From 21e15cce4507d36c7ffd234f2c4f034b38d1087e Mon Sep 17 00:00:00 2001
From: bradymiller <bradymiller>
Date: Mon, 2 Aug 2010 20:26:55 +0000
Subject: [PATCH] Clean up and secure the messages-pnotes scripts and related
 functions-scripts (remove fake globals, run global undomagicquotes, integrate
 binding into sql queries to prevent sql-injection and integrate
 htmlspecialchars to prevent xss attacks). Also fixed several bugs and
 modularized some of the messages.php script.

---
 interface/main/messages/lab_results_messages.php   |   5 +-
 interface/main/messages/messages.php               | 194 ++++++++++++---------
 interface/patient_file/summary/pnotes.php          |  60 ++++---
 interface/patient_file/summary/pnotes_fragment.php |   2 +-
 interface/patient_file/summary/pnotes_full.php     | 128 ++++++++------
 interface/patient_file/summary/pnotes_full_add.php |  85 ++++-----
 interface/patient_file/summary/pnotes_print.php    |  22 ++-
 library/gprelations.inc.php                        |   8 +-
 library/pnotes.inc                                 |  49 ++++--
 9 files changed, 324 insertions(+), 229 deletions(-)

diff --git a/interface/main/messages/lab_results_messages.php b/interface/main/messages/lab_results_messages.php
index 42154c199..21ebd0b4e 100644
--- a/interface/main/messages/lab_results_messages.php
+++ b/interface/main/messages/lab_results_messages.php
@@ -12,6 +12,7 @@ require_once("$srcdir/auth.inc");
 include_once("$srcdir/formdata.inc.php");
 
 function lab_results_messages($set_pid, $rid, $provider_id="") {
+    global $userauthorized;
     if ($provider_id != "") {
         $where = "AND id = '".$provider_id."'";
     }
@@ -37,7 +38,6 @@ function lab_results_messages($set_pid, $rid, $provider_id="") {
 
             if ($thisauth) {
                 // Send lab result message to the ordering provider when there is a new lab report.
-                $userauthorized = formData("userauthorized");
                 $pname = getPatientName($set_pid);
                 $link = "<a href='../../orders/orders_results.php?review=1&set_pid=$set_pid'" .
                 " onclick='return top.restoreSession()'>here</a>";
@@ -45,8 +45,7 @@ function lab_results_messages($set_pid, $rid, $provider_id="") {
                 $note_type = "Lab Results";
                 $message_status = "New";
                 // Add pnote.
-                $noteid = addPnote($set_pid, $note, $userauthorized, '1', $note_type, $user_detail['username']);
-                sqlQ("update pnotes set message_status='".$message_status."' where id = '$noteid'");
+                $noteid = addPnote($set_pid, $note, $userauthorized, '1', $note_type, $user_detail['username'], '', $message_status);
             }
         }
     }
diff --git a/interface/main/messages/messages.php b/interface/main/messages/messages.php
index 7be5f8e91..0d1361097 100644
--- a/interface/main/messages/messages.php
+++ b/interface/main/messages/messages.php
@@ -5,6 +5,14 @@
 // as published by the Free Software Foundation; either version 2
 // of the License, or (at your option) any later version.
 
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 require_once("../../globals.php");
 require_once("$srcdir/pnotes.inc");
 require_once("$srcdir/patient.inc");
@@ -29,82 +37,83 @@ require_once("$srcdir/formatting.inc.php");
 <body class="body_top">
 <?php
 // Check to see if the user has Admin rights, and if so, allow access to See All.
-$showall = formData('showall', 'G');
+$showall = $_GET['show_all'];
 if ($showall == "yes") {
     $show_all = $showall;
 }
 if (acl_check('admin', 'super'    )) {
 if ($show_all=='yes') {
     $showall = "yes";
-    $lnkvar="'messages.php?show_all=no' name='Just Mine' onclick=\"top.restoreSession()\"> (".xl('Just Mine').")";
+    $lnkvar="'messages.php?show_all=no' name='Just Mine' onclick=\"top.restoreSession()\"> (".htmlspecialchars( xl('Just Mine'), ENT_NOQUOTES).")";
 }
 else {
     $showall = "no";
-    $lnkvar="'messages.php?show_all=yes' name='See All' onclick=\"top.restoreSession()\"> (".xl('See All').")";
+    $lnkvar="'messages.php?show_all=yes' name='See All' onclick=\"top.restoreSession()\"> (".htmlspecialchars( xl('See All'), ENT_NOQUOTES).")";
 }
 }
 ?>
-<table><tr><td><span class="title"><?php xl('Messages','e'); ?></span> <a class='more' href=<?php echo $lnkvar; ?></a></td></tr></table><br>
+<table><tr><td><span class="title"><?php echo htmlspecialchars( xl('Messages'), ENT_NOQUOTES); ?></span> <a class='more' href=<?php echo $lnkvar; ?></a></td></tr></table><br>
 <?php
+//collect the task setting
+if (isset($_GET['task'])) $task=$_GET['task'];
+if (isset($_POST['task'])) $task=$_POST['task'];
+
 switch($task) {
     case "add" :
     {
         // Add a new message for a specific patient; the message is documented in Patient Notes.
         // Add a new message; it's treated as a new note in Patient Notes.
-        $note = strip_escape_custom($_POST['note']);
-        $noteid = formData("noteid");
-        $form_note_type = formData("form_note_type");
-        $assigned_to = formData("assigned_to");
-        $form_message_status = formData("form_message_status");
-        $reply_to = formData("reply_to");
-        $userauthorized = formData("userauthorized");
+        $note = $_POST['note'];
+        $noteid = $_POST['noteid'];
+        $form_note_type = $_POST['form_note_type'];
+        $assigned_to = $_POST['assigned_to'];
+        $form_message_status = $_POST['form_message_status'];
+        $reply_to = $_POST['reply_to'];
         if ($noteid) {
-          updatePnote($noteid, $note, $form_note_type, $assigned_to);
-          sqlQuery("update pnotes set message_status='".$form_message_status."' where id = '".$noteid."'");
+          updatePnote($noteid, $note, $form_note_type, $assigned_to, $form_message_status);
           $noteid = '';
         }
         else {
-          $noteid = addPnote($reply_to, $note, $userauthorized, '1', $form_note_type, $assigned_to);
-          sqlQuery("update pnotes set message_status='".$form_message_status."' where id = '$noteid'");
+          $noteid = addPnote($reply_to, $note, $userauthorized, '1', $form_note_type, $assigned_to, '', $form_message_status);
         }
     } break;
     case "save" : {
         // Update alert.
-        $noteid = formData("noteid");
-        $form_message_status = formData("form_message_status");
-        sqlQuery("update pnotes set message_status='".$form_message_status."' where id = '".$noteid."'");
+        $noteid = $_POST['noteid'];
+        $form_message_status = $_POST['form_message_status'];
+        updatePnoteMessageStatus($noteid,$form_message_status);
         $task = "edit";
-        $note = formData("note");
-        $title = formData("form_note_type");
-        $assigned_to = formData("assigned_to");
-        $reply_to = formData("reply_to");
+        $note = $_POST['note'];
+        $title = $_POST['form_note_type'];
+        $assigned_to = $_POST['assigned_to'];
+        $reply_to = $_POST['reply_to'];
     }
     case "edit" : {
         if ($noteid == "") {
-            $noteid = formData('noteid', 'G');
+            $noteid = $_GET['noteid'];
         }
         // Update the message if it already exists; it's appended to an existing note in Patient Notes.
-        $sql = "select title, assigned_to, body, pid, message_status from pnotes where id='$noteid'";
-        $result = sqlStatement($sql);
-        if ($myrow = sqlFetchArray($result)) {
+        $result = getPnoteById($noteid);
+        if ($result) {
             if ($title == ""){
-                $title = $myrow['title'];
+                $title = $result['title'];
             }
             if ($assigned_to == ""){
-                $assigned_to = $myrow['assigned_to'];
+                $assigned_to = $result['assigned_to'];
             }
-            $body = $myrow['body'];
+            $body = $result['body'];
             if ($reply_to == ""){
-                $reply_to = $myrow['pid'];
+                $reply_to = $result['pid'];
             }
-            $form_message_status = $myrow['message_status'];
+            $form_message_status = $result['message_status'];
         }
     } break;
     case "delete" : {
         // Delete selected message(s) from the Messages box (only).
         $delete_id = $_POST['delete_id'];
         for($i = 0; $i < count($delete_id); $i++) {
-            sqlQuery("delete from pnotes where id='$delete_id[$i]'");
+            deletePnote($delete_id[$i]);
+	    newEvent("delete", $_SESSION['authUser'], $_SESSION['authProvider'], 1, "pnotes: id ".$delete_id[$i]);
         }
     } break;
 }
@@ -113,23 +122,23 @@ if($task == "addnew" or $task == "edit") {
  // Display the Messages page layout.
 echo "
 <form name=new_note id=new_note action=\"messages.php?showall=$showall&sortby=$sortby&sortorder=$sortorder&begin=$begin\" method=post>
-<input type=hidden name=noteid id=noteid value=$noteid>
+<input type=hidden name=noteid id=noteid value=".htmlspecialchars( $noteid, ENT_QUOTES).">
 <input type=hidden name=task id=task value=add>";
 ?>
 <div id="pnotes"><center>
 <table border='0' cellspacing='8'>
  <tr>
   <td class='text' align='center'>
-   <b><?php xl('Type','e'); ?>:</b>
+   <b><?php echo htmlspecialchars( xl('Type'), ENT_NOQUOTES); ?>:</b>
    <?php
    if ($title == "") {
-       $title = "New Document";
+       $title = "Unassigned";
    }
    // Added 6/2009 by BM to incorporate the patient notes into the list_options listings.
     generate_form_field(array('data_type'=>1,'field_id'=>'note_type','list_id'=>'note_type','empty_title'=>'SKIP','order_by'=>'title'), $title);
    ?>
    &nbsp; &nbsp;
-   <b><?php xl('To','e'); ?>:</b>
+   <b><?php echo htmlspecialchars( xl('To'), ENT_QUOTES); ?>:</b>
    <select name='assigned_to'>
 
