From 60de8b6c245290115aadf53eb37443a40881262e Mon Sep 17 00:00:00 2001
From: Brady Miller <brady.g.miller@gmail.com>
Date: Fri, 16 Nov 2018 23:12:20 -0800
Subject: [PATCH] bug fixes (#1978)

---
 interface/patient_tracker/patient_tracker.php      | 703 +++++++++++----------
 .../patient_tracker/patient_tracker_status.php     |  15 +-
 library/ajax/drug_screen_completed.php             |  72 +--
 3 files changed, 398 insertions(+), 392 deletions(-)
 rewrite library/ajax/drug_screen_completed.php (69%)

diff --git a/interface/patient_tracker/patient_tracker.php b/interface/patient_tracker/patient_tracker.php
index 19c3a885f..a7600fb50 100644
--- a/interface/patient_tracker/patient_tracker.php
+++ b/interface/patient_tracker/patient_tracker.php
@@ -10,8 +10,9 @@
  * @link    http://www.open-emr.org
  * @author  Terry Hill <terry@lilysystems.com>
  * @author  Brady Miller <brady.g.miller@gmail.com>
+ * @author  Ray Magauran <magauran@medexbank.com>
  * @copyright Copyright (c) 2015-2017 Terry Hill <terry@lillysystems.com>
- * @copyright Copyright (c) 2017 Brady Miller <brady.g.miller@gmail.com>
+ * @copyright Copyright (c) 2017-2018 Brady Miller <brady.g.miller@gmail.com>
  * @copyright Copyright (c) 2017 Ray Magauran <magauran@medexbank.com>
  * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  */
@@ -25,6 +26,12 @@ require_once "$srcdir/MedEx/API.php";
 
 use OpenEMR\Core\Header;
 
+if (!empty($_POST)) {
+    if (!verifyCsrfToken($_POST["csrf_token_form"])) {
+        csrfNotVerified();
+    }
+}
+
 // These settings are sticky user preferences linked to a given page.
 // mdsupport - user_settings prefix
 $uspfx = substr(__FILE__, strlen($webserver_root)) . '.';
@@ -261,8 +268,9 @@ if (!$_REQUEST['flb_table']) {
                 ?>
                 <br/>
                 <form name="flb" id="flb" method="post">
+                    <input type="hidden" name="csrf_token_form" value="<?php echo attr(collectCsrfToken()); ?>" />
                     <div class=" text-center row divTable" style="width: 85%;padding: 10px 10px 0;margin: 10px auto;">
-                        <div class="col-sm-<?php echo $col_width; ?> text-center" style="margin-top:15px;">
+                        <div class="col-sm-<?php echo attr($col_width); ?> text-center" style="margin-top:15px;">
                             <select id="form_apptcat" name="form_apptcat" class="form-group ui-selectmenu-button ui-button ui-widget ui-selectmenu-button-closed ui-corner-all"
                                     onchange="refineMe('apptcat');" title="">
                                 <?php
@@ -300,7 +308,7 @@ if (!$_REQUEST['flb_table']) {
                                    value="<?php echo ($form_patient_name) ? attr($form_patient_name) : ""; ?>"
                                    onKeyUp="refineMe();">
                         </div>
-                        <div class="col-sm-<?php echo $col_width; ?> text-center" style="margin-top:15px;">
+                        <div class="col-sm-<?php echo attr($col_width); ?> text-center" style="margin-top:15px;">
                             <select class="form-group ui-selectmenu-button ui-button ui-widget ui-selectmenu-button-closed ui-corner-all" id="form_facility" name="form_facility"
                                 <?php
                                 $fac_sql = sqlStatement("SELECT * FROM facility ORDER BY id");
@@ -352,7 +360,7 @@ if (!$_REQUEST['flb_table']) {
                                    value="<?php echo ($form_patient_id) ? attr($form_patient_id) : ""; ?>"
                                    onKeyUp="refineMe();">
                         </div>
-                        <div class="col-sm-<?php echo $col_width; ?>">
+                        <div class="col-sm-<?php echo attr($col_width); ?>">
                             <div style="margin: 0 auto;" class="input-append">
                                 <table class="table-hover table-condensed" style="margin:0 auto;">
                                     <?php
@@ -387,7 +395,7 @@ if (!$_REQUEST['flb_table']) {
                                     </tr>
                                     <tr>
                                         <td class="text-center" colspan="2">
-                                            <a  id="filter_submit" class="btn btn-primary"><?php echo xla('Filter'); ?></a>
+                                            <a  id="filter_submit" class="btn btn-primary"><?php echo xlt('Filter'); ?></a>
                                             <input type="hidden" id="kiosk" name="kiosk"
                                                    value="<?php echo attr($_REQUEST['kiosk']); ?>">
                                         </td>
@@ -395,7 +403,7 @@ if (!$_REQUEST['flb_table']) {
                                 </table>
                             </div>
                         </div>
-                        <div class="col-sm-<?php echo $col_width . " " . $last_col_width; ?> text-center">
+                        <div class="col-sm-<?php echo attr($col_width) . " " . attr($last_col_width); ?> text-center">
                             <?php
                             if ($GLOBALS['medex_enable'] == '1') {
                                 ?>
@@ -462,7 +470,7 @@ if (!$_REQUEST['flb_table']) {
 
                   <label for='setting_new_window' id='settings'>
                     <input type='checkbox' name='setting_new_window' id='setting_new_window'
-                           value='<?php echo $setting_new_window; ?>' <?php echo $setting_new_window; ?> />
+                           value='<?php echo attr($setting_new_window); ?>' <?php echo attr($setting_new_window); ?> />
                         <?php echo xlt('Open Patient in New Window'); ?>
                   </label>
                   <a id='refreshme'><i class="fa fa-refresh fa-2x fa-fw">&nbsp;</i></a>
@@ -478,7 +486,7 @@ if (!$_REQUEST['flb_table']) {
 
