security fixes (#1519)
bradymiller committed Mar 22, 2018
1 parent efe3492 commit 699e3c2
Showing 14 changed files with 243 additions and 213 deletions.
16 changes: 11 additions & 5 deletions interface/billing/get_claim_file.php
@@ -1,8 +1,14 @@
<?php
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License
// as published by the Free Software Foundation; either version 2
// of the License, or (at your option) any later version.
/**
* get_claim_file.php
*
* @package OpenEMR
* @link http://www.open-emr.org
* @author Brady Miller <brady.g.miller@gmail.com>
* @copyright Copyright (c) 2018 Brady Miller <brady.g.miller@gmail.com>
* @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
*/


require_once(dirname(__FILE__) . "/../globals.php");
require_once $GLOBALS['OE_SITE_DIR'] . "/config.php";
Expand All @@ -22,7 +28,7 @@
$fname = $claim_file_dir . $fname;

if (!file_exists($fname)) {
echo xl("The claim file: ") . $_GET['key'] . xl(" could not be accessed.");
echo xl("The claim file: ") . text($_GET['key']) . xl(" could not be accessed.");
} else {
$fp = fopen($fname, 'r');

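Review bot: Wrapping `$_GET['key']` in `text()` on the error line fixes the reflected output, but the property that matters most for this file is that `$fname`, assembled on the first line of the hunk as `$fname = $claim_file_dir . $fname;`, stays inside `$claim_file_dir`; the lines that derive `$fname` from the request are above the hunk and cannot be seen here. If `$fname` is not already reduced to a bare file name before this point, confine it ahead of the `file_exists()` check, e.g. `$fname = $claim_file_dir . basename($fname);`, and treat a value that is altered by that reduction as an error rather than as a missing file. The `fopen()` result on the last hunk line is also not checked before use; the `else` branch continues past the hunk.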
56 changes: 30 additions & 26 deletions interface/billing/sl_eob_process.php
@@ -1,15 +1,19 @@
<?php
// Copyright (C) 2006-2010 Rod Roark <rod@sunsetsystems.com>
//
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License
// as published by the Free Software Foundation; either version 2
// of the License, or (at your option) any later version.

// This processes X12 835 remittances and produces a report.

// Buffer all output so we can archive it to a file.
ob_start();
/**
* This processes X12 835 remittances and produces a report.
*
* @package OpenEMR
* @link http://www.open-emr.org
* @author Rod Roark <rod@sunsetsystems.com>
* @author Brady Miller <brady.g.miller@gmail.com>
* @copyright Copyright (c) 2006-2010 Rod Roark <rod@sunsetsystems.com>
* @copyright Copyright (c) 2018 Brady Miller <brady.g.miller@gmail.com>
* @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
*/


// Buffer all output so we can archive it to a file.
ob_start();

require_once("../globals.php");
require_once("$srcdir/invoice_summary.inc.php");
Expand All @@ -20,15 +24,15 @@
require_once("remark_codes.php");
require_once("$srcdir/billing.inc");

$debug = $_GET['debug'] ? 1 : 0; // set to 1 for debugging mode
$paydate = parse_date($_GET['paydate']);
$encount = 0;
$debug = $_GET['debug'] ? 1 : 0; // set to 1 for debugging mode
$paydate = parse_date($_GET['paydate']);
$encount = 0;

$last_ptname = '';
$last_invnumber = '';
$last_code = '';
$invoice_total = 0.00;
$InsertionId;//last inserted ID of
$last_ptname = '';
$last_invnumber = '';
$last_code = '';
$invoice_total = 0.00;
$InsertionId;//last inserted ID of

///////////////////////// Assorted Functions /////////////////////////

Expand Down Expand Up @@ -640,7 +644,7 @@ function era_callback(&$out)
$fnreport = "$nameprefix$namesuffix.html";
$fhreport = fopen($fnreport, 'w');
if (!$fhreport) {
die(xl("Cannot create") . " '$fnreport'");
die(xl("Cannot create") . " '" . text($fnreport) . "'");
}
}

Expand Down Expand Up @@ -738,12 +742,12 @@ function era_callback(&$out)
}
?>
</script>
<input type="hidden" name="paydate" value="<?php echo DateToYYYYMMDD($_REQUEST['paydate']);?>" />
<input type="hidden" name="post_to_date" value="<?php echo DateToYYYYMMDD($_REQUEST['post_to_date']);?>" />
<input type="hidden" name="deposit_date" value="<?php echo DateToYYYYMMDD($_REQUEST['deposit_date']);?>" />
<input type="hidden" name="debug" value="<?php echo $_REQUEST['debug'];?>" />
<input type="hidden" name="InsId" value="<?php echo $_REQUEST['InsId'];?>" />
<input type="hidden" name="eraname" value="<?php echo $eraname?>" />
<input type="hidden" name="paydate" value="<?php echo attr(DateToYYYYMMDD($_REQUEST['paydate'])); ?>" />
<input type="hidden" name="post_to_date" value="<?php echo attr(DateToYYYYMMDD($_REQUEST['post_to_date'])); ?>" />
<input type="hidden" name="deposit_date" value="<?php echo attr(DateToYYYYMMDD($_REQUEST['deposit_date'])); ?>" />
<input type="hidden" name="debug" value="<?php echo attr($_REQUEST['debug']); ?>" />
<input type="hidden" name="InsId" value="<?php echo attr($_REQUEST['InsId']); ?>" />
<input type="hidden" name="eraname" value="<?php echo attr($eraname); ?>" />
</form>
</body>
</html>
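Review bot: `$debug = $_GET['debug'] ? 1 : 0;` in the second hunk reads the key without an `isset()` guard, so every ordinary request that carries no `debug` parameter raises an undefined-index notice; `$debug = !empty($_GET['debug']) ? 1 : 0;` keeps the same truthiness result without the notice, and `$_GET['paydate']` on the next line has the same issue. Since this line switches the page into debugging mode from a request parameter, it is worth confirming what that mode prints; if it exposes internal state, gating it on an administrative setting rather than the query string would be the safer shape, though that cannot be judged from the hunk. The statement `$InsertionId;//last inserted ID of` further down is a no-op expression with a comment cut off mid-sentence; either remove it or make it an explicit initialisation, `$InsertionId = null;`, with the comment completed. The hidden-input hunk's switch to `attr()` is the right helper for attribute context; the enclosing form starts before that hunk.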
51 changes: 22 additions & 29 deletions interface/billing/sl_eob_search.php
Expand Up @@ -2,28 +2,21 @@
/**
* This the first of two pages to support posting of EOBs.
* The second is sl_eob_invoice.php.
* Windows compatibility and statement downloading:
* 2009 Bill Cernansky and Tony McCormick [mi-squared.com]
*
* Copyright (C) 2005-2010 Rod Roark <rod@sunsetsystems.com>
*
* LICENSE: This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
*
* @package OpenEMR
* @author Rod Roark <rod@sunsetsystems.com>
* @author Roberto Vasquez <robertogagliotta@gmail.com>
* @author Jerry Padgett <sjpadgett@gmail.com>
* @link http://www.open-emr.org
* @package OpenEMR
* @link http://www.open-emr.org
* @author Rod Roark <rod@sunsetsystems.com>
* @author Bill Cernansky
* @author Tony McCormick
* @author Roberto Vasquez <robertogagliotta@gmail.com>
* @author Jerry Padgett <sjpadgett@gmail.com>
* @author Brady Miller <brady.g.miller@gmail.com>
* @copyright Copyright (c) 2005-2010 Rod Roark <rod@sunsetsystems.com>
* @copyright Copyright (c) 2018 Brady Miller <brady.g.miller@gmail.com>
* @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
*/


require_once("../globals.php");
require_once("$srcdir/patient.inc");
require_once("$srcdir/invoice_summary.inc.php");
Expand Down Expand Up @@ -642,14 +635,14 @@ function npopup(pid) {
<?php xl('Source:', 'e'); ?>
</td>
<td>
<input type='text' name='form_source' size='10' value='<?php echo $_POST['form_source']; ?>'
<input type='text' name='form_source' size='10' value='<?php echo attr($_POST['form_source']); ?>'
title='<?php xl("A check number or claim number to identify the payment", "e"); ?>'>
</td>
<td>
<?php xl('Pay Date:', 'e'); ?>
</td>
<td>
<input type='text' name='form_paydate' size='10' value='<?php echo $_POST['form_paydate']; ?>'
<input type='text' name='form_paydate' size='10' value='<?php echo attr($_POST['form_paydate']); ?>'
onkeyup='datekeyup(this,mypcc)' onblur='dateblur(this,mypcc)'
title='<?php xl("Date of payment yyyy-mm-dd", "e"); ?>'>
</td>
Expand All @@ -658,7 +651,7 @@ function npopup(pid) {
<?php xl('Deposit Date:', 'e'); ?>
</td>
<td>
<input type='text' name='form_deposit_date' size='10' value='<?php echo $_POST['form_deposit_date']; ?>'
<input type='text' name='form_deposit_date' size='10' value='<?php echo attr($_POST['form_deposit_date']); ?>'
onkeyup='datekeyup(this,mypcc)' onblur='dateblur(this,mypcc)'
title='<?php xl("Date of bank deposit yyyy-mm-dd", "e"); ?>'>
</td>
Expand All @@ -667,7 +660,7 @@ function npopup(pid) {
<?php xl('Amount:', 'e'); ?>
</td>
<td>
<input type='text' name='form_amount' size='10' value='<?php echo $_POST['form_amount']; ?>'
<input type='text' name='form_amount' size='10' value='<?php echo attr($_POST['form_amount']); ?>'
title='<?php xl("Paid amount that you will allocate", "e"); ?>'>
</td>
<td align='right'>
Expand All @@ -684,35 +677,35 @@ function npopup(pid) {
<?php xl('Name:', 'e'); ?>
</td>
<td>
<input type='text' name='form_name' size='10' value='<?php echo $_POST['form_name']; ?>'
<input type='text' name='form_name' size='10' value='<?php echo attr($_POST['form_name']); ?>'
title='<?php xl("Any part of the patient name, or \"last,first\", or \"X-Y\"", "e"); ?>'>
</td>
<td>
<?php xl('Chart ID:', 'e'); ?>
</td>
<td>
<input type='text' name='form_pid' size='10' value='<?php echo $_POST['form_pid']; ?>'
<input type='text' name='form_pid' size='10' value='<?php echo attr($_POST['form_pid']); ?>'
title='<?php xl("Patient chart ID", "e"); ?>'>
</td>
<td>
<?php xl('Encounter:', 'e'); ?>
</td>
<td>
<input type='text' name='form_encounter' size='10' value='<?php echo $_POST['form_encounter']; ?>'
<input type='text' name='form_encounter' size='10' value='<?php echo attr($_POST['form_encounter']); ?>'
title='<?php xl("Encounter number", "e"); ?>'>
</td>
<td>
<?php xl('Svc Date:', 'e'); ?>
</td>
<td>
<input type='text' name='form_date' size='10' value='<?php echo $_POST['form_date']; ?>'
<input type='text' name='form_date' size='10' value='<?php echo attr($_POST['form_date']); ?>'
title='<?php xl("Date of service mm/dd/yyyy", "e"); ?>'>
</td>
<td>
<?php xl('To:', 'e'); ?>
</td>
<td>
<input type='text' name='form_to_date' size='10' value='<?php echo $_POST['form_to_date']; ?>'
<input type='text' name='form_to_date' size='10' value='<?php echo attr($_POST['form_to_date']); ?>'
title='<?php xl("Ending DOS mm/dd/yyyy if you wish to enter a range", "e"); ?>'>
</td>
<td>
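Review bot: The `value='...'` attributes now go through `attr()`, but the `title='<?php xl("...", "e"); ?>'` attributes on the line after each changed input still echo the translated string raw inside a single-quoted attribute, so a translation containing an apostrophe breaks the markup and ends the attribute early. Translations are administrator-controlled data, so the exposure is limited, but the project's attribute-escaping translation helper (`xla()`, if it exists at this revision) is the matching fix, e.g. `title='<?php echo xla("A check number or claim number to identify the payment"); ?>'`. Separately, `$_POST['form_source']` and the other `$_POST` reads in these hunks raise undefined-index notices on the first GET of the page, before anything has been posted; guard them with `isset()` or read them into variables before the form is rendered. The first hunk changes only the docblock, and the surrounding form markup begins before the second hunk.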
70 changes: 33 additions & 37 deletions interface/de_identification_forms/find_code_popup.php
@@ -1,21 +1,17 @@
<?php
/********************************************************************************\
* Copyright (C) ViCarePlus, Visolve (vicareplus_engg@visolve.com) *
* *
* This program is free software; you can redistribute it and/or *
* modify it under the terms of the GNU General Public License *
* as published by the Free Software Foundation; either version 2 *
* of the License, or (at your option) any later version. *
* *
* This program is distributed in the hope that it will be useful, *
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
* GNU General Public License for more details. *
* *
* You should have received a copy of the GNU General Public License *
* along with this program; if not, write to the Free Software *
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
\********************************************************************************/
/**
* find_code_popup.php
*
* @package OpenEMR
* @link http://www.open-emr.org
* @author Visolve <vicareplus_engg@visolve.com>
* @author Brady Miller <brady.g.miller@gmail.com>
* @copyright Copyright (c) ViCarePlus, Visolve <vicareplus_engg@visolve.com>
* @copyright Copyright (c) 2018 Brady Miller <brady.g.miller@gmail.com>
* @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
*/


require_once("../globals.php");
require_once("$srcdir/patient.inc");
require_once("../../custom/code_types.inc.php");
Expand All @@ -37,14 +33,14 @@
<script language="JavaScript">
//pass value selected to the parent window
function window_submit(chk)
{
{
var str;
var len=chk.length;
if (len==undefined && chk.checked==1)
if (len==undefined && chk.checked==1)
{
if(!str)
str = chk.value;
else
else
str = "#"+chk.value;
}
else
Expand All @@ -55,7 +51,7 @@ function window_submit(chk)
{
if(!str)
str = chk[pr].value;
else
else
str = str+"#"+chk[pr].value;
}
}
Expand All @@ -66,16 +62,16 @@ function window_submit(chk)
alert("<?php echo xl('The destination form was closed');?>");
else
opener.set_related(str,"diagnosis");

window.close();

}

function window_close(chk)
{
window.close();
}

function chkbox_select_none(chk)
{
var len=chk.length;
Expand Down Expand Up @@ -111,7 +107,7 @@ function check_search_str()
return false;
}
top.restoreSession();
return true;
return true;
}

</script>
Expand All @@ -130,7 +126,7 @@ function check_search_str()
<b>
<?php
if ($codetype) {
echo "<input type='text' name='form_code_type' value='$codetype' size='5' readonly>\n";
echo "<input type='text' name='form_code_type' value='" . attr($codetype) . "' size='5' readonly>\n";
} else {
echo " <select name='form_code_type'";
echo ">\n";
Expand All @@ -153,10 +149,10 @@ function check_search_str()
}
?>
<?php xl('Search for', 'e'); ?>
<input type='text' name='search_term' id='search_term' size='12' value='<?php echo $_REQUEST['search_term']; ?>'
<input type='text' name='search_term' id='search_term' size='12' value='<?php echo attr($_REQUEST['search_term']); ?>'
title='<?php xl('Any part of the desired code or its description', 'e'); ?>' />
&nbsp;
<input type='submit' name='bn_search' id='bn_search' value='<?php xl('Search', 'e'); ?>' />
&nbsp;
<input type='submit' name='bn_search' id='bn_search' value='<?php xl('Search', 'e'); ?>' />
</b>
</td>
</tr>
Expand Down Expand Up @@ -187,7 +183,7 @@ function check_search_str()
$drug_id = addslashes($row['drug_id']);
$selector = addslashes($row['selector']);
$desc = addslashes($row['name']);
?>
?>
<input type="checkbox" name="diagnosis[row_count]" value= "<?php echo $desc; ?>" > <?php echo $drug_id." ".$selector." ".$desc."</br>";
}
} else {
Expand All @@ -205,7 +201,7 @@ function check_search_str()
echo xl('Please enter new search string');?>");
document.theform.search_term.value=" ";
document.theform.search_term.focus();
</script>
</script>
<?php
}

Expand All @@ -232,14 +228,14 @@ function check_search_str()
<center>
</br>
<input type='button' id='select_all' value='<?php xl('Select All', 'e'); ?>' onclick="chkbox_select_all(document.select_diagonsis.chkbox);"/>

<input type='button' id='unselect_all' value='<?php xl('Unselect All', 'e'); ?>' onclick="chkbox_select_none(document.select_diagonsis.chkbox);"/>

<input type='button' id='submit' value='<?php xl('Submit', 'e'); ?>' onclick="window_submit(document.select_diagonsis.chkbox);"/>

<input type='button' id='cancel' value='<?php xl('Cancel', 'e'); ?>' onclick="window_close();"/>
</center>

</center>
<?php } ?>
</form>
</body>
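Review bot: In the hunk that begins `$drug_id = addslashes($row['drug_id']);`, the row values are run through `addslashes()` and then echoed into an attribute (`value= "<?php echo $desc; ?>"`) and into the page body with no `attr()`/`text()`; `addslashes()` is a quoting step for string literals, not HTML escaping, so markup characters in a drug name or selector from the database reach the browser unescaped, and the backslashes it inserts are displayed to the user. This commit adds `attr()` for `$codetype` and `search_term` elsewhere in the same file, so the same helpers belong here. The literal `name="diagnosis[row_count]"` also looks like an unexpanded counter, giving every checkbox the same name; I cannot tell from the hunk whether that is intended. The enclosing `if`/loop opens before the hunk.
```php
// … unchanged: loop over result rows …
$drug_id = $row['drug_id'];
$selector = $row['selector'];
$desc = $row['name'];
?>
<input type="checkbox" name="diagnosis[row_count]" value="<?php echo attr($desc); ?>" > <?php echo text($drug_id . " " . $selector . " " . $desc) . "</br>";
```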
