
Quick escape issues fix (openemr#7873)
* Quick escape issues fix Thanks
status needs to preserve html for display
missed endings for refactor escaping and translations.

* make comment required if email

* Relax permissions.
sjpadgett authored Dec 17, 2024
1 parent 2c8f0ff commit fc24e07
Showing 10 changed files with 19 additions and 19 deletions.
8 changes: 4 additions & 4 deletions interface/main/calendar/find_patient_popup.php
Expand Up @@ -145,9 +145,9 @@
} ?>><?php echo xlt('DOB'); ?></option>
</select>
<label for="searchparm" class="col-form-label col-form-label-sm col"><?php echo text(xl('for:')); ?></label>
<input type='text' class="form-control form-control-sm col" id='searchparm' name='searchparm' size='12' value='<?php echo attr($_REQUEST['searchparm'] ?? ''); ?>' title='<?php echo text(xl('If name, any part of lastname or lastname,firstname'), ENT_QUOTES); ?>' />
<input type='text' class="form-control form-control-sm col" id='searchparm' name='searchparm' size='12' value='<?php echo attr($_REQUEST['searchparm'] ?? ''); ?>' title='<?php echo xla('If name, any part of lastname or lastname,firstname'); ?>' />
<div class="col">
<input class='btn btn-primary btn-sm' type='submit' id="submitbtn" value='<?php echo text(xl('Search'), ENT_QUOTES); ?>' />
<input class='btn btn-primary btn-sm' type='submit' id="submitbtn" value='<?php echo xla('Search'); ?>' />
<div id="searchspinner"><img src="<?php echo $GLOBALS['webroot'] ?>/interface/pic/ajax-loader.gif" /></div>
</div>
</div>
Expand Down Expand Up @@ -206,7 +206,7 @@
}

echo " <tr class='" . $trClass . "' id='" .
text($iterpid . "~" . $iterlname . "~" . $iterfname . "~" . $iterdob, ENT_QUOTES) . "'>";
attr($iterpid . "~" . $iterlname . "~" . $iterfname . "~" . $iterdob) . "'>";
echo " <td class='srName'>" . text($iterlname . ", " . $iterfname . " " . $itermname);
if (!empty($iter['billing_note'])) {
echo "<br />" . text($iter['billing_note']);
Expand Down Expand Up @@ -269,7 +269,7 @@

function selpid(pid, lname, fname, dob) {
if (opener.closed || !opener.setpatient)
alert("<?php echo text(xl('The destination form was closed; I cannot act on your selection.'), ENT_QUOTES); ?>");
alert(<?php echo xlj('The destination form was closed; I cannot act on your selection.'); ?>);
else
opener.setpatient(pid, lname, fname, dob);
dlgclose();
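Review bot: The spinner line in the first hunk still echoes `$GLOBALS['webroot']` raw into the `src` attribute while the attributes around it were moved to `attr()`/`xla()` by this commit; for consistency with that escaping pass it should read `<img src="<?php echo attr($GLOBALS['webroot']); ?>/interface/pic/ajax-loader.gif" />`. webroot is a server-side configuration value, so the practical exposure is low, but leaving one raw echo in a block that was just cleaned up invites the next editor to treat it as the accepted style. The enclosing form markup starts and ends outside the hunk.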
6 changes: 3 additions & 3 deletions interface/modules/custom_modules/oe-module-faxsms/contact.php
Expand Up @@ -271,8 +271,8 @@ function (data) {
<input type="hidden" id="form_isDocuments" name="isDocuments" value='<?php echo attr($isDoc ?? ''); ?>'>
<input type="hidden" id="form_isQueue" name="isQueue" value='<?php echo attr($isQueue ?? ''); ?>'>
<input type="hidden" id="form_isSMS" name="isSMS" value='<?php echo attr($isSMS ?? ''); ?>'>
<input type="hidden" id="form_isSMS" name="isFax" value='<?php echo attr($isFax ?? ''); ?>'>
<input type="hidden" id="form_isSMS" name="isEmail" value='<?php echo attr($isEmail ?? ''); ?>'>
<input type="hidden" id="form_isFax" name="isFax" value='<?php echo attr($isFax ?? ''); ?>'>
<input type="hidden" id="form_isEmail" name="isEmail" value='<?php echo attr($isEmail ?? ''); ?>'>
<input type="hidden" id="form_mime" name="mime" value='<?php echo attr($file_mime ?? ''); ?>'>
<input type="hidden" id="form_file" name="templateName" value='<?php echo attr($template_name ?? ''); ?>'>
<input type="hidden" id="form_details" name="details" value='<?php echo attr_js($details ?? ''); ?>'>
Expand Down Expand Up @@ -331,7 +331,7 @@ function (data) {
<?php if ($service == "1" || $isSMS || $isForward || $isEmail) { ?>
<div class="form-group">
<label for="form_message"><?php echo xlt('Message') ?></label>
<textarea id="form_message" name="comments" class="form-control" placeholder="
<textarea id="form_message" name="comments" class="form-control" <?php echo($isEmail ? 'required' : ''); ?> placeholder="
<?php echo "\n" . xla('Add a note for the recipient or cover sheet if supported. Double click to use Text Templates if enabled.'); ?>" rows="6"><?php echo $default_message; ?></textarea>
</div>
<?php } ?>
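Review bot: The `required` attribute added to `#form_message` in the second hunk is enforced only by the browser, so the email path still needs a server-side check that `comments` is non-empty before anything is sent; the handler that reads `comments` is outside this hunk, so please confirm it rejects an empty body when `isEmail` is set rather than relying on the form. On the same textarea the content is still emitted as `<?php echo $default_message; ?>` without `text()`, which is inconsistent with the `xla()` applied to the placeholder on the next line; `<?php echo text($default_message); ?>` would match unless the default is deliberately meant to carry markup. The surrounding form starts and ends outside the hunk.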
Expand Up @@ -679,7 +679,7 @@ function createPatient(e, faxId, recordId, data) {
<button type="button" class="btn btn-primary btn-search" onclick="retrieveMsgs(event,this)" title="<?php echo xla('Click to get current history.') ?>"></button>
</div>
</form>
<?php if ($clientApp->verifyAcl('admin', 'demo')) { ?>
<?php if ($clientApp->verifyAcl('patients', 'appt')) { ?>
<div class="nav-item dropdown ml-auto">
<button class="btn btn-lg btn-link dropdown-toggle" data-toggle="dropdown" role="button" aria-expanded="false">
<?php echo xlt('Account Actions'); ?><span class="caret"></span>
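Review bot: Gating the Account Actions dropdown on `verifyAcl('patients', 'appt')` instead of `admin`/`demo` widens who sees it to most clinical users, and this check only hides markup; whatever endpoints the dropdown items call (outside this hunk, in a file whose name is not visible on this page) need to apply the same ACL server-side, otherwise the markup gate is the only thing standing between a `patients/appt` holder and an action that used to require admin. Please confirm each item under the dropdown is appropriate for that audience and that its handler enforces the same ACL. The enclosing form and page markup start and end outside the hunk.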
Expand Up @@ -112,7 +112,7 @@ public function getCallLogs()
* @param $acl
* @return int
*/
function authenticate($acl = ['admin', 'doc']): int
function authenticate($acl = ['patients', 'appt']): int
{
list($s, $v) = $acl;
return $this->verifyAcl($s, $v);
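Review bot: The new default `['patients', 'appt']` is a literal repeated in this `authenticate` and in the three `authenticate` hunks that follow on this page (the sections ending with `sendFax(): string|bool`, `sendFax(): string` and `formatPhone`), which is exactly why one permission change had to touch four files; if these classes share a base or dispatcher class, a single `public const DEFAULT_ACL = ['patients', 'appt'];` with `array $acl = self::DEFAULT_ACL` as the parameter default would keep them from drifting apart again. While here, this and the next two declarations leave `$acl` untyped where the fourth already uses `array $acl`; `function authenticate(array $acl = ['patients', 'appt']): int` and `[$s, $v] = $acl;` would bring them in line. The enclosing class and the `verifyAcl` it calls are outside the hunk.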
Expand Up @@ -79,7 +79,7 @@ public function sendFax(): string|bool
* @param $acl
* @return int
*/
public function authenticate($acl = ['patient', 'doc']): int
public function authenticate($acl = ['patients', 'appt']): int
{
list($s, $v) = $acl;
return $this->verifyAcl($s, $v);
Expand Up @@ -239,7 +239,7 @@ public function sendFax(): string
* @param $acl
* @return int
*/
public function authenticate($acl = ['admin', 'doc']): int
public function authenticate($acl = ['patients', 'appt']): int
{
if (empty($this->credentials)) {
$this->credentials = $this->getCredentials();
Expand Up @@ -132,7 +132,7 @@ public function formatPhone($number): string
* @param array $acl
* @return int
*/
public function authenticate(array $acl = ['admin', 'doc']): int
public function authenticate(array $acl = ['patients', 'appt']): int
{
// did construct happen...
if (empty($this->credentials)) {
Expand Up @@ -105,7 +105,7 @@ public function onNotifyDocumentRenderOneTime(SendNotificationEvent $event)
}

if ($patient['hipaa_allowsms'] == 'YES' && $includeSMS) {
$status .= "Sending SMS to $recipientPhone" . ': ';
$status .= "Sending SMS to " . text($recipientPhone) . ': ';
$clientApp = AppDispatch::getApiService('sms');
$status_api = $clientApp->sendSMS(
$recipientPhone,
Expand All @@ -125,12 +125,12 @@ public function onNotifyDocumentRenderOneTime(SendNotificationEvent $event)
&& ($includeEmail)
&& ($patient['hipaa_allowemail'] == 'YES')
) {
$status .= "Sending email to $recipientEmail" . ': ';
$status .= $this->emailNotification($recipientEmail, $html_message);
$status .= "Sending email to " . text($recipientEmail) . ': ';
$status .= text($this->emailNotification($recipientEmail, $html_message));
}
$status .= "\n";
echo (nl2br($status));
return $status;
echo (nl2br($status)); //preserve html for alert status
return 'okay';
}

/**
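Review bot: The email branch now wraps the `emailNotification()` result in `text()` before appending to `$status`, but the SMS branch's `$status_api` from `sendSMS()` is consumed past the end of the first hunk, so it cannot be seen here whether it gets the same treatment; since `$status` is echoed through `nl2br()` as HTML, an unescaped API message would be a raw path into that output. Please confirm `$status_api` is also passed through `text()` where it joins `$status`. The return value also changes from `$status` to the literal `'okay'`, so any caller that displayed the return rather than the echoed output now loses the status detail; a docblock line on the method such as `@return string always 'okay'; the human-readable status is echoed as HTML, not returned` would make that contract explicit. The method signature and the end of the SMS branch are outside the hunks.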
2 changes: 1 addition & 1 deletion src/Events/Messaging/SendNotificationEvent.php
Expand Up @@ -84,7 +84,7 @@ public function getPid(): string
* @param $u
* @return bool
*/
public function verifyAcl($sect = 'admin', $v = 'docs', $u = ''): bool
public function verifyAcl($sect = 'patients', $v = 'docs', $u = ''): bool
{
return AclMain::aclCheckCore($sect, $v, $u);
}
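Review bot: `verifyAcl` keeps its parameters untyped while taking string defaults; `public function verifyAcl(string $sect = 'patients', string $v = 'docs', string $u = ''): bool` would let the engine reject a non-string section instead of passing it through to `aclCheckCore`, and the same applies to the identical `verifyAcl` in `src/Events/Messaging/SendSmsEvent.php` below. The new default pair `patients`/`docs` also differs from the `patients`/`appt` this commit sets as the default everywhere else on the page; if that is deliberate, a one-line comment on the default saying why these events check `docs` rather than `appt` would stop the next reader from "fixing" it. `aclCheckCore` itself is outside the hunk.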
2 changes: 1 addition & 1 deletion src/Events/Messaging/SendSmsEvent.php
Expand Up @@ -73,7 +73,7 @@ public function getRecipientPhone(): string
* @param $u
* @return bool
*/
public function verifyAcl($sect = 'admin', $v = 'docs', $u = ''): bool
public function verifyAcl($sect = 'patients', $v = 'docs', $u = ''): bool
{
return AclMain::aclCheckCore($sect, $v, $u);
}