                 <?php if ($GLOBALS['new_tabs_layout']) { ?>
                   <a class='btn btn-primary' onclick="kiosk_FLB();"> <?php echo xlt('Kiosk'); ?> </a>
-                    <?php } ?>
+                <?php } ?>
                 </span>
             </div>
 
@@ -656,10 +664,11 @@ if (!$_REQUEST['flb_table']) {
                                 if (($row['msg_reply'] == "CALL") && (!$CALLED)) {
                                     $icon_here = '';
                                     $icon_4_CALL = $icons[$row['msg_type']]['CALL']['html'];
-                                    $icon_CALL = "<span onclick=\"doCALLback('" . attr($date_squash) . "','" . attr($appointment['eid']) . "','" . attr($appointment['pc_cattype']) . "')\">" . $icon_4_CALL . "</span>
+                                    $icon_CALL = "<span onclick=\"doCALLback(" . attr_js($date_squash) . "," . attr_js($appointment['eid']) . "," . attr_js($appointment['pc_cattype']) . ")\">" . $icon_4_CALL . "</span>
                                     <span class='hidden' name='progCALLback_" . attr($appointment['eid']) . "' id='progCALLback_" . attr($appointment['eid']) . "'>
                                       <form id='notation_" . attr($appointment['eid']) . "' method='post' 
                                       action='#'>
+                                        <input type='hidden' name='csrf_token_form' value='<?php echo attr(collectCsrfToken()); ?>' />
                                         <h4>" . xlt('Call Back Notes') . ":</h4>
                                         <input type='hidden' name='pc_eid' id='pc_eid' value='" . attr($appointment['eid']) . "'>
                                         <input type='hidden' name='pc_pid' id='pc_pid' value='" . attr($appointment['pc_pid']) . "'>
@@ -738,19 +747,19 @@ if (!$_REQUEST['flb_table']) {
                         ?>
                         <td class="detail text-center hidden-xs" name="kiosk_hide">
                             <a href="#"
-                               onclick="return topatient('<?php echo attr($appt_pid); ?>','<?php echo attr($appt_enc); ?>')">
+                               onclick="return topatient(<?php echo attr_js($appt_pid); ?>,<?php echo attr_js($appt_enc); ?>)">
                                 <?php echo text($ptname); ?></a>
                         </td>
                         <td class="detail text-center visible-xs hidden-sm hidden-md hidden-lg"
                             style="white-space: normal;" name="kiosk_hide">
                             <a href="#"
-                               onclick="return topatient('<?php echo attr($appt_pid); ?>','<?php echo attr($appt_enc); ?>')">
+                               onclick="return topatient(<?php echo attr_js($appt_pid); ?>,<?php echo attr_js($appt_enc); ?>)">
                                 <?php echo text($ptname_short); ?></a>
                         </td>
 
                         <td class="detail text-center" style="white-space: normal;" name="kiosk_show">
                             <a href="#"
-                               onclick="return topatient('<?php echo attr($appt_pid); ?>','<?php echo attr($appt_enc); ?>')">
+                               onclick="return topatient(<?php echo attr_js($appt_pid); ?>,<?php echo attr_js($appt_enc); ?>)">
                                 <?php echo text($ptname_short); ?></a>
                         </td>
 
@@ -762,40 +771,43 @@ if (!$_REQUEST['flb_table']) {
                         <?php } ?>
                         <?php if ($GLOBALS['ptkr_show_encounter']) { ?>
                             <td class="detail hidden-xs hidden-sm text-center" name="kiosk_hide">
-                                <?php if ($appt_enc != 0) {
+                                <?php
+                                if ($appt_enc != 0) {
                                     echo text($appt_enc);
-} ?>
+                                }
+                                ?>
                             </td>
-                        <?php }
-if ($GLOBALS['ptkr_date_range'] == '1') { ?>
+                        <?php } ?>
+                        <?php if ($GLOBALS['ptkr_date_range'] == '1') { ?>
                             <td class="detail hidden-xs text-center" name="kiosk_hide">
                                 <?php echo text(oeFormatShortDate($appointment['pc_eventDate']));
                                 ?>
                             </td>
                         <?php } ?>
                         <td class="detail" align="center">
-                            <?php echo oeFormatTime($appt_time) ?>
+                            <?php echo text(oeFormatTime($appt_time)); ?>
                         </td>
                         <td class="detail text-center">
                             <?php
                             if ($newarrive) {
-                                echo oeFormatTime($newarrive);
+                                echo text(oeFormatTime($newarrive));
                             }
                             ?>
                         </td>
                         <td class="detail hidden-xs text-center small">
                             <?php if (empty($tracker_id)) { //for appt not yet with tracker id and for recurring appt ?>
-                            <a onclick="return calendarpopup(<?php echo attr($appt_eid) . "," . attr($date_squash); // calls popup for add edit calendar event?>)">
-                                <?php } else { ?>
-                                <a onclick="return bpopup(<?php echo attr($tracker_id); // calls popup for patient tracker status?>)">
-                                    <?php }
-if ($appointment['room'] > '') {
-    echo getListItemTitle('patient_flow_board_rooms', $appt_room);
-} else {
-    echo text(getListItemTitle("apptstat", $status)); // drop down list for appointment status
-}
-                                    ?>
-                                </a>
+                            <a onclick="return calendarpopup(<?php echo attr_js($appt_eid) . "," . attr_js($date_squash); // calls popup for add edit calendar event?>)">
+                            <?php } else { ?>
+                                <a onclick="return bpopup(<?php echo attr_js($tracker_id); // calls popup for patient tracker status?>)">
+                            <?php } ?>
+                            <?php
+                            if ($appointment['room'] > '') {
+                                echo text(getListItemTitle('patient_flow_board_rooms', $appt_room));
+                            } else {
+                                echo text(getListItemTitle("apptstat", $status)); // drop down list for appointment status
+                            }
+                            ?>
+                            </a>
                         </td>
 