 <?php
@@ -139,10 +148,10 @@ $ures = sqlStatement("SELECT username, fname, lname FROM users " .
  "( info IS NULL OR info NOT LIKE '%Inactive%' ) " .
  "ORDER BY lname, fname");
  while ($urow = sqlFetchArray($ures)) {
-  echo "    <option value='" . $urow['username'] . "'";
+  echo "    <option value='" . htmlspecialchars( $urow['username'], ENT_QUOTES) . "'";
   if ($urow['username'] == $assigned_to) echo " selected";
-  echo ">" . $urow['lname'];
-  if ($urow['fname']) echo ", " . $urow['fname'];
+  echo ">" . htmlspecialchars( $urow['lname'], ENT_NOQUOTES);
+  if ($urow['fname']) echo ", " . htmlspecialchars( $urow['fname'], ENT_NOQUOTES);
   echo "</option>\n";
  }
 
@@ -152,19 +161,19 @@ $ures = sqlStatement("SELECT username, fname, lname FROM users " .
 </tr>
 <tr>
   <td class='text' align='center'>
-   <b class='<?php echo ($task=="addnew"?"required":"") ?>'><?php xl('Patient','e'); ?>:</b><?php
+   <b class='<?php echo ($task=="addnew"?"required":"") ?>'><?php echo htmlspecialchars( xl('Patient'), ENT_NOQUOTES); ?>:</b><?php
  if ($reply_to) {
   $prow = sqlQuery("SELECT lname, fname " .
-   "FROM patient_data WHERE pid = '" . $reply_to . "'");
+   "FROM patient_data WHERE pid = ?", array($reply_to) );
   $patientname = $prow['lname'] . ", " . $prow['fname'];
  }
    if ($patientname == "") {
        $patientname = xl('Click to select');
    } ?>
-   <input type='text' size='10' name='form_patient' style='width:150px;<?php echo ($task=="addnew"?"cursor:pointer;cursor:hand;":"") ?>' value='<?php echo htmlspecialchars($patientname, ENT_QUOTES); ?>' <?php echo ($task=="addnew"?"onclick='sel_patient()' readonly":"disabled") ?> title='<?php ($task=="addnew"?xl('Click to select patient','e'):"") ?>'  />
-   <input type='hidden' name='reply_to' value='<?php echo $reply_to ?>' />
+   <input type='text' size='10' name='form_patient' style='width:150px;<?php echo ($task=="addnew"?"cursor:pointer;cursor:hand;":"") ?>' value='<?php echo htmlspecialchars($patientname, ENT_QUOTES); ?>' <?php echo ($task=="addnew"?"onclick='sel_patient()' readonly":"disabled") ?> title='<?php echo ($task=="addnew"?(htmlspecialchars( xl('Click to select patient'), ENT_QUOTES)):"") ?>'  />
+   <input type='hidden' name='reply_to' value='<?php echo htmlspecialchars( $reply_to, ENT_QUOTES) ?>' />
    &nbsp; &nbsp;
-   <b><?php xl('Status','e'); ?>:</b>
+   <b><?php echo htmlspecialchars( xl('Status'), ENT_NOQUOTES); ?>:</b>
     <?php
    if ($form_message_status == "") {
        $form_message_status = 'New';
@@ -178,25 +187,25 @@ $ures = sqlStatement("SELECT username, fname, lname FROM users " .
 <?php
 
 if ($noteid) {
-    $body = nl2br($body);
+    $body = nl2br(htmlspecialchars( $body, ENT_NOQUOTES));
     echo "<div class='text' style='background-color:white; color: gray; border:1px solid #999; padding: 5px; width: 640px;'>".$body."</div>";
 }
 
 ?>
-   <textarea name='note' id='note' rows='8' style="width: 660px; "><?php echo $note ?></textarea>
+   <textarea name='note' id='note' rows='8' style="width: 660px; "><?php echo htmlspecialchars( $note, ENT_NOQUOTES) ?></textarea>
   </td>
  </tr>
 </table>
 
 <?php if ($noteid) { ?>
 <!-- This is for displaying an existing note. -->
-<input type="button" id="newnote" value="<?php xl('Send message','e'); ?>">
-<input type="button" id="printnote" value="<?php xl('Print message','e'); ?>">
-<input type="button" id="cancel" value="<?php xl('Cancel','e'); ?>">
+<input type="button" id="newnote" value="<?php echo htmlspecialchars( xl('Send message'), ENT_QUOTES); ?>">
+<input type="button" id="printnote" value="<?php echo htmlspecialchars( xl('Print message'), ENT_QUOTES); ?>">
+<input type="button" id="cancel" value="<?php echo htmlspecialchars( xl('Cancel'), ENT_QUOTES); ?>">
 <?php } else { ?>
 <!-- This is for displaying a new note. -->
-<input type="button" id="newnote" value="<?php xl('Send message','e'); ?>">
-<input type="button" id="cancel" value="<?php xl('Cancel','e'); ?>">
+<input type="button" id="newnote" value="<?php echo htmlspecialchars( xl('Send message'), ENT_QUOTES); ?>">
+<input type="button" id="cancel" value="<?php echo htmlspecialchars( xl('Cancel'), ENT_QUOTES); ?>">
 <?php } ?>
 
 <br>
@@ -216,7 +225,7 @@ $(document).ready(function(){
     var NewNote = function () {
         top.restoreSession();
       if (document.forms[0].reply_to.value.length == 0) {
-       alert('<?php xl('Please choose a patient', 'e') ?>');
+       alert('<?php echo htmlspecialchars( xl('Please choose a patient'), ENT_QUOTES); ?>');
       }
       else
       {
@@ -226,7 +235,7 @@ $(document).ready(function(){
 
     var PrintNote = function () {
         top.restoreSession();
-        window.open('../../patient_file/summary/pnotes_print.php?noteid=<?php echo $noteid; ?>', '_blank', 'resizable=1,scrollbars=1,width=600,height=500');
+        window.open('../../patient_file/summary/pnotes_print.php?noteid=<?php echo htmlspecialchars( $noteid, ENT_QUOTES); ?>', '_blank', 'resizable=1,scrollbars=1,width=600,height=500');
     }
 
