New dictation modernazation #818
Conversation
Here is the reintroduction of the drag n drop file uploader. Added the Global to turn it on if not is stays hidden.
# Conflicts: # templates/documents/general_upload.html
…ging the front face and adding the WYSIWYG editor to the text box
interface/documents/upload.php
Outdated
| /** | ||
| * Drag and Drop file uploader. | ||
| * | ||
| * Copyright (C) 2017 Sherwin Gaddis sherwingaddis@gmail.com |
There was a problem hiding this comment.
We are trying to standardize our docblocks. Examples here http://www.open-emr.org/wiki/index.php/How_to_Document_Your_Code_Properly#Examples_for_OpenEMR
interface/documents/upload.php
Outdated
| $category_id = filter_input(INPUT_GET, 'parent_id'); | ||
|
|
||
|
|
||
| $sanitize_all_escapes=true; |
There was a problem hiding this comment.
This functionality has been removed, remove 25, 26
interface/documents/upload.php
Outdated
| $fake_register_globals=false; | ||
|
|
||
| require_once("../globals.php"); | ||
| require_once(dirname(__FILE__) . "/../../library/documents.php"); |
There was a problem hiding this comment.
I think '$GLOBALS["srcdir"]' would point to the library folder
There was a problem hiding this comment.
Actually $scrdir will do the job.
interface/documents/upload.php
Outdated
|
|
||
| } | ||
|
|
||
| ?> |
interface/forms/dictation/new.php
Outdated
| @@ -1,29 +1,56 @@ | |||
| <!-- Form generated from formsWiz --> | |||
| <?php | |||
| /** Copyright (C) 2016 Sherwin Gaddis <sherwingaddis@gmail.com> | |||
There was a problem hiding this comment.
See above comment about docblocks
interface/forms/dictation/new.php
Outdated
| </head> | ||
| <body class="body_top"> | ||
| <h1><?php echo xlt('Speech Dictation'); ?></h1><br><br> |
There was a problem hiding this comment.
Wrap this in a div with the class page-header
interface/forms/dictation/new.php
Outdated
| </head> | ||
| <body class="body_top"> | ||
| <h1><?php echo xlt('Speech Dictation'); ?></h1><br><br> | ||
|
|
||
| <div class="container"> |
There was a problem hiding this comment.
Container should be up by the body, we want most everything contained
interface/forms/dictation/new.php
Outdated
| <label class="text"><?php echo xlt('Additional Notes:'); ?> </label><br><textarea class="form-control ckeditor" cols=80 rows=8 wrap="virtual" name="additional_notes" ></textarea> | ||
| </div> | ||
|
|
||
| <a href="javascript:top.restoreSession();document.my_form.submit();" class="link_submit"><button><?php echo xlt('Save'); ?></button></a> |
There was a problem hiding this comment.
Remove the a tag, setup the button with a type=submit and the following classes: btn btn-default btn-save
interface/forms/dictation/new.php
Outdated
| <a href="<?php echo "$rootdir/patient_file/encounter/$returnurl";?>" class="link" | ||
| onclick="top.restoreSession()">[<?php echo xlt('Don\'t Save'); ?>]</a> | ||
| onclick="top.restoreSession()"><button><?php echo xlt('Don\'t Save'); ?></button></a> |
There was a problem hiding this comment.
This will seem odd, but there's reasons. This element will take the user away from the page so it should be an tag, but there is no need for a button inside. Add the btn btn-cancel and btn-link classes to the anchor. This will make it look like a button while maintaining the proper functionality. Also, I'd stick with "Cancel" as the text, that seems to be the paradigm throughout the rest of the program
interface/forms/dictation/new.php
Outdated
| </head> | ||
| <body class="body_top"> | ||
| <h1><?php echo xlt('Speech Dictation'); ?></h1><br><br> | ||
|
|
||
| <div class="container"> | ||
| <form method=post action="<?php echo $rootdir;?>/forms/dictation/save.php?mode=new" name="my_form"> |
There was a problem hiding this comment.
