@ private function setupBillingData()
  $insurancebalance = get_patient_balance($pid, true) - $patientbalance;
  $totalbalance = $patientbalance + $insurancebalance;
  $unallocated_amt = get_unallocated_patient_balance($pid);
+ $collectionbalance = get_patient_balance($pid, false, false, true);
 
  $id = self::CARD_ID . "_ps_expand";
  $dispatchResult = $ed->dispatch(new RenderEvent('billing'), RenderEvent::EVENT_HANDLE);
@@ -79,6 +80,7 @@ private function setupBillingData()
  'patientBalance' => $patientbalance,
  'insuranceBalance' => $insurancebalance,
  'totalBalance' => $totalbalance,
+ 'collectionBalance' => $collectionbalance,
  'unallocated' => $unallocated_amt,
  'forceAlwaysOpen' => $forceBillingExpandAlways,
  'prependedInjection' => $dispatchResult->getPrependedInjection(),

templates/patient/card/billing.html.twig

@@ -22,6 +22,13 @@
  </div>
  {% endif %}
 
+ {% if collectionBalance > 0 %}
+ <div class="row alert-danger">
+ <div class="col-4">{{ "Collection Balance"|xlt }}</div>
+ <div class="col">{{ collectionBalance|money|text }}</font></div>
+ </div>
+ {% endif %}
+
  {% if billingNote %}
  <div class="row">
  <div class="col-4">{{ "Billing Note"|xlt }}</div>