Change Log

*Version 13.7.24 (released on 2023-11-30)

CHANGES IN THIS VERSION:

  • Major bug fix: When exporting a report (including using the API Report Export method) in CSV, XML, or JSON format, in which the report is ordered by a field other than the record name and the total size of the exported data is fairly large (containing several hundred or thousand records), the resulting exported data might mistakenly contain duplicate rows, some of which might appear empty while others have the expected data for the given record/event. (Ticket #219392)

  • Bug fix: For certain REDCap installations, the events on the Define My Events page would not be ordered correctly. (Ticket #219188)

  • Bug fix: When opening certain dialog popups throughout the application, in which the dialog contains a lot of text, the page might mistakenly auto-scroll downward unexpectedly, thus causing the user to have to scroll back up in order to read the dialog contents.

  • Bug fix: If a proxy is specified on the General Configuration page in the Control Center, it was mistakenly not using username-password authentication for HTTP requests made during CDIS remote calls to the EHR system. (Ticket #219039b)

  • Bug fix: The "Upcoming Scheduled Survey Invitations" popup on the Record Home Page might not display all the upcoming invitations scheduled in the next 7 days but might mistakenly omit some. (Ticket #218769)

  • Bug fix: Some example R code in the API Playground was syntactically incorrect and would cause errors if it was run in R as is. (Ticket #219535)

  • Bug fix: When a datediff() function has a literal date value (e.g., "22-07-2023") for the first or second parameter in the function, in which the date value is in DMY or MDY date format, the datediff might mistakenly not perform the calculation correctly in some instances - most specifically server-side processes, such as auto-calculations, data imports, and Data Quality rule H. (Ticket #219662)

  • Bug fix: In some rare cases when using nested IF action tags for a field in which spaces or line breaks appear in specific places in the IF's logic, the IF action tag might mistakenly not evaluate correctly.

  • Bug fix: Form Display Logic might mistakenly not be evaluated correctly on the Record Home Page when a record has not been created yet but is in the process of being created. (Ticket #219883)

Version 13.7.23 (released on 2023-11-16)

CHANGES IN THIS VERSION:

  • Bug fix: If the Mosio SMS Services have been enabled in a project, the configuration step for Mosio on the Project Setup page would mistakenly not be displayed if the system-level Twilio feature (rather than the system-level Mosio feature) had been left disabled on the Modules/Services Configuration page in the Control Center.

  • Bug fix: The Data Viewing Rights & Data Export Rights might not be set correctly for user roles after adding a new instrument to a project while in production. When adding a new instrument, the rights would always get set to "No access" for that instrument for all roles, despite the fact that the setting "Default instrument-level user access..." on the User Settings page in the Control Center might be set otherwise. Note: This does not affect individual users' rights but only user roles. (Ticket #218708)

  • Bug fix: When a Table-based user navigates into a project, after which the Password Expire Warning popup is displayed if their password is about to expire soon, and then the user clicks the "Change my password" button, they are mistakenly taken to a blank page. This issue only occurs if the Password Expire Warning popup is displayed while they are inside a project (as opposed to on the My Projects page). (Ticket #218606)

  • Bug fix: If using Multi-Language Management, under certain circumstances the language preference of a logged-in user was mistakenly overwritten by a browser cookie. (Ticket #218766)

  • Bug fix: If a proxy is specified on the General Configuration page in the Control Center, it was mistakenly not being utilized for HTTP requests made during CDIS remote calls to the EHR system. (Ticket #219039)

  • Bug fix: When merging two records while using Double Data Entry (DDE), the merging process might mistakenly replace specific characters with HTML entities in the values of the third record that was created. (Ticket #218547)

  • Bug fix: In some situations, the AWS SDK might mistakenly fail when attempting to store or retrieve files from S3. The AWS SDK for PHP has been updated to the latest version in order to resolve this.

  • Bug fix: When piping a value onto a form/survey from outside the current context, in certain situations the piped value might mistakenly get wrapped in invisible HTML "span" tags when output onto the page, which should only occur when the field being piped exists on the same page. (Ticket #219031)

  • Bug fix: When using a designated email field (whether project-level or survey-level), there might be some inconsistency with regard to saving the email field if the field exists on multiple events or on a repeating instrument/event, in which REDCap attempts to keep all values the same for the field in all places in the record. One of the worst side effects is that it might mistakenly create extra repeating instances on a record when the email field exists on a repeating instrument when multiple repeating instances already exist for another instrument on the same record. (Ticket #217938)

  • Bug fix: When performing a data import on the Data Import Tool page when using PHP 8, a fatal PHP error might mistakenly occur. (Ticket #212225b)

Version 13.7.22 (released on 2023-11-09)

CHANGES IN THIS VERSION:

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability exists in the third-party library TinyMCE that is bundled in REDCap. The library has been updated to the latest version. Note: This does not affect the latest Standard Release of REDCap.

  • Bug fix: Two-factor verification would mistakenly fail for users when the 6-digit 2FA code has a leading zero. (Ticket #218277)

  • Bug fix: When using Clinical Data Pull, the "View" link to view the adjudication popup would mistakenly not appear at the top of the data entry page after having opened the page the first time. (Ticket #218182)

  • Bug fix: When using Multi-Language Management, the project-level overrides of some admin settings would mistakenly get ignored.

  • Bug fix: When using Multi-Language Management, the comments at the top of CSV export files from the MLM page mistakenly had a comma hard-coded as the CSV delimiter, which could lead to the file not being importable when a delimiter other than comma was chosen and depending on the type of software used to edit the file.

  • Bug fix: The "Map of Users" page in the Control Center might mistakenly not call the "redcap_control_center" hook under specific circumstances. (Ticket #218502)

  • Bug fix: External Module language files were mistakenly being overwritten by the Language::getLanguage() method, leading to the loss of module-specific language keys. This problem manifested when the tt function, used for internationalization within EMs, was called, particularly affecting pages that utilized the redcap_control_center hook. (Ticket #218492)

Version 13.7.21 (released on 2023-11-02)

CHANGES IN THIS VERSION:

  • Bug fix: When using the @CALCDATE action tag in which the Daylight Saving Time barrier is crossed when calculating the resulting date, in specific cases the result might mistakenly be one day off (if a date field) or one hour off (if a datetime field). Similarly, when using the datediff() function in which one date/datetime exists in DST while the other does not, in some cases the result might be off by one hour when using units of "h", "m", or "s". (Ticket #32022, #73668, #103913, #126830, #129720, #137174, #215534, #216566)

  • Bug fix: Fixed an issue affecting the behavior of custom CDIS mapping in the Clinical Data Pull (CDP) mapping interface, in which custom CDIS mapping fields were incorrectly designated as 'primary,' thus preventing users from utilizing them as intended. (Ticket #217391)

  • Bug fix: The setting "Custom text to display at top of Project Home page" would mistakenly not display in the project if it did not contain actual text but only contained an image or an HTML “style” tag. (Ticket #217972)

  • Bug fix: In certain situations, the WebDAV file storage check on the Configuration Check page might mistakenly fail with a fatal PHP error. (Ticket #217684)

  • Bug fix: When attempting to save a calc or @CALCTEXT field in the Online Designer, in which the calculation contained a Smart Variable, it would prevent normal users from saving the field and would just get stuck saying "Saving...". However, administrators would be able to save the field successfully.

  • Bug fix: In certain situations while on a survey page, a participant might be able to submit a survey when they should not, such as if the Save button is hidden on the survey page. (Ticket #217159)

  • Bug fix: A user would be unable to close the field validation error popup (specifically in iOS or Android) when the field with the validation error is followed by a signature field. (Ticket #217572)

  • Bug fix: When exporting and importing Automated Survey Invitations using a CSV file in the Online Designer, the import process might fail with a blank error message due to an inconsistency in the CSV delimiter used in the file. (Ticket #217941)

  • Bug fix: When using Multi-Language Management, the choice labels of multiple choice fields would not be piped correctly in some cases if the choice labels contain HTML. (Ticket #217955)

  • Bug fix: Users would mistakenly be allowed to define Missing Data Codes where some of the codes could be duplicated in different cases (case sensitivity-wise). For example, "na" and "NA" would both be allowed as Missing Data Codes. Note: This issue cannot be fixed retroactively but will be prevented going forward when users attempt to create or modify Missing Data Codes on the Project Setup page. (Ticket #216818)

Version 13.7.20 (released on 2023-10-26)

CHANGES IN THIS VERSION:

  • Bug fix: An issue may occur with a CDIS-related cron job in which certain records are not processed due to MemoryMonitor interruptions, and thus records would mistakenly not get queued for future processing to pull their clinical data from the EHR. This fix ensures that these unprocessed records are correctly queued for the next execution of the cron job, preventing data loss and ensuring more robust processing.

  • Bug fix: When a user lacks the instrument-level user privilege to modify survey responses for a given instrument, then they open a data entry form that has been enabled as a survey, and before they submit the form, a survey response has already been started or completed by a participant, it would mistakenly allow the user to unwittingly overwrite the survey response when they submit the form. It now returns an error message in this specific scenario and prevents the user from making changes. (Ticket #217157)

  • Bug fix: When a user is assigned to a Data Access Group and views a project's Logging page when no records exist in their DAG yet, the Logging page might crash and display an error message saying that an SQL query failed. This appears to only occur for certain versions of MySQL/MariaDB. (Ticket #217372)

  • Bug fix: Certain tables, such as the Record Status Dashboard and reports, might mistakenly not display with the correct width based on the current screen size, in which the table may display its scroll bar off the right side of the page (i.e., initially not visible) instead of it being visible after the page loads.

  • Bug fix: If the MyCap External Module is enabled in a project, the built-in MyCap feature would mistakenly have its “Enable” button as a clickable button on the Project Setup page. That button is now disabled/grayed out if the MyCap EM is already enabled in a project.

  • Bug fix: When using CDIS, specifically Clinical Data Mart, an intermittent issue in CDM projects would occur where searches for specific Medical Record Numbers (MRNs) would occasionally return duplicate results. The fix ensures that each MRN appears only once in the search outcomes.

  • Bug fix: When using Multi-Language Management, the "only one selection per column" notice on matrix fields was mistakenly not translatable via the MLM setup page. (Ticket #217480)

  • Bug fix: When adding or editing a multiple choice field via the Online Designer, the text in the section "How do I manually code the choices?" mistakenly contained a line break in the text rather than actually displaying the HTML tag "

    " as visible in the text.

  • Bug fix: When an alert is set to trigger "When conditional logic is TRUE during a data import, data entry, or as the result of time-based logic", in which a data value from a repeating instrument or repeating event is added via a data import, if the repeat instance number is "1" for the field being imported (or if the value is "new" when no repeating instances exist yet for that field), the import process might mistakenly not trigger the alert. (Ticket #214855)

  • Bug fix: When a checkbox field has a multiple choice option whose raw code is the same as a missing data code in the project, the report page might mistakenly display the error "DataTables warning: table id=report_table - Incorrect column count" when trying to view a report that contains such a checkbox. (Ticket #217249)

  • Bug fix: When hovering over the “view list” link on the Alerts & Notifications page for a given alert, the popover dialog would mistakenly not be hidden again if the user moves their cursor off of the popover. To remedy this, the user must now click the “view list” link to see the popover, after which the popover will hide if manually closed or if the user clicks on anything outside of the popover on the page.

  • Bug Fix: When importing records that are assigned to a Data Access Group, in which records for other DAGs exist in the redcap_data table with a blank record name (due to an older bug that caused the name to be blank), this would mistakenly prevent the data import process from importing the records. (Ticket #217724)

Version 13.7.19 (released on 2023-10-19)

CHANGES IN THIS VERSION:

  • Major security fix: A Stored Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into specific POST parameters of an Online Designer related URL so that the custom JavaScript could be injected into the calculations of calc fields, @CALCTEXT, and @CALCDATE fields. Thus the custom JavaScript could be executed whenever anyone opens the data entry form or survey page. This could lead to privilege escalation if a malicious user tricks an administrator into viewing the instrument, thus potentially becoming an administrator themselves and able to access all projects and data. The user must be authenticated into REDCap and must have Project Design rights in order to exploit this in a project. Bug exists in all REDCap versions for the past 10 years. Note: This bug was supposedly fixed in the previous version but mistakenly was not.

  • Medium security fix: Malicious users might be able to bypass the "Restricted file types for uploaded files" feature (if being utilized on the REDCap server) by uploading a file with an incorrect file extension into the File Repository of a project, and then changing the file's extension using the "rename file" feature. For example, an attacker could take a file named "exploit.exe", rename it to "image.jpg" on their local device, upload the file into the File Repository, rename the file to "image.exe", and then trick another user into downloading it and executing it locally. Now, REDCap prevents users from modifying the file extension of any files uploaded into the File Repository. Note: The vulnerability does not pose a risk to the REDCap server since REDCap itself never executes any uploaded files, but this only poses a risk to users who may unwittingly download and execute the file. Also, the malicious user must have File Repository privileges inside a project in order to exploit this.

  • Minor security fix: When using Two-Factor Authentication, in which users are logging in and entering a 6-digit one-time passcode (OTP), there was no limit placed on the number of passcode submissions that can be attempted for a given user within a specific window of time. Thus, the passcode verification process was subject to brute force hacking (so long as the attempts did not exceed the general Rate Limiter setting in REDCap). This has been changed so that the passcode verification process cannot be utilized more than 10 times per minute. If exceeded, it will now return an error.

  • Major bug fix: When a survey participant clicks the "Save & Return Later" button on a survey, REDCap would mistakenly not always find the participant's email address (from a designated email field or from the participant list) when loading the page that displays the return code. In some cases, another participant might be sent an email containing the original participant's survey link for completing the survey. Note: Despite sending the survey link to the wrong participant, the other participant would not be able to see the original participant's responses because they do not have the Return Code. (Ticket #140765, #217097)

  • Bug fix: When using Multi-Language Management, a JavaScript error might occur when piping calculated fields under specific conditions.

  • Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with an 445 area code. (Ticket #216751)

  • Bug fix: When using Multi-Language Management, the option to “Create from file/from scratch” would mistakenly not be available on the Control Center MLM setup page when the corresponding language creation was disabled for projects.

  • Bug fix: The language variable "design_1054" mistakenly existed twice in the file "English.ini".

  • Bug fix: If the settings "Allow normal users to edit their primary email address on their Profile page?" or "Allow normal users to edit their first name and last name..." are set to "Do not allow editing", a user that knows how to make a specially-crafted POST request to a specific end-point or knows how to manipulate the Profile page's user interface in a specific way would be able to modify their first/last name and/or email address, respectively.

  • Bug fix: When a user imports a Project XML file that is truncated (for whatever reason) and is thus does not represent properly structured XML, in some situations REDCap might still attempt to process the XML fully without any error message, which might result in some things not getting set correctly in the resulting project, possibly unbeknownst to the user. It now attempts to do a better job of detecting if the XML is properly structured, and if not, returns an error message explaining this.

