search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
xss patient name vulnerability fix contributed by Andrew Moore
[openemr.git] / interface / patient_file / encounter / forms.php
blob72639bb9622d61a9c08eeb39344fbb9e4acec9e3
1 <?php
2 // This program is free software; you can redistribute it and/or
3 // modify it under the terms of the GNU General Public License
4 // as published by the Free Software Foundation; either version 2
5 // of the License, or (at your option) any later version.
6
7 require_once("../../globals.php");
8 require_once("$srcdir/forms.inc");
9 require_once("$srcdir/calendar.inc");
10 require_once("$srcdir/acl.inc");
11 require_once("$srcdir/formatting.inc.php");
12 ?>
13 <html>
14
15 <head>
16 <?php html_header_show();?>
17 <link rel="stylesheet" href="<?php echo $css_header;?>" type="text/css">
18
19 <!-- supporting javascript code -->
20 <script type="text/javascript" src="<?php echo $GLOBALS['webroot'] ?>/library/js/jquery.js"></script>
21
22 <script type="text/javascript" src="<?php echo $GLOBALS['webroot'] ?>/library/dialog.js"></script>
23
24
25
26 <link rel="stylesheet" href="<?php echo $css_header;?>" type="text/css">
27 <link rel="stylesheet" type="text/css" href="../../../library/js/fancybox/jquery.fancybox-1.2.6.css" media="screen" />
28 <style type="text/css">@import url(../../../library/dynarch_calendar.css);</style>
29 <script type="text/javascript" src="../../../library/textformat.js"></script>
30 <script type="text/javascript" src="../../../library/dynarch_calendar.js"></script>
31 <?php include_once("{$GLOBALS['srcdir']}/dynarch_calendar_en.inc.php"); ?>
32 <script type="text/javascript" src="../../../library/dynarch_calendar_setup.js"></script>
33 <script type="text/javascript" src="../../../library/dialog.js"></script>
34 <script type="text/javascript" src="../../../library/js/jquery.1.3.2.js"></script>
35 <script type="text/javascript" src="../../../library/js/common.js"></script>
36 <script type="text/javascript" src="../../../library/js/fancybox/jquery.fancybox-1.2.6.js"></script>
37
38 <script language="JavaScript">
39
40 // Process click on Delete link.
41 function deleteme() {
42 dlgopen('../deleter.php?encounterid=<?php echo $encounter; ?>', '_blank', 500, 450);
43 return false;
44 }
45
46 // Called by the deleter.php window on a successful delete.
47 function imdeleted() {
48 <?php if ($GLOBALS['concurrent_layout']) { ?>
49 parent.parent.left_nav.clearEncounter();
50 <?php } else { ?>
51 top.restoreSession();
52 top.Title.location.href = '../patient_file/encounter/encounter_title.php';
53 top.Main.location.href = '../patient_file/encounter/patient_encounter.php?mode=new';
54 <?php } ?>
55 }
56
57 </script>
58
59 <script language="javascript">
60 function expandcollapse(atr){
61 if(atr == "expand") {
62 for(i=1;i<15;i++){
63 var mydivid="divid_"+i;var myspanid="spanid_"+i;
64 var ele = document.getElementById(mydivid); var text = document.getElementById(myspanid);
65 ele.style.display = "block";text.innerHTML = "<?php xl('Collapse','e'); ?>";
66 }
67 }
68 else {
69 for(i=1;i<15;i++){
70 var mydivid="divid_"+i;var myspanid="spanid_"+i;
71 var ele = document.getElementById(mydivid); var text = document.getElementById(myspanid);
72 ele.style.display = "none"; text.innerHTML = "<?php xl('Expand','e'); ?>";
73 }
74 }
75
76 }
77
78 function divtoggle(spanid, divid) {
79 var ele = document.getElementById(divid);
80 var text = document.getElementById(spanid);
81 if(ele.style.display == "block") {
82 ele.style.display = "none";
83 text.innerHTML = "<?php xl('Expand','e'); ?>";
84 }
85 else {
86 ele.style.display = "block";
87 text.innerHTML = "<?php xl('Collapse','e'); ?>";
88 }
89 }
90 </script>
91
92 <style type="text/css">
93 div.tab {
94 min-height: 50px;
95 padding:8px;
96 }
97
98 div.form_header_controls {
99 float:left;margin-bottom:2px;
100 }
101
102 div.form_header {
103 float:left;
104 margin-left:6px;
105 }
106 </style>
107
108 </head>
109
110 <body class="body_top">
111
112 <div id="encounter_forms">
113
114
115 <?php
116 $dateres = getEncounterDateByEncounter($encounter);
117 $encounter_date = date("Y-m-d",strtotime($dateres["date"]));
118 ?>
119
120 <div style='float:left'>
121 <span class="title"><?php echo oeFormatShortDate($encounter_date) . " " . xl("Encounter"); ?> </span>
122 <?php
123 $auth_notes_a = acl_check('encounters', 'notes_a');
124 $auth_notes = acl_check('encounters', 'notes');
125 $auth_relaxed = acl_check('encounters', 'relaxed');
126
127 if (is_numeric($pid)) {
128 // Check for no access to the patient's squad.
