Clean up and secure patient history module and past encounters-docs l…

…isting module and related functions-scripts (remove fake globals, run global undomagicquotes, integrate binding into sql queries to prevent sql-injection and integrate htmlspecialchars to prevent xss attacks). Also removed encounters_full.php script, which is deprecated, not used, and not working.

interface/main/left_nav.php

@@ -40,7 +40,6 @@
  // * interface/patient_file/history/history_full.php: target changes.
  // * interface/patient_file/history/history_save.php: target change.
  // * interface/patient_file/history/encounters.php: link/target changes.
- // * interface/patient_file/history/encounters_full.php: link/target changes.
  // * interface/patient_file/encounter/encounter_top.php: another new frameset
  //   cloned from patient_encounter.php.
  // * interface/patient_file/encounter/forms.php: link target removal.

interface/patient_file/history/edit_billnote.php

@@ -6,6 +6,14 @@
  // as published by the Free Software Foundation; either version 2
  // of the License, or (at your option) any later version.
 
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
  include_once("../../globals.php");
  include_once("$srcdir/log.inc");
  include_once("$srcdir/acl.inc");
@@ -15,7 +23,7 @@
  $info_msg = "";
 
  $thisauth = (acl_check('acct', 'bill') == 'write');
- if (! $thisauth) die(xl('Not authorized'));
+ if (! $thisauth) die(htmlspecialchars(xl('Not authorized'),ENT_NOQUOTES));
 ?>
 <html>
 <head>
@@ -30,16 +38,18 @@
 <body>
 <?php
 if ($_POST['form_submit'] || $_POST['form_cancel']) {
-  $fenote = trim($_POST['form_note']); // TBD: might need addslashes
+  $fenote = trim($_POST['form_note']);
   if ($_POST['form_submit']) {
     sqlStatement("UPDATE form_encounter " .
-      "SET billing_note = '$fenote' WHERE id = '$feid'");
+      "SET billing_note = ? WHERE id = ?", array($fenote,$feid) );
   }
   else {
     $tmp = sqlQuery("SELECT billing_note FROM form_encounter " .
-      " WHERE id = '$feid'");
-    $fenote = addslashes($tmp['billing_note']);
+      " WHERE id = ?", array($feid) );
+    $fenote = $tmp['billing_note'];
   }
+  // escape and format note for viewing
+  $fenote = htmlspecialchars($fenote,ENT_QUOTES);
   $fenote = str_replace("\r\n", "<br />", $fenote);
   $fenote = str_replace("\n"  , "<br />", $fenote);
   if (! $fenote) $fenote = '['. xl('Add') . ']';
@@ -50,18 +60,18 @@
 }
 
 $tmp = sqlQuery("SELECT billing_note FROM form_encounter " .
-  " WHERE id = '$feid'");
+  " WHERE id = ?", array($feid) );
 $fenote = $tmp['billing_note'];
 ?>
 
-<form method='post' action='edit_billnote.php?feid=<?php echo $feid ?>'>
+<form method='post' action='edit_billnote.php?feid=<?php echo htmlspecialchars($feid,ENT_QUOTES); ?>'>
 
 <center>
-<textarea name='form_note' style='width:100%'><?php echo $fenote ?></textarea>
+<textarea name='form_note' style='width:100%'><?php echo htmlspecialchars($fenote,ENT_NOQUOTES); ?></textarea>
 <p>
-<input type='submit' name='form_submit' value=<?php xl('Save','e','\'','\''); ?> />
+<input type='submit' name='form_submit' value='<?php echo htmlspecialchars( xl('Save'), ENT_QUOTES); ?>' />
 &nbsp;&nbsp;
-<input type='submit' name='form_cancel' value=<?php xl('Cancel','e','\'','\''); ?> />
+<input type='submit' name='form_cancel' value='<?php echo htmlspecialchars( xl('Cancel'), ENT_QUOTES); ?>' />
 </center>
 </form>
 </body>

interface/patient_file/history/history.php

@@ -1,4 +1,13 @@
 <?php
+
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
  require_once("../../globals.php");
  require_once("$srcdir/patient.inc");
  require_once("history.inc.php");
@@ -32,7 +41,7 @@
    $thisauth = 0;
  }
  if (!$thisauth) {
-  echo "<p>(History not authorized)</p>\n";
+  echo "<p>(".htmlspecialchars(xl('History not authorized'),ENT_NOQUOTES).")</p>\n";
   echo "</body>\n</html>\n";
   exit();
  }
@@ -46,19 +55,19 @@
 