  • Bug fix: When using "Azure AD OAuth2 & Table-based" authentication, users clicking the "Logout" link in REDCap would mistakenly not be successfully logged out of Azure AD. (Ticket #216423b)

  • Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with certain newer area codes, including 531 and 726. (Ticket #216751b)

Version 13.7.18 (released on 2023-10-11)

CHANGES IN THIS VERSION:

  • Major security fix: A Stored Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into specific POST parameters of an Online Designer related URL so that the custom JavaScript could be injected into the calculations of calc fields, @CALCTEXT, and @CALCDATE fields. Thus the custom JavaScript could be executed whenever anyone opens the data entry form or survey page. This could lead to privilege escalation if a malicious user tricks an administrator into viewing the instrument, thus potentially becoming an administrator themselves and able to access all projects and data. The user must be authenticated into REDCap and must have Project Design rights in order to exploit this in a project. Bug exists in all REDCap versions for the past 10 years.

  • Medium security fix: A user with Calendar privileges in a given project that knows how to make a specially-crafted POST request to a specific end-point might be able to edit or delete a calendar event in another project to which they do not have access.

  • Medium security fix: A user with Data Access Group privileges in a given project that knows how to make a specially-crafted POST request to a specific end-point might be able to rename or delete a DAG in another project to which they do not have access.

  • Bug fix: When using Multi-Language Management, REDCap’s auto-logout feature would mistakenly not work on the MLM setup page in some circumstances. (Ticket #216234)

  • Bug fix: When printing an instrument via the option "Download this survey with saved data (via browser's Save as PDF)", a vertical line/shadow would mistakenly appear on the left side of the resulting PDF.

  • Bug fix: When using Multi-Language Management, a specific warning was mistakenly not translatable via the MLM setup page.

  • Bug fix: When using "OpenID Connect & Table-based" authentication, users clicking the "Logout" link in REDCap would mistakenly not be successfully logged out of OIDC. (Ticket #216423)

  • Bug fix: When using Multi-Language Management, “style” HTML tags that span over multiple lines would mistakenly not work as expected when MLM is active.

Version 13.7.17 (released on 2023-10-05)

CHANGES IN THIS VERSION:

  • Major bug fix: A user with “Alerts & Notifications” privileges in a given project that knows how to make a specially-crafted POST request to a specific end-point used for "Alerts & Notifications" functionality might be able to delete any general uploaded file that belongs to the project, whether it be an attachment uploaded via the rich text editor, a file uploaded to a File Upload field, a Descriptive Text field attachment etc. This user could potentially delete the stored edoc file for any of those such places in the project. However, it is important to note that the user can only delete files within their own project to which they have access. They cannot delete files in other projects to which they do not have access.

  • Major bug fix: If survey invitations have been scheduled manually (i.e., not via ASI) with one or more reminders, the unsent/scheduled reminders would mistakenly not be automatically removed whenever the participant completes the survey. (Ticket #203090)

  • Bug fix: The end-points used for deleting instruments and fields in a project were mistakenly using a GET request (rather than a POST request), which could make it easier for a user to get tricked into unwittingly deleting an instrument or field if a malicious user sent them a specially-crafted link to click. Such a situation would not cause any permanent damage (e.g. no data would ever be deleted), and it could be easily fixed by re-adding the instrument/field back.

  • Bug fix: When using a CDIS service (CDM or CDP) to pull data from an EHR, when dealing with date values used in the FHIR requests to the EHR system, some dates might mistakenly be converted to the current timezone. This has been fixed to ensure that the date conversion only occurs in the response received from the FHIR system.

  • Bug fix: When using the Protected Email Mode feature, in which an alert is set up with an attachment file and the alert is set not to send immediately but at some later time, after the alert is triggered and the email is sent, when the recipient views the email on the Protected Email Mode page, the attachment would mistakenly not be downloadable on the page but would display an error when attempting to be download it. (Ticket #212760)

  • Bug fix: The hook functions "redcap_survey_page_top" and "redcap_survey_page" might mistakenly be provided with an incorrect DAG group_id value for records that have not yet been created, such as when viewing the first page of a public survey. In these cases, it would provide the DAG group_id of record "1" in the project if there exists a record named "1" when instead the group_id should be NULL. (Ticket #215884)

  • Bug fix: The Unicode Transformation process might mistakenly not convert data in some database tables that have a "project_id" column in which the project_id value in the table is NULL. (Ticket #215615)

  • Bug fix: Several PHP 8 compatibility issues when using certain MyCap pages/processes.

  • Bug fix: The @NOW-SERVER action tag would mistakenly not set the correct value for many time-validated field types, such as a Text field with "time_hh_mm_ss" validation, whenever an instrument/survey is loaded. Instead, it might set the value as the user/participant's local time (according to their browser). (Ticket #216135)

  • Bug fix: When using Multi-Language Management, for Yes/No and True/False fields, "No"/"False" was mistakenly shown instead of their associated translation in some places (e.g., Codebook). (Ticket #216265)

  • Bug fix: Several different features in REDCap, in which an AJAX call returns JSON-encoded data, might get misinterpreted and thus would fail because the request failed to have the "Content-Type: application/json" header set. This would only occur for certain web server configurations. (Ticket #214401)

Version 13.7.16 (released on 2023-09-28)

CHANGES IN THIS VERSION:

  • Bug fix: When renaming a record, the record name would mistakenly not get renamed on the Email Logging page. This would not cause any issues other than the Email Logging saying that an email belongs to the wrong record. (Ticket #215100)

  • Bug fix: The Unicode Transformation process might mistakenly not display correct information regarding whether or not some specific steps in the process need to be completed.

  • Bug fix: The "field suggest" feature when using the Logic Editor was mistakenly no longer appearing as of REDCap 13.7.13 LTS and 13.9.3 Standard Release. (Ticket #215285)

  • Bug fix: When using the Clinical Data Mart design checker's "fixDesign" process, a fatal PHP error might occur in certain situations.

  • Bug fix: Some project pages might fail with a fatal PHP error when using PHP 8 due to the calling of an undefined PHP constant in the External Module Framework. (Ticket #215348)

  • Bug fix: When using Multi-Language Management, the "Access Denied!" a message that appears on data entry forms when a user has no access was mistakenly not a translatable element in MLM. (Ticket #215504)

  • Bug fix: In a MyCap-enabled project, slider labels (displayed above or next to the slider) were not displaying correctly in the MyCap config JSON and thus might cause issues in the MyCap mobile app.

  • Bug fix: When using the Data Resolution Workflow along with Data Access Groups in a project, if a user attempts to assign a data query to a user, in some situations the drop-down list of assignable users would mistakenly list users that are not currently eligible to be assigned to the data query because they are not currently assigned to the record's DAG. It should only list users that are currently in the record's DAG (or users not in any DAG) if the record itself is assigned to a DAG. (Ticket #213770)

  • Bug fix: When using CDIS, the SMART on FHIR authentication process was causing incorrect scope levels to be applied, specifically impacting Cerner users. The issue prevented the proper assignment of the "user" level during authentication, thus potentially leading to authorization errors.

  • Bug fix: The auto-fill form/survey feature for administrators might mistakenly fail for most/all time validated fields. (Ticket #215684)

  • Bug fix: When an [X-event-name] Smart Variable is prepended to a field variable (especially in combination with an [X-instance] Smart Variable) in logic, calculations, or piping, it might cause the evaluation of the logic/calc/piping not to be performed successfully. For example, for [previous-event-name][field], the direct previous event might be used when instead the previous designated event for that field's instrument should be used. (Ticket #214317, #213503)

  • Bug fix: If using an HTML "style" tag inside user-defined text (e.g., field label, survey instructions), the CSS styles inside the tags might mistakenly not work on the page if line breaks or carriage returns occur anywhere inside the opening and closing style tag. (Ticket #215693)

Version 13.7.15 (released on 2023-09-22)

CHANGES IN THIS VERSION:

  • Major bug fix: When using randomization while in production status, if a user is uploading a new allocation table to be appended to the existing production allocation table, in which the development allocation table happens to exactly match all the production allocations after the allocation upload has occurred, all the production allocations would mistakenly be erased, which would also remove the "randomized" status for any already randomized records. This is extremely rare, but is extremely destructive and difficult to restore back to its previous state.

  • Bug fix: When viewing the MyCap participant list, the Baseline Date might mistakenly be displayed in an incorrect date format.

  • Bug fix: A user that does not have Project Setup privileges in a project could potentially exploit a missing user rights check on the endpoints where field attributes are modified in the Online Designer by crafting special HTTP requests to those specific endpoints. This does not allow the user to do anything other than add new fields or edit the attributes of existing fields.

  • Bug fix: When viewing the Record Status Dashboard in certain cases when using PHP 8, the page might crash with a fatal PHP error. (Ticket #214370)

  • Bug fix: When users make API requests, the full API token was mistakenly being logged in the redcap_log_view table for each request. This is not typically an issue because such values in that table are not exportable via the front-end user interface but are only accessible via direct database access. However, if some institutions are sending the full export of their redcap_log_view table to their local security office, the logging of the API token in that table could be problematic. The API token will now be redacted in the redcap_log_view table. (Ticket #214322)

  • Bug fix: When users delete or regenerate their API token in a project, the value of the old token was mistakenly not being logged on the project's Logging page.

  • Bug fix: Fixed issue with the CDIS "Break the Glass" feature. When attempting to restore a serialized list of patients, an error is thrown due to the DateTime class not being listed within the "allowed_classes" parameter of the unserialize function. (Ticket #214670)

  • Bug fix: An administrator with only “Install, upgrade, and configure External Modules” admin privileges might not be able to view certain External Module pages or perform certain External Module operations, such as accessing the EM Manage page in the Control Center. (Ticket #214721, #214722)

  • Bug fix: An issue might occur when downloading a file from a File Upload field when REDCap is hosted on Google Cloud Platform due to the usage of an unnecessary project_id prefix for Google bucket file storage.

  • Bug fix: The notification for the Unicode Transformation process on the Configuration Check page might mistakenly not be displayed on the page anymore after step 2a of the process has been completed. It should not go away until all 4 of the steps are completed.

  • Bug fix: When attempting to access the "App Data Dumps" on the REDCap Mobile App page in a project, if any of the data dump files somehow can't be found in the file system (which would be unexpected), the page would crash with a fatal PHP error. From now on, it will merely skip any files in this situation. (Ticket #215007)

  • Bug fix: When date or datetime fields are piped into the choice label of a drop-down field, in which the date/datetime field has MDY or DMY date format and also exists on the same page as the drop-down field, the date/datetime values might not get piped in the correct format but may appear in the drop-down as a mangled date/datetime value.

Version 13.7.14 (released on 2023-09-08)

CHANGES IN THIS VERSION:

  • Medium security fix: The Chart.js JavaScript library that is included in REDCap contains a bundled version of the Moment.js library, which contains a security vulnerability in that specific version. The bundled Moment.js library has been removed. It does not need to be replaced since REDCap already has the latest version of Moment.js included separately already.
  • Bug fix: When using Azure AD V1 for authentication, the setting "AD attribute to use for REDCap username" on the Security & Authentication page mistakenly listed the employee ID attribute as "employeeID" when it should instead be "employeeId". This could prevent proper authentication if that option was selected. (Ticket #213619)
  • Bug fix: When using the Survey Login feature and a survey participant begins a new survey while their survey login session is still active, the survey instructions would mistakenly not be displayed on the page by default. (Ticket #212987)
  • Bug fix: When exporting a project as a Project XML file and then creating a new project from the XML file, if the Survey Login feature had been utilized and the Survey Settings checkbox had been checked when exporting the XML file, the Survey Login settings would mistakenly not get transferred into the newly created project. (Ticket #212987)
  • Bug fix: When using the Custom Record Label on a multi-arm longitudinal project, if an "ad hoc" calendar event is created and is attached to a specific record, the Custom Record Label might mistakenly not be displayed when viewing the calendar event in the calendar popup window. (Ticket #23367b)
  • Bug fix: When adding a new instrument in a MyCap-enabled project, the Online Designer page might mistakenly crash with a fatal PHP error when using PHP 8. (Ticket #213817)
  • Bug fix: When enabling Mosio SMS Services on a project, it would mistakenly allow users to enter a Mosio API Key that is already being used by another REDCap project. This should not be allowed. It will now prevent a user from entering a Mosio API Key if that key is already being used by another project. Additionally, if two projects already are using the same Mosio API Key before upgrading to this REDCap version, the Mosio configuration popup will auto-disable the SMS Conversation option to prevent both projects from using the same Mosio API Key, which could cause issues specifically when using the "Initiate survey as SMS conversation" option. (Ticket #213376)
  • Bug fix: An error was thrown during the deserialization of CDIS messages. The issue was caused by the DateTime class not being included in the list of allowed classes for deserialization.
  • Bug fix: When using Multi-Language Management, branching logic based on a field set by the action tags LANGUAGE-CURRENT-FORM/-SURVEY would mistakenly not work when the field is a text box field.
  • Bug fix: REDCap's internal function for copying files would mistakenly fail to copy files when using Google Cloud Storage as the file storage system. (Ticket #213946)

Version 13.7.13 (released on 2023-08-31)

CHANGES IN THIS VERSION:

Minor security fix: A DOM-based Cross-site Scripting (XSS) vulnerability was discovered on all project-level pages that could possibly be exploited if a malicious user is able to manipulate the JavaScript "location" interface/variable in specific ways.

Bug fix: When pulling data from an EHR system via CDIS, date filters were not being correctly applied when fetching temporal data. (Ticket #212894)

Bug fix: FHIR stats were mistakenly counted in DDP (Dynamic Data Pull) projects when using CDP (Clinical Data Pull) auto-adjudication.

Bug fix: When using Table-based authentication and a user has somehow been granted access to a project and added to a user role (e.g., via user role CSV upload) despite the fact that the username does not exist as a real user account in the system, it would be impossible to remove the user from their role, to re-assign them to another role, or ultimately to remove them from the project. (Ticket #207764)

Bug fix: When viewing the Online Designer in a MyCap-enabled project, the "Enable" button for enabling MyCap for a given a data collection instrument would mistakenly be disabled, thus preventing users from enabling the instrument as a MyCap task, if the instrument's first field was part of a matrix of fields. (Ticket #213075)

Bug fix: When viewing the Stats & Charts page for a given report and clicking the "Missing" link to view a list of missing values, it might mistakenly display many false positives of repeating instances that do not really exist in the data. (Ticket #211913)

Bug fix: When clicking the "Enable color-blind accessibility" displayed below a pie or donut Smart Chart on a data entry form or survey page, it would send the user/participant to a non-existent page, thus resulting in a 404 error. (Ticket #211920)

Bug fix: When using “Azure AD OAuth2 & Table-based” authentication together with Duo two-factor authentication (2FA), after a user successfully logs in via Table-based authentication, they would mistakenly not be redirected to the Duo OAuth2 page for two-factor authentication. (Ticket #211697)

Bug fix: When using Multi-Language Management, the text "(Place a mark on the scale above)" that is displayed below Slider fields was mistakenly not translatable via MLM. It has now been added.