     var SaveNote = function () {
@@ -257,14 +266,14 @@ $(document).ready(function(){
 </script><?php
 }
 else {
-    $sortby = formData('sortby','R');
-    $sortorder = formData('sortorder','R');
-    $begin = formData('begin','R');
+    $sortby = $_REQUEST['sortby'];
+    $sortorder = $_REQUEST['sortorder'];
+    $begin = $_REQUEST['begin'];
     // This is for sorting the records.
     $sort = array("users.lname", "patient_data.lname", "pnotes.title", "pnotes.date", "pnotes.message_status");
-    $sortby = formData('sortby','R');
-    $sortorder = formData('sortorder','R');
-    $begin = formData('begin','R');
+    $sortby = $_REQUEST['sortby'];
+    $sortorder = $_REQUEST['sortorder'];
+    $begin = $_REQUEST['begin'];
     if($sortby == "") {
         $sortby = $sort[0];
     }
@@ -272,21 +281,25 @@ else {
         $sortorder = "asc";
     }
     for($i = 0; $i < count($sort); $i++) {
-        $sortlink[$i] = "<a href=\"messages.php?showall=$showall&sortby=$sort[$i]&sortorder=asc\" onclick=\"top.restoreSession()\"><img src=\"../../../images/sortdown.gif\" border=0 alt=\"".xl('Sort Up')."\"></a>";
+        $sortlink[$i] = "<a href=\"messages.php?showall=$showall&sortby=$sort[$i]&sortorder=asc\" onclick=\"top.restoreSession()\"><img src=\"../../../images/sortdown.gif\" border=0 alt=\"".htmlspecialchars( xl('Sort Up'), ENT_QUOTES)."\"></a>";
     }
     for($i = 0; $i < count($sort); $i++) {
         if($sortby == $sort[$i]) {
             switch($sortorder) {
-                case "asc"      : $sortlink[$i] = "<a href=\"messages.php?showall=$showall&sortby=$sortby&sortorder=desc\" onclick=\"top.restoreSession()\"><img src=\"../../../images/sortup.gif\" border=0 alt=\"".xl('Sort Up')."\"></a>"; break;
-                case "desc"     : $sortlink[$i] = "<a href=\"messages.php?showall=$showall&sortby=$sortby&sortorder=asc\" onclick=\"top.restoreSession()\"><img src=\"../../../images/sortdown.gif\" border=0 alt=\"".xl('Sort Down')."\"></a>"; break;
+                case "asc"      : $sortlink[$i] = "<a href=\"messages.php?showall=$showall&sortby=$sortby&sortorder=desc\" onclick=\"top.restoreSession()\"><img src=\"../../../images/sortup.gif\" border=0 alt=\"".htmlspecialchars( xl('Sort Up'), ENT_QUOTES)."\"></a>"; break;
+                case "desc"     : $sortlink[$i] = "<a href=\"messages.php?showall=$showall&sortby=$sortby&sortorder=asc\" onclick=\"top.restoreSession()\"><img src=\"../../../images/sortdown.gif\" border=0 alt=\"".htmlspecialchars( xl('Sort Down'), ENT_QUOTES)."\"></a>"; break;
             } break;
         }
     }
     // Manage page numbering and display beneath the Messages table.
     $listnumber = 25;
     $show_all=='yes' ? $usrvar='_%' : $usrvar=$_SESSION['authUser'] ;
-    $sql = "select pnotes.id, pnotes.user, pnotes.pid, pnotes.title, pnotes.date, pnotes.message_status, users.fname, users.lname, patient_data.fname, patient_data.lname FROM ((pnotes JOIN users ON pnotes.user = users.username) JOIN patient_data ON pnotes.pid = patient_data.pid) where pnotes.message_status != 'Done' and pnotes.assigned_to LIKE '$usrvar'";
-    $result = sqlStatement($sql);
+    $sql = "select pnotes.id, pnotes.user, pnotes.pid, pnotes.title, pnotes.date, " .
+           "pnotes.message_status, users.fname, users.lname, patient_data.fname, " .
+           "patient_data.lname FROM ((pnotes JOIN users ON pnotes.user = users.username) " .
+           "JOIN patient_data ON pnotes.pid = patient_data.pid) where pnotes.message_status != 'Done' " .
+           "and pnotes.deleted != '1' and pnotes.assigned_to LIKE ?";
+    $result = sqlStatement($sql, array($usrvar) );
     if(sqlNumRows($result) != 0) {
         $total = sqlNumRows($result);
     }
@@ -326,17 +339,31 @@ else {
     <input type=hidden name=task value=delete>
         <tr height=\"24\" style=\"background:lightgrey\">
             <td align=\"center\" width=\"25\" style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\"><input type=checkbox id=\"checkAll\" onclick=\"selectAll()\"></td>
-            <td width=\"20%\" style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\" class=bold>&nbsp;<b>".xl('From')."</b> $sortlink[0]</td>
-            <td width=\"20%\" style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\" class=bold>&nbsp;<b>".xl('Patient')."</b> $sortlink[1]</td>
-            <td style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\" class=bold>&nbsp;<b>".xl('Type')."</b> $sortlink[2]</td>
-            <td width=\"15%\" style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\" class=bold>&nbsp;<b>".xl('Date')."</b> $sortlink[3]</td>
-            <td width=\"15%\" style=\"border-bottom: 1px #000000 solid; \" class=bold>&nbsp;<b>".xl('Status')."</b> $sortlink[4]</td>
+            <td width=\"20%\" style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\" class=bold>&nbsp;<b>" .
+              htmlspecialchars( xl('From'), ENT_NOQUOTES) . "</b> $sortlink[0]</td>
+            <td width=\"20%\" style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\" class=bold>&nbsp;<b>" .
+              htmlspecialchars( xl('Patient'), ENT_NOQUOTES) . "</b> $sortlink[1]</td>
+            <td style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\" class=bold>&nbsp;<b>" .
+              htmlspecialchars( xl('Type'), ENT_NOQUOTES) . "</b> $sortlink[2]</td>
+            <td width=\"15%\" style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\" class=bold>&nbsp;<b>" .
+              htmlspecialchars( xl('Date'), ENT_NOQUOTES) . "</b> $sortlink[3]</td>
+            <td width=\"15%\" style=\"border-bottom: 1px #000000 solid; \" class=bold>&nbsp;<b>" .
+              htmlspecialchars( xl('Status'), ENT_NOQUOTES) . "</b> $sortlink[4]</td>
         </tr>";
         // Display the Messages table body.
         $count = 0;
         $show_all=='yes' ? $usrvar='_%' : $usrvar=$_SESSION['authUser'] ;
-        $sql = "select pnotes.id, pnotes.user, pnotes.pid, pnotes.title, pnotes.date, pnotes.message_status, users.fname AS users_fname, users.lname AS users_lname, patient_data.fname AS patient_data_fname, patient_data.lname AS patient_data_lname FROM ((pnotes JOIN users ON pnotes.user = users.username) JOIN patient_data ON pnotes.pid = patient_data.pid) where pnotes.message_status != 'Done' and pnotes.assigned_to LIKE '$usrvar' order by $sortby $sortorder limit $begin, $listnumber";
-        $result = sqlStatement($sql);
+        $sql = "select pnotes.id, pnotes.user, pnotes.pid, pnotes.title, " .
+               "pnotes.date, pnotes.message_status, users.fname " .
+               "AS users_fname, users.lname AS users_lname, patient_data.fname " .
+               "AS patient_data_fname, patient_data.lname AS patient_data_lname " .
+               "FROM ((pnotes JOIN users ON pnotes.user = users.username) " .
+               "JOIN patient_data ON pnotes.pid = patient_data.pid) " .
+               "where pnotes.message_status != 'Done' and pnotes.deleted != '1' " .
+               "and pnotes.assigned_to LIKE ? " .
+               "order by ".add_escape_custom($sortby)." ".add_escape_custom($sortorder).
+               " limit ".add_escape_custom($begin).", ".add_escape_custom($listnumber);
+        $result = sqlStatement($sql, array($usrvar) );
         while ($myrow = sqlFetchArray($result)) {
             $name = $myrow['user'];
             $name = $myrow['users_lname'];
@@ -351,12 +378,19 @@ else {
             $count++;
             echo "
             <tr id=\"row$count\" style=\"background:white\" height=\"24\">
-                <td align=\"center\" style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\"><input type=checkbox id=\"check$count\" name=\"delete_id[]\" value=\"".$myrow['id']."\" onclick=\"if(this.checked==true){ selectRow('row$count'); }else{ deselectRow('row$count'); }\"></td>
-                <td style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\"><table cellspacing=0 cellpadding=0 width=100%><tr><td width=5></td><td class=\"text\">$name</td><td width=5></td></tr></table></td>
-                <td style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\"><table cellspacing=0 cellpadding=0 width=100%><tr><td width=5></td><td class=\"text\"><a href=\"messages.php?showall=$showall&sortby=$sortby&sortorder=$sortorder&begin=$begin&task=edit&noteid=".$myrow['id']."\" onclick=\"top.restoreSession()\">$patient</a></td><td width=5></td></tr></table></td>
-                <td style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\"><table cellspacing=0 cellpadding=0 width=100%><tr><td width=5></td><td class=\"text\">".$myrow['title']."</td><td width=5></td></tr></table></td>
-                <td style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\"><table cellspacing=0 cellpadding=0 width=100%><tr><td width=5></td><td class=\"text\">" . oeFormatShortDate(substr($myrow['date'], 0, strpos($myrow['date'], " "))) . "</td><td width=5></td></tr></table></td>
-                <td style=\"border-bottom: 1px #000000 solid;\"><table cellspacing=0 cellpadding=0 width=100%><tr><td width=5></td><td class=\"text\">".$myrow['message_status']."</td><td width=5></td></tr></table></td>
+                <td align=\"center\" style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\"><input type=checkbox id=\"check$count\" name=\"delete_id[]\" value=\"" .
+	          htmlspecialchars( $myrow['id'], ENT_QUOTES) . "\" onclick=\"if(this.checked==true){ selectRow('row$count'); }else{ deselectRow('row$count'); }\"></td>
+                <td style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\"><table cellspacing=0 cellpadding=0 width=100%><tr><td width=5></td><td class=\"text\">" .
+	          htmlspecialchars( $name, ENT_NOQUOTES) . "</td><td width=5></td></tr></table></td>
+                <td style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\"><table cellspacing=0 cellpadding=0 width=100%><tr><td width=5></td><td class=\"text\"><a href=\"messages.php?showall=$showall&sortby=$sortby&sortorder=$sortorder&begin=$begin&task=edit&noteid=" .
+	          htmlspecialchars( $myrow['id'], ENT_QUOTES) . "\" onclick=\"top.restoreSession()\">" .
+		  htmlspecialchars( $patient, ENT_NOQUOTES) . "</a></td><td width=5></td></tr></table></td>
+                <td style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\"><table cellspacing=0 cellpadding=0 width=100%><tr><td width=5></td><td class=\"text\">" .
+	          htmlspecialchars( $myrow['title'], ENT_NOQUOTES) . "</td><td width=5></td></tr></table></td>
+                <td style=\"border-bottom: 1px #000000 solid; border-right: 1px #000000 solid;\"><table cellspacing=0 cellpadding=0 width=100%><tr><td width=5></td><td class=\"text\">" .
+	          htmlspecialchars( oeFormatShortDate(substr($myrow['date'], 0, strpos($myrow['date'], " "))), ENT_NOQUOTES) . "</td><td width=5></td></tr></table></td>
+                <td style=\"border-bottom: 1px #000000 solid;\"><table cellspacing=0 cellpadding=0 width=100%><tr><td width=5></td><td class=\"text\">" .
+	          htmlspecialchars( $myrow['message_status'], ENT_NOQUOTES) . "</td><td width=5></td></tr></table></td>
             </tr>";
         }
     // Display the Messages table footer.
@@ -364,14 +398,16 @@ else {
     </form></table>
     <table border=0 cellpadding=5 cellspacing=0 width=90%>
         <tr>
-            <td class=\"text\"><a href=\"messages.php?showall=$showall&sortby=$sortby&sortorder=$sortorder&begin=$begin&task=addnew\" onclick=\"top.restoreSession()\">".xl('Add New')."</a> &nbsp; <a href=\"javascript:confirmDeleteSelected()\" onclick=\"top.restoreSession()\">".xl('Delete')."</a></td>
+            <td class=\"text\"><a href=\"messages.php?showall=$showall&sortby=$sortby&sortorder=$sortorder&begin=$begin&task=addnew\" onclick=\"top.restoreSession()\">" .
+              htmlspecialchars( xl('Add New'), ENT_NOQUOTES) . "</a> &nbsp; <a href=\"javascript:confirmDeleteSelected()\" onclick=\"top.restoreSession()\">" .
+              htmlspecialchars( xl('Delete'), ENT_NOQUOTES) . "</a></td>
             <td align=right class=\"text\">$prevlink &nbsp; $end of $total &nbsp; $nextlink</td>
         </tr>
     </table></td></tr></table><br>"; ?>
 <script language="javascript">
 // This is to confirm delete action.
 function confirmDeleteSelected() {
-    if(confirm("<?php xl('Do you really want to delete the selection?', 'e') ?>")) {
+    if(confirm("<?php echo htmlspecialchars( xl('Do you really want to delete the selection?'), ENT_QUOTES); ?>")) {
         document.wikiList.submit();
     }
 }
diff --git a/interface/patient_file/summary/pnotes.php b/interface/patient_file/summary/pnotes.php
index 60e230bfc..d4fc063af 100644
--- a/interface/patient_file/summary/pnotes.php
+++ b/interface/patient_file/summary/pnotes.php
@@ -1,4 +1,13 @@
 <?php
+
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
  require_once("../../globals.php");
  require_once("$srcdir/pnotes.inc");
  require_once("$srcdir/acl.inc");
@@ -27,7 +36,7 @@
    $thisauth = 0;
  }
  if (!$thisauth) {
-  echo "<p>(" . xl('Notes not authorized') . ")</p>\n";
+  echo "<p>(" . htmlspecialchars( xl('Notes not authorized'), ENT_NOQUOTES) . ")</p>\n";
   echo "</body>\n</html>\n";
   exit();
  }
@@ -38,21 +47,21 @@
 <?php if ($thisauth == 'write' || $thisauth == 'addonly'): ?>
 