                         <?php
@@ -820,10 +832,10 @@ if ($appointment['room'] > '') {
                         if (($yestime == '1') && ($timecheck >= 1) && (strtotime($newarrive) != '')) {
                             echo text($timecheck . ' ' . ($timecheck >= 2 ? xl('minutes') : xl('minute')));
                         } else if ($icon_here || $icon2_here || $icon_CALL) {
-                            echo "<span style='font-size:0.7em;' onclick='return calendarpopup(" . attr($appt_eid) . "," . attr($date_squash) . ")'>" . implode($icon_here) . $icon2_here . "</span> " . $icon_CALL;
+                            echo "<span style='font-size:0.7em;' onclick='return calendarpopup(" . attr_js($appt_eid) . "," . attr_js($date_squash) . ")'>" . implode($icon_here) . $icon2_here . "</span> " . $icon_CALL;
                         } else if ($logged_in) {
                             $pat = $MedEx->display->possibleModalities($appointment);
-                            echo "<span style='font-size:0.7em;' onclick='return calendarpopup(" . attr($appt_eid) . "," . attr($date_squash) . ")'>" . $pat['SMS'] . $pat['AVM'] . $pat['EMAIL'] . "</span>";
+                            echo "<span style='font-size:0.7em;' onclick='return calendarpopup(" . attr_js($appt_eid) . "," . attr_js($date_squash) . ")'>" . $pat['SMS'] . $pat['AVM'] . $pat['EMAIL'] . "</span>";
                         }
                         //end time in current status
                         echo "</td>";
@@ -871,10 +883,10 @@ if ($appointment['room'] > '') {
                             if (strtotime($newarrive) != '') { ?>
                                 <td class="detail hidden-xs text-center" name="kiosk_hide">
                                     <?php
-                                    if (text($appointment['random_drug_test']) == '1') {
-                                        echo xl('Yes');
+                                    if ($appointment['random_drug_test'] == '1') {
+                                        echo xlt('Yes');
                                     } else {
-                                        echo xl('No');
+                                        echo xlt('No');
                                     } ?>
                                 </td>
                                 <?php
@@ -886,17 +898,13 @@ if ($appointment['room'] > '') {
                                     if (strtotime($newend) != '') {
                                         // the following block allows the check box for drug screens to be disabled once the status is check out ?>
                                         <input type=checkbox disabled='disable' class="drug_screen_completed"
-                                               id="<?php echo htmlspecialchars($appointment['pt_tracker_id'], ENT_NOQUOTES) ?>" <?php if ($appointment['drug_screen_completed'] == "1") {
-                                                    echo "checked";
-} ?>>
+                                               id="<?php echo attr($appointment['pt_tracker_id']) ?>" <?php echo ($appointment['drug_screen_completed'] == "1") ? "checked" : ""; ?>>
                                         <?php
                                     } else {
                                         ?>
                                         <input type=checkbox class="drug_screen_completed"
-                                               id='<?php echo htmlspecialchars($appointment['pt_tracker_id'], ENT_NOQUOTES) ?>'
-                                               name="drug_screen_completed" <?php if ($appointment['drug_screen_completed'] == "1") {
-                                                    echo "checked";
-} ?>>
+                                               id='<?php echo attr($appointment['pt_tracker_id']) ?>'
+                                               name="drug_screen_completed" <?php echo ($appointment['drug_screen_completed'] == "1") ? "checked" : ""; ?>>
                                         <?php
                                     } ?>
                                 </td>
@@ -923,7 +931,7 @@ if (!$_REQUEST['flb_table']) { ?>
     </div><?php //end container ?>
     <!-- form used to open a new top level window when a patient row is clicked -->
     <form name='fnew' method='post' target='_blank'
-          action='../main/main_screen.php?auth=login&site=<?php echo attr($_SESSION['site_id']); ?>'>
+          action='../main/main_screen.php?auth=login&site=<?php echo attr_url($_SESSION['site_id']); ?>'>
         <input type="hidden" name="csrf_token_form" value="<?php echo attr(collectCsrfToken()); ?>" />
         <input type='hidden' name='patientID' value='0'/>
         <input type='hidden' name='encounterID' value='0'/>
@@ -940,331 +948,328 @@ exit;
 