129 $result = getPatientData($pid, "fname,lname,squad");
130 echo htmlspecialchars( xl('for','',' ',' ') . $result['fname'] . " " . $result['lname'] );
131 if ($result['squad'] && ! acl_check('squads', $result['squad'])) {
132 $auth_notes_a = $auth_notes = $auth_relaxed = 0;
133 }
134 // Check for no access to the encounter's sensitivity level.
135 $result = sqlQuery("SELECT sensitivity FROM form_encounter WHERE " .
136 "pid = '$pid' AND encounter = '$encounter' LIMIT 1");
137 if ($result['sensitivity'] && !acl_check('sensitivities', $result['sensitivity'])) {
138 $auth_notes_a = $auth_notes = $auth_relaxed = 0;
139 }
140 }
141 ?>
142 </div>
143 <div style='float:left;margin-left:10px'>
144 <?php if (acl_check('admin', 'super')) { ?>
145 <a href='toggledivs(this.id,this.id);' class='css_button' onclick='return deleteme()'><span><?php echo xl('Delete') ?></span></a>
146 &nbsp;&nbsp;&nbsp;<a href="#" onClick='expandcollapse("expand");' style="font-size:80%;"><?php xl('Expand All','e'); ?></a>
147 &nbsp;&nbsp;&nbsp;<a style="font-size:80%;" href="#" onClick='expandcollapse("collapse");'><?php xl('Collapse All','e'); ?></a>
148 <?php } ?>
149 </div>
150 <br/>
151 <br/>
152
153 <?php
154 if ($result = getFormByEncounter($pid, $encounter, "id, date, form_id, form_name, formdir, user, deleted")) {
155 echo "<table width='100%' id='partable'>";
156 $divnos=1;
157 foreach ($result as $iter) {
158 $formdir = $iter['formdir'];
159
160 // skip forms whose 'deleted' flag is set to 1
161 if ($iter['deleted'] == 1) continue;
162
163 // Skip forms that we are not authorized to see.
164 if (($auth_notes_a) ||
165 ($auth_notes && $iter['user'] == $_SESSION['authUser']) ||
166 ($auth_relaxed && ($formdir == 'sports_fitness' || $formdir == 'podiatry'))) ;
167 else continue;
168
169 // $form_info = getFormInfoById($iter['id']);
170 if (strtolower(substr($iter['form_name'],0,5)) == 'camos') {
171 //CAMOS generates links from report.php and these links should
172 //be clickable without causing view.php to come up unexpectedly.
173 //I feel that the JQuery code in this file leading to a click
174 //on the report.php content to bring up view.php steps on a
175 //form's autonomy to generate it's own html content in it's report
176 //but until any other form has a problem with this, I will just
177 //make an exception here for CAMOS and allow it to carry out this
178 //functionality for all other forms. --Mark
179 echo '<tr title="' . xl('Edit form') . '" '.
180 'id="'.$formdir.'~'.$iter['form_id'].'">';
181 } else {
182 echo '<tr title="' . xl('Edit form') . '" '.
183 'id="'.$formdir.'~'.$iter['form_id'].'" class="text onerow">';
184 }
185 $user = getNameFromUsername($iter['user']);
186
187 $form_name = ($formdir == 'newpatient') ? xl('Patient Encounter') : xl_form_title($iter['form_name']);
188
189 echo "<tr>";
190 echo "<td style='border-bottom:1px solid'>";
191 // a link to edit the form
192 echo "<div class='form_header_controls'>";
193 echo "<a target='".
194 ($GLOBALS['concurrent_layout'] ? "_parent" : "Main") .
195 "' href='$rootdir/patient_file/encounter/view_form.php?" .