 <?php if ($GLOBALS['concurrent_layout']) { ?>
-<a href="pnotes_full.php?docid=<?php echo $docid; ?>" onclick="top.restoreSession()">
+<a href="pnotes_full.php?docid=<?php echo htmlspecialchars( $docid, ENT_QUOTES); ?>" onclick="top.restoreSession()">
 <?php } else { ?>
-<a href="pnotes_full.php?docid=<?php echo $docid; ?>" target="Main" onclick="top.restoreSession()">
+<a href="pnotes_full.php?docid=<?php echo htmlspecialchars( $docid, ENT_QUOTES); ?>" target="Main" onclick="top.restoreSession()">
 <?php } ?>
 
-<span class="title"><?php xl('Notes','e'); ?>
+<span class="title"><?php echo htmlspecialchars( xl('Notes'), ENT_NOQUOTES); ?>
 <?php
   if ($docid) {
-    echo " " . xl("linked to document") . " ";
+    echo " " . htmlspecialchars( xl("linked to document"), ENT_NOQUOTES) . " ";
     $d = new Document($docid);	
     echo $d->get_url_file();
   }
 ?>
 </span>
-<span class=more><?php echo $tmore;?></span>
+<span class=more><?php echo htmlspecialchars( $tmore, ENT_NOQUOTES);?></span>
 </a>
 <?php endif; ?>
 
@@ -64,17 +73,15 @@
 //display all of the notes for the day, as well as others that are active from previous dates, up to a certain number, $N
 $N = 15;
 
-$conn = $GLOBALS['adodb']['db'];
-
 // Get the billing note if there is one.
 $billing_note = "";
 $colorbeg = "";
 $colorend = "";
 $sql = "select genericname2, genericval2 " .
-    "from patient_data where pid = '$pid' limit 1";
-$resnote = $conn->Execute($sql);
-if($resnote && !$resnote->EOF && $resnote->fields['genericname2'] == 'Billing') {
-  $billing_note = $resnote->fields['genericval2'];
+    "from patient_data where pid = ? limit 1";
+$resnote = sqlQuery($sql, array($pid) );
+if($resnote && $resnote['genericname2'] == 'Billing') {
+  $billing_note = $resnote['genericval2'];
   $colorbeg = "<span style='color:red'>";
   $colorend = "</span>";
 }
@@ -84,13 +91,17 @@ $balance = get_patient_balance($pid);
 if ($balance != "0") {
   $formatted = sprintf((xl('$').'%01.2f'), $balance);
   echo " <tr class='text billing'>\n";
-  echo "  <td>".$colorbeg.xl('Balance Due').$colorend."</td><td>".$colorbeg.$formatted.$colorend."</td>\n";
+  echo "  <td>" . $colorbeg . htmlspecialchars( xl('Balance Due'), ENT_NOQUOTES) .
+    $colorend . "</td><td>" . $colorbeg . 
+    htmlspecialchars( $formatted, ENT_NOQUOTES) . $colorend."</td>\n";
   echo " </tr>\n";
 }
 
 if ($billing_note) {
   echo " <tr class='text billing'>\n";
-  echo "  <td>".$colorbeg.xl('Billing Note').$colorend."</td><td>".$colorbeg.$billing_note.$colorend."</td>\n";
+  echo "  <td>" . $colorbeg . htmlspecialchars( xl('Billing Note'), ENT_NOQUOTES) .
+    $colorend . "</td><td>" . $colorbeg .
+    htmlspecialchars( $billing_note, ENT_NOQUOTES) . $colorend . "</td>\n";
   echo " </tr>\n";
 }
 
@@ -108,10 +119,11 @@ if ($result != null) {
       echo "  <td colspan='3' align='center'>\n";
       echo "   <a ";
       if (!$GLOBALS['concurrent_layout']) echo "target='Main' ";
-      echo "href='pnotes_full.php?active=1&docid=$docid' class='alert' " .
-        "onclick='top.restoreSession()'>";
-      echo xl('Some notes were not displayed.','','',' ') .
-        xl('Click here to view all.') . "</a>\n";
+      echo "href='pnotes_full.php?active=1&docid=" .
+	htmlspecialchars( $docid, ENT_QUOTES) . 
+	"' class='alert' onclick='top.restoreSession()'>";
+      echo htmlspecialchars( xl('Some notes were not displayed.','','',' '), ENT_NOQUOTES) .
+        htmlspecialchars( xl('Click here to view all.'), ENT_NOQUOTES) . "</a>\n";
       echo "  </td>\n";
       echo " </tr>\n";
       break;
@@ -119,13 +131,13 @@ if ($result != null) {
 
     $body = $iter['body'];
     if (preg_match('/^\d\d\d\d-\d\d-\d\d \d\d\:\d\d /', $body)) {
-      $body = nl2br($body);
+      $body = nl2br(htmlspecialchars( $body, ENT_NOQUOTES));
     } else {
-      $body = date('Y-m-d H:i', strtotime($iter['date'])) .
-        ' (' . $iter['user'] . ') ' . nl2br($body);
+      $body = htmlspecialchars( date('Y-m-d H:i', strtotime($iter['date'])), ENT_NOQUOTES) .
+        ' (' . htmlspecialchars( $iter['user'], ENT_NOQUOTES) . ') ' . nl2br(htmlspecialchars( $body, ENT_NOQUOTES));
     }
 
-    echo " <tr class='text noterow' id='".$iter['id']."'>\n";
+    echo " <tr class='text noterow' id='".htmlspecialchars( $iter['id'], ENT_QUOTES)."'>\n";
       
     // Modified 6/2009 by BM to incorporate the patient notes into the list_options listings  
     echo "  <td valign='top' class='bold'>";
@@ -161,11 +173,11 @@ var EditNote = function(note) {
     <?php if (!$GLOBALS['concurrent_layout']): ?>
     top.Main.location.href = "pnotes_full.php?docid=<?php echo $docid; ?>&noteid=" + note.id + "&active=1";
     <?php else: ?>
-    location.href = "pnotes_full.php?docid=<?php echo $docid; ?>noteid=" + note.id + "&active=1";
+    location.href = "pnotes_full.php?docid=<?php echo $docid; ?>&noteid=" + note.id + "&active=1";
     <?php endif; ?>
 <?php else: ?>
     // no-op
-    alert("<?php xl('You do not have access to view/edit this note','e'); ?>");
+    alert("<?php echo htmlspecialchars( xl('You do not have access to view/edit this note'), ENT_QUOTES); ?>");
 <?php endif; ?>
 }
 
diff --git a/interface/patient_file/summary/pnotes_fragment.php b/interface/patient_file/summary/pnotes_fragment.php
index 08e4bdb51..6e79f0b18 100644
--- a/interface/patient_file/summary/pnotes_fragment.php
+++ b/interface/patient_file/summary/pnotes_fragment.php
@@ -97,7 +97,7 @@ $fake_register_globals=false;
 
         $body = $iter['body'];
         if (preg_match('/^\d\d\d\d-\d\d-\d\d \d\d\:\d\d /', $body)) {
-          $body = nl2br(oeFormatPatientNote($body));
+          $body = nl2br(htmlspecialchars(oeFormatPatientNote($body),ENT_NOQUOTES);
         } else {
           $body = htmlspecialchars(oeFormatSDFT(strtotime($iter['date'])) . date(' H:i', strtotime($iter['date'])) .
             ' (' . $iter['user'] . ') ',ENT_NOQUOTES) .
diff --git a/interface/patient_file/summary/pnotes_full.php b/interface/patient_file/summary/pnotes_full.php
index 3471b1064..20bd9455d 100644
--- a/interface/patient_file/summary/pnotes_full.php
+++ b/interface/patient_file/summary/pnotes_full.php
@@ -4,6 +4,14 @@
 // as published by the Free Software Foundation; either version 2
 // of the License, or (at your option) any later version.
 
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 require_once("../../globals.php");
 require_once("$srcdir/pnotes.inc");
 require_once("$srcdir/patient.inc");
@@ -22,10 +30,10 @@ if ($GLOBALS['concurrent_layout'] && $_GET['set_pid']) {
 // Check authorization.
 $thisauth = acl_check('patients', 'notes');
 if ($thisauth != 'write' && $thisauth != 'addonly')
-    die(xl('Not authorized'));
+    die(htmlspecialchars( xl('Not authorized'), ENT_NOQUOTES));
 $tmp = getPatientData($pid, "squad");
 if ($tmp['squad'] && ! acl_check('squads', $tmp['squad']))
-    die(xl('Not authorized for this squad.'));
+    die(htmlspecialchars( xl('Not authorized for this squad.'), ENT_NOQUOTES));
 
 //the number of records to display per screen
 $N = 25;
@@ -75,8 +83,7 @@ if (isset($mode)) {
   }
   elseif ($mode == "new") {
     $note = $_POST['note'];
-    // The subroutine will do its own addslashes().
-    if (get_magic_quotes_gpc()) $note = stripslashes($note);
+      
     if ($noteid) {
       updatePnote($noteid, $note, $_POST['form_note_type'], $_POST['assigned_to']);
       $noteid = '';
@@ -151,19 +158,20 @@ $(document).ready(function(){
 
 <div id="pnotes"> <!-- large outer DIV -->
 
-<form border='0' method='post' name='new_note' id="new_note" action='pnotes_full.php?docid=<?php echo $docid; ?>'>
+<form border='0' method='post' name='new_note' id="new_note" action='pnotes_full.php?docid=<?php echo htmlspecialchars( $docid, ENT_QUOTES); ?>'>
 