Version 13.7.12 (released on 2023-08-25)

CHANGES IN THIS VERSION:

Major bug fix: If a repeating Automated Survey Invitation has been enabled in a project in which one or more records have triggered the ASI initially, if the ASI was then disabled for a certain amount of time and then re-enabled later, after which a user or participant triggered an ASI in any project in which the ASI is set to send immediately, it would mistakenly cause the repeating ASI in the original project to send/schedule hundreds or thousands of invitations for each record that was originally triggered in that original project. This issue was caused by the invitation-sending function being called recursively when an individual record triggers an ASI. (Ticket #210378)

Bug fix: In certain instances, the "Download PDF of instrument(s) via browser's Save as PDF" feature may mistakenly not show all the text for Notes Box fields in the resulting PDF if the Notes Box fields contain a lot of text. (Ticket #211228)

Bug fix: The feature to compare data dictionaries/revisions on the Project Revision History page might produce unexpected results in which the comparison does not display the correct results. (Ticket #208391)

Bug fix: Descriptive Text fields would mistakenly not be returned when a user searches for fields via the Field Finder on the Codebook page. (Ticket #212763)

Bug fix: After modifying the schedule of an existing record on the Scheduling page, the logged events of schedule modifications would correctly appear on the Logging page by default, but some of the schedule-related logged events would not appear on the Logging page when using the "Filter by record" option for that specific record. Note: This will be fixed for all schedule modifications going forward, but all existing logged events for schedule modifications cannot be fixed retroactively. (Ticket #208481)

Bug fix: When calling the API Export Records method to retrieve data in "odm" format from a project that contains data for repeating events, if the "fields" parameter is provided in the API call and does not contain any field utilized on a repeating event, the resulting XML might mistakenly be malformed and not structured correctly. (Ticket #208787)

Bug fix: Administrators that have "Perform REDCap Upgrades" privileges would receive an error message when attempting to use the Easy Upgrade feature if they did not also have some other admin privileges. This has been fixed so that only "Perform REDCap Upgrades" privileges are needed to perform an upgrade. (Ticket #211957)

Bug fix: When using the @DOWNLOAD-COUNT action tag in which the field being referenced by the action tag exists on the same page, if users or participants download the file using their browser's right-click "Save as" option (as opposed to directly clicking it), it would mistakenly not register as a download to be incremented for the count field on the page. Although the server-side call to download the file via "Save as" would increment the counter field's value on the back-end, the front-end value would now be out of sync. There's no way to change the counter on the page from being temporarily out of sync, but REDCap will now auto-fix the value after the form/survey is submitted in order to reconcile the true count value and save it to the counter field. In summary, this fix should ensure that the counter field's value is correct whether or not someone downloads the file with a normal click or via the right-click "Save as" option.

Bug fix: When modifying any of the drop-down fields in the Survey Design Options section of the Survey Settings page for a given instrument, it would cause the Cancel button at the top or bottom of the page to no longer work unless clicked many times. (Ticket #211204)

Bug fix: Several files located in the /redcap/webtools2/pdf/ subdirectories are no longer compatible with PHP 8.2.0 and higher. In addition to fixing the compatibility issues with PHP 8.2, all the files in /redcap/webtools2/pdf/ have now been incorporated directly into the REDCap version directory so that they can be kept up to date on an ongoing basis with future versions of PHP. (Ticket #211377)

Bug fix: If the File Storage method for REDCap is set to "Google Cloud Storage using API Service Account", downloading the Instrument Zip file of an instrument that is enabled as a survey and contains a survey logo would mistakenly fail due to a fatal PHP error. (Ticket #212967)

Bug fix: When entering a non-URL value (e.g., field variables, Smart Variables) into the "Embed an external video" text box while editing a Descriptive Text field in the Online Designer, it would mistakenly prepend "http://" to the beginning of the value entered.

Bug fix: Public reports and public project dashboards might not display optimally when viewed on mobile devices, such as images appearing too large or the report table going outside of its parent box.

Version 13.7.11 (released on 2023-08-18)

CHANGES IN THIS VERSION:

Bug fix: When using the Designate Instruments page in a longitudinal project while running PHP 8, editing the event grid may result in an error message, preventing the edits from being saved. This issue was supposedly fixed in a previous issue but mistakenly was not. (Ticket #212677)

Version 13.7.10 (released on 2023-08-17)

CHANGES IN THIS VERSION:

Bug fix: When using the EHR launch window for Clinical Data Pull, the REDCap page embedded in the EHR might mistakenly not display any CDP projects for the user for the relevant patient. (Ticket #211654)

Bug fix: In certain places throughout REDCap, the rich text editor might mistakenly display the "Insert/edit media" button on the editor toolbar. This was added unintentionally, and in most (if not all) cases, attempting to add media using that button would not be successful. That media button has now been removed from the editor. (Ticket #211132)

Bug fix: When using the Designate Instruments page in a longitudinal project while running PHP 8, editing the event grid may result in an error message, preventing the edits from being saved. (Ticket #211983)

Bug fix: When using Multi-Language Management, the MLM page in the Control Center might mistakenly not export the MLM usage stats in a way that the file can be opened successfully in Excel. (Ticket #211875)

Bug fix: For certain server configurations, Send-It might cause some files to be corrupted when downloaded by the recipient. (Ticket #212072, #208036)

Bug fix: When a user is running Data Quality rule A or B, it might mistakenly return checkbox fields as discrepancies. As noted by the single asterisk at the bottom of the Data Quality page, rules A and B note that "checkbox fields are also excluded since an unchecked checkbox is itself often considered to be a real value." (Ticket #212048)

Bug fix: When performing an API Metadata Import, a data dictionary snapshot would mistakenly be taken after the new metadata was saved via the API call when instead the snapshot should be taken immediately beforehand during this metadata import process.

Bug fix: When performing a data import on the Data Import Tool page when using PHP 8, a fatal PHP error might mistakenly occur. (Ticket #212225)

Bug fix: In certain edge cases that involve the Records::getRecordList() method being called by a REDCap plugin, a fatal PHP error might occur when using PHP 8 if the "pid" parameter does not exist in the current URL but has been set as $_GET['pid'] manually by the plugin itself. (Ticket #212232)

Bug fix: If a checkbox field contains a choice coding that contains a period, in which there exists another choice coding with the same value if the period is excluded (e.g., "2" vs "2."), those two choices would get mistakenly conflated as the same import/export version of the checkbox variable name, which could cause issues with data exports and reports not displaying correctly. From now on, any periods existing in a checkbox coding will be converted to an underscore in the resulting import/export variable name, whereas in previous versions the period was removed completely from the variable name. (Ticket #211904)

Bug fix: When importing a missing data code for a field that has a min/max validation range, the data import process would mistakenly return an error saying that the missing data code value was out of range. Instead, it should allow the missing data code value to be imported. (Ticket #211903)

Bug fix: Using the function isblankormissingcode() in a calculation for non-numeric missing data codes might mistakenly cause the server-side rendering of the calculation (e.g. Data Quality rule H) to return an incorrect value. (Ticket #212145, #212178)

Bug fix: If a field has the @CALCTEXT action tag and also has date/datetime validation, server-side processing of the calculation (e.g., Data Quality rule H) might mistakenly fail to save a new/correct value for the @CALCTEXT field. (Ticket #211780)

Bug fix: When exporting a PDF of an instrument containing data via the API, the Logging page would mistakenly display the project ID in place of the record name in the Action column of the Logging table for this logged event. This will be fixed so that it will resolve this issue for both past logged events and future logged events. (Ticket #212245)

Bug fix: Some folders in the File Repository might mistakenly not display due to a DataTables error caused by the JSON-encoding of mangled UTF-8 characters in the descriptions and attributes of the files being displayed in the file list. (Ticket #208637)

Bug fix: If a Notes field is embedded inside a checkbox field's choice label on a survey that has "enhanced radio buttons and checkboxes" enabled, the checkbox choice would mistakenly get unchecked whenever the participant clicked or focused their cursor on the Notes field. Note: This does not affect embedded Text fields but only Notes fields. (Ticket #210763)

Bug fix: If the query of a Dynamic SQL field begins with "select" followed immediately by a line break or carriage return (as opposed to a space), the Dynamic SQL field would not return any results and would not display any drop-down options. (Ticket #212474)

Bug fix: If using an HTML "style" tag inside user-defined text (e.g., field label, survey instructions), the CSS styles inside the tags might mistakenly not work on the page if line breaks or carriage returns occur anywhere inside the opening and closing style tag. (Ticket #211394)

Bug fix: When using an [aggregate-X] smart variable in a calculation or CALCTEXT field, depending on the context the calculated value might not always get saved successfully, and additionally the Logic Editor might note the calculation to have errors when it in fact does not. (Ticket #211063)

Version 13.7.9 (released on 2023-08-03)

CHANGES IN THIS VERSION:

Bug fix: If a user has created a File Repository folder that is Data Access Group restricted or User Role restricted, and then a user deletes the DAG or User Role to which the folder is restricted, the folder would mistakenly be deleted, after which all of the files in the folder would be automatically moved into the main top-level folder in the File Repository. This has now been changed so that if a folder is restricted to a User Role, the folder will no longer be deleted when the User Role is deleted, but the folder and its files will remain as not restricted to any role. And if the folder is restricted to a DAG, users will simply be unable to delete the DAG until all its DAG-restricted folders are deleted first. (Ticket #210829)

Bug fix: If a user is utilizing the "Upload users (CSV)" method to update user privileges on the User Rights page, in which a user is being assigned to a Data Access Group or is being removed from a DAG, the upload process would mistakenly not log the DAG assignment/removal on the Logging page. (Ticket #210831)

Bug fix: If a longitudinal project is in production, a normal user with Project Design privileges on the "Designate Instruments for My Events" page could possibly remove an Instrument-Event mapping (i.e., uncheck a disabled checkbox in the mappings table), which they are not allowed to do to projects in production, if they know how to manipulate the webpage in specific ways and then click the Save button.

Bug fix: When using the Calendar Sync feature, calendar events that do not have a time specified (but only a date) might reflect an incorrect start time and end time in some external calendar applications. (Ticket #211137)

Bug fix: When using an HTML5 video tag in user input text (e.g., field labels, survey instructions), in which the tag contains the "controls" attribute, the attribute would mistakenly be renamed to "cremoved" in the resulting HTML. (Ticket #211141)

Bug fix: For CDIS, fixed issues related to properly handling the absence of a valid FHIR access token, such as FHIR logs being saved with a “wrong format” error and also scenarios where the absence of a user ID caused unexpected behavior.

Bug fix: When using Multi-Language Management and exporting general settings as a file, the data entry form and survey active states would mistakenly be swapped in the export file. (Ticket #211172)

Bug fix: When a user is using the User Access Dashboard to delete or expire a user's access in a project, in some cases the action would mistakenly not get logged on the project's Logging page (although the action would be logged in the redcap_log_event database table, which might not be used by the project, thus making the logged event not accessible on the project's Logging page).

Bug fix: When using Missing Data Codes in a project, in which a Text field with field validation has the @nomissing action tag, users would be able to manually hand-enter Missing Data Codes into the Text field, even though the value entered failed the field validation.

Bug fix: When performing a data import that contains blank values for a Slider field, in which the import is set to allow blank values to overwrite existing saved values, the import process would mistakenly return an error message saying that the value must be an integer. It should instead not return any error message in this situation. (Ticket #211075)

Bug fix: When a user has an apostrophe in their username, and the user goes to create a new project, they may not be able to access the project they just created. (Ticket #210832)

Bug fix: The act of creating or editing an alert on the Alerts & Notifications page would get logged on the Logging page. However, the Logging page would represent the alert's "trigger_on_instrument_save_status" attribute incorrectly, displaying "any_status" when the alert is set to be triggered when an instrument is saved with Complete status only and as "complete_status_only" when set to be triggered on any form status. Note: The alert itself would be saved correctly, but the logged event for creating/editing the alert would merely be inaccurate. (Ticket #210832)

Bug fix: In some cases when an external module is being used, a fatal PHP error might occur for certain PHP versions. (Ticket #211611)

Bug fix: When a field variable is being piped or used in logic, and the field is prepended with the Smart Variable [first-event-name] or [last-event-name], in which the current context is a different instrument on which the field itself is located, the event field pair might result in a blank value or an incorrect value. (Ticket #210930)

Version 13.7.8 (released on 2023-07-28)

CHANGES IN THIS VERSION:

Bug fix: When using Twilio, it would mistakenly not send SMS messages to U.S. phone numbers with an 934 area code. (Ticket #90686b)

Bug fix: If the system-level setting "ENABLE FILE UPLOADING FOR THE FILE REPOSITORY MODULE" is set to "disabled", users would still be able to upload files into the File Repository in any project. Bug emerged in REDCap 13.1.0. (Ticket #210765)

Bug fix: The documentation for using reports as filters in Smart Charts, Smart Tables, or Smart Functions was confusing and has been updated for clarity. It notes now that when referencing a unique report name in Smart Charts, Smart Tables, or Smart Functions, no other filtering parameters can be used (e.g., DAGs, events) with the report filter and thus any other filters will be ignored. If users wish to additionally filter by DAGs and/or events, it is recommended that they add such filtering to the report itself by editing the report. The wizard on the Project Dashboard page has also been updated to reflect this.

Bug fix: When using the @Wordlimit or @charlimit action tag on a Text field, the first field on the page that uses either action tag might have its "X characters remaining" label or "X words remaining" label, respectively, duplicated multiple times below the field itself. (Ticket #208658)

Bug fix: The example Perl code in the API Playground for making Curl calls was outdated and would not run successfully for some users.

Bug fix: When using MyCap in a project, a blank Menu might be displayed for participants when using the MyCap mobile app, specifically for iOS devices.

Version 13.7.7 (released on 2023-07-21)

CHANGES IN THIS VERSION:

Major bug fix: When a user has File Repository user privileges in a project with the e-Consent Framework enabled on one or more instruments, the user would mistakenly be able to download the e-Consent PDF files stored in the PDF Survey Archive folder in the File Repository, even when the user does not explicitly have "Full Data Set" data export rights for the given instrument. In order to download the e-Consent PDFs, the user should have "Full Data Set" data export rights for the given instrument. (Ticket #210214)

Bug fix: Some MyCap-related pages that deal with PROMIS instruments (auto-scoring and adaptive) might mistakenly crash due to a fatal PHP error when using PHP 8.

Bug fix: If the Online Designer displays an error icon next to a MyCap-enabled instrument, it would allow the user to click the icon and attempt to try to fix the errors when the project is in production mode; however, it would fail to fix it and just re-display the error. Instead, it will now inform the user that errors exist but that they must put the project in draft mode first before they can fix the errors. (Ticket #210179)

Bug fix: When using Duo two-factor authentication, if the system is set to "Offline", it would mistakenly prevent administrators from successfully logging in via Duo 2FA. (Ticket #202197)

Bug fix: When a user is updating a language on the Multi-Language Management setup page, some import settings, such as the "Keep existing translations" option, would mistakenly not be honored during the language update process. (Ticket #210395)

Bug fix: In longitudinal projects with multiple arms, certain actions (such as deleting a record, renaming a record, and others) would mistakenly execute SQL queries that were not structured correctly and thus might make the database server unnecessarily slow due to long query times.