Take a look at the examples on http://getbootstrap.com/css/#forms for how to layout a form.
|
As a note, buttons in bootstrap get their styling via the btn class, not via the button element. it's common to use btn classes on anchor tags, especially cancel links. |
|
delete the 2 unrelated files to make this PR more clear. |
interface/forms/dictation/new.php
Outdated
| <?php Header::setupHeader(); ?> | ||
| <script type="text/javascript" src="<?php echo $webroot."/library/custom_template/ckeditor/ckeditor.js" ?>"</script> | ||
| <script src="<?php echo $webroot."/library/custom_template/ckeditor/_samples/sample.js" ?>" type="text/javascript"></script> | ||
| <link href="<?php echo $webroot."/library/custom_template/ckeditor/_samples.css"; ?>" rel="stylesheet" type="text/css" /> |
There was a problem hiding this comment.
Do these things drastically change form? And also, will the form still be backward compatible?
There was a problem hiding this comment.
To my limited knowledge, the ckeditor wraps around the text area like styling. I will test to make sure but it does not change the property of the text area.
There was a problem hiding this comment.
Which two unrelated files
There was a problem hiding this comment.
2 unrelated files are:
interface/documents/upload.php
templates/documents/general_upload.html (revert this to file in master by just copying it over)
interface/forms/dictation/report.php
Outdated
| print "<td><span class=bold>" . xlt($key) . ": </span><span class=text>" . | ||
| nl2br(text($value)) . "</span></td>"; | ||
| print "<td><span class='bold'>" . xlt($key) . ": </span><span class='text'>" . | ||
| nl2br($value) . "</span></td>"; |
There was a problem hiding this comment.
removing the text() call is an issue here since it opens the door to cross scripting attacks.
There was a problem hiding this comment.
But leaving it there causes the output to show the html characters. I have changed the order and it still outputs the line breaks to the screen. After doing some research I found html_entity_decode() works. And should prevent XSS attacks.
interface/forms/dictation/report.php
Outdated
| print "<td><span class=bold>" . xlt($key) . ": </span><span class=text>" . | ||
| nl2br(text($value)) . "</span></td>"; | ||
| print "<td><span class='bold'>" . xlt($key) . ": </span><span class='text'>" . | ||
| html_entity_decode($value, ENT_QUOTES | ENT_HTML5) . "</span></td>"; |
There was a problem hiding this comment.
html_entity_decode won't protect from cross scripting attacks.
Can't have raw html (which then allows raw javascript) in fields like this. This could be a potential fatal flaw of ckeditor if that is what requires bypassing html escaping.
There was a problem hiding this comment.
I was doing some reading and it is not the job of the editor but the server side store process. So, reading that, I changed the way the data is stored. I put the input filters in place and then converted any HTML into entities and that is stored in the tables. Now we should be safe from XSS attacks.
There was a problem hiding this comment.
This still doesn't sound like it will protect from xss. Let me look into this a bit.
…erver side (read an article). So, updated the save function. Now, the system stores html entities. No html in the database table now.
…urity and recall handling.
|
|
|
@juggernautsei ,
I am guessing that ckeditor has a some basic code built in to escape obvious things like <script> tags. Would test it on the prior code without all the above escaping stuff. |
|
I put the report file back to the way it was with the text($value) and the save.php is back to the original. Below is what shows in the patient chart. And it is what is in the database table.
|
|
@juggernautsei , |
|
@juggernautsei , |
|
We still have a problem. When I remove the text the cross-scripting works. And it does not show on the screen so it is not stopping or rendering harmless the XSS injection. SOLUTION |
|
The htmlpurifier looks promising. I can bring that in via composer (so it's then autoloaded); just let me know and I'll bring it into the codebase. -brady |
|
Another place we can also use this is in pnotes. |
|
Yes, pull the HTML purifier into the code base. It has a symphony plugin. |
|
Hi @juggernautsei , I just added both packages to the codebase(check out the most recent 2 commit in the main codebase). Note I installed the standard-all package for ckeditor (if needed, can install one of the other packages such as full, if needed in the future). -brady |
interface/forms/dictation/view.php
Outdated
| @@ -12,6 +12,8 @@ | |||
|
|
|||
| use OpenEMR\Core\Header; | |||
| include_once("../../globals.php"); | |||
| require_once("../../../public/assets/htmlpurifier-4.9.2/library/HTMLPurifier.auto.php"); | |||
There was a problem hiding this comment.