 
     <div>
-        <span class="title"><?php xl('Patient Notes','e'); ?></span>
+        <span class="title"><?php echo htmlspecialchars( xl('Patient Notes'), ENT_NOQUOTES); ?></span>
     </div>
     <div style='float:left;margin-right:10px'>
-        <?php echo xl('for', 'e');?>&nbsp;<span class="title"><a href="../summary/demographics.php" onclick="top.restoreSession()"><?php echo htmlspecialchars( getPatientName($pid) ) ?></a></span>
+        <?php echo htmlspecialchars( xl('for'), ENT_NOQUOTES);?>&nbsp;<span class="title">
+	<a href="../summary/demographics.php" onclick="top.restoreSession()"><?php echo htmlspecialchars( getPatientName($pid), ENT_NOQUOTES); ?></a></span>
     </div>
     <div>
-        <a href="pnotes_full_add.php" class="css_button iframe"><span><?php xl('Add','e'); ?></span></a>
+        <a href="pnotes_full_add.php" class="css_button iframe"><span><?php echo htmlspecialchars( xl('Add'), ENT_NOQUOTES); ?></span></a>
         <a href="demographics.php" <?php if (!$GLOBALS['concurrent_layout']) echo "target='Main'"; ?> class="css_button" onclick="top.restoreSession()">
-            <span><?php echo xl('View Patient','e');?></span>
+            <span><?php echo htmlspecialchars( xl('View Patient'), ENT_NOQUOTES);?></span>
         </a>
     </div>
     <br/>
@@ -171,17 +179,17 @@ $(document).ready(function(){
     <?php
     $title_docname = "";
     if ($docid) {
-      $title_docname = " " . xl("linked to document") . " ";
+      $title_docname = " " . htmlspecialchars( xl("linked to document"), ENT_NOQUOTES) . " ";
       $d = new Document($docid);
       $title_docname .= $d->get_url_file();
     }
     ?>
     <input type='hidden' name='mode' id="mode" value="new">
     <input type='hidden' name='offset' id="offset" value="<?php echo $offset ?>">
-    <input type='hidden' name='form_active' id="form_active" value="<?php echo $form_active ?>">
-    <input type='hidden' name='form_inactive' id="form_inactive" value="<?php echo $form_inactive ?>">
-    <input type='hidden' name='noteid' id="noteid" value="<?php echo $noteid ?>">
-    <input type='hidden' name='form_doc_only' id="form_doc_only" value="<?php echo $form_doc_only ?>">
+    <input type='hidden' name='form_active' id="form_active" value="<?php echo htmlspecialchars( $form_active, ENT_QUOTES); ?>">
+    <input type='hidden' name='form_inactive' id="form_inactive" value="<?php echo htmlspecialchars( $form_inactive, ENT_QUOTES); ?>">
+    <input type='hidden' name='noteid' id="noteid" value="<?php echo htmlspecialchars( $noteid, ENT_QUOTES); ?>">
+    <input type='hidden' name='form_doc_only' id="form_doc_only" value="<?php echo htmlspecialchars( $form_doc_only, ENT_QUOTES); ?>">
 </form>
 
 
@@ -189,17 +197,15 @@ $(document).ready(function(){
 //display all of the notes for the day, as well as others that are active from previous dates, up to a certain number, $N
 $N = 15;
 
-$conn = $GLOBALS['adodb']['db'];
-
 // Get the billing note if there is one.
 $billing_note = "";
 $colorbeg = "";
 $colorend = "";
 $sql = "select genericname2, genericval2 " .
-    "from patient_data where pid = '$pid' limit 1";
-$resnote = $conn->Execute($sql);
-if($resnote && !$resnote->EOF && $resnote->fields['genericname2'] == 'Billing') {
-  $billing_note = $resnote->fields['genericval2'];
+    "from patient_data where pid = ? limit 1";
+$resnote = sqlQuery($sql, array($pid) );
+if($resnote && $resnote['genericname2'] == 'Billing') {
+  $billing_note = $resnote['genericval2'];
   $colorbeg = "<span style='color:red'>";
   $colorend = "</span>";
 }
@@ -217,13 +223,17 @@ if ($balance != "0") {
   // $formatted = sprintf((xl('$').'%01.2f'), $balance);
   $formatted = oeFormatMoney($balance);
   echo " <tr class='text billing'>\n";
-  echo "  <td>".$colorbeg.xl('Balance Due').$colorend."&nbsp;".$colorbeg.$formatted.$colorend."</td>\n";
+  echo "  <td>".$colorbeg . htmlspecialchars( xl('Balance Due'), ENT_NOQUOTES) .
+    $colorend."&nbsp;".$colorbeg. htmlspecialchars( $formatted, ENT_NOQUOTES) .
+    $colorend."</td>\n";
   echo " </tr>\n";
 }
 
 if ($billing_note) {
   echo " <tr class='text billing'>\n";
-  echo "  <td>".$colorbeg.xl('Billing Note').$colorend."&nbsp;".$colorbeg.$billing_note.$colorend."</td>\n";
+  echo "  <td>".$colorbeg . htmlspecialchars( xl('Billing Note'), ENT_NOQUOTES) .
+    $colorend."&nbsp;".$colorbeg . htmlspecialchars( $billing_note, ENT_NOQUOTES) .
+    $colorend."</td>\n";
   echo " </tr>\n";
 }
 ?>
@@ -233,7 +243,7 @@ if ($billing_note) {
 <?php } ?>
 
 <form border='0' method='post' name='update_activity' id='update_activity'
- action="pnotes_full.php?docid=<?php echo $docid; ?>">
+ action="pnotes_full.php?docid=<?php echo htmlspecialchars( $docid, ENT_QUOTES); ?>">
 <!-- start of previous notes DIV -->
 <div class=pat_notes>
 <input type='hidden' name='mode' value="update">
@@ -243,9 +253,9 @@ if ($billing_note) {
 <?php if ($result != ""): ?>
  <tr>
   <td colspan='5' style="padding: 5px;" >
-    <a href="#" class="change_activity" ><span><?php xl('Update Active','e'); ?></span></a>
+    <a href="#" class="change_activity" ><span><?php echo htmlspecialchars( xl('Update Active'), ENT_NOQUOTES); ?></span></a>
     |
-    <a href="pnotes_full.php" class="" id='Submit'><span><?php xl('Refresh','e'); ?></span></a>
+    <a href="pnotes_full.php" class="" id='Submit'><span><?php echo htmlspecialchars( xl('Refresh'), ENT_NOQUOTES); ?></span></a>
   </td>
  </tr></table>
 <?php endif; ?>
@@ -259,10 +269,10 @@ if ($billing_note) {
 if ($result != "") {
   echo " <tr class=showborder_head align='left'>\n";
   echo "  <th style='width:100px';>&nbsp;</th>\n";
-  echo "  <th>" . xl('Active') . "&nbsp;</th>\n";
-  echo "  <th>" . ($docid ? xl('Linked') : '') . "</th>\n";
-  echo "  <th>" . xl('Type') . "</th>\n";
-  echo "  <th>" . xl('Content') . "</th>\n";
+  echo "  <th>" . htmlspecialchars( xl('Active'), ENT_NOQUOTES) . "&nbsp;</th>\n";
+  echo "  <th>" . ($docid ? htmlspecialchars( xl('Linked'), ENT_NOQUOTES) : '') . "</th>\n";
+  echo "  <th>" . htmlspecialchars( xl('Type'), ENT_NOQUOTES) . "</th>\n";
+  echo "  <th>" . htmlspecialchars( xl('Content'), ENT_NOQUOTES) . "</th>\n";
   echo " </tr>\n";
 
   $result_count = 0;
@@ -283,10 +293,10 @@ if ($result != "") {
 
     $body = $iter['body'];
     if (preg_match('/^\d\d\d\d-\d\d-\d\d \d\d\:\d\d /', $body)) {
-      $body = nl2br(oeFormatPatientNote($body));
+      $body = nl2br(htmlspecialchars( oeFormatPatientNote($body), ENT_NOQUOTES));
     } else {
-      $body = oeFormatSDFT(strtotime($iter['date'])) . date(' H:i', strtotime($iter['date'])) .
-        ' (' . $iter['user'] . ') ' . nl2br(oeFormatPatientNote($body));
+      $body = htmlspecialchars( oeFormatSDFT(strtotime($iter['date'])).date(' H:i', strtotime($iter['date'])), ENT_NOQUOTES) .
+        ' (' . htmlspecialchars( $iter['user'], ENT_NOQUOTES) . ') ' . nl2br(htmlspecialchars( oeFormatPatientNote($body), ENT_NOQUOTES));
     }
 
     if ($iter{"activity"}) {
@@ -297,41 +307,45 @@ if ($result != "") {
 
     // highlight the row if it's been selected for updating
     if ($_REQUEST['noteid'] == $row_note_id) {
-        echo " <tr height=20 class='noterow highlightcolor' id='$row_note_id'>\n";
+        echo " <tr height=20 class='noterow highlightcolor' id='".htmlspecialchars( $row_note_id, ENT_QUOTES)."'>\n";
     }
     else {
-        echo " <tr class='noterow' id='$row_note_id'>\n";
+        echo " <tr class='noterow' id='".htmlspecialchars( $row_note_id, ENT_QUOTES)."'>\n";
     }
 
 
-	echo "  <td><a href='pnotes_full_add.php?trigger=edit&noteid=$row_note_id' class='css_button_small iframe'><span>". xl('Edit') ."</span></a>\n";
+	echo "  <td><a href='pnotes_full_add.php?trigger=edit&noteid=".htmlspecialchars( $row_note_id, ENT_QUOTES).
+	  "' class='css_button_small iframe'><span>". htmlspecialchars( xl('Edit'), ENT_NOQUOTES) ."</span></a>\n";
 