Bug fix: When using certain action tags on a field where the value on the right side of the equal sign in the action tag definition is not wrapped in single quotes or double quotes and additionally other annotation text follows after the action tag in the Field Annotation text (e.g. @charlimit=8 More text here), the action tag might not be interpreted successfully and thus might not get enforced. (Ticket #210175)

Bug fix: If a survey is using a system-level theme or a user-saved custom theme, the theme colors would mistakenly not get preserved in the Project XML file if a user exports the Project XML file and then creates a new project with it. (Ticket #210371)

Bug fix: When using the Data Resolution Workflow feature, if a user executes Data Quality rule H, fields that have been marked as "Verified data value" would mistakenly appear in the list of discrepancies (they should not appear there by default) and would not appear as "verified" in the DQ popup. (Ticket #209447)

Bug fix: Using an [X-event-name] Smart Variable in combination with an [X-instance] Smart Variable in logic, calculations, or piping might cause the evaluation of the logic/calc/piping not to be performed successfully. (Ticket #208887)

Bug fix: When using the Clinical Data Pull, the EHR Launch process might mistakenly fail. (Ticket #210523)

Bug fix: The CDIS messaging feature might mistakenly display the phrase “invalid date” where the date/time of the message should be.

Version 13.7.6 (released on 2023-07-14)

CHANGES IN THIS VERSION:

Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in the File Repository in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the filename of an uploaded file. The user must be logged in to REDCap and also must have File Repository privileges in the project in order to exploit this. (Ticket #210134)

Bug fix: When an instrument has an embedded field that is immediately followed by a piped field or by another embedded field (with no space between them), the field/value might mistakenly not be rendered in the exported PDF of that instrument. (Ticket #210165)

Bug fix: A fatal PHP error might occur related to specific CDIS processes.

Bug fix: A fatal PHP error might occur related to CDIS when performing the Standalone launch inside REDCap. (Ticket #209840)

Bug fix: When viewing the PDF Survey Archive files for the e-Consent Framework in the File Repository, if the system-level e-Consent setting "Capture the IP address..." is set to "Do NOT capture IP address", the table header in the File Repository would mistakenly say "IP Address" instead of "Identifier (Name, DOB"). (Ticket #209302)

Bug fix: When using the Control Center page to update the database tables to support full Unicode, in some situations the resulting SQL might mistakenly contain a double comma, which would result in SQL errors and prevent the process from completing successfully. (Ticket #209856)

Bug fix: When using Multi-Language Management and using the Right to Left (RTL) setting when there are multiple choice fields with horizontal alignment, the choices might not always display correctly. (Ticket #209612)

Bug fix: When taking a survey while using a mobile device, the page would auto-scroll unnecessarily after completing a multiple choice field that has one or more visible fields embedded inside it. In this case, the page should not auto-scroll when the field contains embedded fields. (Ticket #208523)

Bug fix: When a user selects the option "Remove all date and datetime fields" when exporting data, or if that option is automatically imposed upon the user due to having De-Identified data export rights, survey completion timestamp fields would mistakenly not be removed from the resulting data export file. (Ticket #208758)

Bug fix: When a project is in Analysis/Cleanup status and the current user does not have Project Design & Setup privileges, the Project Home page and Project Setup page would mistakenly display a "Modify" button in the yellow section at the top of the page describing if users can modify records or not. This button should only be displayed for users with Design rights. Clicking the button would not actually change anything though, so this issue is more of an aesthetic issue that could cause confusion. (Ticket #107257)

Bug fix: If an unclosed HTML comment (i.e, "<!--" without quotes) exists in user-defined text that is displayed on the page (e.g., field label, survey instructions, a piped value from a Text field), it would mistakenly cause the page content to be truncated, thus preventing the user from seeing any of the page after where the text is located. (Ticket #207897)

Bug fix: A missing LOINC code was added to the CDIS mapping features.

Bug fix: If the URL of another REDCap server exists in user-defined text that is displayed on the page (e.g., field label, survey instructions, a piped value from a Text field), the REDCap version number in the URL would mistakenly be replaced with the REDCap version number of the current server. It should never replace the REDCap version number in any URLs unless the URL corresponds to the current REDCap server. (Ticket #208528)

Bug fix: When using Twilio or Mosio for a survey implemented as an SMS conversation, Yes/No fields and True/False fields would not have their field labels rendered correctly in the conversation. Instead of their field label, it would display "No" or "False", respectively. (Ticket #209624)

Bug fix/change: The @DOWNLOAD-COUNT action tag documentation has been updated for clarity to explain that if a field with @DOWNLOAD-COUNT also utilizes @inline or @INLINE-PREVIEW and displays an inline PDF that has been uploaded, if a user downloads the file via the inline PDF controls (which are generated by the browser and not by REDCap), the download will not get properly counted via @DOWNLOAD-COUNT. This is to clarify that @DOWNLOAD-COUNT only works when users/participants click the file download link on the page. (Ticket #208354)

Bug fix: If an administrator does not specifically have "Modify system configuration pages" admin rights, the date field on the Cron Jobs page in the Control Center would mistakenly be disabled.

Bug fix: If an inline image was added to text on an instrument via the rich text editor and then the project was later copied, the image would display correctly on the data entry form in the project copy, but it would mistakenly not display when viewing the instrument as a survey in the project copy.

Bug fix: In certain scenarios, a couple fatal PHP errors might occur on survey pages when using PHP 8. (Ticket #210196)

Version 13.7.5 (released on 2023-07-07)

CHANGES IN THIS VERSION:

Bug fix: On certain occasions, the Control Center and/or Configuration Check page might mistakenly display the warning that "Some non-versioned files are outdated", which might be incorrect and a false positive.

Bug fix: A fatal PHP error might occur when using Duo for two-factor authentication.

Bug fix: A fatal PHP error might occur when attempting to send emails via the Email Users page, thus preventing the emails from being sent.

Bug fix: A fatal PHP error might occur related to CDIS when performing the EHR launch of the REDCap window inside the EHR user interface.

Version 13.7.4 (released on 2023-07-07)

CHANGES IN THIS VERSION:

Critical security fix: A Blind SQL Injection vulnerability was found on data entry forms and survey pages, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. This bug affects all known REDCap versions.

Critical security fix: A PHP Deserialization Remote Code Execution vulnerability was found in which a malicious user who is logged in could potentially exploit it by manipulating an HTTP request to a specific CDIS-related page while manipulating a certain CDIS-related cookie in a specific way. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists in REDCap 13.0.1 and higher.

Critical security fix: A Blind SQL Injection vulnerability was found when calling certain API methods, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by entering specially-crafted data into a Text field, changing the field to a File Upload field, and then calling the Delete File or Import File API method. This bug affects all known REDCap versions.

Major security fix: An SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks.

Major security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way on many pages that output user-defined text onto a REDCap webpage. This bug affects all versions of REDCap.

Bug fix: After unsuspending a user on the Browse Users page on the "View User List By Criteria" tab, the "Display only X users" drop-down would mistakenly get reset. (Ticket #208937)

Various PHP 8 related bug fixes related to CDIS.

Bug fix: A new Clinical Data Mart background process would not be scheduled if the current one was taking too long to complete.

Bug fix: PHP 8 related fix for the Data Import Tool. (Ticket #208086)

Bug fix: When using Multi-Language Management with the e-Consent Framework, some text on the e-Consent confirmation screen at the end of the survey was mistakenly not translatable.

Bug fix: When using Multi-Language Management, the language switcher and globe menu would not work on survey return pages when the survey is set up to show a logo and the option to "Hide survey title on survey page when display logo" is turned on. (Ticket #208961)

Bug fix: When using Multi-Language Management on a survey where Google reCAPTCHA is enabled, the Google reCAPTCHA text would mistakenly not be translatable. (Ticket #208797)

Bug fix: PHP 8 related issue on certain MyCap pages in project. (Ticket #208688)

Bug fix: In some situations, the survey page might mistakenly throw a fatal PHP error for PHP 8. (Ticket #208147)

Version 13.1.37 (released on 2023-07-07)

CHANGES IN THIS VERSION:

Critical security fix: A Blind SQL Injection vulnerability was found on data entry forms and survey pages, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. This bug affects all known REDCap versions.

Critical security fix: A PHP Deserialization Remote Code Execution vulnerability was found in which a malicious user who is logged in could potentially exploit it by manipulating an HTTP request to a specific CDIS-related page while manipulating a certain CDIS-related cookie in a specific way. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists in REDCap 13.0.1 and higher.

Critical security fix: A Blind SQL Injection vulnerability was found when calling certain API methods, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by entering specially-crafted data into a Text field, changing the field to a File Upload field, and then calling the Delete File or Import File API method. This bug affects all known REDCap versions.

Major security fix: An SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks.

Major security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way on many pages that output user-defined text onto a REDCap webpage. This bug affects all versions of REDCap.

Version 13.7.3 (released on 2023-06-28)

CHANGES IN THIS VERSION:

New LTS branch based off of REDCap 13.7.2 (Standard)

Version 13.1.36 (released on 2023-06-23)

CHANGES IN THIS VERSION:

Bug fix: The "Design Checker" for the Clinical Data Mart might mistakenly fail with an error when attempting to fix the structure of a CDM project. (Ticket #207348)

Bug fix: PHP 8 related fixes for CDIS functionality.

Bug fix: When exporting a Project Dashboard as a PDF, some parts of the page that should not be included in the PDF were included.

Bug fix: More compatibility fixes when using Epic Hyperdrive for CDIS in the context of EHR launches.

Bug fix: Related to CDIS, unnecessary steps were removed for the Smart on FHIR OAuth2 process.

Version 13.1.35 (released on 2023-06-08)

CHANGES IN THIS VERSION:

Bug fix: MyCap push notifications might mistakenly not work when using a proxy for the REDCap web server. (Ticket #207578)

Bug fix: When using Multi-Language Management, the “:value” piping modifier would not mistakenly not work when performing piping on MLM-enabled forms and surveys. (Ticket #207629)

Bug fix: When using date-based or time-based [survey-X] Smart Variables in conjunction with a [X-instance] Smart Variable while also using the ":value" modifier (e.g., [survey-time-completed:my_survey:value][last-instance]), a blank value might mistakenly be returned instead of the expected value. (Ticket #206098b)

Bug fix: When using the Copy Project feature and selecting to copy the reports in a project, the resulting new project's reports would mistakenly not have the same unique report names. The unique report names of the new project should be exactly the same as the original project. (Ticket #207248)

Bug fix: When piping a data value into the choice label of a multiple choice field on a repeating instrument, the correct data value might mistakenly not get piped correctly when viewing the choice label on a report or in a CSV Labels data export. (Ticket #207193)

Bug fix: When using the Calendar Sync feature, the calendar feed or export might mistakenly be off by one hour for cities in specific time zones. (#206585b)

Bug fix: When importing and exporting user rights or user roles via CSV files on the User Rights page, some user privilege categories (e.g. Alerts & Notifications) might mistakenly not be found in the downloaded CSV user rights/roles files. (Ticket #206747, #207132)

Bug fix: When selecting files in the File Repository and clicking the Move button, the "folder" drop-down list in the dialog would mistakenly display folders that have been deleted. (Ticket #207763)

Bug fix: When viewing multi-page inline PDFs on the e-Consent certification screen on surveys when using certain devices, such as iPads, only the first page of the PDF might be viewable on the webpage. An option is now displayed near the bottom of the e-Consent certification screen on surveys to allow the participant to download and view the PDF in another browser tab if they are using a device that does not support multi-page inline PDFs. (Ticket #205407)

Bug fix: When exporting a project or project data as CDISC ODM/Project XML, a fatal PHP error might occur when using PHP 8. (Ticket #78389)

Bug fix: When using Multi-Language Management, the error dialog displayed when a user enters an invalid choice for an auto-complete drop-down field was mistakenly not available for translation on the MLM setup page. (Ticket #207825)

Bug fix: When using CDIS, the project menu was not hidden in an EHR launch context.

Bug fix: When downloading a PDF of an instrument that contains a Descriptive Text field with an inline PDF attachment, in certain cases the inline PDF might overlap the next field below it when instead it should begin a new page right after the inline PDF. (Ticket #206391)

Bug fix: Piping Smart Variables or field variables into the Data Entry Trigger URL would mistakenly cause "span" HTML tags to be inserted into the URL.

Version 13.1.34 (released on 2023-06-02)

CHANGES IN THIS VERSION:

Bug fix: If a user does not have "Add/Edit/Organize Reports" privileges, "Report B" would mistakenly not appear for them on the "My Reports & Exports" page. (Ticket #206987)

Bug fix: A non-existent CDP-related CSS file would get called on the Online Designer page and thus would throw a silent 404 error in the browser console. (Ticket #207222)

Bug fix: When re-evaluating Alerts & Notifications, in which one or more alerts are recurring, the process might report an incorrect number of alerts that were removed/unscheduled during re-evaluation as a result of the alert's conditional logic no longer being True. This does not affect any behavior but only the count of alerts that were removed/unscheduled during the re-eval process. (Ticket #206980)

Bug fix: Data entry forms and survey pages might mistakenly crash due to a fatal PHP error in very specific scenarios when using PHP 8. (Ticket #207349)

Bug fix: On the MyCap-enabled project, the Online Designer might mistakenly crash due to a fatal PHP error in very specific scenarios when using PHP 8. (Ticket #207381)

Bug fix: In certain places throughout REDCap where the Logic Editor is used, when modifying the text in the editor, an error might appear saying "Odd number of single quotes exist" (or something similar) when apostrophes, quotes, parentheses, and some other characters are utilized in an "inline comment" (beginning with // or #) in the editor. (Ticket #207092)

Bug fix: When copying the MyCap generated invitation text, which would contain a REDCap version number in the URL of the QR code image, and pasting it onto a webpage in REDCap, such as in the survey completion text or in a field label, the QR code would mistakenly fail to load on the page if that older version of REDCap had been removed from the web server.

Version 13.1.33 (released on 2023-05-25)

CHANGES IN THIS VERSION:

Minor security fix: An SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks.

