search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
xss patient name vulnerability fix contributed by Andrew Moore
[openemr.git] / interface / patient_file / summary / pnotes_full.php
blob3471b1064b53ed4ab9afb67d29f004e6f1cd5487
1 <?php
2 // This program is free software; you can redistribute it and/or
3 // modify it under the terms of the GNU General Public License
4 // as published by the Free Software Foundation; either version 2
5 // of the License, or (at your option) any later version.
6
7 require_once("../../globals.php");
8 require_once("$srcdir/pnotes.inc");
9 require_once("$srcdir/patient.inc");
10 require_once("$srcdir/acl.inc");
11 require_once("$srcdir/log.inc");
12 require_once("$srcdir/options.inc.php");
13 require_once("$srcdir/classes/Document.class.php");
14 require_once("$srcdir/gprelations.inc.php");
15 require_once("$srcdir/formatting.inc.php");
16
17 if ($GLOBALS['concurrent_layout'] && $_GET['set_pid']) {
18 require_once("$srcdir/pid.inc");
19 setpid($_GET['set_pid']);
20 }
21
22 // Check authorization.
23 $thisauth = acl_check('patients', 'notes');
24 if ($thisauth != 'write' && $thisauth != 'addonly')
25 die(xl('Not authorized'));
26 $tmp = getPatientData($pid, "squad");
27 if ($tmp['squad'] && ! acl_check('squads', $tmp['squad']))
28 die(xl('Not authorized for this squad.'));
29
30 //the number of records to display per screen
31 $N = 25;
32
33 $mode = $_REQUEST['mode'];
34 $offset = $_REQUEST['offset'];
35 $form_active = $_REQUEST['form_active'];
36 $form_inactive = $_REQUEST['form_inactive'];
37 $noteid = $_REQUEST['noteid'];
38 $form_doc_only = isset($_POST['mode']) ? (empty($_POST['form_doc_only']) ? 0 : 1) : 1;
39
40 if (!isset($offset)) $offset = 0;
41
42 // if (!isset($active)) $active = "all";
43
44 $active = 'all';
45 if ($form_active) {
46 if (!$form_inactive) $active = '1';
47 }
48 else {
49 if ($form_inactive)
50 $active = '0';
51 else
52 $form_active = $form_inactive = '1';
53 }
54
55 // form parameter docid can be passed to restrict the display to a document.
56 $docid = empty($_REQUEST['docid']) ? 0 : 0 + $_REQUEST['docid'];
57
58 // this code handles changing the state of activity tags when the user updates
59 // them through the interface
60 if (isset($mode)) {
61 if ($mode == "update") {
62 foreach ($_POST as $var => $val) {
63 if (strncmp($var, 'act', 3) == 0) {
64 $id = str_replace("act", "", $var);
65 if ($_POST["chk$id"]) {
66 reappearPnote($id);
67 } else {
68 disappearPnote($id);
69 }
70 if ($docid) {
71 setGpRelation(1, $docid, 6, $id, !empty($_POST["lnk$id"]));
72 }
73 }
74 }
75 }
76 elseif ($mode == "new") {
77 $note = $_POST['note'];
78 // The subroutine will do its own addslashes().
79 if (get_magic_quotes_gpc()) $note = stripslashes($note);
80 if ($noteid) {
81 updatePnote($noteid, $note, $_POST['form_note_type'], $_POST['assigned_to']);
82 $noteid = '';
83 }
84 else {
85 addPnote($pid, $note, $userauthorized, '1', $_POST['form_note_type'],
86 $_POST['assigned_to']);
87 }
88 }
89 elseif ($mode == "delete") {
90 if ($noteid) {
91 deletePnote($noteid);
92 newEvent("delete", $_SESSION['authUser'], $_SESSION['authProvider'], 1, "pnotes: id ".$noteid);
93 }
94 $noteid = '';
95 }
96 }
97
98 $title = '';
99 $assigned_to = $_SESSION['authUser'];
100 if ($noteid) {
101 $prow = getPnoteById($noteid, 'title,assigned_to,body');
102 $title = $prow['title'];
103 $assigned_to = $prow['assigned_to'];
104 }
105
106 // Get the users list. The "Inactive" test is a kludge, we should create
107 // a separate column for this.
108 $ures = sqlStatement("SELECT username, fname, lname FROM users " .
109 "WHERE username != '' AND active = 1 AND " .
110 "( info IS NULL OR info NOT LIKE '%Inactive%' ) " .