     // display, or not, a button to delete the note
     // if the user is an admin or if they are the author of the note, they can delete it
     $thisauth = acl_check('admin', 'super');
     if (($iter['user'] == $_SESSION['authUser']) || ($thisauth == 'write')) {
-	  echo " <a href='#' class='deletenote css_button_small' id='del$row_note_id' title='" . xl('Delete this note') . "'><span>" . xl('Delete') . "</span>\n";
+	  echo " <a href='#' class='deletenote css_button_small' id='del" . htmlspecialchars( $row_note_id, ENT_QUOTES) .
+	    "' title='" . htmlspecialchars( xl('Delete this note'), ENT_QUOTES) . "'><span>" .
+	    htmlspecialchars( xl('Delete'), ENT_NOQUOTES) . "</span>\n";
     }
     echo "  </td>\n";
 
 
     echo "  <td class='text bold'>\n";
-    echo "   <input type='hidden' name='act$row_note_id' value='1' />\n";
-    echo "   <input type='checkbox' name='chk$row_note_id' $checked />\n";
+    echo "   <input type='hidden' name='act".htmlspecialchars( $row_note_id, ENT_QUOTES)."' value='1' />\n";
+    echo "   <input type='checkbox' name='chk".htmlspecialchars( $row_note_id, ENT_QUOTES)."' $checked />\n";
     echo "  </td>\n";
 
     echo "  <td class='text bold'>\n";
     if ($docid) {
-      echo "   <input type='checkbox' name='lnk$row_note_id' $linked />\n";
+      echo "   <input type='checkbox' name='lnk".htmlspecialchars( $row_note_id, ENT_QUOTES)."' $linked />\n";
     }
     echo "  </td>\n";
 
-    echo "  <td class='bold notecell' id='$row_note_id'><a href='pnotes_full_add.php?trigger=edit&noteid=$row_note_id' class='iframe'>\n";
+    echo "  <td class='bold notecell' id='".htmlspecialchars( $row_note_id, ENT_QUOTES)."'>" .
+      "<a href='pnotes_full_add.php?trigger=edit&noteid=".htmlspecialchars( $row_note_id, ENT_QUOTES)."' class='iframe'>\n";
     // Modified 6/2009 by BM to incorporate the patient notes into the list_options listings
     echo generate_display_field(array('data_type'=>'1','list_id'=>'note_type'), $iter['title']);
     echo "  </a></td>\n";
 
-    echo "  <td class='notecell' id='$row_note_id'>\n";
+    echo "  <td class='notecell' id='".htmlspecialchars( $row_note_id, ENT_QUOTES)."'>\n";
     echo "   $body";
     echo "  </td>\n";
     echo " </tr>\n";
@@ -340,7 +354,7 @@ if ($result != "") {
   }
 } else {
   //no results
-  print "<tr><td colspan='3' class='text'>" . xl('None') . ".</td></tr>\n";
+  print "<tr><td colspan='3' class='text'>" . htmlspecialchars( xl('None'), ENT_NOQUOTES) . ".</td></tr>\n";
 }
 
 ?>
@@ -355,12 +369,12 @@ if ($result != "") {
 <?php
 if ($offset > ($N-1)) {
   echo "   <a class='link' href='pnotes_full.php" .
-    "?docid=$docid" .
-    "&form_active=$form_active" .
-    "&form_inactive=$form_inactive" .
-    "&form_doc_only=$form_doc_only" .
+    "?docid=" . htmlspecialchars( $docid, ENT_QUOTES) .
+    "&form_active=" . htmlspecialchars( $form_active, ENT_QUOTES) .
+    "&form_inactive=" . htmlspecialchars( $form_inactive, ENT_QUOTES) .
+    "&form_doc_only=" . htmlspecialchars( $form_doc_only, ENT_QUOTES) .
     "&offset=" . ($offset-$N) . "' onclick='top.restoreSession()'>[" .
-    xl('Previous') . "]</a>\n";
+    htmlspecialchars( xl('Previous'), ENT_NOQUOTES) . "]</a>\n";
 }
 ?>
   </td>
@@ -368,12 +382,12 @@ if ($offset > ($N-1)) {
 <?php
 if ($result_count == $N) {
   echo "   <a class='link' href='pnotes_full.php" .
-    "?docid=$docid" .
-    "&form_active=$form_active" .
-    "&form_inactive=$form_inactive" .
-    "&form_doc_only=$form_doc_only" .
+    "?docid=" . htmlspecialchars( $docid, ENT_QUOTES) .
+    "&form_active=" . htmlspecialchars( $form_active, ENT_QUOTES) .
+    "&form_inactive=" . htmlspecialchars( $form_inactive, ENT_QUOTES) .
+    "&form_doc_only=" . htmlspecialchars( $form_doc_only, ENT_QUOTES) .
     "&offset=" . ($offset+$N) . "' onclick='top.restoreSession()'>[" .
-    xl('Next') . "]</a>\n";
+    htmlspecialchars( xl('Next'), ENT_NOQUOTES) . "]</a>\n";
 }
 ?>
   </td>
@@ -390,7 +404,8 @@ if ($result_count == $N) {
 if ($GLOBALS['concurrent_layout'] && $_GET['set_pid']) {
   $ndata = getPatientData($pid, "fname, lname, pubpid");
 ?>
- parent.left_nav.setPatient(<?php echo "'" . addslashes($ndata['fname']) . " " . addslashes($ndata['lname']) . "',$pid,'" . addslashes($ndata['pubpid']) . "',window.name"; ?>);
+ parent.left_nav.setPatient(<?php echo "'" . htmlspecialchars( $ndata['fname']." ".$ndata['lname'], ENT_QUOTES) . "'," .
+   htmlspecialchars( $pid, ENT_QUOTES) . ",'" . htmlspecialchars( $ndata['pubpid'], ENT_QUOTES) . "',window.name"; ?>);
  parent.left_nav.setRadio(window.name, 'pno');
 <?php
 }
@@ -404,7 +419,7 @@ if ($noteid /* && $title == 'New Document' */ ) {
     $docid = $matches[1];
     $docname = $matches[2];
 ?>
- window.open('../../../controller.php?document&retrieve&patient_id=<?php echo $pid ?>&document_id=<?php echo $docid ?>&<?php echo $docname?>&as_file=true',
+ window.open('../../../controller.php?document&retrieve&patient_id=<?php echo htmlspecialchars( $pid, ENT_QUOTES); ?>&document_id=<?php echo htmlspecialchars( $docid, ENT_QUOTES); ?>&<?php echo htmlspecialchars( $docname, ENT_QUOTES);?>&as_file=true',
   '_blank', 'resizable=1,scrollbars=1,width=600,height=500');
 <?php
   }
@@ -456,11 +471,12 @@ $(document).ready(function(){
 
     var PrintNote = function () {
         top.restoreSession();
-        window.open('pnotes_print.php?noteid=<?php echo $noteid; ?>', '_blank', 'resizable=1,scrollbars=1,width=600,height=500');
+        window.open('pnotes_print.php?noteid=<?php echo htmlspecialchars( $noteid, ENT_QUOTES); ?>', '_blank', 'resizable=1,scrollbars=1,width=600,height=500');
     }
 
     var DeleteNote = function(note) {
-        if (confirm("<?php xl('Are you sure you want to delete this note?','e','','\n ') . xl('This action CANNOT be undone.','e'); ?>")) {
+        if (confirm("<?php echo htmlspecialchars( xl('Are you sure you want to delete this note?','','','\n '), ENT_QUOTES) .
+	  htmlspecialchars( xl('This action CANNOT be undone.'), ENT_QUOTES); ?>")) {
             top.restoreSession();
             // strip the 'del' part of the object's ID
             $("#noteid").val(note.id.replace(/del/, ""));
diff --git a/interface/patient_file/summary/pnotes_full_add.php b/interface/patient_file/summary/pnotes_full_add.php
index 567d94740..b62b4cb5a 100644
--- a/interface/patient_file/summary/pnotes_full_add.php
+++ b/interface/patient_file/summary/pnotes_full_add.php
@@ -4,6 +4,14 @@
 // as published by the Free Software Foundation; either version 2
 // of the License, or (at your option) any later version.
 
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 require_once("../../globals.php");
 require_once("$srcdir/pnotes.inc");
 require_once("$srcdir/patient.inc");
@@ -20,10 +28,10 @@ if ($GLOBALS['concurrent_layout'] && $_GET['set_pid']) {
 // Check authorization.
 $thisauth = acl_check('patients', 'notes');
 if ($thisauth != 'write' && $thisauth != 'addonly')
-    die(xl('Not authorized'));
+    die(htmlspecialchars( xl('Not authorized'), ENT_NOQUOTES));
 $tmp = getPatientData($pid, "squad");
 if ($tmp['squad'] && ! acl_check('squads', $tmp['squad']))
-    die(xl('Not authorized for this squad.'));
+    die(htmlspecialchars( xl('Not authorized for this squad.'), ENT_NOQUOTES));
 
 //the number of records to display per screen
 $N = 25;
@@ -73,8 +81,6 @@ if (isset($mode)) {
   }
   elseif ($mode == "new") {
     $note = $_POST['note'];
-    // The subroutine will do its own addslashes().
-    if (get_magic_quotes_gpc()) $note = stripslashes($note);
     if ($noteid) {
       updatePnote($noteid, $note, $_POST['form_note_type'], $_POST['assigned_to']);
       $noteid = '';
@@ -137,19 +143,19 @@ document.forms[0].submit();
 
 <div id="pnotes"> <!-- large outer DIV -->
 
-<form border='0' method='post' name='new_note' id="new_note" target="_parent" action='pnotes_full.php?docid=<?php echo $docid; ?>'>
+<form border='0' method='post' name='new_note' id="new_note" target="_parent" action='pnotes_full.php?docid=<?php echo htmlspecialchars( $docid, ENT_QUOTES); ?>'>
 