 function myLocalJS()
 {
-                    ?>
-                    <script type="text/javascript">
-                        var auto_refresh = null;
-                        //this can be refined to redact HIPAA material using @media print options.
-                        top.restoreSession();
-                        if (top.tab_mode) {
-                            window.parent.$("[name='flb']").attr('allowFullscreen', 'true');
-                        } else {
-                             $(this).attr('allowFullscreen', 'true');
-                        }
-                        <?php
-                        if ($_REQUEST['kiosk'] == '1') { ?>
-                        $("[name='kiosk_hide']").hide();
-                        $("[name='kiosk_show']").show();
-                        <?php } else { ?>
-                        $("[name='kiosk_hide']").show();
-                        $("[name='kiosk_show']").hide();
-                        <?php  }   ?>
-                                    function print_FLB() {
-                                        window.print();
-                                    }
-
-                                    function toggleSelectors() {
-                                        if ($("#flb_selectors").css('display') === 'none') {
-                                            $.post("<?php echo $GLOBALS['webroot'] . "/interface/patient_tracker/patient_tracker.php"; ?>", {
-                                                'setting_selectors': 'block',
-                                                success: function (data) {
-
-                                                    $("#flb_selectors").slideToggle();
-                                                    $("#flb_caret").css('color', '#000');
-                                                }
-                                            });
-                                        } else {
-                                            $.post("<?php echo $GLOBALS['webroot'] . "/interface/patient_tracker/patient_tracker.php"; ?>", {
-                                                'setting_selectors': 'none',
-                                                success: function (data) {
-                                                    $("#flb_selectors").slideToggle();
-                                                    $("#flb_caret").css('color', 'red');
-                                                }
-                                            });
-                                        }
-                                        $("#print_caret").toggleClass('fa-caret-up').toggleClass('fa-caret-down');
-                                    }
-
-                                    /**
-                                     * This function refreshes the whole flb_table according to our to/from dates.
-                                     */
-                                    function refreshMe(fromTimer) {
-
-                                        if(typeof fromTimer === 'undefined' || !fromTimer) {
-                                            //Show loader in the first loading or manual loading not by timer
-                                            $("#flb_table").html('');
-                                            $('#loader').show();
-                                        }
-
-                                        var startRequestTime = Date.now();
-                                        top.restoreSession();
-                                        var posting = $.post('../patient_tracker/patient_tracker.php', {
-                                            flb_table: '1',
-                                            form_from_date: $("#form_from_date").val(),
-                                            form_to_date: $("#form_to_date").val(),
-                                            form_facility: $("#form_facility").val(),
-                                            form_provider: $("#form_provider").val(),
-                                            form_apptstatus: $("#form_apptstatus").val(),
-                                            form_patient_name: $("#form_patient_name").val(),
-                                            form_patient_id: $("#form_patient_id").val(),
-                                            form_apptcat: $("#form_apptcat").val(),
-                                            kiosk: $("#kiosk").val()
-                                        }).done(
-                                            function (data) {
-                                                //minimum 400 ms of loader (In the first loading or manual loading not by timer)
-                                                if((typeof fromTimer === 'undefined' || !fromTimer) && Date.now() - startRequestTime < 400 ){
-                                                    setTimeout(drawTable, 500, data);
-                                                } else {
-                                                    drawTable(data)
-                                                }
-                                            });
-                                    }
-
-                                    function drawTable(data) {
-
-                                        $('#loader').hide();
-                                        $("#flb_table").html(data);
-                                        if ($("#kiosk").val() === '') {
-                                        $("[name='kiosk_hide']").show();
-                                        $("[name='kiosk_show']").hide();
-                                        } else {
-                                        $("[name='kiosk_hide']").hide();
-                                        $("[name='kiosk_show']").show();
-                                        }
-
-                                        refineMe();
-
-                                        initTableButtons();
-
-                                    }
-
-                                    function refreshme() {
-                                        // Just need this to support refreshme call from the popup used for recurrent appt
-                                        refreshMe();
-                                    }
-
-                                    /**
-                                     * This function hides all then shows only the flb_table rows that match our selection, client side.
-                                     * It is called on initial load, on refresh and 'onchange/onkeyup' of a flow board parameter.
-                                     */
-                                    function refineMe() {
-                                        var apptcatV = $("#form_apptcat").val();
-                                        var apptstatV = $("#form_apptstatus").val();
-                                        var facV = $("#form_facility").val();
-                                        var provV = $("#form_provider").val();
-                                        var pidV = String($("#form_patient_id").val());
-                                        var pidRE = new RegExp(pidV, 'g');
-                                        var pnameV = $("#form_patient_name").val();
-                                        var pnameRE = new RegExp(pnameV, 'ig');
-
-                                        //and hide what we don't want to show
-                                        $('#flb_table tbody tr').hide().filter(function () {
-                                            var d = $(this).data();
-                                            meets_cat = (apptcatV === '') || (apptcatV == d.apptcat);
-                                            meets_stat = (apptstatV === '') || (apptstatV == d.apptstatus);
-                                            meets_fac = (facV === '') || (facV == d.facility);
-                                            meets_prov = (provV === '') || (provV == d.provider);
-                                            meets_pid = (pidV === '');
-                                            if ((pidV > '') && pidRE.test(d.pid)) {
-                                                meets_pid = true;
-                                            }
-                                            meets_pname = (pnameV === '');
-                                            if ((pnameV > '') && pnameRE.test(d.pname)) {
-                                                meets_pname = true;
-                                            }
-                                            return meets_pname && meets_pid && meets_cat && meets_stat && meets_fac && meets_prov;
-                                        }).show();
-                                    }
+?>
+    <script type="text/javascript">
+        var auto_refresh = null;
+        //this can be refined to redact HIPAA material using @media print options.
+        top.restoreSession();
+        if (top.tab_mode) {
+            window.parent.$("[name='flb']").attr('allowFullscreen', 'true');
+        } else {
+             $(this).attr('allowFullscreen', 'true');
+        }
+        <?php
+        if ($_REQUEST['kiosk'] == '1') { ?>
+            $("[name='kiosk_hide']").hide();
+            $("[name='kiosk_show']").show();
+        <?php } else { ?>
+            $("[name='kiosk_hide']").show();
+            $("[name='kiosk_show']").hide();
+        <?php  }   ?>
+        function print_FLB() {
+            window.print();
+        }
 
-                                    // popup for patient tracker status
-                                    function bpopup(tkid) {
-                                        top.restoreSession();
-                                        dlgopen('../patient_tracker/patient_tracker_status.php?tracker_id=' + tkid, '_blank', 500, 250);
-                                        return false;
-                                    }
+        function toggleSelectors() {
+            if ($("#flb_selectors").css('display') === 'none') {
+                $.post("<?php echo $GLOBALS['webroot'] . "/interface/patient_tracker/patient_tracker.php"; ?>", {
+                    setting_selectors: 'block',
+                    csrf_token_form: <?php echo js_escape(collectCsrfToken()); ?>
+                }).done(
+                    function (data) {
+                        $("#flb_selectors").slideToggle();
+                        $("#flb_caret").css('color', '#000');
+                });
+            } else {
+                $.post("<?php echo $GLOBALS['webroot'] . "/interface/patient_tracker/patient_tracker.php"; ?>", {
+                    setting_selectors: 'none',
+                    csrf_token_form: <?php echo js_escape(collectCsrfToken()); ?>
+                }).done(
+                    function (data) {
+                        $("#flb_selectors").slideToggle();
+                        $("#flb_caret").css('color', 'red');
+                });
+            }
+            $("#print_caret").toggleClass('fa-caret-up').toggleClass('fa-caret-down');
+        }
 