Major bug fix: If a REDCap user knows the report_id of a report from another REDCap project to which they do not have access, they could manipulate the URL of a report in one of their own projects by replacing the report_id in the URL with the other project's report_id and thus be able to view (but not export) all the data from the other project's report. Note: The user would not be able to access anything else from that other project though. Additionally, the user must be logged in and must have access to at least one project in order to exploit this issue. Bug emerged in REDCap 12.2.0. (Ticket #206894)

Bug fix: When using the Calendar Sync feature, the calendar feed or export might mistakenly be off by one hour for cities in specific time zones. (Ticket #204252, #206585)

Bug fix: If a field has been piped into the min or max validation range of a Text field, in which the piped field does not have a saved value yet, a user attempting to import data will mistakenly get an error stating that the field "should not be greater than the field maximum" or "less than the field minimum", which would thus prevent the user from importing the data. (Ticket #203219)

Bug fix: When a user attempts to place a production project into draft mode, it might mistakenly just reload the same page with no changes, thus preventing the project from being put in draft mode. This often occurs when multiple users are changing things in the Online Designer near the same time while in production. (Ticket #6346b)

Bug fix: Some project-level features in the Additional Customizations popup were mistakenly not being added to the Project XML file when exporting->importing a project. These include the following features: Enable the Data History popup, Display the Today/Now button, Prevent branching logic from hiding fields that have values, and Require a 'reason' when making changes to existing records. (Ticket #206575)

Bug fix: When uploading an Instrument Zip file that contains survey settings, in which the survey theme of the survey does not exist on the current REDCap server, the upload would hang and never finish. Now, if the survey theme does not exist on the current REDCap server, the default survey theme will be used instead. (Ticket #206167)

Bug fix: When viewing the REDCap Mobile App's "App Data Dumps" page and clicking the "Import Data from File" button for a specific data dump file, it would mistakenly throw a fatal PHP error on the page when using PHP 8. (Ticket #137777b)

Bug fix: Fixed compatibility issue when using Epic Hyperdrive for CDIS in the context of EHR launches. It addresses a known issue where the cookie samesite policy conflicts with Hyperdrive. By detecting the Hyperdrive user agent, REDCap disables the samesite policy, ensuring seamless integration and functionality.

Bug fix: CDIS-related processes might fail in specific cases due to PHP 8 incompatibility.

Bug fix: A missing LOINC code was added to the CDIS mapping features.

Bug fix: When deleting scheduled survey invitations on the Survey Invitation Log using the "Delete all selected" button, it might crash with a fatal PHP error if deleting only one participant at a time when using PHP 8.

Version 13.1.32 (released on 2023-05-19)

CHANGES IN THIS VERSION:

Major bug fix: When a participant completes the first page of a multi-page survey, it might mistakenly create a duplicate record that contains only the responses submitted on the first survey page. This does not affect single-page surveys. (Ticket #206613)

Major bug fix: When a participant clicks the “Save & Return Later” button on the first page of a multi-page public survey, and then returns to complete the survey later, it might mistakenly not update the original create but would instead create a duplicate record containing the values submitted on the last survey page. This does not affect single-page surveys. (Ticket #206623)

Version 13.1.31 (released on 2023-05-19)

CHANGES IN THIS VERSION:

Major bug fix: If a field is required and is embedded in the choice label of a multiple choice field on a multi-page survey, in which the field itself has branching logic and is also used in the branching logic or calculation of another field on a separate survey page, the field's value might mistakenly get erased when submitting a survey page where the field does not exist but where the field is used in a branching logic or calculation.

Bug fix: A JavaScript error would mistakenly get thrown on the survey page after clicking the Save button on a multi-page survey, which might cause some things not to work on the survey. (Ticket #206073)

Bug fix: If using Multi-Language Management, the translated choice labels for Yes/No and True/False fields would mistakenly not display correctly on the Codebook page. (Ticket #206001)

Bug fix: When using an [X-instance] Smart Variable with other survey-related Smart Variables while using PHP 8, it might cause a fatal PHP error if no repeating instances exist yet for the targeted repeating instrument/event. (Ticket #206098)

Bug fix: When creating or editing a report, pressing the Enter key while in any text input (e.g., the Value text box in Step 3) would mistakenly cause the "List of users with access" popup to display. (Ticket #204875)

Bug fix: When a non-REDCap user receives a Send-It download link via email for a REDCap installation that is using a directory-based authentication method (e.g., Shibboleth), the recipient would never be able to download the file because it would mistakenly always require them to log in as a REDCap user.

Bug fix: If using Multi-Language Management, the same field could mistakenly be embedded multiple times on the same page when embedded via MLM translations. (Ticket #206370)

Bug fix: If using Multi-Language Management, if a radio or checkbox field exists on an MLM-enabled survey that also has the Enhanced Choice survey option enabled, in which another field on the survey page is embedded inside one of that field’s choice labels, the field would not be successfully embedded on the page but would display an error message saying that that field has been embedded multiple times on the page, which is not true.

Bug fix: When downloading the Project XML file for a project, in some circumstances the process might fail with a fatal PHP error when using PHP 8. (Ticket #206404)

Bug fix: If a survey has "Save & Return Later" enabled and allows participants to return without needing a return code, but it does not allow them to return if the survey has already been completed, then in certain circumstances after a participant completes a public survey in this case, in which they have a unique survey link back to their response (e.g., from an email), they would mistakenly be allowed to modify their completed response. (Ticket #206154)

Version 13.1.30 (released on 2023-05-11)

CHANGES IN THIS VERSION:

Major security fix: A Cross-site Scripting (XSS) vulnerability was discovered in a file download process in which a malicious user could potentially exploit it by inserting HTML/XML tags and/or JavaScript in a very specific way into an SVG file that is then uploaded into a File Upload field or as a Descriptive Text field attachment, and then having a logged-in REDCap user attempt to download that file using a specially crafted URL. This bug affects all versions of REDCap.

Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way on many pages that output user-defined text onto a REDCap webpage. This bug affects all versions of REDCap.

Bug fix: When using MyCap, the MyCap “getStudyImages” API test would mistakenly fail if the project has been copied or created via Project XML upload, in which the images zip file was not getting stored in the back-end database.

Bug fix: When using Multi-Language Management, snapshots would be created for all projects when approving DRAFT mode, even when MLM was not in use (no languages). Now a snapshot is made only when MLM is active (not disabled) AND there is at least one language defined. Additionally, there was no automatic snapshot taken when projects are moved to production initially. Now a snapshot is taken automatically (same rules as for DRAFT).

Bug fix: When opening a data entry form or survey page in certain versions of iOS in Mobile Safari or in Internet Explorer, the page would never fully load due to a JavaScript error. This bug was supposedly fixed two versions earlier but mistakenly was not. (Ticket #202806b)

Bug fix: When utilizing the "Include PDF of completed survey as attachment" option in the Confirmation Email section on the Survey Settings page for a survey that is using the e-Consent Framework, the PDF consent form that is attached to the email would mistakenly not include the e-Consent Type in the filename of the PDF. It should have listed the e-Consent Type as part of the filename for the email attachment.

Bug fix: When performing randomization on a record, a JavaScript error might mistakenly occur, which would cause calculated fields on the current page not to be recalculated post-randomization. (Ticket #205428)

Bug fix: When using Multi-Language Management, the Survey Login page text might mistakenly not get translated. (Ticket #205427)

Bug fix: The DAG Switcher API method would mistakenly always return the message "ERROR: Invalid DAG" even when the API is being called correctly. Bug emerged in 13.1.27 LTS and 13.4.11 Standard. (Ticket #205557)

Version 13.1.29 (released on 2023-05-04)

CHANGES IN THIS VERSION:

Medium security fix: A Blind SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks. (Ticket #205078)

Medium security fix: A vulnerability was found in the "Save & Return Later" feature on survey pages, in which a malicious user could potentially exploit it by manipulating an HTTP request in a specially-crafted way that would allow them to email themselves the private survey link of another survey participant. If return codes are not required to return to the survey, using brute force methods the attacker might be able to view sensitive data that survey participants have entered. However, if return codes are required, then the attacker will not be able to view any survey responses. (Ticket #205081)

Major bug fix: When using Multi-Language Management and saving MLM translations on the MLM setup page, all Action Tag translations and all choice label translations for multiple choice fields would be permanently lost upon save. Bug emerged in the previous release. (Ticket #205076, #205146)

Bug fix: When downloading the Project XML file for a project, in some circumstances the process might fail with a fatal PHP error when using PHP 8. (Ticket #204965)

Bug fix: For CDIS-related FHIR calls specifically to Epic, the FHIR coding systems have been updated to reflect the Epic FEB23 update.

Version 13.1.28 (released on 2023-05-03)

CHANGES IN THIS VERSION:

Critical security fix: A Blind SQL Injection vulnerability was found on survey pages, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request to the survey end-point in a specially-crafted way.

Bug fix: When using the [form-link] or [survey-link] Smart Variable with Custom Text while also having the [new-instance] Smart Variable appended to it, it would mistakenly return a blank string instead of a survey link.

Bug fix: Fixed more issues related to error checking for the Imagick PHP extension check on the Configuration Check page.

Bug fix: When exporting a PDF of a survey response in some specific ways, it might mistakenly return the word "ERROR" instead of outputting the PDF. Bug emerged in REDCap 13.1.25. (Ticket #204340)

Bug fix: If some Smart Variables are used in a calculation or conditional logic, in which the evaluation of the calculation/logic results in a blank/empty string (i.e., after applying the current context and the current data during the logic evaluation process), an incorrect value might be returned from the calculation/logic. For example, this could cause calculated fields and Data Quality rule H not to function as expected. (Ticket #203945)

Bug fix: When using Multi-Language Management, fields on a data entry form that are piped on the page would mistakenly disappear from the page immediately after the form has loaded. (Ticket #204372)

Bug fix: When using Multi-Language Management, the Form Complete status field on data entry forms would mistakenly not change to the correct translated text when switching languages on the page while using iOS. (Ticket #203189b)

Bug fix: When opening a data entry form or survey page in certain versions of iOS in Mobile Safari or in Internet Explorer, the page would never fully load due to a JavaScript error. (Ticket #202806, #204332)

Bug fix: When a Survey Base URL is defined in the Control Center and a survey participant clicks the "Close survey" button after completing a survey, if the survey had been opened in the participant's browser from outside of REDCap, such as clicking a link in an email, in which the browser will not let the webpage close the tab but instead falls back to displaying the "You may now close this tab/window" message on the page, the participant would mistakenly not be taken to a URL beginning with the Survey Base URL but would instead be taken to the non-survey Base URL defined in the Control Center, which could be confusing to the participant. (Ticket #204422)

Bug fix: When attempting to upload Alerts & Notifications via CSV file, if the "email-to" field contains the value [survey-participant-email], REDCap would mistakenly return an error message saying the value isn't valid when it actually is. (Ticket #201256)

Bug fix: When using Multi-Language Management, in certain cases an error would occur when attempting to import MLM settings via CSV or JSON files, thus preventing the upload from completing.

Bug fix: If proxy server settings have been provided on the General Configuration page in the Control Center, those settings would mistakenly fail to be used by the internal MyCap API check on the MyCap Configuration Check page and thus could result in a false positive saying that issues exist.

Bug fix: When using Multi-Language Management and using the eConsent Framework, the footer of the eConsent PDF, when displayed at the end of a survey, would mistakenly not have its text translated by MLM. This issue was supposedly fixed in the previous version but mistakenly was not. (Ticket #204669)

Bug fix: The Share->Copy Link functionality might stop functioning for files in the File Repository if attempting to perform the functionality in a specific way more than once while on the page. (Ticket #204876)

Bug fix: When utilizing the "Include PDF of completed survey as attachment" option in the Confirmation Email section on the Survey Settings page for a survey that is using the e-Consent Framework, the PDF consent form that is attached to the email would mistakenly have REDCap's back-end stored filename as the PDF filename rather than the intended user-friendly version of the filename. Additionally, the consent PDF was mistakenly not listed by name in the logged details of the event on the Logging page.

Version 13.1.27 (released on 2023-04-27)

CHANGES IN THIS VERSION:

Critical security fix: A PHP Deserialization Remote Code Execution vulnerability was found in which a malicious user who is not logged in could potentially exploit it by manipulating an HTTP request to a survey page while uploading a specially crafted file. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists only in the following REDCap versions: LTS 13.1.11 through 13.1.26 and Standard Release 13.3.0 through 13.4.10.

Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in a file download process in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way into an HTML file that is then uploaded into a File Upload field or as a Descriptive Text field attachment, and then having a logged-in REDCap user attempt to download that file using a specially crafted URL.

Major bug fix: Partially completed one-page surveys might mistakenly behave as if the participant has not started the survey if they return to the partially completed survey after having entered some data. (Ticket #204003)

Major bug fix: When a survey participant opens a public survey under certain conditions, such as when multiple participants are using the same device, the survey page (and/or subsequent pages) might mistakenly get populated with the previous participant's responses, thus allowing participants to see data they should not. This fix reverts functionality from Ticket #142376 (from REDCap 13.4.3 Standard and 13.1.19 LTS) that attempted to gracefully recover a participant's session if they used their browser's BACK button on a survey as a means of returning to a previous survey page. (Ticket #204164)

Bug fix: When publishing a MyCap configuration in a project, some chart fields might not get stored correctly in the config and thus might affect participants using the MyCap mobile app on iOS.

Bug fix: When using Multi-Language Management, the @LANGUAGE-FORCE action tag (if being used on a field) would mistakenly not work as expected.

Bug fix: When using DUO as an option for two-factor authentication, the 2FA process would mistakenly redirect users to the REDCap home page after a successful login rather than redirecting them to the current page they were originally on. (Ticket #203337)

Bug fix: The “Field Finder” on the Codebook page might mistakenly display some HTML in the search results if the user begins the search with the letter “c”.

Bug fix: When using Duo two-factor authentication, the REDCap login page might mistakenly be blank when using Mobile Safari on an iOS device. (Ticket #203626)

Bug fix: When using Multi-Language Management and using the eConsent Framework, the footer of the eConsent PDF, when displayed at the end of a survey, would mistakenly not have its text translated by MLM.

Bug fix: Fixed issues related to error checking for the Imagick PHP extension check on the Configuration Check page. (Ticket #203313b)

Bug fix: Requests to the survey end-point that contained "__passthru" and "route" in the URL would mistakenly not get logged in the redcap_log_view table.

Bug fix: When using Multi-Language Management, some browsers might attempt to auto-translate part of the webpage when viewing a page translated via MLM. Such a browser action will now be prevented in order to allow the form or survey to be viewed exactly how the user intended. (Ticket #203925)

Bug fix: When viewing a Public Project Dashboard on PHP 8, the page might mistakenly crash due to a fatal PHP error. (Ticket #203634)

Bug fix: Fixed an issue with the setting related to the use of email addresses in a CDIS project, in which it was causing the email addresses not to be fetched from the EHR.

Bug fix: During the MyCap EM to REDCap migration process, the migration popup was displaying the wrong "number of tasks" if there are any inadequately-enabled tasks on the EM side.