     <div>
         <div style='float:left; margin-right: 5px'>
-            <span class="title"><?php xl('Patient Note','e'); ?></span>
+            <span class="title"><?php echo htmlspecialchars( xl('Patient Note'), ENT_NOQUOTES); ?></span>
         </div>
         <div>
             <?php if ($noteid) { ?>
             <!-- existing note -->
-            <a href="#" class="css_button" id="printnote"><span><?php xl('Print','e'); ?></span></a>
+            <a href="#" class="css_button" id="printnote"><span><?php echo htmlspecialchars( xl('Print'), ENT_NOQUOTES); ?></span></a>
             <?php } ?>
             <a class="css_button large_button" id='cancel' href='javascript:;'>
-            <span class='css_button_span large_button_span'><?php xl('Cancel','e');?></span>
+            <span class='css_button_span large_button_span'><?php echo htmlspecialchars( xl('Cancel'), ENT_NOQUOTES);?></span>
             </a>
         </div>
     </div>
@@ -167,19 +173,20 @@ if ($docid) {
 <input type='hidden' name='mode' id="mode" value="new">
 <input type='hidden' name='trigger' id="trigger" value="add">
 <input type='hidden' name='offset' id="offset" value="<?php echo $offset ?>">
-<input type='hidden' name='form_active' id="form_active" value="<?php echo $form_active ?>">
-<input type='hidden' name='form_inactive' id="form_inactive" value="<?php echo $form_inactive ?>">
-<input type='hidden' name='noteid' id="noteid" value="<?php echo $noteid ?>">
-<input type='hidden' name='form_doc_only' id="form_doc_only" value="<?php echo $form_doc_only ?>">
+<input type='hidden' name='form_active' id="form_active" value="<?php echo htmlspecialchars( $form_active, ENT_QUOTES) ?>">
+<input type='hidden' name='form_inactive' id="form_inactive" value="<?php echo htmlspecialchars( $form_inactive, ENT_QUOTES) ?>">
+<input type='hidden' name='noteid' id="noteid" value="<?php echo htmlspecialchars( $noteid, ENT_QUOTES) ?>">
+<input type='hidden' name='form_doc_only' id="form_doc_only" value="<?php echo htmlspecialchars( $form_doc_only, ENT_QUOTES) ?>">
 <table border='0' cellspacing='8'>
  <tr>
   <td class='text'>
     <?php
      if ($noteid) {
        // Modified 6/2009 by BM to incorporate the patient notes into the list_options listings
-       echo xl('Amend Existing Note')."<b> &quot;" . generate_display_field(array('data_type'=>'1','list_id'=>'note_type'), $title) . "&quot;</b>\n";
+       echo htmlspecialchars( xl('Amend Existing Note'), ENT_NOQUOTES) . 
+         "<b> &quot;" . generate_display_field(array('data_type'=>'1','list_id'=>'note_type'), $title) . "&quot;</b>\n";
      } else {
-       echo xl('Add New Note')."\n";
+       echo htmlspecialchars( xl('Add New Note'), ENT_NOQUOTES) . "\n";
      }
     ?>
   </td>
@@ -188,21 +195,21 @@ if ($docid) {
   <td class='text'>
     <br/>
 
-   <b><?php xl('Type','e'); ?>:</b>
+   <b><?php echo htmlspecialchars( xl('Type'), ENT_NOQUOTES); ?>:</b>
    <?php
    // Added 6/2009 by BM to incorporate the patient notes into the list_options listings
     generate_form_field(array('data_type'=>1,'field_id'=>'note_type','list_id'=>'note_type','empty_title'=>'SKIP'), $title);
    ?>
    &nbsp; &nbsp;
-   <b><?php xl('To','e'); ?>:</b>
+   <b><?php echo htmlspecialchars( xl('To'), ENT_NOQUOTES); ?>:</b>
    <select name='assigned_to'>
-    <option value=''>** <?php xl('Close','e'); ?> **</option>
+    <option value=''>** <?php echo htmlspecialchars( xl('Close'), ENT_NOQUOTES); ?> **</option>
 <?php
  while ($urow = sqlFetchArray($ures)) {
-  echo "    <option value='" . $urow['username'] . "'";
+  echo "    <option value='" . htmlspecialchars( $urow['username'], ENT_QUOTES) . "'";
   if ($urow['username'] == $assigned_to) echo " selected";
-  echo ">" . $urow['lname'];
-  if ($urow['fname']) echo ", " . $urow['fname'];
+  echo ">" . htmlspecialchars( $urow['lname'], ENT_NOQUOTES);
+  if ($urow['fname']) echo htmlspecialchars( ", ".$urow['fname'], ENT_NOQUOTES);
   echo "</option>\n";
  }
 ?>
@@ -214,7 +221,7 @@ if ($docid) {
 <?php
 if ($noteid) {
     $body = $prow['body'];
-    $body = nl2br($body);
+    $body = nl2br(htmlspecialchars( $body, ENT_NOQUOTES));
     echo "<div class='text'>".$body."</div>";
 }
 ?>
@@ -223,10 +230,10 @@ if ($noteid) {
 
     <?php if ($noteid) { ?>
     <!-- existing note -->
-    <a href="#" class="css_button" id="newnote" title="<?php xl('Add as a new note','e'); ?>" ><span><?php xl('Save as new note','e'); ?></span></a>
-    <a href="#" class="css_button" id="appendnote" title="<?php xl('Append to the existing note','e'); ?>"><span><?php xl('Append this note','e'); ?></span></a>
+    <a href="#" class="css_button" id="newnote" title="<?php echo htmlspecialchars( xl('Add as a new note'), ENT_QUOTES); ?>" ><span><?php echo htmlspecialchars( xl('Save as new note'), ENT_NOQUOTES); ?></span></a>
+    <a href="#" class="css_button" id="appendnote" title="<?php echo htmlspecialchars( xl('Append to the existing note'), ENT_QUOTES); ?>"><span><?php echo htmlspecialchars( xl('Append this note'), ENT_NOQUOTES); ?></span></a>
     <?php } else { ?>
-    <a href="#" class="css_button" id="newnote" title="<?php xl('Add as a new note','e'); ?>" ><span><?php xl('Save as new note','e'); ?></span></a>
+    <a href="#" class="css_button" id="newnote" title="<?php echo htmlspecialchars( xl('Add as a new note'), ENT_QUOTES); ?>" ><span><?php echo htmlspecialchars( xl('Save as new note'), ENT_NOQUOTES); ?></span></a>
     <?php } ?>
 
   </td>
@@ -235,7 +242,7 @@ if ($noteid) {
 <br>
 </form>
 <form border='0' method='post' name='update_activity' id='update_activity'
- action="pnotes_full.php?docid=<?php echo $docid; ?>">
+ action="pnotes_full.php?docid=<?php echo htmlspecialchars( $docid, ENT_QUOTES); ?>">
 
 <!-- start of previous notes DIV -->
 <div class=pat_notes>
@@ -252,12 +259,12 @@ if ($noteid) {
 <?php
 if ($offset > ($N-1)) {
   echo "   <a class='link' href='pnotes_full.php" .
-    "?docid=$docid" .
-    "&form_active=$form_active" .
-    "&form_inactive=$form_inactive" .
-    "&form_doc_only=$form_doc_only" .
+    "?docid=" . htmlspecialchars( $docid, ENT_QUOTES) .
+    "&form_active=" . htmlspecialchars( $form_active, ENT_QUOTES) .
+    "&form_inactive=" . htmlspecialchars( $form_inactive, ENT_QUOTES) .
+    "&form_doc_only=" . htmlspecialchars( $form_doc_only, ENT_QUOTES) .
     "&offset=" . ($offset-$N) . "' onclick='top.restoreSession()'>[" .
-    xl('Previous') . "]</a>\n";
+    htmlspecialchars( xl('Previous'), ENT_NOQUOTES) . "]</a>\n";
 }
 ?>
   </td>
@@ -265,12 +272,12 @@ if ($offset > ($N-1)) {
 <?php
 if ($result_count == $N) {
   echo "   <a class='link' href='pnotes_full.php" .
-    "?docid=$docid" .
-    "&form_active=$form_active" .
-    "&form_inactive=$form_inactive" .
-    "&form_doc_only=$form_doc_only" .
+    "?docid=" . htmlspecialchars( $docid, ENT_QUOTES) .
+    "&form_active=" . htmlspecialchars( $form_active, ENT_QUOTES) .
+    "&form_inactive=" . htmlspecialchars( $form_inactive, ENT_QUOTES) .
+    "&form_doc_only=" . htmlspecialchars( $form_doc_only, ENT_QUOTES) .
     "&offset=" . ($offset+$N) . "' onclick='top.restoreSession()'>[" .
-    xl('Next') . "]</a>\n";
+    htmlspecialchars( xl('Next'), ENT_NOQUOTES) . "]</a>\n";
 }
 ?>
   </td>
@@ -285,7 +292,7 @@ if ($result_count == $N) {
 if ($GLOBALS['concurrent_layout'] && $_GET['set_pid']) {
   $ndata = getPatientData($pid, "fname, lname, pubpid");
 ?>
- parent.left_nav.setPatient(<?php echo "'" . addslashes($ndata['fname']) . " " . addslashes($ndata['lname']) . "',$pid,'" . addslashes($ndata['pubpid']) . "',window.name"; ?>);
+ parent.left_nav.setPatient(<?php echo "'" . htmlspecialchars( $ndata['fname']." ".$ndata['lname'], ENT_QUOTES) . "',$pid,'" . htmlspecialchars( $ndata['pubpid'], ENT_QUOTES) . "',window.name"; ?>);
  parent.left_nav.setRadio(window.name, 'pno');
 <?php
 }
@@ -299,7 +306,7 @@ if ($noteid /* && $title == 'New Document' */ ) {
     $docid = $matches[1];
     $docname = $matches[2];
 ?>
- window.open('../../../controller.php?document&retrieve&patient_id=<?php echo $pid ?>&document_id=<?php echo $docid ?>&<?php echo $docname?>&as_file=true',
+ window.open('../../../controller.php?document&retrieve&patient_id=<?php echo htmlspecialchars( $pid, ENT_QUOTES) ?>&document_id=<?php echo htmlspecialchars( $docid, ENT_QUOTES) ?>&<?php echo htmlspecialchars( $docname, ENT_QUOTES)?>&as_file=true',
   '_blank', 'resizable=1,scrollbars=1,width=600,height=500');
 <?php
   }
@@ -351,11 +358,11 @@ $(document).ready(function(){
 