-                                    // popup for calendar add edit
-                                    function calendarpopup(eid, date_squash) {
-                                        top.restoreSession();
-                                        dlgopen('../main/calendar/add_edit_event.php?eid=' + eid + '&date=' + date_squash, '_blank', 775, 500);
-                                        return false;
-                                    }
+        /**
+         * This function refreshes the whole flb_table according to our to/from dates.
+         */
+        function refreshMe(fromTimer) {
 
-                                    // used to display the patient demographic and encounter screens
-                                    function topatient(newpid, enc) {
-                                        if ($('#setting_new_window').val() === 'checked') {
-                                            openNewTopWindow(newpid, enc);
-                                        }
-                                        else {
-                                            top.restoreSession();
-                                            if (enc > 0) {
-                                                top.RTop.location = "<?php echo $GLOBALS['webroot']; ?>/interface/patient_file/summary/demographics.php?set_pid=" + newpid + "&set_encounterid=" + enc;
-                                            }
-                                            else {
-                                                top.RTop.location = "<?php echo $GLOBALS['webroot']; ?>/interface/patient_file/summary/demographics.php?set_pid=" + newpid;
-                                            }
-                                        }
-                                    }
+            if(typeof fromTimer === 'undefined' || !fromTimer) {
+                //Show loader in the first loading or manual loading not by timer
+                $("#flb_table").html('');
+                $('#loader').show();
+            }
 
-                                    function doCALLback(eventdate, eid, pccattype) {
-                                        $("#progCALLback_" + eid).parent().removeClass('js-blink-infinite').css('animation-name', 'none');
-                                        $("#progCALLback_" + eid).removeClass("hidden");
-                                        clearInterval(auto_refresh);
-                                    }
+            var startRequestTime = Date.now();
+            top.restoreSession();
+            var posting = $.post('../patient_tracker/patient_tracker.php', {
+                flb_table: '1',
+                form_from_date: $("#form_from_date").val(),
+                form_to_date: $("#form_to_date").val(),
+                form_facility: $("#form_facility").val(),
+                form_provider: $("#form_provider").val(),
+                form_apptstatus: $("#form_apptstatus").val(),
+                form_patient_name: $("#form_patient_name").val(),
+                form_patient_id: $("#form_patient_id").val(),
+                form_apptcat: $("#form_apptcat").val(),
+                kiosk: $("#kiosk").val(),
+                csrf_token_form: <?php echo js_escape(collectCsrfToken()); ?>
+            }).done(
+                function (data) {
+                    //minimum 400 ms of loader (In the first loading or manual loading not by timer)
+                    if((typeof fromTimer === 'undefined' || !fromTimer) && Date.now() - startRequestTime < 400 ){
+                        setTimeout(drawTable, 500, data);
+                    } else {
+                        drawTable(data)
+                    }
+                });
+        }
 
-                                    // opens the demographic and encounter screens in a new window
-                                    function openNewTopWindow(newpid, newencounterid) {
-                                        document.fnew.patientID.value = newpid;
-                                        document.fnew.encounterID.value = newencounterid;
-                                        top.restoreSession();
-                                        document.fnew.submit();
-                                    }
+        function drawTable(data) {
 
-                                    //opens the two-way SMS phone app
-                                    /**
-                                     * @return {boolean}
-                                     */
-                                    function SMS_bot(pid) {
-                                        top.restoreSession();
-                                        var from = '<?php echo attr($from_date); ?>';
-                                        var to = '<?php echo attr($to_date); ?>';
-                                        var oefrom = '<?php echo attr(oeFormatShortDate($from_date)); ?>';
-                                        var oeto = '<?php echo attr(oeFormatShortDate($to_date)); ?>';
-                                        window.open('../main/messages/messages.php?nomenu=1&go=SMS_bot&pid=' + pid + '&to=' + to + '&from=' + from + '&oeto=' + oeto + '&oefrom=' + oefrom, 'SMS_bot', 'width=370,height=600,resizable=0');
-                                        return false;
-                                    }
+            $('#loader').hide();
+            $("#flb_table").html(data);
+            if ($("#kiosk").val() === '') {
+            $("[name='kiosk_hide']").show();
+            $("[name='kiosk_show']").hide();
+            } else {
+            $("[name='kiosk_hide']").hide();
+            $("[name='kiosk_show']").show();
+            }
 
-                                    function kiosk_FLB() {
-                                        $("#kiosk").val('1');
-                                        $("[name='kiosk_hide']").hide();
-                                        $("[name='kiosk_show']").show();
-                                        var i = document.getElementById("flb_table");
-                                        // go full-screen
-                                        if (i.requestFullscreen) {
-                                            i.requestFullscreen();
-                                        } else if (i.webkitRequestFullscreen) {
-                                            i.webkitRequestFullscreen();
-                                        } else if (i.mozRequestFullScreen) {
-                                            i.mozRequestFullScreen();
-                                        } else if (i.msRequestFullscreen) {
-                                            i.msRequestFullscreen();
-                                        }
-                                        // refreshMe();
-                                    }
+            refineMe();
 
-                                    $(document).ready(function () {
-                                        refreshMe();
-                                        $("#kiosk").val('');
-                                        $("[name='kiosk_hide']").show();
-                                        $("[name='kiosk_show']").hide();
-
-                                        onresize = function () {
-                                            var state = 1 >= outerHeight - innerHeight ? "fullscreen" : "windowed";
-                                            if (window.state === state) return;
-                                            window.state = state;
-                                            var event = document.createEvent("Event");
-                                            event.initEvent(state, true, true);
-                                            window.dispatchEvent(event);
-                                        };
-
-                                        addEventListener('windowed', function (e) {
-                                            $("#kiosk").val('');
-                                            $("[name='kiosk_hide']").show();
-                                            $("[name='kiosk_show']").hide();
-                                            //alert(e.type);
-                                        }, false);
-                                        addEventListener('fullscreen', function (e) {
-                                            $("#kiosk").val('1');
-                                            $("[name='kiosk_hide']").hide();
-                                            $("[name='kiosk_show']").show();
-                                            //alert(e.type);
-                                        }, false);
+            initTableButtons();
 