111 "ORDER BY lname, fname");
112
113 //retrieve all notes
114 $result = getPnotesByDate("", $active, 'id,date,body,user,activity,title,assigned_to',
115 $pid, $N, $offset);
116 ?>
117
118 <html>
119 <head>
120 <?php html_header_show();?>
121
122 <link rel='stylesheet' href="<?php echo $css_header;?>" type="text/css">
123
124 <!-- supporting javascript code -->
125 <script type="text/javascript" src="<?php echo $GLOBALS['webroot'] ?>/library/js/jquery.js"></script>
126 <link rel="stylesheet" type="text/css" href="../../../library/js/fancybox/jquery.fancybox-1.2.6.css" media="screen" />
127 <script type="text/javascript" src="../../../library/dialog.js"></script>
128 <script type="text/javascript" src="../../../library/js/jquery.1.3.2.js"></script>
129 <script type="text/javascript" src="../../../library/js/common.js"></script>
130 <script type="text/javascript" src="../../../library/js/fancybox/jquery.fancybox-1.2.6.js"></script>
131 <script type="text/javascript">
132 /// todo, move this to a common library
133
134 $(document).ready(function(){
135
136 $("#dem_view").click( function() {
137 toggle( $(this), "#DEM" );
138 });
139
140 // load divs
141 $("#stats_div").load("stats.php");
142 $("#notes_div").load("pnotes_fragment.php");
143
144 // fancy box
145 enable_modals();
146 });
147
148 </script>
149 </head>
150 <body class="body_top">
151
152 <div id="pnotes"> <!-- large outer DIV -->
153
154 <form border='0' method='post' name='new_note' id="new_note" action='pnotes_full.php?docid=<?php echo $docid; ?>'>
155
156
157 <div>
158 <span class="title"><?php xl('Patient Notes','e'); ?></span>
159 </div>
160 <div style='float:left;margin-right:10px'>
161 <?php echo xl('for', 'e');?>&nbsp;<span class="title"><a href="../summary/demographics.php" onclick="top.restoreSession()"><?php echo htmlspecialchars( getPatientName($pid) ) ?></a></span>
162 </div>
163 <div>
164 <a href="pnotes_full_add.php" class="css_button iframe"><span><?php xl('Add','e'); ?></span></a>
165 <a href="demographics.php" <?php if (!$GLOBALS['concurrent_layout']) echo "target='Main'"; ?> class="css_button" onclick="top.restoreSession()">
166 <span><?php echo xl('View Patient','e');?></span>
167 </a>
168 </div>
169 <br/>
170
171 <?php
172 $title_docname = "";
173 if ($docid) {
174 $title_docname = " " . xl("linked to document") . " ";
175 $d = new Document($docid);
176 $title_docname .= $d->get_url_file();
177 }
178 ?>
179 <input type='hidden' name='mode' id="mode" value="new">
180 <input type='hidden' name='offset' id="offset" value="<?php echo $offset ?>">
181 <input type='hidden' name='form_active' id="form_active" value="<?php echo $form_active ?>">
182 <input type='hidden' name='form_inactive' id="form_inactive" value="<?php echo $form_inactive ?>">
183 <input type='hidden' name='noteid' id="noteid" value="<?php echo $noteid ?>">
184 <input type='hidden' name='form_doc_only' id="form_doc_only" value="<?php echo $form_doc_only ?>">
185 </form>
186
187
188 <?php
189 //display all of the notes for the day, as well as others that are active from previous dates, up to a certain number, $N
190 $N = 15;
191
192 $conn = $GLOBALS['adodb']['db'];
193
194 // Get the billing note if there is one.
195 $billing_note = "";
196 $colorbeg = "";
197 $colorend = "";
198 $sql = "select genericname2, genericval2 " .