 <?php if ($thisauth == 'write' || $thisauth == 'addonly') { ?>
 <div>
-    <span class="title"><?php xl('Patient History / Lifestyle','e'); ?></span>
+    <span class="title"><?php echo htmlspecialchars(xl('Patient History / Lifestyle'),ENT_NOQUOTES); ?></span>
 </div>
 <div style='float:left;margin-right:10px'>
-<?php echo xl('for', 'e');?>&nbsp;<span class="title"><a href="../summary/demographics.php" onclick="top.restoreSession()"><?php echo htmlspecialchars( getPatientName($pid) ) ?></a></span>
+<?php echo htmlspecialchars(xl('for'),ENT_NOQUOTES);?>&nbsp;<span class="title"><a href="../summary/demographics.php" onclick="top.restoreSession()"><?php echo htmlspecialchars(getPatientName($pid),ENT_NOQUOTES) ?></a></span>
 </div>
 <div>
     <a href="history_full.php" <?php if (!$GLOBALS['concurrent_layout']) echo "target='Main'"; ?>
      class="css_button"
      onclick="top.restoreSession()">
-    <span><?php echo xl("Edit");?></span>
+    <span><?php echo htmlspecialchars(xl("Edit"),ENT_NOQUOTES);?></span>
     </a>
     <a href="../summary/demographics.php" <?php if (!$GLOBALS['concurrent_layout']) echo "target='Main'"; ?> class="css_button" onclick="top.restoreSession()">
-        <span><?php echo xl('Back To Patient','e');?></span>
+        <span><?php echo htmlspecialchars(xl('Back To Patient'),ENT_NOQUOTES);?></span>
     </a>
 </div>
 <br/>

interface/patient_file/history/history_full.php

@@ -1,4 +1,13 @@
 <?php
+
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 require_once("../../globals.php");
 require_once("$srcdir/patient.inc");
 require_once("history.inc.php");
@@ -15,7 +24,7 @@
    $thisauth = 0;
 }
 if ($thisauth != 'write' && $thisauth != 'addonly')
-  die("Not authorized.");
+  die(htmlspecialchars(xl("Not authorized"),ENT_NOQUOTES));
 ?>
 <html>
 <head>
@@ -115,17 +124,17 @@ function submit_history() {
     <input type='hidden' name='mode' value='save'>
 
     <div>
-        <span class="title"><?php xl('Patient History / Lifestyle','e'); ?></span>
+        <span class="title"><?php echo htmlspecialchars(xl('Patient History / Lifestyle'),ENT_NOQUOTES); ?></span>
     </div>
     <div style='float:left;margin-right:10px'>
-  <?php echo xl('for', 'e');?>&nbsp;<span class="title"><a href="../summary/demographics.php"><?php echo htmlspecialchars( getPatientName($pid) ) ?></a></span>
+  <?php echo htmlspecialchars(xl('for'),ENT_NOQUOTES);?>&nbsp;<span class="title"><a href="../summary/demographics.php"><?php echo htmlspecialchars(getPatientName($pid),ENT_NOQUOTES); ?></a></span>
     </div>
     <div>
         <a href="" class="css_button" <?php if (!$GLOBALS['concurrent_layout']) echo "target='Main'"; ?> onclick="top.restoreSession(); submit_history();" >
-            <span><?php echo xl('Save','e');?></span>
+            <span><?php echo htmlspecialchars(xl('Save'),ENT_NOQUOTES); ?></span>
         </a>
         <a href="history.php" <?php if (!$GLOBALS['concurrent_layout']) echo "target='Main'"; ?> class="css_button" onclick="top.restoreSession()">
-            <span><?php echo xl('Back To View','e');?></span>
+            <span><?php echo htmlspecialchars(xl('Back To View'),ENT_NOQUOTES); ?></span>
         </a>
     </div>