-                                        <?php
-                                        if ($GLOBALS['pat_trkr_timer'] != '0') {
-                                        ?>
-                                        var reftime = "<?php echo attr($GLOBALS['pat_trkr_timer']); ?>";
-                                        var parsetime = reftime.split(":");
-                                        parsetime = (parsetime[0] * 60) + (parsetime[1] * 1) * 1000;
-                                        if (auto_refresh) clearInteral(auto_refresh);
-                                        auto_refresh = setInterval(function () {
-                                            refreshMe(true) // this will run after every parsetime seconds
-                                        }, parsetime);
-                            <?php
-                                        }
-                                        ?>
+        }
 
-                                        $('.js-blink-infinite').each(function () {
-                                            // set up blinking text
-                                            var elem = $(this);
-                                            setInterval(function () {
-                                                if (elem.css('visibility') === 'hidden') {
-                                        elem.css('visibility', 'visible');
-                                                } else {
-                                        elem.css('visibility', 'hidden');
-                                                }
-                                            }, 500);
-                                        });
-                                        // toggle of the check box status for drug screen completed and ajax call to update the database
-                                        $(".drug_screen_completed").change(function () {
-                                            top.restoreSession();
-                                            if (this.checked) {
-                                                testcomplete_toggle = "true";
-                                            } else {
-                                                testcomplete_toggle = "false";
-                                            }
-                                            $.post("../../library/ajax/drug_screen_completed.php", {
-                                                trackerid: this.id,
-                                                testcomplete: testcomplete_toggle
-                                            });
-                                        });
-
-                                        // mdsupport - Immediately post changes to setting_new_window
-                                        $('#setting_new_window').click(function () {
-                                            $('#setting_new_window').val(this.checked ? 'checked' : ' ');
-                                            $.post("<?php echo basename(__FILE__) ?>", {
-                                    'setting_new_window': $('#setting_new_window').val(),
-                                    success: function (data) {
-                                    }
-                                });
-                            });
+        function refreshme() {
+            // Just need this to support refreshme call from the popup used for recurrent appt
+            refreshMe();
+        }
 
+        /**
+         * This function hides all then shows only the flb_table rows that match our selection, client side.
+         * It is called on initial load, on refresh and 'onchange/onkeyup' of a flow board parameter.
+         */
+        function refineMe() {
+            var apptcatV = $("#form_apptcat").val();
+            var apptstatV = $("#form_apptstatus").val();
+            var facV = $("#form_facility").val();
+            var provV = $("#form_provider").val();
+            var pidV = String($("#form_patient_id").val());
+            var pidRE = new RegExp(pidV, 'g');
+            var pnameV = $("#form_patient_name").val();
+            var pnameRE = new RegExp(pnameV, 'ig');
+
+            //and hide what we don't want to show
+            $('#flb_table tbody tr').hide().filter(function () {
+                var d = $(this).data();
+                meets_cat = (apptcatV === '') || (apptcatV == d.apptcat);
+                meets_stat = (apptstatV === '') || (apptstatV == d.apptstatus);
+                meets_fac = (facV === '') || (facV == d.facility);
+                meets_prov = (provV === '') || (provV == d.provider);
+                meets_pid = (pidV === '');
+                if ((pidV > '') && pidRE.test(d.pid)) {
+                    meets_pid = true;
+                }
+                meets_pname = (pnameV === '');
+                if ((pnameV > '') && pnameRE.test(d.pname)) {
+                    meets_pname = true;
+                }
+                return meets_pname && meets_pid && meets_cat && meets_stat && meets_fac && meets_prov;
+            }).show();
+        }
 
-                            $('#filter_submit').click(function (e) {
-                                e.preventDefault;
-                                top.restoreSession;
-                                refreshMe();
-                            });
+        // popup for patient tracker status
+        function bpopup(tkid) {
+            top.restoreSession();
+            dlgopen('../patient_tracker/patient_tracker_status.php?tracker_id=' + encodeURIComponent(tkid) + '&csrf_token_form=' + <?php echo js_url(collectCsrfToken()); ?>, '_blank', 500, 250);
+            return false;
+        }
 
-                            $('[data-toggle="tooltip"]').tooltip();
+        // popup for calendar add edit
+        function calendarpopup(eid, date_squash) {
+            top.restoreSession();
+            dlgopen('../main/calendar/add_edit_event.php?eid=' + encodeURIComponent(eid) + '&date=' + encodeURIComponent(date_squash), '_blank', 775, 500);
+            return false;
+        }
 
-                            $('.datepicker').datetimepicker({
-                                <?php $datetimepicker_timepicker = false; ?>
-                                <?php $datetimepicker_showseconds = false; ?>
-                                <?php $datetimepicker_formatInput = true; ?>
-                                <?php require($GLOBALS['srcdir'] . '/js/xl/jquery-datetimepicker-2-5-4.js.php'); ?>
-                                <?php // can add any additional javascript settings to datetimepicker here; need to prepend first setting with a comma ?>
-                            });
+        // used to display the patient demographic and encounter screens
+        function topatient(newpid, enc) {
+            if ($('#setting_new_window').val() === 'checked') {
+                openNewTopWindow(newpid, enc);
+            }
+            else {
+                top.restoreSession();
+                if (enc > 0) {
+                    top.RTop.location = "<?php echo $GLOBALS['webroot']; ?>/interface/patient_file/summary/demographics.php?set_pid=" + encodeURIComponent(newpid) + "&set_encounterid=" + encodeURIComponent(enc);
+                }
+                else {
+                    top.RTop.location = "<?php echo $GLOBALS['webroot']; ?>/interface/patient_file/summary/demographics.php?set_pid=" + encodeURIComponent(newpid);
+                }
+            }
+        }
 