     var PrintNote = function () {
         top.restoreSession();
-        window.open('pnotes_print.php?noteid=<?php echo $noteid; ?>', '_blank', 'resizable=1,scrollbars=1,width=600,height=500');
+        window.open('pnotes_print.php?noteid=<?php echo htmlspecialchars( $noteid, ENT_QUOTES); ?>', '_blank', 'resizable=1,scrollbars=1,width=600,height=500');
     }
 
     var DeleteNote = function(note) {
-        if (confirm("<?php xl('Are you sure you want to delete this note?','e','','\n ') . xl('This action CANNOT be undone.','e'); ?>")) {
+        if (confirm("<?php echo htmlspecialchars( xl('Are you sure you want to delete this note?','','','\n ').xl('This action CANNOT be undone.'), ENT_QUOTES); ?>")) {
             top.restoreSession();
             // strip the 'del' part of the object's ID
             $("#noteid").val(note.id.replace(/del/, ""));
diff --git a/interface/patient_file/summary/pnotes_print.php b/interface/patient_file/summary/pnotes_print.php
index 316ef91a4..ab8e5859b 100644
--- a/interface/patient_file/summary/pnotes_print.php
+++ b/interface/patient_file/summary/pnotes_print.php
@@ -1,4 +1,13 @@
 <?php
+
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
  include_once("../../globals.php");
  include_once("$srcdir/pnotes.inc");
  include_once("$srcdir/patient.inc");
@@ -10,9 +19,9 @@
  // Check authorization.
  $thisauth = acl_check('patients', 'notes');
  if (!$thisauth)
-  die(xl('Not authorized'));
+  die(htmlspecialchars( xl('Not authorized'), ENT_NOQUOTES));
  if ($prow['squad'] && ! acl_check('squads', $prow['squad']))
-  die(xl('Not authorized for this squad.'));
+  die(htmlspecialchars( xl('Not authorized for this squad.'), ENT_NOQUOTES));
 
 $noteid = $_REQUEST['noteid'];
 
@@ -41,13 +50,14 @@ if ($noteid) {
 
 <p><?php echo "<b>" .
   generate_display_field(array('data_type'=>'1','list_id'=>'note_type'), $title) .
-  "</b>" . xl('for','',' ',' ') . "<b>$ptname</b>"; ?></p>
+  "</b>" . htmlspecialchars( xl('for','',' ',' '), ENT_NOQUOTES) .
+  "<b>" . htmlspecialchars( $ptname, ENT_NOQUOTES) . "</b>"; ?></p>
 
-<p><?php xl('Assigned To','e'); ?>: <?php echo $assigned_to; ?></p>
+<p><?php echo htmlspecialchars( xl('Assigned To'), ENT_NOQUOTES); ?>: <?php echo htmlspecialchars( $assigned_to, ENT_NOQUOTES); ?></p>
 
-<p><?php xl('Active','e'); ?>: <?php echo $activity ? xl('Yes') : xl('No'); ?></p>
+<p><?php echo htmlspecialchars( xl('Active'), ENT_NOQUOTES); ?>: <?php echo htmlspecialchars( ($activity ? xl('Yes') : xl('No')), ENT_NOQUOTES); ?></p>
 
-<p><?php echo nl2br($body); ?></p>
+<p><?php echo nl2br(htmlspecialchars( $body, ENT_NOQUOTES)); ?></p>
 
 <script language='JavaScript'>
 window.print();
diff --git a/library/gprelations.inc.php b/library/gprelations.inc.php
index 78d2ad8b3..406e0c0b6 100644
--- a/library/gprelations.inc.php
+++ b/library/gprelations.inc.php
@@ -27,8 +27,8 @@
 
 function isGpRelation($type1, $id1, $type2, $id2) {
   $tmp = sqlQuery("SELECT count(*) AS count FROM gprelations WHERE " .
-    "type1 = $type1 AND id1 = $id1 AND " .
-    "type2 = $type2 AND id2 = $id2");
+    "type1 = ? AND id1 = ? AND " .
+    "type2 = ? AND id2 = ?", array($type1, $id1, $type2, $id2) );
   return !empty($tmp['count']);
 }
 
@@ -36,14 +36,14 @@ function setGpRelation($type1, $id1, $type2, $id2, $set=TRUE) {
   if (isGpRelation($type1, $id1, $type2, $id2)) {
     if (!$set) {
       sqlStatement("DELETE FROM gprelations WHERE " .
-        "type1 = $type1 AND id1 = $id1 AND type2 = $type2 AND id2 = $id2");
+        "type1 = ? AND id1 = ? AND type2 = ? AND id2 = ?", array($type1, $id1, $type2, $id2) );
     }
   }
   else {
     if ($set) {
       sqlStatement("INSERT INTO gprelations " .
         "( type1, id1, type2, id2 ) VALUES " .
-        "( $type1, $id1, $type2, $id2 )");
+        "( ?, ?, ?, ? )", array($type1, $id1, $type2, $id2) );
     }
   }
 }
diff --git a/library/pnotes.inc b/library/pnotes.inc
index 3a302b37d..286734b82 100644
--- a/library/pnotes.inc
+++ b/library/pnotes.inc
@@ -10,9 +10,9 @@ require_once("{$GLOBALS['srcdir']}/sql.inc");
 
 function getPnoteById($id, $cols = "*")
 {
-  return sqlQuery("SELECT $cols FROM pnotes WHERE id='$id' " .
+  return sqlQuery("SELECT $cols FROM pnotes WHERE id=? " .
     " AND deleted != 1 ". // exclude ALL deleted notes
-    "order by date DESC limit 0,1");
+    "order by date DESC limit 0,1", array($id) );
 }
 
 function getPnotesByDate($date, $activity = "1", $cols = "*", $pid = "%",
@@ -31,8 +31,10 @@ $sqlParameterArray = array();
     array_push($sqlParameterArray, '%'.$date.'%', $pid);
   }
   $sql .= " AND deleted != 1"; // exclude ALL deleted notes
-  if ($activity != "all")
-    $sql .= " AND activity = '$activity'";
+  if ($activity != "all") {
+    $sql .= " AND activity = ?";
+    array_push($sqlParameterArray, $activity);
+  }
   if ($username) {
     $sql .= " AND assigned_to LIKE ?";
     array_push($sqlParameterArray, $username);
@@ -62,21 +64,20 @@ function getPnotesByPid ($pid, $activity = "1", $cols = "*", $limit=10, $start=0
 }
 
 function addPnote($pid, $newtext, $authorized = '0', $activity = '1',
-  $title='Unassigned', $assigned_to = '', $datetime = '')
+  $title='Unassigned', $assigned_to = '', $datetime = '', $message_status = "New")
 {
   if (empty($datetime)) $datetime = date('Y-m-d H:i:s');
 
   $body = date('Y-m-d H:i') . ' (' . $_SESSION['authUser'];
   if ($assigned_to) $body .= " to $assigned_to";
-  $body = addslashes($body . ') ' . $newtext);
+  $body = $body . ') ' . $newtext;
 
   return sqlInsert("INSERT INTO pnotes (date, body, pid, user, groupname, " .
-    "authorized, activity, title, assigned_to) VALUES ('$datetime', '$body', '$pid', '" .
-    $_SESSION['authUser'] . "', '". $_SESSION['authProvider'] .
-    "', '$authorized', '$activity', '$title', '$assigned_to')");
+    "authorized, activity, title, assigned_to, message_status) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
+    array($datetime, $body, $pid, $_SESSION['authUser'], $_SESSION['authProvider'], $authorized, $activity, $title, $assigned_to, $message_status) );
 }
 
-function updatePnote($id, $newtext, $title, $assigned_to)
+function updatePnote($id, $newtext, $title, $assigned_to, $message_status = "")
 {
   $row = getPnoteById($id);
   if (! $row) die("updatePnote() did not find id '$id'");
@@ -85,11 +86,25 @@ function updatePnote($id, $newtext, $title, $assigned_to)
   $body = $row['body'] . "\n" . date('Y-m-d H:i') .
     ' (' . $_SESSION['authUser'];
   if ($assigned_to) $body .= " to $assigned_to";
-  $body = addslashes($body . ') ' . $newtext);
+  $body = $body . ') ' . $newtext;
 
-  sqlStatement("UPDATE pnotes SET " .
-    "body = '$body', activity = '$activity', title='$title', " .
-    "assigned_to = '$assigned_to' WHERE id = '$id'");
+  if ($message_status) {
+    sqlStatement("UPDATE pnotes SET " .
+      "body = ?, activity = ?, title= ?, " .
+      "assigned_to = ?, message_status = ? WHERE id = ?",
+      array($body, $activity, $title, $assigned_to, $message_status, $id) );
+  }
+  else {
+    sqlStatement("UPDATE pnotes SET " .
+      "body = ?, activity = ?, title= ?, " .
+      "assigned_to = ? WHERE id = ?",
+      array($body, $activity, $title, $assigned_to, $id) );
+  }
+}
+
+function updatePnoteMessageStatus($id, $message_status)
+{
+  sqlStatement("update pnotes set message_status = ? where id = ?", array($message_status, $id) );
 }
 
 function authorizePnote($id, $authorized = "1")
@@ -99,19 +114,19 @@ function authorizePnote($id, $authorized = "1")
 
 function disappearPnote($id)
 {
-  sqlStatement("UPDATE pnotes SET activity = '0' WHERE id='$id'");
+  sqlStatement("UPDATE pnotes SET activity = '0' WHERE id=?", array($id) );
   return true;
 }
 
 function reappearPnote ($id)
 {
-  sqlStatement("UPDATE pnotes SET activity = '1' WHERE id='$id'");
+  sqlStatement("UPDATE pnotes SET activity = '1' WHERE id=?", array($id) );
   return true;
 }
 
 function deletePnote($id)
 {
-  sqlStatement("UPDATE pnotes SET deleted = '1' WHERE id='$id'");
+  sqlStatement("UPDATE pnotes SET deleted = '1' WHERE id=?", array($id) );
   return true;
 }
 ?>
-- 
2.11.4.GIT