Did this come in via bower or composer?
There was a problem hiding this comment.
This was brought in via composer in the current codebase
There was a problem hiding this comment.
So the ../../../public should be replaced with which global? I looked for it and couldn't find it or remember what it is.
There was a problem hiding this comment.
Since it's autoloaded, no include/require is needed. The class is magically available in all scripts. However, will need to rebase your code on the most current codebase (in order to bring this code in). Also should delete entire public/assets/htmlpurifier-4.9.2 directory from your branch.
There was a problem hiding this comment.
Will likely need a usestatement
There was a problem hiding this comment.
The use statement was not needed as @bradymiller suggested. It works without the use statement. I will post in a moment.
There was a problem hiding this comment.
It shouldn't work without that line. It needs to be added
There was a problem hiding this comment.
Now I am not sure which line you are referring. If you are referring to this line:
require_once("/public/assets/htmlpurifier-4.9.2/library/HTMLPurifier.auto.php");
I am pretty sure it works without it because without that line the page loads. Please correct me if I am wrong but if the page makes a call to a class that it can't find that page should throw an error and not load, right? Everything is working fine without that line.
You can try it out at http://omp.openmedpractice.com/rolebase log in admin pass.
interface/forms/dictation/view.php
Outdated
| $obj = formFetch("form_dictation", $id); | ||
| ?> | ||
| <form method=post action="<?php echo $rootdir?>/forms/dictation/save.php?mode=update&id=<?php echo attr($id);?>" name="my_form"> | ||
| <div class="page-header"> | ||
| <h1><?php echo xlt('Speech Dictation Review/Edit'); ?></h1> | ||
| </div> | ||
| <div class="form-group"> | ||
| <label for="dictation"><?php echo xlt('Dictation: '); ?></label><br><textarea class="form-control ckeditor" cols=80 rows=24 wrap="virtual" name="dictation" ><?php echo html_entity_decode(text($obj{"dictation"}));?></textarea> | ||
| <label for="dictation"><?php echo xlt('Dictation: '); ?></label><br><textarea class="form-control ckeditor" cols=80 rows=24 wrap="virtual" name="dictation" ><?php |
There was a problem hiding this comment.
Suggest breaking this super long line up. Textarea with "form-control" shouldn't have the colts attribute, CSS takes care of that
interface/forms/dictation/view.php
Outdated
| </div> | ||
| <div class="form-group"> | ||
| <label for="additional_notes"><?php echo xlt('Additional Notes: '); ?></span><br><textarea class="form-control ckeditor"cols=80 rows=8 wrap="virtual" name="additional_notes" ><?php echo html_entity_decode(text($obj{"additional_notes"}));?></textarea> | ||
| <label for="additional_notes"><?php echo xlt('Additional Notes: '); ?></span><br><textarea class="form-control ckeditor"cols=80 rows=8 wrap="virtual" name="additional_notes" ><?php |
interface/forms/dictation/report.php
Outdated
| @@ -14,9 +14,6 @@ | |||
| include_once($GLOBALS["srcdir"]."/api.inc"); | |||
| require_once("../../../public/assets/htmlpurifier-4.9.2/library/HTMLPurifier.auto.php"); | |||
interface/documents/upload.php
Outdated
| @@ -0,0 +1,46 @@ | |||
| <?php | |||
interface/forms/dictation/new.php
Outdated
| <?php Header::setupHeader(); ?> | ||
| <script type="text/javascript" src="<?php echo $webroot."/library/custom_template/ckeditor/ckeditor.js" ?>"</script> | ||
| <script src="<?php echo $webroot."/library/custom_template/ckeditor/_samples/sample.js" ?>" type="text/javascript"></script> | ||
| <link href="<?php echo $webroot."/library/custom_template/ckeditor/_samples.css"; ?>" rel="stylesheet" type="text/css" /> |
There was a problem hiding this comment.
after you rebase your code to the most recent codebase, then you will use the ckeditor that is in public/assets/
interface/forms/dictation/report.php
Outdated
| include_once(dirname(__FILE__).'/../../globals.php'); | ||
| include_once($GLOBALS["srcdir"]."/api.inc"); | ||
| require_once("../../../public/assets/htmlpurifier-4.9.2/library/HTMLPurifier.auto.php"); |
There was a problem hiding this comment.