Bug fix: If the unique group name of a Data Access Group happens to be an integer and also happens to be the same value as the Group ID number of another DAG in the same project, users would mistakenly not be able to utilize the DAG Switcher if they attempt to move in and out of the DAG whose Group ID number matches the unique group name of another DAG. (Ticket #204033)

Bug fix: When using "&new" in a survey URL of a repeating survey, in which the URL also contains extra URL parameters for the purpose of survey pre-filling, those extra parameters would mistakenly be lost and thus will not be pre-filled after redirecting the participant to a not-yet-created repeating survey instance. (Ticket #204113)

Bug fix: When using Multi-Language Management, some browsers might attempt to display a popup to ask the user if the page should be auto-translated by the browser. In the previous version, the auto-translate action is now prevented, but this new fix now prevents the translation popup from displaying altogether in order to reduce confusion for users/participants when using MLM. (Ticket #203925b)

Bug fix: If the dates used together in a datediff() function or in a @CALCDATE action tag do not have the same date format, the resulting error message would mistakenly mention "Since the DATEFORMAT parameter was not provided as the fourth parameter in the equation, 'ymd' format was assumed". The date format parameter is a legacy feature and is no longer used or needed, so that specific part of the error message has been removed in these cases. (Ticket #204213)

Version 13.1.26 (released on 2023-04-20)

CHANGES IN THIS VERSION:

Major bug fix: When copying a project and all its records, any fields that have no action tags (i.e., have nothing in the Field Annotation) would mistakenly have their value converted into a MyCap participant code for all records/events. Additionally, some repeating instance data might get orphaned or not get copied over correctly. (Ticket #203436)

Bug fix: The MyCap mobile app might mistakenly crash in certain situations on the About page if the About page’s image for the app is stored incorrectly in the project’s MyCap configuration.

Bug fix: The Control Center's Configuration Check page might mistakenly display an incorrect message that the Imagick PHP extension is not installed correctly when in fact the issue was that Ghostscript was not installed correctly on the server. (Ticket #203313)

Version 13.1.25 (released on 2023-04-19)

CHANGES IN THIS VERSION:

Critical security fix: Two different Remote Code Execution vulnerabilities were found in the process whereby files are uploaded via File Upload fields and via the Data Import Tool, in which a malicious user could potentially exploit it by manipulating an HTTP request while uploading a specially crafted file on the Data Import Tool page, on a data entry form, or on a survey page. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. These vulnerabilities exist in all versions of REDCap.

Critical security fix: An Insecure Direct Object References (IDOR) vulnerability was found, in which a malicious user could potentially exploit it by manipulating an HTTP request in a specially crafted manner on a survey page. This could allow the attacker to export PDFs containing data of individual survey participants (potentially containing sensitive/private information). Any valid survey link (including a public survey link) could be used and manipulated in order to export a PDF containing data for any record within the project to which the survey link belongs.

Major security fix: A Blind SQL Injection vulnerability was found on the Alerts & Notifications page, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page or indirectly via the survey page.

Medium security fix: A Path Traversal vulnerability was found in a specific endpoint relating to the Clinical Data Pull feature, in which a malicious user could potentially exploit it by manipulating an HTTP request on a specific CDP page.

Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by entering an HTML "iframe" tag in a carefully crafted manner into the value of a text field on a form or survey. Additionally, that text field's value must be piped to another place on that same page in order to exploit it. This bug exists in all versions of REDCap, both LTS and Standard Release.

Bug fix: The warning popup that is displayed when a user attempts to download a data dictionary when one or more of the instruments in the project have been imported from the REDCap Shared Library, in which the user must first agree to the Shared Library's Terms of Use, was mistakenly not being displayed when users also perform the following other relevant actions: download an instrument zip file, download a Project XML file, or copy the project.

Bug fix: Long-running CDIS-related cron jobs might mistakenly prevent External Module cron jobs from running at their expected interval.

Bug fix: When two administrators are viewing the Multi-Language Management page in the Control Center at the same time, the second person to navigate there will not be able to view the page while the first person is still viewing it due to a fatal PHP crash. Bug emerged in the previous version. (Ticket #202782)

Bug fix: When using the "Compare" feature for data dictionaries and/or snapshots on the Project Revision History page, on certain occasions it would not perform the comparison correctly and thus would display incorrect results.

Bug fix: Due to various API changes in the third-party web service used by the Field Bank feature, the Field Bank would no longer return any results if a user searched for a field in the Field Bank dialog in the Online Designer. This affects REDCap versions 10.7.0 and higher.

Bug fix: When copying a MyCap-enabled project that contains records, in which the records are also being copied, the process would fail to copy the records into the MyCap Participant List in the new project. The records would get copied correctly but mistakenly not added to the MyCap Participant List.

Bug fix: If the two authentication settings "Number of failed login attempts..." and "Amount of time user will be locked out after having failed login attempts..." on the Security & Authentication page somehow have non-integer values, it could cause the REDCap login page to crash with a fatal PHP error when using PHP 8. (Ticket #202976)

Bug fix: After renaming a record in a longitudinal project and using the Form Display Logic feature, the Record Home Page might mistakenly give a fatal PHP error when using PHP 8. (Ticket #203014)

Bug fix: When using Multi-Language Management on form or survey, the choice label from radio button fields that are inside a matrix would fail to pipe successfully if on the page. (Ticket #201392)

Bug fix: CDIS-related bug that could cause issues when refreshing a user’s FHIR access token, in which the format of the date used to check for expiration was wrong.

Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code "986" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it. (Ticket #203044)

Bug fix: When clicking any of the table headers for the project list table on the My Projects page, it would mistakenly hide all the projects in the list except for those in the "Unorganized Projects" folder. Additionally, if any project folders were previously open, the user would find that all project folders had been closed after reloading the page. (Ticket #203046)

Bug fix: The login page for "Shibboleth & Table-based" authentication might mistakenly display both the Shib and Table-based login options under the Shib login tabs when using more than one Shibboleth login option. Bug emerged in REDCap 13.4.0. (Ticket #200919b)

Bug fix: When using Multi-Language Management, the @LANGUAGE-FORCE action tag might not work as intended under specific conditions. (Ticket #202553)

Bug fix: When using an [aggregate-X] Smart Variable in a calculation or any kind of conditional logic or branching logic, in which the value returned for the [aggregate-X] Smart Variable is greater than "999", the logic might mistakenly not function as expected. (Ticket #203063)

Bug fix: When using Multi-Language Management on a data entry form, the MLM language switcher drop-down displayed on the form might mistakenly be obscured and/or not visible while using certain iOS devices. (Ticket #203189)

Bug fix: The link to the Training Videos on the login page would be incorrect in some situations. (Ticket #203245)

Bug fix: When an adaptive or auto-scoring survey that has been downloaded from the REDCap Shared Library is not the first instrument in the project and is set to "Redirect to a URL" on the Survey Settings page, the survey participant would mistakenly not be redirected to the defined URL after completing the survey. (Ticket #203316)

Version 13.1.24 (released on 2023-04-12)

CHANGES IN THIS VERSION:

Bug fix: Several missing LOINC codes were added to the CDIS mapping features.

Bug fix: A CDIS-related database query could throw a fatal error when computing information for a DataMart revision.

Bug fix: When using MyCap, records might not appear in the MyCap Participant List if they were created while the MyCap feature was disabled in the project, after which MyCap was later enabled. (Ticket #202374)

Bug fix: The "Auto-fill Form" link for administrators to use on forms and surveys would mistakenly insert the wrong value for specific field validations, such as Number (1 decimal place), Number (comma as decimal), and other number types. (Ticket #202401)

Bug fix: When loading the first page of a multi-page public survey, in which no records exist in the project yet, the survey page might display a "REDCap crashed" error when running PHP 8. (Ticket #202648)

Bug fix: When downloading a PDF of an instrument that contains a Descriptive Text field with an inline PDF attachment, in certain cases an extra empty page might appear in the resulting PDF right before where the inline PDF is rendered. (Ticket #202598)

Bug fix: When using the Smart Variable [stats-table] and limiting its data via appending a unique report name, in which the report itself returns zero results, the stats table would mistakenly display statistics for all records in the project. (Ticket #201751)

Version 13.1.23 (released on 2023-04-07)

CHANGES IN THIS VERSION:

Bug fix: If the REDCap database table structure has utf8mb4 collation while REDCap’s database connection is configured to use utf8[mb3], both the db_character_set and db_collation values in the redcap_config database table will be modified to ensure that the character set is aligned. This fix will occur during the upgrade process and will also be added to the Unicode Transformation page.

Bug fix: When piping a field variable that has an [X-event-name] Smart Variable prepended to it while also having an [X-instance] Smart Variable appended to it, it might mistakenly return a blank value rather than piping the correct value. (Ticket #142932)

Bug fix: When a @CALCTEXT field contains an if() function that has a plus sign ( ) inside of single quotes or double quotes, the resulting text would mistakenly have the text "*1 1*" replacing every plus sign. This would occur when viewing a @CALCTEXT field on a data entry form or survey but not via server-side calculation methods, such as Data Quality rule H. (Ticket #141653)

Bug fix: If using Multi-Language Management, the @LANGUAGE-CURRENT-FORM action tag was working on (completed) surveys viewed on data entry pages, which should never have been the case.

Version 13.1.22 (released on 2023-04-03)

CHANGES IN THIS VERSION:

Major bug fix: Reverted the bug fix in Ticket #142759, which sought to provide server-side checking to prevent @READONLY fields from having their data values modified through the client side (e.g. JavaScript). This has been reverted because there appear to be too many scenarios in which this server-side checking was blocking legitimate data entry and thus some data was not getting saved properly. Most of these scenarios occurred when using certain action tags together with @READONLY, as described in Ticket #202226 (i.e., @CALCTEXT, @CALCDATE, @DEFAULT, @SETVALUE), but other scenarios, such as when performing survey pre-filling (via URL parameters or via POST requests) for @READONLY fields, could not easily be incorporated into the server-side checking. Therefore, the server-side checking for @READONLY fields (added to REDCap 13.1.20 LTS and 13.4.4 Standard) has been removed/reverted because it was preventing legitimate data entry on forms and surveys in various scenarios.

Version 13.1.21 (released on 2023-04-01)

CHANGES IN THIS VERSION:

Major bug fix: Opening a data entry form when using PHP 8 would crash the page with a fatal PHP error on certain occasions. Bug emerged in the previous version.

Version 13.1.20 (released on 2023-03-31)

CHANGES IN THIS VERSION:

Bug fix: If using MySQL 8 for the REDCap database, admins might see false positives for the database structure check in the Control Center, in which it might mistakenly say “Your Database Structure is Incorrect” when it is actually correct. Bug emerged in the previous version. (Ticket #202144)

Bug fix: Fields that have a @READONLY action tag could have their data value modified on a survey page or data entry form by manipulating the webpage via JavaScript or via the web browser's developer console. (Ticket #142759)

Version 13.1.19 (released on 2023-03-31)

CHANGES IN THIS VERSION:

Major bug fix: If a user calls the "Export Records" API method and explicitly provides the "fields" API parameter as a comma-delimited text string (instead of an array), the API might mistakenly export the data for all project fields, including data for fields for which the API user does not have data export rights. (Ticket #200812)

Bug fix: When following the directions on the page "Updating your REDCap Database Tables to support full Unicode", the process might mistakenly fail due to certain MySQL/MariaDB errors occurring when attempting to convert certain characters to utf8mb4 via the UPDATE queries provided on the page. If you have attempted to use this page previously and had to stop due to these errors, then after upgrading, we recommend you try it again using the new SQL provided on that page.

Bug fix: Small fixes for the page "Updating your REDCap Database Tables to support full Unicode".

Bug fix: Custom Survey Queue Text might mistakenly have many unnecessary line breaks, thus causing the text to have large, empty gaps. (Ticket #201330)

Bug fix: When user privileges are edited or when users are added to a project via the CSV file upload on the User Rights page, it would mistakenly not log the individual events of each user being edited or added, respectively. (Ticket #200514)

Bug fix: When the survey expiration date is saved in YMD date format on the first save of the Survey Settings page, the date format is corrupted and not saved correctly. (Ticket #201743)

Bug fix: If a participant is taking a multi-page public survey and uses their browser’s Back button to go back to the first survey page, then then afterward continues forward again on the survey, it would mistakenly create a duplicate response/record in the project (Ticket #142376)

Bug fix: Vertically-aligned checkboxes (and some other elements as well) might not display correctly (or might be invisible) on survey pages while using an RTL (right-to-left) translated language via Multi-Language Management. (Ticket #201476, #200785)

Bug fix: When taking an adaptive or auto-scoring survey that was imported from the REDCap Shared Library while the Survey Queue is being utilized, the Survey Queue might mistakenly fail to be displayed at the end of the survey or (if using auto-start) the next survey in the queue would fail to begin automatically. (Ticket #201816)

Bug fix: When taking an adaptive or auto-scoring survey that was imported from the REDCap Shared Library while the Survey Queue is being utilized, clicking the Survey Queue icon at the top right of the survey page might mistakenly not display the Survey Queue.

Bug fix: If an alert is set to be triggered during a data import, in which it will send an alert for each new repeating instance of a repeating instrument, the alert would mistakenly fail to get triggered if the imported value of the "redcap_repeat_instance" field is literally "new" rather than an integer. (Ticket #200445)

Bug fix: If the record ID field has any kind of field validation, the validation would mistakenly fail to be enforced when renaming the record on the Record Home Page. (Ticket #200101)

Bug fix: The "Save & Mark Survey as Complete" button on data entry forms might mistakenly be displayed in situations in which it should not. (Ticket #142863)

Bug fix: The process that checks for errors in the REDCap database structure might have reported false positives if REDCap is running on newer MariaDB versions (10.3.37 , 10.4.27 , 10.5.18 , 10.6.11 , 10.7.7 , 10.8.6 , 10.9.4 , 10.10.2 , 10.11.0 ), in which the “SHOW CREATE TABLE” query in these newer MariaDB versions excludes a column's charset and collation if the column matches the default charset/collation of the table.

Bug fix: When creating a new project via the MyCap project template, the project creation process would mistakenly update the baseline date setting configuration before updating the project configuration, thus causing some things to be out of sync with regard to MyCap settings in the project in certain cases.

Bug fix: The user privilege for "Alert & Notifications" was mistakenly not getting copied for project users when using the "Copy Project" feature while electing to copy the current users into the new project. This issue was supposedly fixed in the previous version but mistakenly was not. (Ticket #201585)

Bug fix: When using an ontology service (e.g., BioPortal) on a Text field, the cron job that sends Alerts and Automated Survey Invitations might mistakenly crash with a fatal PHP error if the field's value is piped into the email body of the Alert or ASI. (Ticket #201928)

Bug fix: When uploading a CDISC ODM XML file of data on the Data Import Tool page, in certain situations while using PHP 8, the page could crash with a fatal PHP 8 error. (Ticket #200728)

CDIS-related bug fixes:

Resolved an issue where an error during FHIR authentication prevented the complete log from being displayed.

Fixed a bug where fhir_identity_provider, a CDIS setting, was not given proper priority during the FHIR authentication process.

Addressed a bug where the "next" page of a bundle containing too many entries could have no reference to the FHIR resource, resulting in a logging error.

Bug fix: When composing an invitation for a repeating survey on the Participant List page, the Compose Invitations dialog would mistakenly pre-check the checkbox of participants in the dialog's participant list in which the participant row represents a placeholder for a not-yet-existing repeating instance of the survey. In this case, users might not wish to send an invitation to these placeholders, but they exist there in the participant list just in case they do wish to invite them. So leaving them pre-checked when the Compose dialog opens could cause users to mistakenly send another repeating survey invitation to the participant when the user did not intend to do that.

