From 2832659d134dd690ea8441959eb3e79e782b043c Mon Sep 17 00:00:00 2001
From: bradymiller <bradymiller@users.sourceforge.net>
Date: Fri, 26 Feb 2016 02:33:54 -0800
Subject: [PATCH] Converted problem_encounter.php to standard security model,
 take 2.

---
 interface/patient_file/problem_encounter.php | 79 +++++++++++++++-------------
 1 file changed, 42 insertions(+), 37 deletions(-)

diff --git a/interface/patient_file/problem_encounter.php b/interface/patient_file/problem_encounter.php
index a7a0208d1..f604cc655 100644
--- a/interface/patient_file/problem_encounter.php
+++ b/interface/patient_file/problem_encounter.php
@@ -5,6 +5,7 @@
  *
  * Copyright (C) 2005 Rod Roark <rod@sunsetsystems.com>
  * Copyright (C) 2015 Roberto Vasquez <robertogagliotta@gmail.com>
+ * Copyright (C) 2015 Brady Miller <brady@sparmy.com>
  * 
  * LICENSE: This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -20,9 +21,13 @@
  * @package OpenEMR
  * @author  Rod Roark <rod@sunsetsystems.com>
  * @author  Roberto Vasquez <robertogagliotta@gmail.com>
+ * @author  Brady Miller <brady@sparmy.com>
  * @link    http://www.open-emr.org
  */
 
+ $fake_register_globals=false;
+ $sanitize_all_escapes=true;
+
  include_once("../globals.php");
  include_once("$srcdir/patient.inc");
  include_once("$srcdir/acl.inc");
@@ -39,7 +44,7 @@
 
  if (!$thisauth) {
   echo "<html>\n<body>\n";
-  echo "<p>" .xl('You are not authorized for this.'). "</p>\n";
+  echo "<p>" .xlt('You are not authorized for this.'). "</p>\n";
   echo "</body>\n</html>\n";
   exit();
  }
@@ -71,28 +76,28 @@
   }
 
   echo "<html><body><script language='JavaScript'>\n";
-  if ($alertmsg) echo " alert('$alertmsg');\n";
+  if ($alertmsg) echo " alert('" . addslashes($alertmsg) . "');\n";
   echo " window.close();\n";
   echo "</script></body></html>\n";
   exit();
  }
 
  // get problems
- $pres = sqlStatement("SELECT * FROM lists WHERE pid = $pid " .
-  "ORDER BY type, date");
+ $pres = sqlStatement("SELECT * FROM lists WHERE pid = ? " .
+  "ORDER BY type, date", array($pid));
 
  // get encounters
- $eres = sqlStatement("SELECT * FROM form_encounter WHERE pid = $pid " .
-  "ORDER BY date DESC");
+ $eres = sqlStatement("SELECT * FROM form_encounter WHERE pid = ? " .
+  "ORDER BY date DESC", array($pid));
 
  // get problem/encounter relations
- $peres = sqlStatement("SELECT * FROM issue_encounter WHERE pid = $pid");
+ $peres = sqlStatement("SELECT * FROM issue_encounter WHERE pid = ?", array($pid));
 ?>
 <html>
 <head>
 <?php html_header_show();?>
 <link rel=stylesheet href="<?php echo $css_header; ?>" type="text/css">
-<title><?php xl('Issues and Encounters','e'); ?></title>
+<title><?php echo xlt('Issues and Encounters'); ?></title>
 
 <style>
 tr.head   { font-size:10pt; background-color:#cccccc; text-align:center; }
@@ -136,7 +141,7 @@ function newIssue() {
 function newEncounter() {
  var f = document.forms[0];
  if (!f.form_save.disabled) {
-  if (!confirm('This will abandon your unsaved changes.  Are you sure?'))
+  if (!confirm('<?php echo xls('This will abandon your unsaved changes. Are you sure?'); ?>'))
    return;
  }
  top.restoreSession();
@@ -263,7 +268,7 @@ function doclick(pfx, id) {
     if (pfx == 'p') addPair(id, keyid); else addPair(keyid, id);
    }
   } else {
-   alert('You must first select an item in the section whose radio button is checked.');
+   alert('<?php echo xls('You must first select an item in the section whose radio button is checked.') ;?>');
   }
  }
 }
@@ -275,13 +280,13 @@ function doclick(pfx, id) {
  bgcolor='#ffffff' onunload='imclosing()'>
 <form method='post' action='problem_encounter.php' onsubmit='return top.restoreSession()'>
 <?php
- echo "<input type='hidden' name='form_pid' value='$pid' />\n";
+ echo "<input type='hidden' name='form_pid' value='" . attr($pid) . "' />\n";
  // pelist looks like /problem,encounter/problem,encounter/[...].
  echo "<input type='hidden' name='form_pelist' value='/";
  while ($row = sqlFetchArray($peres)) {
   // echo $row['list_id'] . "," . $row['encounter'] . "," .
   //  ($row['resolved'] ? "Y" : "N") . "/";
-  echo $row['list_id'] . "," . $row['encounter'] . "/";
+  echo text($row['list_id']) . "," . text($row['encounter']) . "/";
  }
  echo "' />\n";
 ?>
@@ -290,7 +295,7 @@ function doclick(pfx, id) {
 
  <tr>
   <td colspan='2' align='center'>
-   <b><?php xl('Issues and Encounters for','e'); ?> <?php echo $patdata['fname'] . " " . $patdata['lname'] . " ($pid)</b>\n"; ?>
+   <b><?php echo xlt('Issues and Encounters for'); ?> <?php echo text($patdata['fname']) . " " . text($patdata['lname']) . " (" . text($pid) . ")</b>\n"; ?>
   </td>
  </tr>
 