After you rebase code to most recent codebase, then you can remove the above line.
interface/forms/dictation/view.php
Outdated
| include_once("../../globals.php"); | ||
| require_once("../../../public/assets/htmlpurifier-4.9.2/library/HTMLPurifier.auto.php"); |
There was a problem hiding this comment.
After you rebase code to most recent codebase, then you can remove the above line.
interface/forms/dictation/view.php
Outdated
| <?php Header::setupHeader(); ?> | ||
| <script type="text/javascript" src="<?php echo $webroot."/library/custom_template/ckeditor/ckeditor.js" ?>"</script> | ||
| <script src="<?php echo $webroot."/library/custom_template/ckeditor/_samples/sample.js" ?>" type="text/javascript"></script> | ||
| <link href="<?php echo $webroot."/library/custom_template/ckeditor/_samples.css"; ?>" rel="stylesheet" type="text/css" /> |
There was a problem hiding this comment.
After you rebase code to most recent codebase, then you can use the ckeditor in public/assets/
interface/forms/dictation/new.php
Outdated
| <link rel="stylesheet" href="<?php echo $css_header;?>" type="text/css"> | ||
| <html> | ||
| <head> | ||
| <title>Dictation</title> |
There was a problem hiding this comment.
translate:
<title><?php echo xlt('Dictation'); ?></title>
interface/forms/dictation/new.php
Outdated
| <?php Header::setupHeader(); ?> | ||
| <script type="text/javascript" src="<?php echo $webroot."/public/assets/ckeditor-4-7-0/ckeditor.js" ?>"</script> | ||
| <script src="<?php echo $webroot."/public/assets/ckeditor-4-7-0/js/sample.js" ?>" type="text/javascript"></script> | ||
| <link href="<?php echo $webroot."/public/assets/ckeditor-4-7-0/css/samples.css"; ?>" rel="stylesheet" type="text/css" /> |
There was a problem hiding this comment.
For the above 3 lines, need to use the global for the assets path(this will allow us to migrate that path easily if needed):
<script type="text/javascript" src="<?php echo $GLOBALS['assets_static_relative']; ?>/ckeditor-4-7-0/ckeditor.js"</script>
<script src="<?php echo $GLOBALS['assets_static_relative']; ?>/ckeditor-4-7-0/js/sample.js" type="text/javascript"></script>
<link href="<?php echo $GLOBALS['assets_static_relative']; ?>/ckeditor-4-7-0/css/samples.css" rel="stylesheet" type="text/css" />
There was a problem hiding this comment.
note I made some edits to above post
There was a problem hiding this comment.
Note that the path to samples.* on your bottom 2 lines is incorrect.
interface/forms/dictation/new.php
Outdated
| <h1><?php echo xlt('Speech Dictation'); ?></h1><br><br> | ||
| </div> | ||
|
|
||
| <form method=post action="<?php echo $rootdir;?>/forms/dictation/save.php?mode=new" name="my_form"> |
There was a problem hiding this comment.
forms needs to deal with session leak issue (especially since it was removed from the Save link):
<form method=post action="<?php echo $rootdir;?>/forms/dictation/save.php?mode=new" name="my_form" onsubmit="return top.restoreSession()">
More information on this can be found here:
http://www.open-emr.org/wiki/index.php/OpenEMR_System_Architecture#PHP_Sessions_and_Browser_Windows
interface/forms/dictation/view.php
Outdated
| <link rel="stylesheet" href="<?php echo $css_header;?>" type="text/css"> | ||
| <html> | ||
| <head> | ||
| <title>Review</title> |
There was a problem hiding this comment.
translate and use Dictation:
<title><?php echo xlt('Dictation'); ?></title>
interface/forms/dictation/view.php
Outdated
| <?php Header::setupHeader(); ?> | ||
| <script type="text/javascript" src="<?php echo $webroot."/public/assets/ckeditor-4-7-0/ckeditor.js" ?>"</script> | ||
| <script src="<?php echo $webroot."/public/assets/ckeditor-4-7-0/js/sample.js" ?>" type="text/javascript"></script> | ||
| <link href="<?php echo $webroot."/public/assets/ckeditor-4-7-0/css/samples.css"; ?>" rel="stylesheet" type="text/css" /> |
There was a problem hiding this comment.
