A client wants to sprinkle some long-ish passages of descriptive text in with his layouts. This is not data to store for each instance of the form, but rather part of the form, much like a label. So I guess I’ll make a new field type “Static Text”, and have the layout editor give it some special treatment (like not creating a database field for it, and allocating extra space in the layout editor GUI for entry of the text).
The request is to display it statically on the screen. The “Description” field of a layout item will already display as a tooltip during data entry, however that is limited to 255 characters.
In options.inc.php, I placed htmlspecialchars around your description. It’s vital to be liberal with this function and surround any code that the user can potentially modify before it is output to the screen; this effectively eliminates cross-site scripting attacks, and it’s pretty much a good idea to get in the habit of doing this for all code.
In transaction_add.php, note that the file has been converted to use binding in SQL statements, which eliminates SQL injection (and you no longer need to manually escape variables via the formdata.inc.php-related commands). The one command I changed is the unusual scenario, since binding cannot be used on column names. So, in this case you need to manually escape the column name variables (they could potentially have a quote, you never know) with the add_escape_custom() function. This binding method can only be used in scripts that have been fully converted, such as the add_transaction.php script (check out the above wiki link describing this security project, and you’ll see converted files have the obvious sanitize_all_escapes=true; flag at the top).
Hope this makes sense. Let me know if you have any questions.
Default was removed because nothing seemed to be using it. Did I miss a case?
For the description we actually wanted the flexibility to include some types of HTML markup like font size, colors, bolding, even images. So htmlspecialchars() is not the answer for this one. Any suggestions?
Thanks for the point about escaping column names. I’m pretty sure I preserved your use of binding in add_transaction.php.
Regarding default value, agree nothing seems to be using it.
I didn’t realize you’d be including HTML markup (assumed not, since you wrapped it in the nl2br function). I’ll change it back. In the future, when all output is enclosed by htmlspecialchars in OpenEMR (guessing it will take at least a year), I could then come back and perhaps figure out a way to make this item more secure.
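The open question above (keeping font size, color, bold and images in the description without echoing it raw) is usually answered with an allowlist sanitizer rather than htmlspecialchars(). The following is an added example, not code from this thread or from OpenEMR; it assumes PHP's DOMDocument (ext/dom), and the function names sanitize_description_html() and scrub_node() are hypothetical.

```php
<?php
// Added example (not OpenEMR code): allowlist sanitizer for a layout
// "description" that keeps a little markup (bold, font size/color, images)
// but is never echoed raw. Needs ext/dom; the function names are hypothetical.
function sanitize_description_html(string $html): string
{
    // Allowed tag => allowed attributes; everything else is stripped.
    $tags = ['b' => [], 'strong' => [], 'i' => [], 'em' => [], 'u' => [],
             'br' => [], 'p' => [], 'font' => ['size', 'color'],
             'img' => ['src', 'alt', 'width', 'height']];
    // Allowed attribute values; src is limited to http(s) or site-relative
    // URLs so javascript: and data: image sources never reach the page.
    $values = ['size' => '/^[+-]?\d{1,2}$/', 'width' => '/^\d{1,4}$/',
               'color' => '/^(#[0-9a-f]{3,6}|[a-z]{1,20})$/i',
               'height' => '/^\d{1,4}$/', 'alt' => '/^[^<>]{0,200}$/',
               'src' => '#^(https?://|/)[^\s"\'<>]*$#i'];
    $doc = new DOMDocument();
    // Wrapper <div> gives the fragment one parent; the PI sets UTF-8.
    if (!@$doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>')) {
        return '';
    }
    $root = $doc->getElementsByTagName('div')->item(0);
    scrub_node($root, $tags, $values);
    // Serialise only the wrapper's children, not the html/body libxml adds.
    $parts = iterator_to_array($root->childNodes, false);
    return implode('', array_map(fn($c) => $doc->saveHTML($c), $parts));
}

function scrub_node(DOMNode $node, array $tags, array $values): void
{
    // Copy the child list first: it is mutated while we walk it.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) { continue; }      // plain text is safe
        $tag = $child instanceof DOMElement ? strtolower($child->tagName) : '';
        if ($tag === '' || $tag === 'script' || $tag === 'style') {
            $node->removeChild($child);             // comments, PIs, scripts
        } elseif (!isset($tags[$tag])) {            // unknown tag: keep text only
            $node->replaceChild($node->ownerDocument->createTextNode($child->textContent), $child);
        } else {
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, $tags[$tag], true)
                    || !preg_match($values[$name], trim($attr->value))) {
                    $child->removeAttribute($attr->name);   // onerror=, style=, ...
                }
            }
            scrub_node($child, $tags, $values);     // recurse into allowed tags
        }
    }
}
```

Anything outside the allowlist (script and style blocks, event-handler attributes, javascript: or data: image sources) is dropped, and the returned fragment can be echoed where the nl2br output currently goes.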