-                                    });
+        function doCALLback(eventdate, eid, pccattype) {
+            $("#progCALLback_" + eid).parent().removeClass('js-blink-infinite').css('animation-name', 'none');
+            $("#progCALLback_" + eid).removeClass("hidden");
+            clearInterval(auto_refresh);
+        }
 
-                            function initTableButtons() {
-                                $('#refreshme').click(function () {
-                                    refreshMe();
-                                    refineMe();
-                                });
+        // opens the demographic and encounter screens in a new window
+        function openNewTopWindow(newpid, newencounterid) {
+            document.fnew.patientID.value = newpid;
+            document.fnew.encounterID.value = newencounterid;
+            top.restoreSession();
+            document.fnew.submit();
+        }
 
-                                $('#setting_cog').click(function () {
-                                    $(this).css("display", "none");
-                                    $('#settings').css("display", "inline");
-                                });
+        //opens the two-way SMS phone app
+        /**
+         * @return {boolean}
+         */
+        function SMS_bot(pid) {
+            top.restoreSession();
+            var from = <?php echo js_escape($from_date); ?>;
+            var to = <?php echo js_escape($to_date); ?>;
+            var oefrom = <?php echo js_escape(oeFormatShortDate($from_date)); ?>;
+            var oeto = <?php echo js_escape(oeFormatShortDate($to_date)); ?>;
+            window.open('../main/messages/messages.php?nomenu=1&go=SMS_bot&pid=' + encodeURIComponent(pid) + '&to=' + encodeURIComponent(to) + '&from=' + encodeURIComponent(from) + '&oeto=' + encodeURIComponent(oeto) + '&oefrom=' + encodeURIComponent(oefrom), 'SMS_bot', 'width=370,height=600,resizable=0');
+            return false;
+        }
 
-                                 $('#settings').css("display", "none");
-                            }
+        function kiosk_FLB() {
+            $("#kiosk").val('1');
+            $("[name='kiosk_hide']").hide();
+            $("[name='kiosk_show']").show();
+            var i = document.getElementById("flb_table");
+            // go full-screen
+            if (i.requestFullscreen) {
+                i.requestFullscreen();
+            } else if (i.webkitRequestFullscreen) {
+                i.webkitRequestFullscreen();
+            } else if (i.mozRequestFullScreen) {
+                i.mozRequestFullScreen();
+            } else if (i.msRequestFullscreen) {
+                i.msRequestFullscreen();
+            }
+            // refreshMe();
+        }
 
-                            initTableButtons();
+        $(document).ready(function () {
+            refreshMe();
+            $("#kiosk").val('');
+            $("[name='kiosk_hide']").show();
+            $("[name='kiosk_show']").hide();
+
+            onresize = function () {
+                var state = 1 >= outerHeight - innerHeight ? "fullscreen" : "windowed";
+                if (window.state === state) return;
+                window.state = state;
+                var event = document.createEvent("Event");
+                event.initEvent(state, true, true);
+                window.dispatchEvent(event);
+            };
+
+            addEventListener('windowed', function (e) {
+                $("#kiosk").val('');
+                $("[name='kiosk_hide']").show();
+                $("[name='kiosk_show']").hide();
+                //alert(e.type);
+            }, false);
+            addEventListener('fullscreen', function (e) {
+                $("#kiosk").val('1');
+                $("[name='kiosk_hide']").hide();
+                $("[name='kiosk_show']").show();
+                //alert(e.type);
+            }, false);
+
+            <?php if ($GLOBALS['pat_trkr_timer'] != '0') { ?>
+                var reftime = <?php echo js_escape($GLOBALS['pat_trkr_timer']); ?>;
+                var parsetime = reftime.split(":");
+                parsetime = (parsetime[0] * 60) + (parsetime[1] * 1) * 1000;
+                if (auto_refresh) clearInteral(auto_refresh);
+                auto_refresh = setInterval(function () {
+                    refreshMe(true) // this will run after every parsetime seconds
+                }, parsetime);
+            <?php } ?>
+
+            $('.js-blink-infinite').each(function () {
+                // set up blinking text
+                var elem = $(this);
+                setInterval(function () {
+                    if (elem.css('visibility') === 'hidden') {
+                        elem.css('visibility', 'visible');
+                    } else {
+                        elem.css('visibility', 'hidden');
+                    }
+                }, 500);
+            });
+            // toggle of the check box status for drug screen completed and ajax call to update the database
+            $('body').on('click', '.drug_screen_completed', function () {
+                top.restoreSession();
+                if (this.checked) {
+                    testcomplete_toggle = "true";
+                } else {
+                    testcomplete_toggle = "false";
+                }
+                $.post("../../library/ajax/drug_screen_completed.php", {
+                    trackerid: this.id,
+                    testcomplete: testcomplete_toggle,
+                    csrf_token_form: <?php echo js_escape(collectCsrfToken()); ?>
+                });
+            });
+
+            // mdsupport - Immediately post changes to setting_new_window
+            $('body').on('click', '#setting_new_window', function () {
+                $('#setting_new_window').val(this.checked ? 'checked' : ' ');
+                $.post("<?php echo $GLOBALS['webroot'] . "/interface/patient_tracker/patient_tracker.php"; ?>", {
+                    setting_new_window: $('#setting_new_window').val(),
+                    csrf_token_form: <?php echo js_escape(collectCsrfToken()); ?>
+                }).done(
+                    function (data) {
+                });
+            });
+
+
+            $('#filter_submit').click(function (e) {
+                e.preventDefault;
+                top.restoreSession;
+                refreshMe();
+            });
+
+            $('[data-toggle="tooltip"]').tooltip();
+
+            $('.datepicker').datetimepicker({
+                <?php $datetimepicker_timepicker = false; ?>
+                <?php $datetimepicker_showseconds = false; ?>
+                <?php $datetimepicker_formatInput = true; ?>
+                <?php require($GLOBALS['srcdir'] . '/js/xl/jquery-datetimepicker-2-5-4.js.php'); ?>
+                <?php // can add any additional javascript settings to datetimepicker here; need to prepend first setting with a comma ?>
+            });
+
+        });
+
+        function initTableButtons() {
+            $('#refreshme').click(function () {
+                refreshMe();
+                refineMe();
+            });
+
+            $('#setting_cog').click(function () {
+                $(this).css("display", "none");
+                $('#settings').css("display", "inline");
+            });
+
+             $('#settings').css("display", "none");
+        }
 