196 "formname=" . $formdir . "&id=" . $iter['form_id'] .
197 "' onclick='top.restoreSession()' class='css_button_small'><span>" . xl('Edit') . "</span></a>";
198
199 if (acl_check('admin', 'super') ) {
200 if ( $formdir != 'newpatient') {
201 // a link to delete the form from the encounter
202 echo "<a target='".
203 ($GLOBALS['concurrent_layout'] ? "_parent" : "Main") .
204 "' href='$rootdir/patient_file/encounter/delete_form.php?" .
205 "formname=" . $formdir .
206 "&id=" . $iter['id'] .
207 "&encounter=". $encounter.
208 "&pid=".$pid.
209 "' class='css_button_small' title='" . xl('Delete this form') . "' onclick='top.restoreSession()'><span>" . xl('Delete') . "</span></a>";
210 } else {
211 ?><a href='javascript:;' class='css_button_small' style='color:gray'><span><?php xl('Delete','e'); ?></span></a><?php
212 }
213 }
214
215 echo "<div class='form_header'>";
216 echo "<a href='#' onclick='divtoggle(\"spanid_$divnos\",\"divid_$divnos\");' class='small' id='aid_$divnos'><b>$form_name</b> <span class='text'>by " . htmlspecialchars( $user['fname'] . " " . $user['lname'] ) . "</span> (<span id=spanid_$divnos class=\"indicator\">" . xl('Collapse') . "</span>)</a></div>";
217 echo "</td>\n";
218 echo "</tr>";
219 echo "<tr>";
220 echo "<td valign='top' class='formrow'><div class='tab' id='divid_$divnos' style='display:block'>";
221
222 // Use the form's report.php for display. Forms with names starting with LBF
223 // are list-based forms sharing a single collection of code.
224 //
225 if (substr($formdir,0,3) == 'LBF') {
226 include_once($GLOBALS['incdir'] . "/forms/LBF/report.php");
227 call_user_func("lbf_report", $pid, $encounter, 2, $iter['form_id'], $formdir);
228 }
229 else {
230 include_once($GLOBALS['incdir'] . "/forms/$formdir/report.php");
231 call_user_func($formdir . "_report", $pid, $encounter, 2, $iter['form_id']);
232 }
233
234 echo "</div></td></tr>";
235 $divnos=$divnos+1;
236 }
237 echo "</table>";
238 }
239 ?>
240
241 <?php if ($GLOBALS['athletic_team'] && $GLOBALS['concurrent_layout'] == 2) { ?>
242 <script language='JavaScript'>
243 // If this is the top frame then show the encounters list in the bottom frame.
244 var n = parent.parent.left_nav;
245 var nf = n.document.forms[0];
246 if (parent.window.name == 'RTop' && nf.cb_bot.checked) {
247 var othername = 'RBot';
248 n.setRadio(othername, 'ens');
249 n.loadFrame('ens1', othername, 'patient_file/history/encounters.php');
250 }
251 </script>
252 <?php } ?>
253
254 </div> <!-- end large encounter_forms DIV -->
255 </body>
256
257 <script language="javascript">
258 // jQuery stuff to make the page a little easier to use
259
260 $(document).ready(function(){
261 $(".save").click(function() { top.restoreSession(); document.my_form.submit(); });
262 $(".dontsave").click(function() { location.href='<?php echo "$rootdir/patient_file/encounter/$returnurl";?>'; });
263
264 $(".onerow").mouseover(function() { $(this).toggleClass("highlight"); });
265 $(".onerow").mouseout(function() { $(this).toggleClass("highlight"); });
266 $(".onerow").click(function() { GotoForm(this); });
267
268 // $(".deleteme").click(function(evt) { deleteme(); evt.stopPropogation(); });
269
270 var GotoForm = function(obj) {
271 var parts = $(obj).attr("id").split("~");
272 top.restoreSession();
273 <?php if ($GLOBALS['concurrent_layout']): ?>
274 parent.location.href = "<?php echo $rootdir; ?>/patient_file/encounter/view_form.php?formname="+parts[0]+"&id="+parts[1];
275 <?php else: ?>
276 top.Main.location.href = "<?php echo $rootdir; ?>/patient_file/encounter/view_form.php?formname="+parts[0]+"&id="+parts[1];
277 <?php endif; ?>
278 }
279 });
280
281 </script>
282
283 </html>
Mirror of official OpenEMR Sourceforge repository