Bug fix: When two users are simultaneously on the same data entry form in a project about to create a new record, in which both users have been assigned the same tentative record name prior to the record being created, if the second user to click Submit is also locking the instrument, the second user's record would skip a number in the record creation sequence (e.g., user 1 creates record "101" while user 2 creates "103" instead of "102") while also mistakenly not locking the second user's new record. (Ticket #201814)

Bug fix: When a repeating instrument for a record has an instance 2 but not an instance 1 saved, the left-hand instrument menu might mistakenly display a gray status icon for the repeating instrument (as if no instances exist) when viewing other instruments within the record. (Ticket #202054)

Version 13.1.18 (released on 2023-03-24)

CHANGES IN THIS VERSION:

Major bug fix: When appending "&new" to the end of a survey URL for a repeating survey, it would mistakenly not redirect to the next not-yet-created repeating instance of the survey but would instead display the message that the survey had been completed.

Bug fix: When using Duo two-factor authentication, REDCap would mistakenly not honor when a user checked the checkbox to not prompt for the MFA login again for 7 days. (Ticket #201444)

Bug fix: When clicking the Check All button on the Email Users page in the Control Center, if some text had been entered into the Search filter beforehand, every user would mistakenly be selected rather than just the visible users in the table. This could cause the email to go to all users instead of just specific ones.

Bug fix: When the REDCap API has been disabled at the system level, the Tableau Export option on the "Other Export Options" page would mistakenly still appear. (Ticket #200248)

Bug fix: When copying a project or creating a project from a template, the creator of the project would mistakenly not have "Alerts & Notifications" privileges. (Ticket #201585)

Version 13.1.17 (released on 2023-03-24)

CHANGES IN THIS VERSION:

Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered on survey pages in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way into the survey URL in order to pre-fill a Text field on the page, in which the field must have the @DEFAULT action tag and must also be piped somewhere on the current page. (Ticket #201503)

Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in the File Repository in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the “comment” text of an uploaded file. (Ticket #200457)

Bug fix: The survey auto-continue feature might mistakenly not work with PROMIS computer adaptive test (CAT) surveys but instead would just display the text "Thank you for your interest, but you have already completed this survey". (Ticket #200757, #200621)

Bug fix: When using Multi-Language Management, the proper language would not get used for the e-Consent PDF in certain situations (Ticket #200944).

Bug fix: When using Multi-Language Management, the survey acknowledgement page might not show the appropriate language.

Bug fix: When a PDF file is attached to a Descriptive Text field and is set to display inline, it might not always get positioned in the correct place in the resulting PDF that is generated.

Bug fix: When a PDF file is attached to a Descriptive Text field and is set to display inline, the inline PDF might be displayed with too low a resolution inside the resulting PDF that is generated. Its resolution has been increased from 120 DPI to 200 DPI to make it more readable. (Ticket #200582)

Bug fix: When a PDF file is attached to a Descriptive Text field and is set to display inline, the inline PDF might mistakenly be too large for the page and might run off the page if more than one or two lines of text exist for the Descriptive Text field's field label. The resulting PDF that is generated will instead begin the inline PDF on a new page by itself in this scenario. (Ticket #200582b)

Bug fix: Small tweaks and fixes for the page "Updating your REDCap Database Tables to support full Unicode".

Bug fix: Piping in a survey's Survey Completion Text would always fail to work. (Ticket #200909)

Bug fix: In some situations, a required field that is embedded inside another required field hidden by branching logic might mistakenly not be able to have its value removed when a user deletes the value and then clicks Save on a survey or data entry form. The value would reappear again if the page was reloaded.

Bug fix: In some rare scenarios when a participant submits the first page of a public survey, the page might result in a "too many redirects" error, thus preventing the user from completing the survey. (Ticket #200351)

Bug fix: When composing a survey invitation, in which the Smart Variable [survey-link:instrument] or [survey-url:instrument] is used (i.e., with an instrument name) inside the body of the invitation, the dialog titled "Invitation text is missing [survey-link] variable" would mistakenly appear when it should not. (Ticket #200914)

Bug fix: When submitting the first page of a public survey, in which an MDY or DMY formatted date/datetime field was submitted, the survey might mistakenly display the "invalid values entered!" dialog saying that the field's submitted value was incorrect, which is not true.

Bug fix: Several missing LOINC codes were added to the CDIS mapping features.

Bug fix: Fixed typo in Multi-Language Management logEvent() method. This does not seem to affect anything though.

Bug fix: When embedding a matrix field and using the ":icons" notation, the balloon and history icons would mistakenly not be displayed for the embedded matrix field.

Bug fix: If a horizontally-aligned checkbox is embedded inside the choice label of another checkbox that is vertically-aligned, the first checkbox of the embedded field might mistakenly not be visible. (Ticket #201393)

Version 13.1.16 (released on 2023-03-10)

CHANGES IN THIS VERSION:

Major bug fix: If the Automatic Upgrade (blue button on the Upgrade page), Easy Upgrade, and/or Auto-Fix options are available in your REDCap installation (regardless of whether you have actually used those options or not), it could be possible for someone that is not logged in to REDCap to directly access the upgrade page of an older version sitting on the web server (e.g., https://.../redcap_v11.1.0/upgrade.php) and click the blue Upgrade button for the Automatic Upgrade, which would mistakenly revert the system back to that version. Note: Doing this would not run any other SQL but only the few queries that change the "redcap_version" in the redcap_config database table (and a couple of other minor things). If either the Automatic Upgrade or Easy Upgrade option is available on your system, then it is recommended that you additionally go and remove EVERY ugprade.php file that exists inside all previous REDCap version folders. This is just a one time thing, and is not necessary to do in the future. (Ticket #200338)

Change: Replaced all hard-coded links to REDCap Community pages to point to the new REDCap Community website hosted on the Vanderbilt REDCap server. Previous links pointed to the old AnswerHub site.

Bug fix/change: Inline PDF attachments on Description Text fields were mistakenly not being rendered as inline in PDF exports.

Last year when the inline PDF feature was added for attachments on Description Text fields, in which in previous REDCap versions only images could be displayed as an inline attachment on the web page and in the exported PDF file, the feature was mistakenly not fully implemented because the PDF attachment was not rendered inline inside the resulting exported PDF file for a form or survey. To fix this, any PDF attachments that are set to be displayed as inline on a Descriptive Text field will now correctly be rendered as inline in the PDF of the form/survey in order to be consistent with how inline images have always been treated in PDFs.

Additionally, the ImageMagick PHP extension is required for this fix to work. It is a common but not universal PHP extension. A new check has been added to the Configuration Check page to detect if this extension has been enabled on the REDCap web server, and if not, the page will provide a link with instructions for installing it, if desired.

NOTE: If administrators wish to disable this setting so that inline PDF attachments are not rendered as inline inside the PDF files, they may disable this functionality at the system level on the Modules/Services Configuration page in the Control Center.

Bug fix: When the min or max validation range of a date- or number-formatted Text field contains certain Smart Variables, the min/max range check might mistakenly not work on a form or survey due to a JavaScript error. (Ticket #143298)

Bug fix: When a user deletes all the data in a single event for a record (in the UI or via the API), the resulting logged event seen on the Logging page would mistakenly note that it happened to the first event instead of to the specified event.

Bug fix: When the Record ID field has the @HIDDEN-PDF action tag, the field would mistakenly not get hidden in the downloaded PDF when clicking the PDF option "This data entry from with saved data (via browser's Save as PDF)" while on a data entry form. (Ticket #111718b)

Bug fix: While the ability of individual projects to have their own authentication method was removed in REDCap 13.1.2, this setting was mistakenly not removed from the Edit Project Settings page (in which changing its value on that page does nothing to affect anything). (Ticket #200379)

Bug fix: When copying a MyCap-enabled project, it would mistakenly copy the MyCap tasks into the new project, even when the MyCap copy option is not checked.

Bug fix: When migrating a project using the MyCap external module to begin using the native MyCap feature, the migration process might mistakenly not process certain MyCap tasks correctly that were not adequately enabled in the MyCap EM.

Bug fix: The Smart Variables [survey-time-started], [survey-date-started], [survey-time-completed], [survey-date-completed], [survey-duration], [survey-duration-completed] might mistakenly return the value for record "1" in a project (if record "1" exists) when these Smart Variables are used in a calculated field, @CALCTEXT field, or branching logic on the first page of a public survey. These would, however, work correctly if used in a field label, choice label, etc., if used on a non-public survey, or if used on survey page 2 or higher of a public survey.

Version 13.1.15 (released on 2023-03-03)

CHANGES IN THIS VERSION:

Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in the @CALCTEXT action tag in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the text of the @CALCTEXT action tag.

Minor security fix: An SQL Injection vulnerability was found on the Database Activity Monitor page, in which a malicious user could potentially exploit it by manipulating an HTTP request on another page while an administrator views the Database Activity Monitor page.

Bug fix: Several missing LOINC codes were added to the CDIS mapping features.

Bug fix: When REDCap is sending a confirmation email to a survey participant after completing a survey, it might mistakenly cause a fatal PHP error on the page. (Ticket #143145)

Bug fix: When piping a File Upload field with “:link” or “:inline” in the body of outgoing emails (e.g., alerts, ASIs), the piping would mistakenly not be successful under certain circumstances. (Ticket #143158)

Bug fix: The Stats & Charts page might mistakenly crash in certain situations due to a fatal PHP error when using PHP 8. (Ticket #143019b)

Bug fix: When using Multi-Language Management, in which an Automated Survey Invitation has been translated, the ASI might mistakenly not be sent in the desired language when there are conflicting things (or none) dictating what the language should be for the ASI. To prevent this issue regarding language ambiguity in ASIs, a new MLM setting had to be added to allow users to define the language source of a given ASI at the survey level (but not at the survey-event level), in which users may choose the “Language preference field” or “User's or survey respondent's active language” as the ASI Language Source on the MLM setup page. (Ticket #143119)

Bug fix: When using Multi-Language Management, in which an Automated Survey Invitation has been translated, the ASI might mistakenly be sent out in the fallback language in some cases. (Ticket #143119b)

Bug fix: Any HTML tags used inside the equation of a @CALTEXT field would mistakenly not display correctly in the View Equation popup on data entry forms. (Ticket #143228)

Bug fix: An issue specific to PHP 8.1 might cause some features of the Clinical Data Mart to crash with a fatal PHP error.

Bug fix: Large configurations for Multi-Language Management might mistakenly get truncated in the database when saved. The configuration columns in the MLM database tables were increased to handle this. (Ticket #143355)

Bug fix: The embedded PDF on the e-Consent certification page of a survey with the e-Consent Framework enabled would mistakenly look squished (have incorrect dimensions) when taking the survey on an iPad. (Ticket #143212)

Bug fix: In some cases after a participant has completed a survey, if they return to the survey using a private survey link (i.e., not a public survey link) while the survey has "Save & Return Later" disabled, the participant might mistakenly be allowed to modify the existing survey response. (Ticket #143400)

Version 13.1.14 (released on 2023-02-24)

CHANGES IN THIS VERSION:

Major bug fix: On public surveys where the participant fails to enter a value for a required field on the first page of the survey, in which the survey page has dozens or hundreds of fields, the survey page might mistakenly crash with an HTTP 414 error (URL Too Long) after being submitted, thus preventing the participant from completing the survey. Bug emerged in REDCap 13.1.11 (LTS) and 13.3.0 (Standard). (Ticket #142829)

Bug fix: The Azure AD (V1) authentication was mistakenly displaying “samAccountName” as an option to use for “AD attribute to use for REDCap username” when instead it should have been using “onPremisesSamAccountName”. (Ticket #134789)

Bug fix: When re-evaluating an Automated Survey Invitation for a repeating survey that has been set up with a repeating ASI, the re-evaluation process might report that some invitations were scheduled when they were not.

Bug fix: In some cases, images that were added via the rich text editor to a project dashboard, to custom text on a report, or to survey components (instructions, questions, etc.) would mistakenly not display on the public version of the dashboard, on a public report, or on the survey, respectively, unless the person viewing it was currently logged in as a REDCap user. (Ticket #142302)

Bug fix: If Automated Survey Invitations have been set up for a survey, in which some invitations have already been scheduled for a record, if the survey instrument gets marked as "Complete" via normal save operations on the data entry form (with the exception of clicking the "Save & Mark Survey as Complete" button), the scheduled invitations would mistakenly get automatically deleted. They should only get deleted if the survey has been completed via the survey page or by a user clicking the "Save & Mark Survey as Complete" button on the data entry form. Bug emerged in REDCap 9.3.7. (Ticket #142989)

Bug fix: When creating a Table-based authentication user or when adding a user to a project, if the username that was entered contained illegal characters, the error message would fail to note that the @ symbol is allowed in usernames. (Ticket #142999)

Bug fix: The Stats & Charts page might mistakenly crash in certain situations due to a fatal PHP error when using PHP 8. (Ticket #143019)

Bug fix: When using Duo two-factor authentication, if the system is set to "Offline", it would mistakenly prevent administrators from successfully logging in via Duo 2FA. (Ticket #143003)

Bug fix: When piping instance-related Smart Variables into the email text of a survey's Confirmation Email, the resulting piped text might mistakenly not be formed correctly. For example, appending [new-instance] to the [survey-link] Smart Variable, in which survey-link contains custom display text, would output the survey URL instead of the survey link with the custom text. (Ticket #143059)

Version 13.1.13 (released on 2023-02-17)

CHANGES IN THIS VERSION:

Bug fix: When a record is correctly assigned to a Data Access Group, it might not appear to be assigned to its DAG while viewing the Record Status Dashboard, the Add/Edit Records page, and reports if data values for the record somehow got stored incorrectly in the backend redcap_data table in multiple/mixed cases (e.g., "101a" vs "101A"). Un-assigning and then re-assigning the record back to its original DAG might fix this issue temporarily, but the bug would arise again whenever the project's internal "Record List Cache" was cleared/rebuilt. (Ticket #141329, #142544) NOTE: If the issue still exists after the upgrade, click the “Clear the Record List Cache” button on the Project Setup->Other Functionality page.

Bug fix: When exporting CSV files in various places throughout REDCap, the process might mistakenly fail for PHP 8 under specific unexpected conditions.

Bug fix: The cron job used for the Clinical Data Mart or Clinical Data Pull might mistakenly fail due to the user ID being used instead of the username when creating a new instance of the job.

Bug fix: Over 20 missing LOINC codes were added to the CDIS mapping features.

Bug fix: When performing certain actions in the File Repository, such as uploading files, an error message would mistakenly be displayed afterward saying that there is a DataTables warning. Bug emerged in REDCap 13.3.0 (Standard). (Ticket #140624)

Bug fix: The "resources" link in the MyCap informational dialog on the Project Setup page mistakenly pointed to the wrong URL. (Ticket #142514)

Bug fix: The CSV file upload for importing Automated Survey Invitations (ASIs) in the Online Designer would mistakenly fail with an error if the user's preferred CSV delimiter was not set to "comma" via their user profile. (Ticket #142555)

Version 13.1.12 (released on 2023-02-10)

CHANGES IN THIS VERSION:

Bug fix: The "System Statistics" page in the Control Center did not display the label correctly for the count of projects utilizing the Clinical Data Pull feature.