-                                </script>
-                                <?php
-}
+        initTableButtons();
 
-?>
+    </script>
+<?php } ?>
diff --git a/interface/patient_tracker/patient_tracker_status.php b/interface/patient_tracker/patient_tracker_status.php
index a314bd3f6..930c1144c 100644
--- a/interface/patient_tracker/patient_tracker_status.php
+++ b/interface/patient_tracker/patient_tracker_status.php
@@ -10,7 +10,7 @@
  * @author    Terry Hill <terry@lillysystems.com>
  * @author    Brady Miller <brady.g.miller@gmail.com>
  * @copyright Copyright (c) 2015 Terry Hill <terry@lillysystems.com>
- * @copyright Copyright (c) 2017 Brady Miller <brady.g.miller@gmail.com>
+ * @copyright Copyright (c) 2017-2018 Brady Miller <brady.g.miller@gmail.com>
  * @license   https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  */
 
@@ -23,6 +23,12 @@ require_once("$srcdir/patient_tracker.inc.php");
 
 use OpenEMR\Core\Header;
 
+if (!empty($_GET)) {
+    if (!verifyCsrfToken($_GET["csrf_token_form"])) {
+        csrfNotVerified();
+    }
+}
+
 # Get the information for fields
 $tracker_id = $_GET['tracker_id'];
 $trow = sqlQuery("SELECT apptdate, appttime, patient_tracker_element.room AS lastroom, " .
@@ -47,6 +53,10 @@ $theroom = '';
 
 <?php
 if ($_POST['statustype'] !='') {
+    if (!verifyCsrfToken($_POST["csrf_token_form"])) {
+        csrfNotVerified();
+    }
+
     $status = $_POST['statustype'];
     if (strlen($_POST['roomnum']) != 0) {
          $theroom = $_POST['roomnum'];
@@ -90,7 +100,8 @@ $row = sqlQuery("select fname, lname " .
                 <h2><?php echo xlt('Change Status for'). " " . text($row['fname']) . " " . text($row['lname']); ?></h2>
             </div>
         </div>
-        <form id="form_note" method="post" action="patient_tracker_status.php?tracker_id=<?php echo attr($tracker_id) ?>" enctype="multipart/form-data" >
+        <form id="form_note" method="post" action="patient_tracker_status.php?tracker_id=<?php echo attr_url($tracker_id) ?>&csrf_token_form=<?php echo attr_url(collectCsrfToken()); ?>" enctype="multipart/form-data" >
+            <input type="hidden" name="csrf_token_form" value="<?php echo attr(collectCsrfToken()); ?>" />
             <div class="form-group">
                 <label for="statustype"><?php echo xlt('Status Type'); ?></label>
                 <?php echo generate_select_list('statustype', 'apptstat', $trow['laststatus'], xl('Status Type')); ?>
diff --git a/library/ajax/drug_screen_completed.php b/library/ajax/drug_screen_completed.php
dissimilarity index 69%
index 1983cfc04..6585e2727 100644
--- a/library/ajax/drug_screen_completed.php
+++ b/library/ajax/drug_screen_completed.php
@@ -1,41 +1,31 @@
-<?php
-/**
- *
- * Drug Screen Complete Update Database
- *
- * LICENSE: This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 3
- * of the License, or (at your option) any later version.
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
- *
- * @package OpenEMR
- *
- * @author  Terry Hill <terry@lillysystems.com>
- * @link    http://www.open-emr.org
- *
- * Please help the overall project by sending changes you make to the author and to the OpenEMR community.
- *
- */
-
-
-
-
-require_once("../../interface/globals.php");
-
-$drugval = '0';
-if ($_POST['testcomplete'] =='true') {
-    $drugval = '1';
-}
-
-$tracker_id = $_POST['trackerid'];
-if ($tracker_id != 0) {
-       sqlStatement("UPDATE patient_tracker SET " .
-           "drug_screen_completed = ? " .
-           "WHERE id =? ", array($drugval,$tracker_id));
-}
+<?php
+/**
+ * Drug Screen Complete Update Database
+ *
+ * @package   OpenEMR
+ * @link      http://www.open-emr.org
+ * @author    Terry Hill <terry@lillysystems.com>
+ * @author    Brady Miller <brady.g.miller@gmail.com>
+ * @copyright Copyright (c) 2015 Terry Hill <terry@lillysystems.com>
+ * @copyright Copyright (c) 2018 Brady Miller <brady.g.miller@gmail.com>
+ * @license   https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
+ */
+
+
+require_once("../../interface/globals.php");
+
+if (!verifyCsrfToken($_POST["csrf_token_form"])) {
+    csrfNotVerified();
+}
+
+$drugval = '0';
+if ($_POST['testcomplete'] =='true') {
+    $drugval = '1';
+}
+
+$tracker_id = $_POST['trackerid'];
+if ($tracker_id != 0) {
+       sqlStatement("UPDATE patient_tracker SET " .
+           "drug_screen_completed = ? " .
+           "WHERE id =? ", array($drugval,$tracker_id));
+}
-- 
2.11.4.GIT