For the above 3 lines, need to use the global for the assets path(this will allow us to migrate that path easily if needed):
<script type="text/javascript" src="<?php echo $GLOBALS['assets_static_relative']; ?>/ckeditor-4-7-0/ckeditor.js"</script>
<script src="<?php echo $GLOBALS['assets_static_relative']; ?>/ckeditor-4-7-0/js/sample.js" type="text/javascript"></script>
<link href="<?php echo $GLOBALS['assets_static_relative']; ?>/ckeditor-4-7-0/css/samples.css" rel="stylesheet" type="text/css" />
There was a problem hiding this comment.
Note that the path to samples.* on your bottom 2 lines is incorrect.
interface/forms/dictation/view.php
Outdated
| <a href="<?php echo "$rootdir/patient_file/encounter/$returnurl";?>" class="link" | ||
| onclick="top.restoreSession()">[<?php echo xlt('Don\'t Save Changes'); ?>]</a> | ||
| </form> | ||
| <form method=post action="<?php echo $rootdir?>/forms/dictation/save.php?mode=update&id=<?php echo attr($id);?>" name="my_form"> |
There was a problem hiding this comment.
forms needs to deal with session leak issue (especially since it was removed from the Save link):
<form method=post action="<?php echo $rootdir?>/forms/dictation/save.php?mode=update&id=<?php echo attr($id);?>" name="my_form" onsubmit="return top.restoreSession()">
More information on this can be found here:
http://www.open-emr.org/wiki/index.php/OpenEMR_System_Architecture#PHP_Sessions_and_Browser_Windows
interface/forms/dictation/view.php
Outdated
| </form> | ||
| <form method=post action="<?php echo $rootdir?>/forms/dictation/save.php?mode=update&id=<?php echo attr($id);?>" name="my_form"> | ||
| <div class="page-header"> | ||
| <h1><?php echo xlt('Speech Dictation Review/Edit'); ?></h1> |
There was a problem hiding this comment.
Probably doesn't makes sense to make this title different on the forms since most forms do not allow this (goal is keeping things as uniform as possible), since usually view.php redirects to new.php on a lot of the forms. Also good to keep the title in head the same as this title which should be the same as the form name. So would use 'Speech Dictation' in all those place.
| <form method=post action="<?php echo $rootdir;?>/forms/dictation/save.php?mode=new" name="my_form" onclick="top.restoreSession()"> | ||
|
|
||
| <div class="form-group"> | ||
| <label for="dictation"><?php echo xlt('Dictation: '); ?></label><br><textarea class="form-control ckeditor" name="dictation" ></textarea> |
There was a problem hiding this comment.
@bradymiller, correct me if I'm wrong, but shouldn't end-of-line spaces and punctuation like this be avoided? Also, I'm in favor of yanking colons from labels all together
There was a problem hiding this comment.
@robertdown
In this case, the damage was already done about 8 years ago; meaning, this "constant" was already sent to the translation pipeline in it's current form at that time. So, changing these can cause a new constant that needs to be translated. This isn't always the case; for example, here , the Dictation constant already exists, so changing this wouldn't even create a new constant:
https://github.com/openemr/openemr/blob/master/contrib/util/language_translations/currentConstants.txt#L1899
A good general strategy:
If there's a reason(such as not wanting to have the colons), then should change these constants, however, shouldn't do a codebase wide arbitrary fixing of leading/trailing spacing in contants. Hope that makes some sense.
|
Remove the following directory (this will make it much easier to review the code): |
|
Review Please |
|
This branch wasn't working since missing the ckeditor, so I rebased this code into 1 commit and into the most recent codebase in another PR here: Should start working on the new PR branch and will close this PR. |
Looking for input on what should I do next.