199 "from patient_data where pid = '$pid' limit 1";
200 $resnote = $conn->Execute($sql);
201 if($resnote && !$resnote->EOF && $resnote->fields['genericname2'] == 'Billing') {
202 $billing_note = $resnote->fields['genericval2'];
203 $colorbeg = "<span style='color:red'>";
204 $colorend = "</span>";
205 }
206
207 //Display what the patient owes
208 $balance = get_patient_balance($pid);
209 ?>
210
211 <?php if ($billing_note || $balance ) { ?>
212
213 <div style='margin-top:3px'>
214 <table width='80%'>
215 <?php
216 if ($balance != "0") {
217 // $formatted = sprintf((xl('$').'%01.2f'), $balance);
218 $formatted = oeFormatMoney($balance);
219 echo " <tr class='text billing'>\n";
220 echo " <td>".$colorbeg.xl('Balance Due').$colorend."&nbsp;".$colorbeg.$formatted.$colorend."</td>\n";
221 echo " </tr>\n";
222 }
223
224 if ($billing_note) {
225 echo " <tr class='text billing'>\n";
226 echo " <td>".$colorbeg.xl('Billing Note').$colorend."&nbsp;".$colorbeg.$billing_note.$colorend."</td>\n";
227 echo " </tr>\n";
228 }
229 ?>
230 </table>
231 </div>
232 <br>
233 <?php } ?>
234
235 <form border='0' method='post' name='update_activity' id='update_activity'
236 action="pnotes_full.php?docid=<?php echo $docid; ?>">
237 <!-- start of previous notes DIV -->
238 <div class=pat_notes>
239 <input type='hidden' name='mode' value="update">
240 <input type='hidden' name='offset' id='noteid' value="<?php echo $offset;?>">
241 <input type='hidden' name='noteid' id='noteid' value="0">
242 <table border='0' cellpadding="1" class="text">
243 <?php if ($result != ""): ?>
244 <tr>
245 <td colspan='5' style="padding: 5px;" >
246 <a href="#" class="change_activity" ><span><?php xl('Update Active','e'); ?></span></a>
247 |
248 <a href="pnotes_full.php" class="" id='Submit'><span><?php xl('Refresh','e'); ?></span></a>
249 </td>
250 </tr></table>
251 <?php endif; ?>
252
253 <div>
254 <table border='0' cellpadding="1" class="text" width = "80%">
255 <?php
256 // display all of the notes for the day, as well as others that are active
257 // from previous dates, up to a certain number, $N
258
259 if ($result != "") {
260 echo " <tr class=showborder_head align='left'>\n";
261 echo " <th style='width:100px';>&nbsp;</th>\n";
262 echo " <th>" . xl('Active') . "&nbsp;</th>\n";
263 echo " <th>" . ($docid ? xl('Linked') : '') . "</th>\n";
264 echo " <th>" . xl('Type') . "</th>\n";
265 echo " <th>" . xl('Content') . "</th>\n";
266 echo " </tr>\n";
267
268 $result_count = 0;
269 foreach ($result as $iter) {
270 $result_count++;
271 $row_note_id = $iter['id'];
272
273 $linked = "";
274 if ($docid) {
275 if (isGpRelation(1, $docid, 6, $row_note_id)) {
276 $linked = "checked";
277 }
278 else {
279 // Skip unlinked notes if that is requested.
280 if ($form_doc_only) continue;
281 }
282 }
283
284 $body = $iter['body'];
285 if (preg_match('/^\d\d\d\d-\d\d-\d\d \d\d\:\d\d /', $body)) {
286 $body = nl2br(oeFormatPatientNote($body));
287 } else {
288 $body = oeFormatSDFT(strtotime($iter['date'])) . date(' H:i', strtotime($iter['date'])) .
289 ' (' . $iter['user'] . ') ' . nl2br(oeFormatPatientNote($body));
290 }
291
292 if ($iter{"activity"}) {
293 $checked = "checked";
294 } else {
295 $checked = "";
296 }
297
298 // highlight the row if it's been selected for updating
299 if ($_REQUEST['noteid'] == $row_note_id) {
300 echo " <tr height=20 class='noterow highlightcolor' id='$row_note_id'>\n";
301 }
302 else {
303 echo " <tr class='noterow' id='$row_note_id'>\n";
304 }
305
306
307 echo " <td><a href='pnotes_full_add.php?trigger=edit&noteid=$row_note_id' class='css_button_small iframe'><span>". xl('Edit') ."</span></a>\n";
308
309 // display, or not, a button to delete the note
310 // if the user is an admin or if they are the author of the note, they can delete it
311 $thisauth = acl_check('admin', 'super');
312 if (($iter['user'] == $_SESSION['authUser']) || ($thisauth == 'write')) {
313 echo " <a href='#' class='deletenote css_button_small' id='del$row_note_id' title='" . xl('Delete this note') . "'><span>" . xl('Delete') . "</span>\n";
314 }
315 echo " </td>\n";
316
317
318 echo " <td class='text bold'>\n";
319 echo " <input type='hidden' name='act$row_note_id' value='1' />\n";
320 echo " <input type='checkbox' name='chk$row_note_id' $checked />\n";
321 echo " </td>\n";
322
323 echo " <td class='text bold'>\n";
324 if ($docid) {
325 echo " <input type='checkbox' name='lnk$row_note_id' $linked />\n";
326 }
327 echo " </td>\n";
328
329 echo " <td class='bold notecell' id='$row_note_id'><a href='pnotes_full_add.php?trigger=edit&noteid=$row_note_id' class='iframe'>\n";
330 // Modified 6/2009 by BM to incorporate the patient notes into the list_options listings
331 echo generate_display_field(array('data_type'=>'1','list_id'=>'note_type'), $iter['title']);
332 echo " </a></td>\n";
333
334 echo " <td class='notecell' id='$row_note_id'>\n";
335 echo " $body";
336 echo " </td>\n";
337 echo " </tr>\n";
338
339 $notes_count++;
340 }
341 } else {
342 //no results
343 print "<tr><td colspan='3' class='text'>" . xl('None') . ".</td></tr>\n";
344 }
345
346 ?>
347
348 </table>
349 </div>
350 </form>
351
352 <table width='400' border='0' cellpadding='0' cellspacing='0'>
353 <tr>
354 <td>
355 <?php
356 if ($offset > ($N-1)) {
357 echo " <a class='link' href='pnotes_full.php" .
