Adding calendar categories

Version Number: v5.0.1-dev

I was trying to add calendar categories, and when I checked the drop down for the calendar, none of the ones that I entered were there. Is the feature broken? I looked in the database and none of the entries made it to the database, although there were no error messages on the screen.

whoa,

That is a weird bug. When I clicked ok to confirm the new category, it all of a sudden went to the calendar display (this is not normal behavior). And also confirmed the new category was not made.

Bug confirmed.

-brady

Just added the following issue for this:

yep and I know why. but I’m keeping it a secret

me too (ok, I’m bluffing :smile: )

Kidding, but have found bugs in postnuke APIs that may tie many of these issues with calendar together. First is a security fix where trying to escape a url with attr()… probably a no-no. Another with deprecated functions and php7.

What version php? Because it’s really broke in version 7…

My testing was on version php 7.0. Note this works on php version 7.0 in OpenEMR 5.0.0.
-brady

Looks like it’s going to be an overzealous escaping issue.

You know me, I usually don’t have any opinions on escaping:)

Just committed the fix on this. Lesson learned here is that you cannot htmlescape paths (it breaks the & characters) like was done there. There are several more places where matrix escaped paths, so will plan to revert those after analyzing them a bit. Note these were real security vulnerabilities they were addressing, so they’ll likely need to attack them further upstream/downstream before the url is prepared or when it is used.
-brady

btw,
Here’s the commit with issues (and potentially several more issues):


-brady

Yep, need to escape the uri part separately from the query part…
I have some refactoring in pnMod.php and pnApi.php in postnuke for the server issue, should I wait?

Actually, looks like it just got double escaped :slight_smile: (single escaping a & to html should be fine, which seemed odd why it broke things):

http://one.openemr.io/openemr/interface/main/calendar/index.php?module=PostCalendar&type=admin&func=categoriesUpdate

Regarding your refactoring, definitely fine to bring in now.

-brady
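
The double-escaping effect discussed in this thread, as an added example (not code from the thread or from OpenEMR): the URL is HTML-escaped once and then twice, and the query parameters the server ends up parsing are compared. `attr_example()` and `query_seen_by_server()` are hypothetical helpers, and treating the escaping helper as a thin `htmlspecialchars()` wrapper is an assumption.

```php
<?php
// Hypothetical stand-in for an HTML-attribute escaping helper.
// Assumption: it is a thin wrapper around htmlspecialchars().
function attr_example(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Model of what happens to an href/action value: the browser decodes HTML
// entities exactly once, requests the result, and the server then parses
// the query string of that request.
function query_seen_by_server(string $valueAsWrittenInHtml): array
{
    $url = html_entity_decode($valueAsWrittenInHtml, ENT_QUOTES, 'UTF-8');
    $params = [];
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params;
}

// Build the URL: URL-encode the query values here, at construction time.
$path = '/openemr/interface/main/calendar/index.php';
$url  = $path . '?' . http_build_query([
    'module' => 'PostCalendar',
    'type'   => 'admin',
    'func'   => 'categoriesUpdate',
], '', '&');

// HTML-escape once, at the point of output (correct), and a second time
// (the accident: an already-escaped value passed through the helper again).
$once  = attr_example($url);
$twice = attr_example($once);

foreach (['escaped once' => $once, 'escaped twice' => $twice] as $label => $html) {
    $params = query_seen_by_server($html);
    echo $label, ': ', $html, PHP_EOL;
    echo '  parameter names: ', implode(', ', array_keys($params)), PHP_EOL;
    echo '  func present:    ', isset($params['func']) ? 'yes' : 'no', PHP_EOL;
}
```

With a single escape the browser's one decode restores the `&` separators and the server sees `module`, `type` and `func`. With two escapes a literal `&amp;` survives into the request, so `func` no longer arrives under that name.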