@@ -300,23 +305,23 @@ function doclick(pfx, id) {
     <tr class='head'>
      <td colspan='3' align='center'>
       <input type='radio' name='form_key' value='p' onclick='clearall()' checked />
-      <b><?php xl('Issues Section','e'); ?></b>
+      <b><?php echo xlt('Issues Section'); ?></b>
      </td>
     </tr>
     <tr class='head'>
-     <td><?php xl('Type','e'); ?></td>
-     <td><?php xl('Title','e'); ?></td>
-     <td><?php xl('Description','e'); ?></td>
+     <td><?php echo xlt('Type'); ?></td>
+     <td><?php echo xlt('Title'); ?></td>
+     <td><?php echo xlt('Description'); ?></td>
     </tr>
 <?php
  while ($row = sqlFetchArray($pres)) {
   $rowid = $row['id'];
-  echo "    <tr class='detail' id='p_$rowid' onclick='doclick(\"p\", $rowid)'>\n";
-  echo "     <td valign='top'>" . $ISSUE_TYPES[($row['type'])][1] . "</td>\n";
-  echo "     <td valign='top'>" . $row['title'] . "</td>\n";
-  echo "     <td valign='top'>" . $row['comments'] . "</td>\n";
+  echo "    <tr class='detail' id='p_" . attr($rowid) . "' onclick='doclick(\"p\", " . attr(addslashes($rowid)) . ")'>\n";
+  echo "     <td valign='top'>" . text($ISSUE_TYPES[($row['type'])][1]) . "</td>\n";
+  echo "     <td valign='top'>" . text($row['title']) . "</td>\n";
+  echo "     <td valign='top'>" . text($row['comments']) . "</td>\n";
   echo "    </tr>\n";
-  $endjs .= "pselected['$rowid'] = '';\n";
+  $endjs .= "pselected['" . attr($rowid) . "'] = '';\n";
  }
 ?>
    </table>
@@ -326,21 +331,21 @@ function doclick(pfx, id) {
     <tr class='head'>
      <td colspan='2' align='center'>
       <input type='radio' name='form_key' value='e' onclick='clearall()' />
-      <b><?php xl('Encounters Section','e'); ?></b>
+      <b><?php echo xlt('Encounters Section'); ?></b>
      </td>
     </tr>
     <tr class='head'>
-     <td><?php xl('Date','e'); ?></td>
-     <td><?php xl('Presenting Complaint','e'); ?></td>
+     <td><?php echo xlt('Date'); ?></td>
+     <td><?php echo xlt('Presenting Complaint'); ?></td>
     </tr>
 <?php
  while ($row = sqlFetchArray($eres)) {
   $rowid = $row['encounter'];
-  echo "    <tr class='detail' id='e_$rowid' onclick='doclick(\"e\", $rowid)'>\n";
-  echo "     <td valign='top'>" . substr($row['date'], 0, 10) . "</td>\n";
-  echo "     <td valign='top'>" . $row['reason'] . "</td>\n";
+  echo "    <tr class='detail' id='e_" . attr($rowid) . "' onclick='doclick(\"e\", " . attr(addslashes($rowid)) . ")'>\n";
+  echo "     <td valign='top'>" . text(substr($row['date'], 0, 10)) . "</td>\n";
+  echo "     <td valign='top'>" . text($row['reason']) . "</td>\n";
   echo "    </tr>\n";
-  $endjs .= "eselected['$rowid'] = '';\n";
+  $endjs .= "eselected['" . attr($rowid) . "'] = '';\n";
  }
 ?>
    </table>
@@ -349,12 +354,12 @@ function doclick(pfx, id) {
 
  <tr>
   <td colspan='2' align='center'>
-   <input type='submit' name='form_save' value='<?php xl('Save','e'); ?>' disabled /> &nbsp;
-   <input type='button' value='<?php xl('Add Issue','e'); ?>' onclick='newIssue()' />
+   <input type='submit' name='form_save' value='<?php echo xla('Save'); ?>' disabled /> &nbsp;
+   <input type='button' value='<?php echo xla('Add Issue'); ?>' onclick='newIssue()' />
 <?php if (!$GLOBALS['concurrent_layout']) { ?>
-   <input type='button' value='<?php xl('Add Encounter','e'); ?>' onclick='newEncounter()' />
+   <input type='button' value='<?php echo xla('Add Encounter'); ?>' onclick='newEncounter()' />
 <?php } ?>
-   <input type='button' value='<?php xl('Cancel','e'); ?>' onclick='window.close()' />
+   <input type='button' value='<?php echo xla('Cancel'); ?>' onclick='window.close()' />
   </td>
  </tr>
 
@@ -362,18 +367,18 @@ function doclick(pfx, id) {
 
 </form>
 
-<p><b><?php xl('Instructions:','e'); ?></b> <?php xl('Choose a section and click an item within it; then in
+<p><b><?php echo xlt('Instructions:'); ?></b> <?php echo xlt('Choose a section and click an item within it; then in
 the other section you will see the related items highlighted, and you can click
-in that section to add and delete relationships.','e'); ?>
+in that section to add and delete relationships.'); ?>
 </p>
 
 <script>
 <?php
  echo $endjs;
  if ($_REQUEST['issue']) {
-  echo "doclick('p', " . attr($_REQUEST['issue']) . ");\n";
+  echo "doclick('p', " . attr(addslashes($_REQUEST['issue'])) . ");\n";
  }
- if ($alertmsg) echo "alert('$alertmsg');\n";
+ if ($alertmsg) echo "alert('" . addslashes($alertmsg) . "');\n";
 ?>
 </script>
 </body>
-- 
2.11.4.GIT