358 "?docid=$docid" .
359 "&form_active=$form_active" .
360 "&form_inactive=$form_inactive" .
361 "&form_doc_only=$form_doc_only" .
362 "&offset=" . ($offset-$N) . "' onclick='top.restoreSession()'>[" .
363 xl('Previous') . "]</a>\n";
364 }
365 ?>
366 </td>
367 <td align='right'>
368 <?php
369 if ($result_count == $N) {
370 echo " <a class='link' href='pnotes_full.php" .
371 "?docid=$docid" .
372 "&form_active=$form_active" .
373 "&form_inactive=$form_inactive" .
374 "&form_doc_only=$form_doc_only" .
375 "&offset=" . ($offset+$N) . "' onclick='top.restoreSession()'>[" .
376 xl('Next') . "]</a>\n";
377 }
378 ?>
379 </td>
380 </tr>
381 </table>
382
383 </div> <!-- close the previous-notes DIV -->
384
385 </center>
386
387 <script language='JavaScript'>
388
389 <?php
390 if ($GLOBALS['concurrent_layout'] && $_GET['set_pid']) {
391 $ndata = getPatientData($pid, "fname, lname, pubpid");
392 ?>
393 parent.left_nav.setPatient(<?php echo "'" . addslashes($ndata['fname']) . " " . addslashes($ndata['lname']) . "',$pid,'" . addslashes($ndata['pubpid']) . "',window.name"; ?>);
394 parent.left_nav.setRadio(window.name, 'pno');
395 <?php
396 }
397
398 // If this note references a new patient document, pop up a display
399 // of that document.
400 //
401 if ($noteid /* && $title == 'New Document' */ ) {
402 $prow = getPnoteById($noteid, 'body');
403 if (preg_match('/New scanned document (\d+): [^\n]+\/([^\n]+)/', $prow['body'], $matches)) {
404 $docid = $matches[1];
405 $docname = $matches[2];
406 ?>
407 window.open('../../../controller.php?document&retrieve&patient_id=<?php echo $pid ?>&document_id=<?php echo $docid ?>&<?php echo $docname?>&as_file=true',
408 '_blank', 'resizable=1,scrollbars=1,width=600,height=500');
409 <?php
410 }
411 }
412 ?>
413
414 </script>
415
416 </div> <!-- end outer 'pnotes' -->
417
418 </body>
419
420 <script language="javascript">
421
422 // jQuery stuff to make the page a little easier to use
423
424 $(document).ready(function(){
425 $("#appendnote").click(function() { AppendNote(); });
426 $("#newnote").click(function() { NewNote(); });
427 $("#printnote").click(function() { PrintNote(); });
428
429 $(".change_activity").click(function() { top.restoreSession(); $("#update_activity").submit(); });
430
431 $(".deletenote").click(function() { DeleteNote(this); });
432
433 $(".noterow").mouseover(function() { $(this).toggleClass("highlight"); });
434 $(".noterow").mouseout(function() { $(this).toggleClass("highlight"); });
435 $(".notecell").click(function() { EditNote(this); });
436
437 $("#note").focus();
438
439 var EditNote = function(note) {
440 top.restoreSession();
441 $("#noteid").val(note.id);
442 $("#mode").val("");
443 $("#new_note").submit();
444 }
445
446 var NewNote = function () {
447 top.restoreSession();
448 $("#noteid").val('');
449 $("#new_note").submit();
450 }
451
452 var AppendNote = function () {
453 top.restoreSession();
454 $("#new_note").submit();
455 }
456
457 var PrintNote = function () {
458 top.restoreSession();
459 window.open('pnotes_print.php?noteid=<?php echo $noteid; ?>', '_blank', 'resizable=1,scrollbars=1,width=600,height=500');
460 }
461
462 var DeleteNote = function(note) {
463 if (confirm("<?php xl('Are you sure you want to delete this note?','e','','\n ') . xl('This action CANNOT be undone.','e'); ?>")) {
464 top.restoreSession();
465 // strip the 'del' part of the object's ID
466 $("#noteid").val(note.id.replace(/del/, ""));
467 $("#mode").val("delete");
468 $("#new_note").submit();
469 }
470 }
471
472 });
473
474 </script>
475
476
477 </html>
Mirror of official OpenEMR Sourceforge repository