From 718888c68ed39ff27ef38b9fb79bf63386849fd4 Mon Sep 17 00:00:00 2001 
From: Brady Miller Date: Thu, 15 Nov 2018 14:56:54 -0800 Subject: [PATCH] bug fixins never stop (#1976) --- contrib/forms/scanned_notes/new.php | 2 +- controllers/C_Document.class.php | 1 + interface/orders/single_order_results.inc.php | 2 +- interface/patient_file/addr_appt_label.php | 22 ++-- interface/patient_file/addr_label.php | 10 +- interface/patient_file/barcode_label.php | 25 ++-- interface/patient_file/ccr_import.php | 14 ++- interface/patient_file/ccr_pending_approval.php | 38 +++--- interface/patient_file/ccr_review_approve.php | 63 +++++----- interface/patient_file/deleter.php | 42 +++---- interface/patient_file/download_template.php | 32 +++-- interface/patient_file/education.php | 22 ++-- interface/patient_file/encounter/forms.php | 2 +- interface/patient_file/erx_patient_portal_js.php | 22 ++-- interface/patient_file/front_payment.php | 96 ++++++++------- interface/patient_file/label.php | 21 +--- interface/patient_file/letter.php | 109 +++++++++-------- interface/patient_file/link_issue_to_encounter.php | 65 ---------- interface/patient_file/merge_patients.php | 67 +++++----- interface/patient_file/pos_checkout.php | 87 +++++++------ interface/patient_file/printed_fee_sheet.php | 109 +++++++++-------- interface/patient_file/problem_encounter.php | 68 +++++------ interface/patient_file/summary/add_edit_issue.php | 2 +- .../patient_file/summary/dashboard_header.php | 2 +- interface/patient_file/summary/demographics.php | 9 +- .../patient_file/transaction/add_transaction.php | 2 +- .../patient_file/transaction/transactions.php | 2 +- interface/patient_file/upload_dialog.php | 136 --------------------- library/formdata.inc.php | 44 +++---- templates/documents/general_upload.html | 1 + templates/documents/general_view.html | 2 +- 31 files changed, 442 insertions(+), 677 deletions(-) delete mode 100644 interface/patient_file/link_issue_to_encounter.php delete mode 100644 interface/patient_file/upload_dialog.php 
diff --git a/contrib/forms/scanned_notes/new.php b/contrib/forms/scanned_notes/new.php
index 75aa795fb..c6abfa4d0 100644
--- a/contrib/forms/scanned_notes/new.php
+++ b/contrib/forms/scanned_notes/new.php
@@ -132,7 +132,7 @@ if ($formid) {
 // Process click on Delete button.
 function deleteme() {
- dlgopen('../../patient_file/deleter.php?formid=', '_blank', 500, 450);
+ dlgopen('../../patient_file/deleter.php?formid=' + + '&csrf_token_form=' + , '_blank', 500, 450);
 return false;
 }
diff --git a/controllers/C_Document.class.php b/controllers/C_Document.class.php
index d241e02c5..b549732df 100644
--- a/controllers/C_Document.class.php
+++ b/controllers/C_Document.class.php
@@ -51,6 +51,7 @@ class C_Document extends Controller
 $this->assign("category_name", $category_name);
 $this->assign("hide_encryption", $GLOBALS['hide_document_encryption']);
 $this->assign("patient_id", $patient_id);
+ $this->assign("csrf_token_form", collectCsrfToken());
 // Added by Rod to support document template download from general_upload.html.
 // Cloned from similar stuff in manage_document_templates.php.
diff --git a/interface/orders/single_order_results.inc.php b/interface/orders/single_order_results.inc.php
index abf2f9034..29cba5e45 100644
--- a/interface/orders/single_order_results.inc.php
+++ b/interface/orders/single_order_results.inc.php
@@ -428,7 +428,7 @@ function educlick(codetype, codevalue) {
 dlgopen('/interface/patient_file/education.php' +
 '?type=' + encodeURIComponent(codetype) +
 '&code=' + encodeURIComponent(codevalue) +
- '&language=',
+ '&language=' + ,
 '_blank', 1024, 750,true); // Force a new window instead of iframe to address cross site scripting potential
 }
diff --git a/interface/patient_file/addr_appt_label.php b/interface/patient_file/addr_appt_label.php
index 05510ee74..411c57868 100644
--- a/interface/patient_file/addr_appt_label.php
+++ b/interface/patient_file/addr_appt_label.php
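Review bot: The CSRF token is appended to the URL of a GET navigation (`'&csrf_token_form=' + …`), so it ends up in browser history, proxy and web-server access logs, and in the Referer header of anything the deleter page loads; the deleter.php links in encounter/forms.php, front_payment.php, summary/add_edit_issue.php and summary/demographics.php in this patch do the same. deleter.php performs the delete under `$_POST['form_submit']` in its own hunk, so if the GET only renders the confirmation the token could be carried solely by the hidden field of that form and stay out of the URL; where a GET-side token is wanted anyway, a `Referrer-Policy` that withholds the query string from cross-origin loads limits the exposure. The PHP expressions spliced between the `+` operators are not legible in this rendering, so confirm each value is JS-string-escaped and URL-encoded the way `educlick()` in single_order_results.inc.php wraps its parameters in `encodeURIComponent`. deleteme() lies entirely within the hunk.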
@@ -6,24 +6,16 @@ * Program for displaying Address Labels * from the appointment report or the Recall Board * - * Copyright (C) 2016 Terry Hill + * The program example supplied with the Avery Label Print + * Class was used to produce this program * - * LICENSE: This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 3 - * of the License, or (at your option) any later version. - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * You should have received a copy of the GNU General Public License - * along with this program. If not, see ;. * - * @package OpenEMR - * @author Terry Hill - * @link http://www.open-emr.org + * @package OpenEMR + * @link http://www.open-emr.org + * @author Terry Hill + * @copyright 2016 Terry Hill + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ -# I used the program example supplied with the Avery Label Print Class to produce this program require_once("../globals.php"); diff --git a/interface/patient_file/addr_label.php b/interface/patient_file/addr_label.php index c04a6f3c2..9f9f08b12 100644 --- a/interface/patient_file/addr_label.php +++ b/interface/patient_file/addr_label.php 
@@ -4,13 +4,13 @@ * * Program for displaying Address Labels * -* @package OpenEMR -* @link http://www.open-emr.org -* @author Terry Hill -* @author Daniel Pflieger +* @package OpenEMR +* @link http://www.open-emr.org +* @author Terry Hill +* @author Daniel Pflieger * @copyright Copyright (c) 2014 Terry Hill * @copyright Copyright (c) 2017 Daniel Pflieger -* @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 +* @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ diff --git a/interface/patient_file/barcode_label.php b/interface/patient_file/barcode_label.php index 74aaa8e9c..80c3b93cb 100644 --- a/interface/patient_file/barcode_label.php +++ b/interface/patient_file/barcode_label.php 
@@ -5,26 +5,15 @@ * Program for displaying Barcode Label * via the popups on the left nav screen * - * Copyright (C) 2014 Terry Hill + * this is from the barcode-coder and FPDF website I used the examples and code snippets + * listed on the sites to create this program * - * LICENSE: This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 3 - * of the License, or (at your option) any later version. - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * You should have received a copy of the GNU General Public License - * along with this program. If not, see ;. - * - * @package OpenEMR - * @author Terry Hill - * @link http://www.open-emr.org - * - * this is from the barcode-coder and FPDF website I used the examples and code snippets listed on the sites - * to create this program * + * @package OpenEMR + * @link http://www.open-emr.org + * @author Terry Hill + * @copyright Copyright (c) 2014 Terry Hill + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ diff --git a/interface/patient_file/ccr_import.php b/interface/patient_file/ccr_import.php index 13ac4fffe..611eade9b 100644 --- a/interface/patient_file/ccr_import.php +++ b/interface/patient_file/ccr_import.php 
@@ -4,15 +4,17 @@ * * Functions to upload the CCR XML and to parse and insert it into audit tables. * - * @package OpenEMR - * @link http://www.open-emr.org - * @author Eldho Chacko - * @author Ajil P M - * @author Jason 'Toolbox' Oettinger + * @package OpenEMR + * @link http://www.open-emr.org + * @author Eldho Chacko + * @author Ajil P M + * @author Jason 'Toolbox' Oettinger * @copyright Copyright (c) 2013 Z&H Consultancy Services Private Limited * @copyright Copyright (c) 2017 Jason Oettinger - * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ + + require_once(dirname(__FILE__) . "../../globals.php"); use OpenEMR\Core\Header; diff --git a/interface/patient_file/ccr_pending_approval.php b/interface/patient_file/ccr_pending_approval.php index f9d596f42..8fbe34eba 100644 --- a/interface/patient_file/ccr_pending_approval.php +++ b/interface/patient_file/ccr_pending_approval.php 
@@ -4,34 +4,26 @@ * * Approval screen for uploaded CCR XML. * - * Copyright (C) 2013 Z&H Consultancy Services Private Limited - * - * LICENSE: This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 3 - * of the License, or (at your option) any later version. - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * You should have received a copy of the GNU General Public License - * along with this program. If not, see ;. - * - * @package OpenEMR - * @author Eldho Chacko - * @author Ajil P M - * @link http://www.open-emr.org + * @package OpenEMR + * @link http://www.open-emr.org + * @author Eldho Chacko + * @author Ajil P M + * @copyright Copyright (c) 2013 Z&H Consultancy Services Private Limited + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ - require_once(dirname(__FILE__) . "/../globals.php"); require_once(dirname(__FILE__) . "/../../library/options.inc.php"); require_once(dirname(__FILE__) . "/../../library/patient.inc"); require_once(dirname(__FILE__) . "/../../library/parse_patient_xml.php"); -if ($_REQUEST['approve'] == 1) { - insert_patient($_REQUEST['am_id']); +if ($_GET['approve'] == 1) { + if (!verifyCsrfToken($_GET["csrf_token_form"])) { + csrfNotVerified(); + } + + insert_patient($_GET['am_id']); ?> @@ -125,7 +117,7 @@ tbody tr.odd { 
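Review bot: `insert_patient($_GET['am_id'])` still commits the import on a plain GET, so the write is triggered by a navigation that browsers can prefetch or replay from history, and the token that now guards it is stored in access logs and Referer headers. Moving the approve action to a POST form with a hidden `csrf_token_form` field and reading `$_POST` here keeps the state change off the GET verb. `$_GET['approve'] == 1` is a loose comparison that also raises an undefined-index notice when the parameter is absent; `if (isset($_GET['approve']) && $_GET['approve'] === '1') {` is the strict equivalent. The closing brace of this `if` block is outside the hunk.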
@@ -172,7 +164,7 @@ tbody tr.odd { - + - + - * - * LICENSE: This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 3 - * of the License, or (at your option) any later version. - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * You should have received a copy of the GNU General Public License - * along with this program. If not, see ;. - * - * @package OpenEMR - * @author Eldho Chacko - * @author Ajil P M - * @link http://www.open-emr.org + * @package OpenEMR + * @link http://www.open-emr.org + * @author Eldho Chacko + * @author Ajil P M + * @copyright Copyright (c) 2013 Z&H Consultancy Services Private Limited + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ - require_once(dirname(__FILE__) . "/../globals.php"); require_once(dirname(__FILE__) . "/../../library/parse_patient_xml.php"); @@ -38,6 +26,10 @@ $patient_data = array( ); if ($_POST["setval"] == 'approve') { + if (!verifyCsrfToken($_POST["csrf_token_form"])) { + csrfNotVerified(); + } + insertApprovedData($_REQUEST); $query = "UPDATE audit_master SET approval_status = '2' WHERE id=?"; sqlQuery($query, array($_REQUEST['amid'])); @@ -54,6 +46,10 @@ if ($_POST["setval"] == 'approve') { @@ -70,6 +66,10 @@ if ($_POST["setval"] == 'approve') { exit; } +if (!verifyCsrfToken($_GET["csrf_token_form"])) { + csrfNotVerified(); +} + ?> @@ -118,6 +118,7 @@ function submit_form(val){
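Review bot: In the `@@ -38,6 +26,10 @@` hunk the token is verified from `$_POST`, but the approved data is then consumed from `$_REQUEST` (`insertApprovedData($_REQUEST)` and `array($_REQUEST['amid'])`), so the superglobal that was authenticated is not the one that is read, and `$_REQUEST` additionally folds in `$_GET` and possibly cookies according to `request_order`. Reading from the same array that carried the token, `insertApprovedData($_POST);` and `sqlQuery($query, array($_POST['amid']));`, removes that ambiguity, assuming insertApprovedData only needs the form fields. The `if ($_POST["setval"] == 'approve')` block continues past the end of that hunk.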

+ " . - "" . - ""; } else { echo "" . - "" . - ""; } @@ -210,11 +211,11 @@ function submit_form(val){ if (in_array($res_existing_prob['diagnosis'], $aud_res['lists1'][$k])) { $set = 1; - echo "" . + echo "" . "" . "" . - "" . + "" . "" . "" . @@ -242,7 +243,7 @@ function submit_form(val){ echo "" . "" . - "" . + "" . ""; } @@ -352,7 +353,7 @@ function submit_form(val){ echo "" . "" . - "" . " diff --git a/interface/patient_file/deleter.php b/interface/patient_file/deleter.php index ffaa16482..b35d617e0 100644 --- a/interface/patient_file/deleter.php +++ b/interface/patient_file/deleter.php @@ -4,26 +4,18 @@ * * Called from many different pages. * - * Copyright (C) 2005-2016 Rod Roark - * Copyright (C) 2015 Roberto Vasquez - * - * LICENSE: This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * You should have received a copy of the GNU General Public License - * along with this program. If not, see ;. - * - * @package OpenEMR - * @author Rod Roark - * @author Roberto Vasquez - * @link http://www.open-emr.org + * @package OpenEMR + * @link http://www.open-emr.org + * @author Rod Roark + * @author Roberto Vasquez + * @author Brady Miller + * @copyright Copyright (c) 2005-2016 Rod Roark + * @copyright Copyright (c) 2015 Roberto Vasquez + * @copyright Copyright (c) 2018 Brady Miller + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ + require_once('../globals.php'); require_once($GLOBALS['srcdir'].'/log.inc'); require_once($GLOBALS['srcdir'].'/acl.inc'); 
@@ -31,6 +23,12 @@ require_once($GLOBALS['srcdir'].'/sl_eob.inc.php');
 use OpenEMR\Core\Header;
+if (!empty($_GET)) {
+ if (!verifyCsrfToken($_GET["csrf_token_form"])) {
+ csrfNotVerified();
+ }
+}
+
 $patient = $_REQUEST['patient'];
 $encounterid = $_REQUEST['encounterid'];
 $formid = $_REQUEST['formid'];
@@ -429,14 +427,14 @@ if ($_POST['form_submit']) { echo "\n";
@@ -444,7 +442,7 @@ if ($_POST['form_submit']) { } ?> - +
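Review bot: Only the `$_GET` token is verified, and only when the query string is non-empty, while the deletion itself runs under `if ($_POST['form_submit'])` (hunk `@@ -429`), and nothing in this patch shows a matching `verifyCsrfToken($_POST["csrf_token_form"])` for that branch; if the confirmation form posts back without the original query string, the write would be unprotected. The form markup in hunk `@@ -444` is not legible in this rendering, so confirm against the file, but a symmetric guard is cheap: `if (!empty($_POST) && !verifyCsrfToken($_POST["csrf_token_form"])) { csrfNotVerified(); }`. The ids are then read from `$_REQUEST` (`patient`, `encounterid`, `formid`) rather than from the array whose token was checked, so a request can mix a verified `$_GET` with values from a POST body or, depending on `request_order`, a cookie; reading them from `$_GET` alongside the token keeps source and check aligned.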

 
diff --git a/interface/patient_file/download_template.php b/interface/patient_file/download_template.php index e86d4569f..0cdec6981 100644 --- a/interface/patient_file/download_template.php +++ b/interface/patient_file/download_template.php 
@@ -2,32 +2,28 @@
 /**
 * Document Template Download Module.
 *
- * Copyright (C) 2013-2014 Rod Roark
+ * This module downloads a specified document template to the browser after
+ * substituting relevant patient data into its variables.
 *
- * LICENSE: This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see .
- *
- * @package OpenEMR
- * @author Rod Roark
- * @link http://www.open-emr.org
+ * @package OpenEMR
+ * @link http://www.open-emr.org
+ * @author Rod Roark
+ * @author Brady Miller
+ * @copyright Copyright (c) 2013-2014 Rod Roark
+ * @copyright Copyright (c) 2018 Brady Miller
+ * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
 */
-// This module downloads a specified document template to the browser after
-// substituting relevant patient data into its variables.
 require_once('../globals.php');
 require_once($GLOBALS['srcdir'] . '/acl.inc');
 require_once($GLOBALS['srcdir'] . '/appointments.inc.php');
 require_once($GLOBALS['srcdir'] . '/options.inc.php');
+if (!verifyCsrfToken($_POST["csrf_token_form"])) {
+ csrfNotVerified();
+}
+
 $nextLocation = 0; // offset to resume scanning
 $keyLocation = false; // offset of a potential {string} to replace
 $keyLength = 0; // length of {string} to replace
@@ -317,7 +313,7 @@ if ($encounter) { $form_filename = $_REQUEST['form_filename']; $templatedir = "$OE_SITE_DIR/documents/doctemplates"; -$templatepath = "$templatedir/$form_filename"; +$templatepath = "$templatedir/" . check_file_dir_name($form_filename); // Create a temporary file to hold the output. $fname = tempnam($GLOBALS['temporary_files_dir'], 'OED'); diff --git a/interface/patient_file/education.php b/interface/patient_file/education.php index 8df06a9f4..eb300d64a 100644 --- a/interface/patient_file/education.php +++ b/interface/patient_file/education.php @@ -2,18 +2,19 @@ /** * This is called as a pop-up to display patient education materials. * - * @package OpenEMR - * @link http://www.open-emr.org - * @author Rod Roark - * @author Brady Miller + * @package OpenEMR + * @link http://www.open-emr.org + * @author Rod Roark + * @author Brady Miller * @copyright Copyright (c) 2014 Rod Roark - * @copyright Copyright (c) 2017 Brady Miller - * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 + * @copyright Copyright (c) 2017-2018 Brady Miller + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ require_once("../globals.php"); require_once("$srcdir/options.inc.php"); + use OpenEMR\Core\Header; $educationdir = "$OE_SITE_DIR/documents/education"; @@ -26,6 +27,10 @@ $source = empty($_REQUEST['source' ]) ? '' : $_REQUEST['source' ]; $errmsg = ''; if ($_POST['bn_submit']) { + if (!verifyCsrfToken($_POST["csrf_token_form"])) { + csrfNotVerified(); + } + if ($source == 'MLP') { // MedlinePlus Connect Web Application. See: // http://www.nlm.nih.gov/medlineplus/connect/application.html @@ -59,12 +64,12 @@ if ($_POST['bn_submit']) { // have the browser do it. if (false) { $data = file_get_contents($url); - echo $data; + echo text($data); } else { // Removed opener because this is not a dialog. sjp 12/14/17 echo "" //."" . "\n"; } @@ -133,6 +138,7 @@ if ($_POST['bn_submit']) {
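Review bot: `check_file_dir_name($form_filename)` now filters the template name before it is joined to `$templatedir`, but `$form_filename` is still read from `$_REQUEST` on the context line above while the token was verified from `$_POST` at the top of the file, so the name can arrive through a different channel than the one that was checked; `$form_filename = $_POST['form_filename'];` keeps them aligned. What check_file_dir_name rejects is not visible here, so as defence in depth it is worth also asserting that the resolved path stays under the template directory before reading it, for example comparing `realpath($templatepath)` against `realpath($templatedir) . '/'` and failing otherwise. The hunk sits below `if ($encounter) {`, whose extent is not visible here.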
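Review bot: In education.php's `@@ -59,12 +64,12 @@` hunk, `echo text($data)` sits inside `if (false) { … }`, so this change can never execute; and if the branch were ever enabled, `text()` would HTML-escape the whole document fetched by `file_get_contents($url)`, printing its markup as literal text rather than rendering it, whereas the comment just above ends with `// have the browser do it.`, which is what the `else` path does. Either delete the dead branch or replace it with a comment explaining why the redirect in the `else` path is the only supported behaviour. The enclosing `if ($_POST['bn_submit'])` block starts before the hunk.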

+ diff --git a/interface/patient_file/encounter/forms.php b/interface/patient_file/encounter/forms.php index c477a01f6..3878438ab 100644 --- a/interface/patient_file/encounter/forms.php +++ b/interface/patient_file/encounter/forms.php @@ -275,7 +275,7 @@ if (!isset($_GET['attachid'])) { // Process click on Delete link. function deleteme() { - dlgopen('../deleter.php?encounterid=' + , '_blank', 500, 200, '', '', { + dlgopen('../deleter.php?encounterid=' + + '&csrf_token_form=' + , '_blank', 500, 200, '', '', { buttons: [ {text: , close: true, style: 'primary btn-sm'} ], diff --git a/interface/patient_file/erx_patient_portal_js.php b/interface/patient_file/erx_patient_portal_js.php index cf9943ec7..9ac002c4c 100644 --- a/interface/patient_file/erx_patient_portal_js.php +++ b/interface/patient_file/erx_patient_portal_js.php @@ -1,13 +1,15 @@ - * @copyright Copyright (c) 2018 Ranganath Pathak - * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 - */ + * erx account status and patient portal username generator popup modals + * + * @package OpenEMR + * @link http://www.open-emr.org + * @author Ranganath Pathak + * @author Brady Miller + * @copyright Copyright (c) 2018 Ranganath Pathak + * @copyright Copyright (c) 2018 Brady Miller + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 + */ ?> //erx account status and patient portal username generator popup modals $(document).ready(function(){ @@ -15,7 +17,7 @@ $(document).ready(function(){ e.preventDefault();e.stopPropagation(); dlgopen('', '', 350, 300, '', '', { buttons: [ - {text: '', close: true, style: 'default btn-sm'} + {text: , close: true, style: 'default btn-sm'} ], allowResize: true, allowDrag: true, 
@@ -29,7 +31,7 @@ $(document).ready(function(){ e.preventDefault();e.stopPropagation(); dlgopen('', '', 380, 200, '', '', { buttons: [ - {text: '', close: true, style: 'default btn-sm'} + {text: , close: true, style: 'default btn-sm'} ], allowResize: true, allowDrag: true, diff --git a/interface/patient_file/front_payment.php b/interface/patient_file/front_payment.php index fbc79e0cc..c47d571cd 100644 --- a/interface/patient_file/front_payment.php +++ b/interface/patient_file/front_payment.php @@ -7,9 +7,10 @@ * @author Rod Roark * @author Brady Miller * @copyright Copyright (c) 2006-2016 Rod Roark - * @copyright Copyright (c) 2017 Brady Miller + * @copyright Copyright (c) 2017-2018 Brady Miller * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ + require_once("../globals.php"); require_once("$srcdir/acl.inc"); require_once("$srcdir/patient.inc"); @@ -68,16 +69,16 @@ function echoLine($iname, $date, $charges, $ptpaid, $inspaid, $duept, $encounter $encounter = $encounter ? $encounter : ''; echo "
\n"; echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; echo " \n"; echo " \n"; } @@ -153,6 +154,10 @@ $alertmsg = ''; // anything here pops up in an alert box // If the Save button was clicked... if ($_POST['form_save']) { + if (!verifyCsrfToken($_POST["csrf_token_form"])) { + csrfNotVerified(); + } + $form_pid = $_POST['form_pid']; $form_method = trim($_POST['form_method']); $form_source = trim($_POST['form_source']); @@ -450,7 +455,7 @@ function printlog_before_print() { // Process click on Delete button. function deleteme() { - dlgopen('deleter.php?payment=', '_blank', 500, 450); + dlgopen('deleter.php?payment=' + + '&csrf_token_form=' + , '_blank', 500, 450); return false; } @@ -473,7 +478,7 @@ function toencounter(enc, datestr, topframe) { if(!top.tab_mode) { topframe.left_nav.forceDual(); topframe.left_nav.setEncounter(datestr, enc, ''); - topframe.left_nav.loadFrame('enc2', 'RBot', 'patient_file/encounter/encounter_top.php?set_encounter=' + enc); + topframe.left_nav.loadFrame('enc2', 'RBot', 'patient_file/encounter/encounter_top.php?set_encounter=' + encodeURIComponent(enc)); } else { top.goToEncounter(enc); } @@ -542,7 +547,7 @@ function toencounter(enc, datestr, topframe) { if ($todaysenc && $todaysenc != $encounter) { echo " \n"; + "onclick='toencounter(" . attr_js($todaysenc) . ", " . attr_js($today) . ", (opener ? opener.top : top))' />\n"; } ?> 
@@ -684,14 +689,14 @@ function validate() { } } if (flgempty) { - alert(""); + alert(); return false; } // continue validation. if (((document.getElementById('form_method').options[document.getElementById('form_method').selectedIndex].value == 'check_payment' || document.getElementById('form_method').options[document.getElementById('form_method').selectedIndex].value == 'bank_draft') && document.getElementById('check_number').value == '')) { - alert(""); + alert(); document.getElementById('check_number').focus(); return false; } @@ -699,7 +704,7 @@ function validate() { document.getElementById('radio_type_of_payment1').checked == false && document.getElementById('radio_type_of_payment2').checked == false && document.getElementById('radio_type_of_payment4').checked == false) { - alert(""); + alert(); return false; } if (document.getElementById('radio_type_of_payment_self1').checked == true || @@ -710,7 +715,7 @@ function validate() { if (ename.indexOf('form_upay[0') == 0) //Today is this text box. { if (elem.value * 1 > 0) {//A warning message, if the amount is posted with out encounter. - if (confirm("")) { + if (confirm()) { ok = 1; } else { elem.focus(); @@ -730,7 +735,7 @@ function validate() { if (ename.indexOf('form_upay[0]') == 0) {//Today is this text box. if (f.form_paytotal.value * 1 != elem.value * 1) {//Total CO-PAY is not posted against today //A warning message, if the amount is posted against an old encounter. - if (confirm("")) { + if (confirm()) { ok = 1; } else { elem.focus(); @@ -747,7 +752,7 @@ function validate() { var ename = elem.name; if (ename.indexOf('form_upay[0') == 0) { if (elem.value * 1 > 0) { - alert(""); + alert(); return false; } break; @@ -755,7 +760,7 @@ function validate() { } } if (ok == -1) { - if (confirm("")) { + if (confirm()) { return true; } else { @@ -952,7 +957,8 @@ function make_insurance() {
- + +
@@ -969,7 +975,7 @@ function make_insurance() { if ($brow1112['option_id']=='electronic' || $brow1112['option_id']=='bank_draft') { continue; } - echo ""; + echo ""; } ?> @@ -991,10 +997,10 @@ function make_insurance() {
@@ -1006,18 +1012,18 @@ function make_insurance() {
@@ -1025,7 +1031,7 @@ function make_insurance() {
- +
@@ -135,21 +136,21 @@ function submit_form(val){ while ($res_pd = sqlFetchArray($query_pd)) { if ($res_pd['field_name'] != 'lname' && $res_pd['field_name'] != 'fname' && $res_pd['field_name'] != 'DOB') { $i++; - $query_oldpd = sqlQuery("SELECT ".$res_pd['field_name']." AS val FROM patient_data WHERE pid = ?", array($_REQUEST['pid'])); + $query_oldpd = sqlQuery("SELECT " . escape_sql_column_name($res_pd['field_name'], array("patient_data")) . " AS val FROM patient_data WHERE pid = ?", array($_REQUEST['pid'])); if ($res_pd['field_name'] == 'sex') { echo "" . ($patient_data[$res_pd['field_name']] ? text($patient_data[$res_pd['field_name']]): text($res_pd['field_name'])) . "" . + "" . "" . text($query_oldpd['val']) . "" . ($patient_data[$res_pd['field_name']] ? text($patient_data[$res_pd['field_name']]): text($res_pd['field_name'])) . "" . + "" . "" . text($query_oldpd['val']) . "
" . xlt('Title') . "
" . xlt('Title') . "" . xlt('Code') . "" . "" . xlt('Status') . "" . xlt('Status') . "
 " . text($res_existing_prob['title']) . " 
" . xlt('Title') . "" . xlt('Code') . "" . xlt('Status') . "" . xlt('Status') . "
" . xlt('Name') . "" . xlt('Date') . "" . xlt('Status') . "" . + "" . xlt('Status') . "" . "
" . xlt('Form') . "" . @@ -455,12 +456,12 @@ function submit_form(val){
- - + + - +
" . text(oeFormatShortDate($date)) . "" . attr($encounter) . "" . attr(bucks($charges)) . "" . attr(bucks($inspaid * -1)) . "" . attr(bucks($ptpaid * -1)) . "" . attr(bucks($patcopay)) . "" . attr(bucks($copay)) . "" . attr(bucks($balance)) . "" . attr(bucks(round($duept, 2) * 1)) . "" . text($encounter) . "" . text(bucks($charges)) . "" . text(bucks($inspaid * -1)) . "" . text(bucks($ptpaid * -1)) . "" . text(bucks($patcopay)) . "" . text(bucks($copay)) . "" . text(bucks($balance)) . "" . text(bucks(round($duept, 2) * 1)) . "
- - - - - - - - - - - - + + + + + + + + + + + + - +
@@ -1237,8 +1243,8 @@ function make_insurance() {
- - + + diff --git a/interface/patient_file/label.php b/interface/patient_file/label.php index 56db0f9a5..2924ce86d 100644 --- a/interface/patient_file/label.php +++ b/interface/patient_file/label.php @@ -5,24 +5,15 @@ * Program for displaying Chart Labels * via the popups on the left nav screen * - * Copyright (C) 2014 Terry Hill + * Used the program example supplied with the Avery Label Print Class to produce this program * - * LICENSE: This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 3 - * of the License, or (at your option) any later version. - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * You should have received a copy of the GNU General Public License - * along with this program. If not, see ;. * - * @package OpenEMR - * @author Terry Hill - * @link http://www.open-emr.org + * @package OpenEMR + * @link http://www.open-emr.org + * @author Terry Hill + * @copyright Copyright (c) 2014 Terry Hill + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ -// I used the program example supplied with the Avery Label Print Class to produce this program require_once("../globals.php"); diff --git a/interface/patient_file/letter.php b/interface/patient_file/letter.php index bd24e7074..10f08045d 100644 --- a/interface/patient_file/letter.php +++ b/interface/patient_file/letter.php 
@@ -19,6 +19,18 @@ use OpenEMR\Core\Header;
 $template_dir = $GLOBALS['OE_SITE_DIR'] . "/letter_templates";
+if (!empty($_POST)) {
+ if (!verifyCsrfToken($_POST["csrf_token_form"])) {
+ csrfNotVerified();
+ }
+}
+
+if (!empty($_GET)) {
+ if (!verifyCsrfToken($_GET["csrf_token_form"])) {
+ csrfNotVerified();
+ }
+}
+
 // array of field name tags to allow internationalization
 // of templates
 $FIELD_TAG = array(
@@ -99,8 +111,8 @@ if ($_POST['formaction']=="generate") {
 }
 if (! fwrite($fh, $temp_bodytext)) {
- echo xl('Error while saving to the file', '', '', ' ') . $template_dir."/autosaved" .
- xl('Ensure OpenEMR has write privileges to directory', '', ' . ', ' ') . $template_dir . "/ ." ;
+ echo xlt('Error while saving to the file') . ' ' . text($template_dir) . "/autosaved" . ' . ' .
+ xlt('Ensure OpenEMR has write privileges to directory') . ' ' . text($template_dir) . "/ ." ;
 die;
 }
@@ -192,7 +204,7 @@ if ($_POST['formaction']=="generate") {
-
"; @@ -389,36 +392,36 @@ foreach ($pid_list as $pid) { if ($pages == 0) { // if this is the last page $html .= " "; - $html .= xl('Patient', 'r'); + $html .= xlt('Patient'); $html .= ":
"; if ($form_fill) { $html .= text($patdata['fname'] . ' ' . $patdata['mname'] . ' ' . $patdata['lname']) . "
\n"; - $html .= $patdata['street'] . "
\n"; - $html .= $patdata['city'] . ', ' . $patdata['state'] . ' ' . $patdata['postal_code'] . "\n"; + $html .= text($patdata['street']) . "
\n"; + $html .= text($patdata['city'] . ', ' . $patdata['state'] . ' ' . $patdata['postal_code']) . "\n"; } $html .= " "; - $html .= xl('DOB', 'r'); + $html .= xlt('DOB'); $html .= ":
"; if ($form_fill) { - $html .= $patdata['DOB']; + $html .= text($patdata['DOB']); } - $html .= xl('ID', 'r'); + $html .= xlt('ID'); $html .= ":
"; if ($form_fill) { - $html .= $patdata['pubpid']; + $html .= text($patdata['pubpid']); } $html .= " "; - $html .= xl('Doctor', 'r'); + $html .= xlt('Doctor'); $html .= ":
"; $encdata = false; @@ -427,9 +430,9 @@ foreach ($pid_list as $pid) { "FROM forms AS f " . "JOIN form_encounter AS fe ON fe.id = f.form_id " . "LEFT JOIN users AS u ON u.username = f.user " . - "WHERE f.pid = '$pid' AND f.encounter = '$encounter' AND f.formdir = 'newpatient' AND f.deleted = 0 " . + "WHERE f.pid = ? AND f.encounter = ? AND f.formdir = 'newpatient' AND f.deleted = 0 " . "ORDER BY f.id LIMIT 1"; - $encdata = sqlQuery($query); + $encdata = sqlQuery($query, array($pid, $encounter)); if (!empty($encdata['username'])) { $html .= $encdata['fname'] . ' ' . $encdata['mname'] . ' ' . $encdata['lname']; } @@ -437,11 +440,11 @@ foreach ($pid_list as $pid) { $html .= " "; - $html .= xl('Reason', 'r'); + $html .= xlt('Reason'); $html .= ":
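Review bot: The query is now parameterised, but the line after it still appends `$encdata['fname'] . ' ' . $encdata['mname'] . ' ' . $encdata['lname']` to `$html` unescaped, while the neighbouring values (`$encdata['reason']`, `$encdata['date']`, `$insco_name`, the patient address) are all wrapped in `text()` in this same patch; `$html .= text($encdata['fname'] . ' ' . $encdata['mname'] . ' ' . $encdata['lname']);` brings it in line. Where `$html` is ultimately emitted is outside this hunk, so the escaping context is assumed to be HTML like the sibling lines. The enclosing `foreach ($pid_list as $pid)` loop starts before the hunk.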
"; if (!empty($encdata)) { - $html .= $encdata['reason']; + $html .= text($encdata['reason']); } $html .= " @@ -450,13 +453,13 @@ foreach ($pid_list as $pid) { "; if (empty($GLOBALS['ippf_specific'])) { - $html .= xl('Insurance', 'r').":"; + $html .= xlt('Insurance').":"; if ($form_fill) { foreach (array('primary', 'secondary', 'tertiary') as $instype) { $query = "SELECT * FROM insurance_data WHERE " . - "pid = '$pid' AND type = '$instype' " . + "pid = ? AND type = ? " . "ORDER BY date DESC LIMIT 1"; - $row = sqlQuery($query); + $row = sqlQuery($query, array($pid, $instype)); if ($row['provider']) { $icobj = new InsuranceCompany($row['provider']); $adobj = $icobj->get_address(); @@ -466,7 +469,7 @@ foreach ($pid_list as $pid) { } if ($insco_name) { - $html .= " $insco_name"; + $html .= " " . text($insco_name); } else { $html .= " Missing Name"; } @@ -475,10 +478,10 @@ foreach ($pid_list as $pid) { } } else { // IPPF wants a visit date box with the current date in it. - $html .= xl('Visit date', 'r'); + $html .= xlt('Visit date'); $html .= ":
\n"; if (!empty($encdata)) { - $html .= substr($encdata['date'], 0, 10); + $html .= text(substr($encdata['date'], 0, 10)); } else { $html .= text(oeFormatShortDate(date('Y-m-d'))) . "\n"; } @@ -488,25 +491,25 @@ foreach ($pid_list as $pid) { "; - $html .= xl('Prior Visit', 'r'); + $html .= xlt('Prior Visit'); $html .= ":
"; - $html .= xl('Today\'s Charges', 'r'); + $html .= xlt('Today\'s Charges'); $html .= ":
"; - $html .= xl('Today\'s Balance', 'r'); + $html .= xlt('Today\'s Balance'); $html .= ":
"; - $html .= xl('Notes', 'r'); + $html .= xlt('Notes'); $html .= ":
"; @@ -528,7 +531,7 @@ foreach ($pid_list as $pid) { if ($pages == 0) { // if this is the last page $html .= " "; - $html .= xl('Notes', 'r'); + $html .= xlt('Notes'); $html .= ":
"; @@ -555,7 +558,7 @@ foreach ($pid_list as $pid) { "; - $html .= xl('Signature', 'r'); + $html .= xlt('Signature'); $html .= ":
"; diff --git a/interface/patient_file/problem_encounter.php b/interface/patient_file/problem_encounter.php index f982667d5..b1f96e87e 100644 --- a/interface/patient_file/problem_encounter.php +++ b/interface/patient_file/problem_encounter.php @@ -1,34 +1,23 @@ - * Copyright (C) 2015 Roberto Vasquez - * Copyright (C) 2015 Brady Miller - * - * LICENSE: This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * You should have received a copy of the GNU General Public License - * along with this program. If not, see ;. - * - * @package OpenEMR - * @author Rod Roark - * @author Roberto Vasquez - * @author Brady Miller - * @link http://www.open-emr.org + * @package OpenEMR + * @link http://www.open-emr.org + * @author Rod Roark + * @author Roberto Vasquez + * @author Brady Miller + * @copyright Copyright (c) 2005 Rod Roark + * @copyright Copyright (c) 2015 Roberto Vasquez + * @copyright Copyright (c) 2015-2018 Brady Miller + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ -include_once("../globals.php"); -include_once("$srcdir/patient.inc"); -include_once("$srcdir/acl.inc"); -include_once("$srcdir/lists.inc"); + +require_once("../globals.php"); +require_once("$srcdir/patient.inc"); +require_once("$srcdir/acl.inc"); +require_once("$srcdir/lists.inc"); use OpenEMR\Core\Header; 
@@ -54,6 +43,10 @@ $endjs = ""; // holds javascript to write at the end // If the Save button was clicked... if ($_POST['form_save']) { + if (!verifyCsrfToken($_POST["csrf_token_form"])) { + csrfNotVerified(); + } + $form_pid = $_POST['form_pid']; $form_pelist = $_POST['form_pelist']; // $pattern = '|/(\d+),(\d+),([YN])|'; @@ -79,7 +72,7 @@ if ($_POST['form_save']) { ."" . " diff --git a/interface/patient_file/summary/add_edit_issue.php b/interface/patient_file/summary/add_edit_issue.php index e6c1e0799..50fa45dac 100644 --- a/interface/patient_file/summary/add_edit_issue.php +++ b/interface/patient_file/summary/add_edit_issue.php @@ -494,7 +494,7 @@ if ($ISSUE_TYPES['ippf_gcac'] && !$_POST['form_save']) { // Process click on Delete link. function deleteme() { - dlgopen('../deleter.php?issue=', '_blank', 500, 450); + dlgopen('../deleter.php?issue=' + + '&csrf_token_form=' + , '_blank', 500, 450); return false; } diff --git a/interface/patient_file/summary/dashboard_header.php b/interface/patient_file/summary/dashboard_header.php index 8d7330492..650462298 100644 --- a/interface/patient_file/summary/dashboard_header.php +++ b/interface/patient_file/summary/dashboard_header.php @@ -66,7 +66,7 @@ if ($days_deceased) { ?> if (acl_check('admin', 'super') && $GLOBALS['allow_pat_delete']) { ?> diff --git a/interface/patient_file/summary/demographics.php b/interface/patient_file/summary/demographics.php index cef70d873..65554e319 100644 --- a/interface/patient_file/summary/demographics.php +++ b/interface/patient_file/summary/demographics.php @@ -186,7 +186,7 @@ if ($result3['provider']) { // Use provider in case there is an ins record w/ // Process click on Delete link. function deleteme() { // @todo don't think this is used any longer!! - dlgopen('../deleter.php?patient=', '_blank', 500, 450, '', '',{ + dlgopen('../deleter.php?patient=' + + '&csrf_token_form=' + , '_blank', 500, 450, '', '',{ allowResize: false, allowDrag: false, dialogId: 'patdel', 
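Review bot: The new guard reads `$_POST["csrf_token_form"]` without an `isset()` check, so a POST that omits the field emits an undefined-index notice before `verifyCsrfToken()` runs; `verifyCsrfToken($_POST['csrf_token_form'] ?? '')` keeps the rejection path quiet if the project's PHP floor allows `??`, otherwise an `isset()` guard does the same. The check also relies on `csrfNotVerified()` terminating the request — if it only renders a message, execution falls through to the `$form_pid`/`$form_pelist` handling below. The enclosing `if ($_POST['form_save'])` block continues past the end of the hunk.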
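Review bot: The rewritten `deleteme()` in add_edit_issue.php carries the CSRF token in the query string of the `deleter.php` URL, so the secret lands in web-server access logs, browser history and any `Referer` header sent from the dialog; the `demographics.php` hunk at -186 and the `general_view.html` hunk at -21 do the same. A safer shape is to keep only the record id in the URL and have `deleter.php` present a confirmation form with the token in a hidden field, performing the delete on that POST. The two values spliced between the `+` operators are not visible in this extract; whatever emits them should URL-encode and JavaScript-escape the token as the `urlencode|escape:'javascript'` chain in `general_view.html` does, and wrap the id in `encodeURIComponent()` as that file does.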
@@ -211,13 +211,6 @@ if ($result3['provider']) { // Use provider in case there is an ins record w/ return false; } -function sendimage(pid, what) { - // alert('Not yet implemented.'); return false; - dlgopen('../upload_dialog.php?patientid=' + encodeURIComponent(pid) + '&file=' + encodeURIComponent(what), - '_blank', 500, 400); - return false; -} - - - - - -&1"); - if ($tmp) - $errmsg = "This is not a valid image, or its format is unsupported."; - ***************************************************************/ - - if (!move_uploaded_file($_FILES['userfile']['tmp_name'], $filename)) { - $errmsg = "Internal error accessing uploaded file!"; - } - } - } - - // Write JavaScript for final disposition by the browser. - // - echo "\n\n\n"; - - exit; -} -?> - -
- -

Upload Image File

- -
- - - - -
- - - - - - - -
- Send this file: - - -
- -

- - - - -

- - - - - diff --git a/library/formdata.inc.php b/library/formdata.inc.php index 24c9919a5..a8fe45538 100644 --- a/library/formdata.inc.php +++ b/library/formdata.inc.php @@ -20,9 +20,9 @@ */ function add_escape_custom($s) { - //prepare for safe mysql insertion - $s = mysqli_real_escape_string($GLOBALS['dbh'], $s); - return $s; + //prepare for safe mysql insertion + $s = mysqli_real_escape_string($GLOBALS['dbh'], $s); + return $s; } /** @@ -39,9 +39,9 @@ function add_escape_custom($s) */ function escape_limit($s) { - //prepare for safe mysql insertion - $s = (int)$s; - return $s; + //prepare for safe mysql insertion + $s = (int)$s; + return $s; } /** @@ -56,7 +56,7 @@ function escape_limit($s) */ function escape_sort_order($s) { - return escape_identifier(strtolower($s), array("asc","desc")); + return escape_identifier(strtolower($s), array("asc","desc")); } /** @@ -76,7 +76,7 @@ function escape_sort_order($s) function escape_sql_column_name($s, $tables, $long = false) { - // If the $tables is empty, then process them all + // If the $tables is empty, then process them all if (empty($tables)) { $res = sqlStatementNoLog("SHOW TABLES"); $tables = array(); @@ -86,14 +86,14 @@ function escape_sql_column_name($s, $tables, $long = false) } } - // First need to escape the $tables - $tables_escaped = array(); + // First need to escape the $tables + $tables_escaped = array(); foreach ($tables as $table) { $tables_escaped[] = escape_table_name($table); } - // Collect all the possible sql columns from the tables - $columns_options = array(); + // Collect all the possible sql columns from the tables + $columns_options = array(); foreach ($tables_escaped as $table_escaped) { $res = sqlStatementNoLog("SHOW COLUMNS FROM ".$table_escaped); while ($row=sqlFetchArray($res)) { 
@@ -105,8 +105,8 @@ function escape_sql_column_name($s, $tables, $long = false) } } - // Now can escape(via whitelisting) the sql column name - return escape_identifier($s, $columns_options, true); + // Now can escape(via whitelisting) the sql column name + return escape_identifier($s, $columns_options, true); } /** @@ -131,15 +131,15 @@ function escape_sql_column_name($s, $tables, $long = false) */ function escape_table_name($s) { - $res = sqlStatementNoLog("SHOW TABLES"); - $tables_array = array(); + $res = sqlStatementNoLog("SHOW TABLES"); + $tables_array = array(); while ($row=sqlFetchArray($res)) { $keys_return = array_keys($row); $tables_array[]=$row[$keys_return[0]]; } - // Now can escape(via whitelisting) the sql table name - return escape_identifier($s, $tables_array, true, false); + // Now can escape(via whitelisting) the sql table name + return escape_identifier($s, $tables_array, true, false); } /** @@ -250,12 +250,12 @@ function formData($name, $type = 'P', $isTrim = false) */ function formDataCore($s, $isTrim = false) { - //trim if selected + //trim if selected if ($isTrim) { $s = trim($s); } - //add escapes for safe database insertion - $s = add_escape_custom($s); - return $s; + //add escapes for safe database insertion + $s = add_escape_custom($s); + return $s; } diff --git a/templates/documents/general_upload.html b/templates/documents/general_upload.html index 347476928..03bf32afb 100644 --- a/templates/documents/general_upload.html +++ b/templates/documents/general_upload.html @@ -55,6 +55,7 @@
+

{xl t="Download document template for this patient and visit"|escape:'html'}
diff --git a/templates/documents/general_view.html b/templates/documents/general_view.html
index 49adaac9c..246b5f05a 100644
--- a/templates/documents/general_view.html
+++ b/templates/documents/general_view.html
@@ -21,7 +21,7 @@ // Process click on Delete link.
 function deleteme(docid) {literal}{{/literal}
- dlgopen('interface/patient_file/deleter.php?document=' + docid, '_blank', 500, 450);
+ dlgopen('interface/patient_file/deleter.php?document=' + encodeURIComponent(docid) + '&csrf_token_form=' + "{$csrf_token_form|urlencode|escape:'javascript'}", '_blank', 500, 450);
 return false;
 {literal}}{/literal}
-- 2.11.4.GIT