
Fixes openemr#7635 appointment comments double escaped (openemr#7638)
* Fixes openemr#7635 appointment comments double escaped

The day, month, and week appointments are showing html entities for
things like apostrophes, quotes, ampersands, etc because the data is
being double escaped.  We need to make sure we only do a single version
escape on the calendar.

The calendar uses the pcVarPrepHTMLDisplay function to escape this and
other fields which then get double escaped when passed through OpenEMR's
attr function.  We fix this issue by removing the attr() call and relying
on the escaping already done by pcVarPrepHTMLDisplay.  This keeps
PostCalendar/pnuserapi.php working as before for anyone using it to grab events.

Fixes openemr#7635

* Fix escaping on patient showImage

day/month/week escaping issue fix.
adunsulag authored Sep 22, 2024
1 parent 4d8d535 commit f9e3158
Showing 3 changed files with 53 additions and 28 deletions.
Expand Up @@ -729,7 +729,10 @@
if ($event['recurrtype'] > 0) {
$content .= "<img class='border-0' src='{$this->_tpl_vars['TPL_IMAGE_PATH']}/repeating8.png' style='margin: 0 2px 0 2px;' title='" . xla("Repeating event") . "' alt='" . xla("Repeating event") . "' />";
}
if ($comment) $content .= " " . text($comment);
if ($comment) {

$content .= " " . text($comment);
}
}
else {
// some sort of patient appointment
Expand All @@ -742,19 +745,24 @@
if ($event['recurrtype'] > 0) $content .= "<img src='{$this->_tpl_vars['TPL_IMAGE_PATH']}/repeating8.png' border='0' style='margin:0px 2px 0px 2px;' title='" . xla("Repeating event") . "' alt='" . xla("Repeating event") . "'>";
$content .= '&nbsp;' . text($event['apptstatus']);
if ($patientid) {
$link_title = $fname . " " . $lname . " \n";
$link_title .= xl('Age') . ": " . $patient_age . "\n" . xl('DOB') . ": " . $patient_dob . " $comment" . "\n";
$link_title .= "(" . xl('Click to view') . ")";
$content .= "<a class='link_title' data-pid='". attr($patientid) . "' href='javascript:goPid(" . attr_js($patientid) . ")' title='" . attr($link_title) . "'>";
$content .= "<i class='fas fa-user text-success' onmouseover=\"javascript:ShowImage(" . attr_js($GLOBALS['webroot']."/controller.php?document&retrieve&patient_id=".attr($patientid)."&document_id=-1&as_file=false&original_file=true&disable_exit=false&show_original=true&context=patient_picture") . ");\" onmouseout=\"javascript:HideImage();\" title='" . attr($link_title) . "'></i>";
// include patient name and link to their details
$link_title = attr($fname) . " " . attr($lname) . " \n";
// note we don't escape comment as its already been escaped in pnuserapi
$link_title .= xla('Age') . ": " . attr($patient_age) . "\n" . xla('DOB') . ": " . attr($patient_dob) . " $comment" . "\n";
$link_title .= "(" . xla('Click to view') . ")";
$content .= "<a class='link_title' data-pid='". attr($patientid) . "' href='javascript:goPid(" . attr_js($patientid) . ")' title='" . $link_title . "'>";
$content .= "<i class='fas fa-user text-success' onmouseover=\"javascript:ShowImage(" . attr_js($GLOBALS['webroot']."/controller.php?document&retrieve&patient_id=".urlencode($patientid)."&document_id=-1&as_file=false&original_file=true&disable_exit=false&show_original=true&context=patient_picture") . ");\" onmouseout=\"javascript:HideImage();\" title='" . $link_titles . "'></i>";
if ($catid == 1) $content .= "<s>";
$content .= text($lname);
if ($GLOBALS['calendar_appt_style'] != 1) {
$content .= "," . text($fname);
if ($event['title'] && $GLOBALS['calendar_appt_style'] >= 3) {
$content .= "(" . text($event['title']);
if ($event['hometext'] && $GLOBALS['calendar_appt_style'] >= 4)
$content .= ": <span class='text-success'>" . text(trim($event['hometext'])) . "</span>";
if ($event['hometext'] && $GLOBALS['calendar_appt_style'] >= 4) {
// note hometext is already escaped in pnuserapi.php via the pcVarPrepHTMLDisplay function
// we don't double escape it here.
$content .= ": <span class='text-success'>" . trim($event['hometext']) . "</span>";
}
$content .= ")";
}
}
Expand All @@ -773,8 +781,11 @@
if ($GLOBALS['calendar_appt_style'] != 1) {
if ($event['title'] && $GLOBALS['calendar_appt_style'] >= 3) {
$content .= "(" . text($event['title']);
if ($event['hometext'] && $GLOBALS['calendar_appt_style'] >= 4)
$content .= ": <span class='text-success'>" . text(trim($event['hometext'])) . "</span>";
if ($event['hometext'] && $GLOBALS['calendar_appt_style'] >= 4) {
// note hometext is already escaped in pnuserapi.php via the pcVarPrepHTMLDisplay function
// we don't double escape it here.
$content .= ": <span class='text-success'>" . trim($event['hometext']) . "</span>";
}
$content .= ")";
}
}
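Review bot: The `<i class='fas fa-user …'>` line in the patient branch now reads `title='" . $link_titles . "'` — `$link_titles` (plural) is never assigned, so the icon's tooltip renders empty and PHP raises an undefined-variable warning on every rendered appointment; the other two templates use `$link_title`, so this should be `title='" . $link_title . "'`. Separately, the provider-event branch at the top of the section still emits `text($comment)`, while the new note in the patient branch says `$comment` "has already been escaped in pnuserapi"; if both branches receive `$comment` from the same loader, the first one still double-escapes, and if they do not, the note should say which source is pre-escaped. pcVarPrepHTMLDisplay is not visible here, and `$comment` now lands inside a single-quoted `title='…'` attribute without `attr()`, so confirm it escapes `'` (ENT_QUOTES or equivalent) — otherwise an apostrophe in a comment terminates the attribute early. The enclosing function starts before and ends after this hunk.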
Expand Up @@ -549,19 +549,23 @@
$content .= create_event_time_anchor($displayTime);
if ($patientid) {
// include patient name and link to their details
$link_title = $fname . " " . $lname . " \n";
$link_title .= xl('Age') . ": " . $patient_age . "\n" . xl('DOB') . ": " . $patient_dob . $comment . "\n";
$link_title .= "(" . xl('Click to view') . ")";
$content .= "<a class='link_title' data-pid='". attr($patientid) . "' href='javascript:goPid(" . attr_js($patientid) . ")' title='" . attr($link_title) . "'>";
$content .= "<img src='{$this->_tpl_vars['TPL_IMAGE_PATH']}/user-green.gif' onmouseover=\"javascript:ShowImage(" . attr_js($GLOBALS['webroot']."/controller.php?document&retrieve&patient_id=".$patientid."&document_id=-1&as_file=false&original_file=true&disable_exit=false&show_original=true&context=patient_picture") . ");\" onmouseout=\"javascript:HideImage();\" border='0' title='" . attr($link_title) . "' alt='View Patient' />";
$link_title = attr($fname) . " " . attr($lname) . " \n";
// note we don't escape comment as its already been escaped in pnuserapi
$link_title .= xla('Age') . ": " . attr($patient_age) . "\n" . xla('DOB') . ": " . attr($patient_dob) . " $comment" . "\n";
$link_title .= "(" . xla('Click to view') . ")";
$content .= "<a class='link_title' data-pid='". attr($patientid) . "' href='javascript:goPid(" . attr_js($patientid) . ")' title='" . $link_title . "'>";
$content .= "<img src='{$this->_tpl_vars['TPL_IMAGE_PATH']}/user-green.gif' onmouseover=\"javascript:ShowImage(" . attr_js($GLOBALS['webroot']."/controller.php?document&retrieve&patient_id=".urlencode($patientid)."&document_id=-1&as_file=false&original_file=true&disable_exit=false&show_original=true&context=patient_picture") . ");\" onmouseout=\"javascript:HideImage();\" border='0' title='" . $link_title . "' alt='View Patient' />";
if ($catid == 1) $content .= "<s>";
$content .= text($lname);
if ($GLOBALS['calendar_appt_style'] != 1) {
$content .= "," . text($fname);
if ($event['title'] && $GLOBALS['calendar_appt_style'] >= 3) {
$content .= "(" . text($event['title']);
if ($event['hometext'] && $GLOBALS['calendar_appt_style'] >= 4)
$content .= ": <span class='text-success'>" . text(trim($event['hometext'])) . "</span>";
if ($event['hometext'] && $GLOBALS['calendar_appt_style'] >= 4) {
// note hometext is already escaped in pnuserapi.php via the pcVarPrepHTMLDisplay function
// we don't double escape it here.
$content .= ": <span class='text-success'>" . trim($event['hometext']) . "</span>";
}
$content .= ")";
}
}
Expand All @@ -580,8 +584,11 @@
if ($GLOBALS['calendar_appt_style'] != 1) {
if ($event['title'] && $GLOBALS['calendar_appt_style'] >= 3) {
$content .= "(" . text($event['title']);
if ($event['hometext'] && $GLOBALS['calendar_appt_style'] >= 4)
$content .= ": <span class='text-success'>" . text(trim($event['hometext'])) . "</span>";
if ($event['hometext'] && $GLOBALS['calendar_appt_style'] >= 4) {
// note hometext is already escaped in pnuserapi.php via the pcVarPrepHTMLDisplay function
// we don't double escape it here.
$content .= ": <span class='text-success'>" . trim($event['hometext']) . "</span>";
}
$content .= ")";
}
}
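Review bot: The patient-link block now writes `$comment` and `trim($event['hometext'])` into the markup with no escaping in this template, so the file's XSS safety rests entirely on pnuserapi.php having run pcVarPrepHTMLDisplay on every event row it hands over — a contract the two inline comments mention but nothing in this function checks or states up front. Anyone wiring a different event source into this template has no signal at this point that pre-escaped data is required; I would add one line above the patient branch, e.g. `// $event['hometext'] and $comment arrive HTML-escaped from pnuserapi.php (pcVarPrepHTMLDisplay); never feed this template raw event rows`. While here, `alt='View Patient'` on the `<img>` is the only user-facing string in the block not passed through `xla()`. The enclosing function begins before this hunk and continues after it.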
Expand Up @@ -760,20 +760,24 @@
$content .= text($event['apptstatus']);
if ($patientid) {
// include patient name and link to their details
$link_title = $fname . " " . $lname . " \n";
$link_title .= xl('Age') . ": " . $patient_age . "\n" . xl('DOB') . ": " . $patient_dob . $comment . "\n";
$link_title .= "(" . xl('Click to view') . ")";
$content .= "<a class='link_title' data-pid='". attr($patientid) . "' href='javascript:goPid(" . attr_js($patientid) . ")' title='" . attr($link_title) . "'>";
$content .= "<i class='fas fa-user text-success' onmouseover=\"javascript:ShowImage(" . attr_js($GLOBALS['webroot']."/controller.php?document&retrieve&patient_id=".$patientid."&document_id=-1&as_file=false&original_file=true&disable_exit=false&show_original=true&context=patient_picture") . ");\" onmouseout=\"javascript:HideImage();\" title='". attr($link_title) . "'></i>";
$link_title = attr($fname) . " " . attr($lname) . " \n";
// note we don't escape comment as its already been escaped in pnuserapi
$link_title .= xla('Age') . ": " . attr($patient_age) . "\n" . xla('DOB') . ": " . attr($patient_dob) . " $comment" . "\n";
$link_title .= "(" . xla('Click to view') . ")";
$content .= "<a class='link_title' data-pid='". attr($patientid) . "' href='javascript:goPid(" . attr_js($patientid) . ")' title='" . $link_title . "'>";
$content .= "<i class='fas fa-user text-success' onmouseover=\"javascript:ShowImage(" . attr_js($GLOBALS['webroot']."/controller.php?document&retrieve&patient_id=".urlencode($patientid)."&document_id=-1&as_file=false&original_file=true&disable_exit=false&show_original=true&context=patient_picture") . ");\" onmouseout=\"javascript:HideImage();\" title='". $link_title . "'></i>";

if ($catid == 1) $content .= "<s>";
$content .= text($lname);
if ($GLOBALS['calendar_appt_style'] != 1) {
$content .= "," . text($fname);
if ($event['title'] && $GLOBALS['calendar_appt_style'] >= 3) {
$content .= "(" . text($event['title']);
if ($event['hometext'] && $GLOBALS['calendar_appt_style'] >= 4)
$content .= ": <span class='text-success'>" . text(trim($event['hometext'])) . "</span>";
if ($event['hometext'] && $GLOBALS['calendar_appt_style'] >= 4) {
// note hometext is already escaped in pnuserapi.php via the pcVarPrepHTMLDisplay function
// we don't double escape it here.
$content .= ": <span class='text-success'>" . trim($event['hometext']) . "</span>";
}
$content .= ")";
}
}
Expand All @@ -793,8 +797,11 @@
if ($GLOBALS['calendar_appt_style'] != 1) {
if ($event['title'] && $GLOBALS['calendar_appt_style'] >= 3) {
$content .= "(" . text($event['title']);
if ($event['hometext'] && $GLOBALS['calendar_appt_style'] >= 4)
$content .= ": <span class='text-success'>" . text(trim($event['hometext'])) . "</span>";
if ($event['hometext'] && $GLOBALS['calendar_appt_style'] >= 4) {
// note hometext is already escaped in pnuserapi.php via the pcVarPrepHTMLDisplay function
// we don't double escape it here.
$content .= ": <span class='text-success'>" . trim($event['hometext']) . "</span>";
}
$content .= ")";
}
}
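Review bot: `$comment` is now inserted into the single-quoted `title='…'` attribute of both the `<a>` and the `<i>` tag carrying only the HTML-body escaping applied upstream in pnuserapi.php, whereas the removed `attr()` call escaped for attribute context; since pcVarPrepHTMLDisplay is not visible in this diff, confirm it escapes single quotes (ENT_QUOTES or equivalent), otherwise an apostrophe in an appointment comment closes the attribute and the rest of the text is parsed as markup. If it does not, the narrow fix that avoids re-introducing the double-escape is to quote-escape only that substring, e.g. `str_replace("'", '&#039;', $comment)`, rather than wrapping the whole `$link_title` in `attr()` again. The switch from `attr($patientid)` to `urlencode($patientid)` inside the `attr_js()`'d URL is the right context-specific escaping and is worth a one-line comment so it is not "normalised" back. The enclosing function starts before and ends after this hunk.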