Bug fix: Data values imported for a patient’s “birth-sex” via FHIR using the Clinical Data Operability Services might mistakenly get converted into an incorrect value (“UNK”) in some specific cases. (Ticket #141976)

Bug fix: If using the e-Consent Framework with the setting "Allow e-Consent responses to be edited by users?" enabled, users with edit privileges would mistakenly be prevented from modifying the data on the consent form via a data import. (Ticket #140846)

Bug fix: The Survey Queue page might crash due to a fatal PHP error when using PHP 8. (Ticket #142125)

Bug fix: When using the @RICHTEXT action tag on a Notes field, changing the text in the editor (i.e., the field's value) might mistakenly not trigger calculations or branching logic accordingly. (Ticket #142127)

Bug fix: When using the rich text editor to translate a survey's survey instructions on the Multi-Language Management setup page, any images uploaded via the rich text editor would mistakenly not load when viewing the translations on a survey page (that is, unless the person viewing the survey is a REDCap user and is currently logged in to REDCap). (Ticket #141658b)

Bug fix: If a user that has "read-only" user privileges for a specific instrument is viewing the Data History of a File Upload field on that instrument, the "Delete" link next to each file/revision would mistakenly be displayed in the Data History popup. Users with read-only instrument-level privileges should not be able to delete older revisions of a File Upload field. (Ticket #141709)

Bug fix: If a repeating instrument has been enabled as a survey, but the survey setting "(Optional) Repeat the survey" has not been enabled on the Survey Settings page, then when viewing the participant list, a placeholder instance might mistakenly not be displayed in the participant list to represent a not-yet-taken instance of the repeating survey. There should always be at least one untaken placeholder instance displayed for each record in the participant list for repeating surveys because this allows users to open a new instance of the survey or email the participant a link to that new survey instance. (Ticket #141545)

Bug fix: When creating/editing a report, the explanatory dialog for Step 3's "Show data for all events for each record returned" checkbox was outdated and mistakenly did not mention anything about the setting's usage in projects containing repeating instruments/events. (Ticket #141953)

Bug fix: When the "Text-To-Speech" feature is enabled on a survey, the speaker buttons would mistakenly not appear next to the field labels of fields in a matrix, thus preventing participants from utilizing the feature there. (Ticket #141787)

Bug fix: In very specific situations where a field is a required field and is embedded in another field, in which the container field is hidden by an @HIDDEN action tag while the field embedded inside it also has an @HIDDEN action tag, the user would mistakenly get prompted by the Required Field dialog for a hidden embedded field if the container and/or embedded fields have @HIDDEN-SURVEY while on a data entry form *or* if they have @HIDDEN-FORM while on a survey page. (Ticket #142212)

Bug fix: If a whole record has been locked or if a data entry form has been locked for a given record, any survey participant who happened to have opened their survey prior to the record/instrument being locked would mistakenly still be able to submit and save their survey response, and as a result, possibly overwrite any existing data on the locked record/form. (Ticket #139555)

Bug fix: When downloading a data dictionary or an instrument zip file, any Dynamic Query (SQL) fields that contain "\\n" in their SQL query would mistakenly have the text "\\n" replaced with "|" in the resulting downloaded file. (Ticket #141734)

Version 13.1.11 (released on 2023-02-02)

CHANGES IN THIS VERSION:

Bug fix: Fixed PHP 8 related error when an administrator tries to hide the blue Easy Upgrade box in the Control Center. (Ticket #141539)

Bug fix: When using "now" as the min/max for a date field or using "today" as the min/max for a datetime field, the validation range check would mistakenly not detect an out-of-range value. (Ticket #141646)

Bug fix: When using the rich text editor to translate a label on the Multi-Language Management setup page, the image icon was mistakenly missing from the editor's toolbar interface, thus preventing users from uploading alternative images into the translated text.

Bug fix: When using the rich text editor to translate a label on the Multi-Language Management setup page, any images uploaded via the rich text editor would mistakenly not load when viewing the translations on a survey page (that is, unless the person viewing the survey is a REDCap user and is currently logged in to REDCap). (Ticket #141658)

Bug fix: When a survey participant enters data on a public survey, in which some required fields are left blank, it is possible for the participant to re-submit the page in the browser (via the browser Back/Reload button) and thus cause duplicate records to be created. This can especially happen for certain browsers, such as Mobile Safari on iOS devices, when minimizing the browser and then re-opening the browser later. (Ticket #141012)

Version 13.1.10 (released on 2023-01-27)

CHANGES IN THIS VERSION:

Bug fix: In some cases, images that were added via the rich text editor to a project dashboard would mistakenly not display on the public version of the dashboard unless the person viewing it was currently logged in as a REDCap user.

Bug fix: When creating a project using the MyCap project template included in REDCap, in some cases the resulting project might result in errors when a participant loads the project on their MyCap mobile app.

Bug fix: A fatal PHP error might occur for PHP 8 on a project using the Clinical Data Pull feature, in which a user clicks the "Delete data for THIS FORM only" button at the bottom of a data entry form. (Ticket #141230)

Bug fix: When using Clinical Data Pull and launching the CDP REDCap page embedded inside of Epic Hyperspace (this does not affect other EHRs but only Epic), the embedded page would not function correctly due to incompatibilities with Internet Explorer, which is the embedded browser utilized by Hyperspace. This bug emerged in the previous REDCap version.

Bug fix: When exporting a project’s data to SAS, in which the project is using Missing Data Codes and also the exported data set contains Text or Notes fields, the resulting SAS syntax file might mistakenly be missing an underscore at the end of the variable name for the “format” attribute for the Text and Notes fields. (Ticket #103142)

Bug fix: The replacement function utf8_encode_rc() for PHP's utf8_encode() might prevent certain users from logging in successfully, in which this ultimately is caused by certain unknown web server configurations. (Ticket #140393)

Bug fix: When using the Randomization page while a project is in production status, a REDCap administrator is unintentionally able to erase the randomization model of the project, which should only be allowed while in development status (even for admins). The "Erase randomization model" button will now stay disabled for everyone when a project is in production. (Ticket #141286)

Bug fix: If a required field's field label contains a lot of HTML, in which the field value is left empty when submitting a survey page or data entry form, the "Some fields are required" dialog that is displayed would mistakenly not look correctly on some occasions due to the HTML in the label. To prevent this issue and to make the field label more readable, the required field dialog will now strip all HTML from the field label when displaying it. (Ticket #141262)

Bug fix: Bug fix: When MyCap is enabled in a project, on some rare occasions when migrating a project using the MyCap external module, the process might fail due to an SQL error. (Ticket #138168b)

Bug fix: Importing data for a patient’s race via Clinical Data Interoperability Services (CDIS) might mistakenly fail in cases where the patient has more than one race listed in the EHR.

Bug fix: When a user is viewing the field drop-down for the Data Search feature on the Add/Edit Records page in a project that has more than 20K records, the note text in the first option of the field drop-down would mistakenly be truncated, thus preventing the user from being able to read it. (Ticket #141317)

Bug fix: When uploading a CSV file of user privileges on the User Rights page, the "lock_records" privilege would mistakenly return an error if its value is set to "2", which is a valid value. (Ticket #141141)

Bug fix: When changing an existing alert from sending "immediately" and "every time" to sending not immediately (e.g., "Send on next X at time Y") without explicitly clicking the "Just once" radio option in Step 2B after doing so, these changes made to Step 2 would mistakenly not get saved when saving the alert. (Ticket #140491)

Version 13.1.9 (released on 2023-01-20)

CHANGES IN THIS VERSION:

Major bug fix: In certain situations where survey invitations get scheduled for a repeating Automated Survey Invitation, in which the record's data is later modified, the repeating invitations that were scheduled might mistakenly get unscheduled. (Ticket #140851)

Major bug fix: If a user is creating a new record on a data entry form, in which record auto-numbering is enabled in the project and the form is submitted by the user with a required field that has no value, if the project's internal Record List Cache (a secondary list of records in the database for improving performance) had not been built yet or was recently cleared (which is done automatically by REDCap internally), the user submitting the form might trigger the Record List Cache building process, which might inadvertently create multiple identical records instead of just creating the one record.

Bug fix: If a checkbox field has a large amount of choices, thus causing the checkbox options to become a scrollable box, the overall height of the scrollable box would mistakenly be too short on surveys that have the "Enhanced radio buttons and checkboxes" feature enabled. Since the enhanced radios/checkboxes are much larger than regular radios/checkboxes, the scrollable area has been made twice as tall in these cases in order to provide a less confusing user experience to survey participants.

Bug fix: The Multi-Language Management page in the Control Center might incorrectly denote a translated language as being 100% complete when it is only 99.9% complete. (Ticket #140724)

Bug fix: Various issues related to checkbox fields with many options, such as displaying a horizontally-aligned checkbox field as too wide in Firefox. Also, the new feature added in the previous version that would cause a long list of checkbox options to become scrollable has now been completely removed since so many users complained about it being problematic for them. (Ticket #140759)

Bug fix: When piping a Notes field that has the @RICHTEXT action tag, the HTML formatting in the field's value might mistakenly not render correctly on the page, especially if the value contains HTML tables. (Ticket #140910)

Bug fix: When a datetime field is using "now" as the min or max validation range, and the user clicks the "Now" button next to the field after having been on the page for more than one minute, the "out of range" popup would mistakenly display.

Bug fix: When using Multi-Language Management, if some slider fields do not have their slider label values translated, it could cause some parts of the survey page or data entry form not to display all its translated text successfully. (Ticket #140871)

Bug fix: Some LH-aligned radio buttons might mistakenly cause the page to be too wide if a radio choice label is very long. Unfortunately, the only way to fix this issue fully is to revert a change in the previous version that improved the text wrapping of the choice labels of horizontally-aligned checkbox fields.

Bug fix: If a survey participant clicks the "Save & Return Later" button on a survey, which has no survey title (i.e., it was left blank), the email sent to the participant might be slightly confusing because it displays only two double quotes where the survey title should be. It now displays slightly different text if the survey title has not been defined.

Bug fix: If a project title contains some UTF-8 encoded characters, the project title would mistakenly display as garbled when viewing it on the My Projects page on a mobile device. (Ticket #140814)

Bug fix: If a repeating Automated Survey Invitation has reminders enabled, the Survey Invitation Log might mistakenly display a bell icon and number (representing a reminder) next to a recurring invitation that is not actually a reminder.

Bug fix: When using the Randomization page and downloading an example allocation table in Step 2, for certain randomization models, the CSV file produced may become too large to be processed, which might throw an error, and/or it might take an abnormally large amount of time to output the CSV file. To prevent these situations, the example allocation tables now will only output a maximum of 50,000 rows regardless of the randomization model set up in the project. (Ticket #140909)

Version 13.1.8 (released on 2023-01-13)

CHANGES IN THIS VERSION:

Bug fix: If a Project Template has Form Display Logic, new projects created from that Project Template would mistakenly not have the Form Display Logic settings copied over. (Ticket #140489)

Bug fix: If REDCap is using an external file storage method (e.g., AWS S3, Azure Blob Storage) for storing all files in the system, the Project Revision History's version comparison feature would mistakenly fail, and it would result in a fatal PHP error when using PHP 8. (Ticket #140551)

Bug fix: If a participant email address contains one or more capital letters and is added manually to the Participant List multiple times, the Participant List would mistakenly fail to display a number and parentheses immediately before the email address on each row (e.g., "1) rob@aaa.com") to help differentiate the multiple instances of the same email address. (Ticket #140466)

Bug fix: When using Duo two-factor authentication, some important debugging information would mistakenly not get output to the page when an error occurred, in which it prevented admins from effectively troubleshooting certain network-based configuration issues that could cause Duo not to work dependably for users.

Bug fix: If a checkbox field has a large amount of choices, it could cause the field to mistakenly take up a disproportionate amount of the survey page or data entry form, thus resulting in a bad user experience. In this case now, the whole list of checkbox options will instead become scrollable so that the checkbox field does not become too unwieldy while still allowing the user to see all the choices.

Bug fix: Checkbox fields that are horizontally-aligned might mistakenly have a choice’s checkbox and its label appear on two different lines due to text wrapping. Instead, an individual choice’s checkbox and label now no longer wrap to the next line but instead stay together on the same line.(Note: This fix does not apply when viewing a form/survey on a mobile device.)

Bug fix: In very specific situations where a field is a required field and is embedded in another field, in which the container field is hidden by an @HIDDEN action tag while the field embedded inside it does not have an @HIDDEN action tag but does have a @DEFAULT action tag, the default value added to the embedded field via the @DEFAULT action tag would mistakenly not get saved when saving the page.

Bug fix: Various fixes related to issues with using Duo two-factor authentication, including issues caused by the use of a proxy with the REDCap web server. (Ticket #140186, #137099)

Bug fix: Clicking the "View Equation" link for a @CALCTEXT field on a data entry form or survey page while the project is in production status but not in draft mode would mistakenly display an error message instead of displaying the calculation. (Ticket #140645)

Bug fix: When downloading a CSV file of either users or user roles on the User Rights page, the form-level viewing rights and form-level export rights in the CSV file might mistakenly contain instruments that have been deleted from the project. (Ticket #140668)

Bug fix: If PDF files had been stored in the File Repository's "PDF Survey Archive" folder, after which the Auto-Archiver and/or e-Consent Framework had been disabled for all surveys in the project, the "PDF Survey Archive" folder would mistakenly no longer be visible in the File Repository, thus preventing users from accessing previously-saved files. That folder will now be displayed if the Auto-Archiver and/or e-Consent Framework is enabled or if any files already exist in the folder. (Ticket #140435)

Version 13.1.7 (released on 2023-01-06)

CHANGES IN THIS VERSION:

Bug fix: Certain Font Awesome icons might mistakenly not display correctly on survey pages.

Bug fix: In certain situations in which REDCap or an External Module executes a specific parameterized query to the database, the query might mistakenly fail due to an "illegal mix of collations".

Bug fix: Unless using the latest version of the REDCap Mobile App, a @CALCTEXT field might mistakenly not function correctly in the Mobile App if its calculation contains multiple nested IF() statements.

Bug fix: When a participant is viewing their survey queue, if they click the "Get link to my survey queue" button and then click "Send" to email the survey queue link to themselves, the Email Logging page would mistakenly not associate the email with a record in a project when searching for emails on that page. This can make it very difficult to find this email via the Email Logging page. In the future, this action will associate the email with a specific record on the Email Logging page.

Bug fix: A SQL query might mistakenly not get formatted correctly and thus might fail when CDIS is sending a notification to a user via REDCap Messenger regarding the completion of an asynchronous CDIS task.

Bug fix: The "How do I format the equation?" link in the "Edit Field" dialog in the Online Designer would mistakenly open the wrong question on the "Help & FAQ" page.

Bug fix: If a user assigned to a Data Access Group views a report that has DAG filtering imposed via "Step 3: Additional Filters" in the report settings, in which the user's DAG is not one of the selected DAGs of the Additional Filters, the report might mistakenly display some records from the user's DAG when instead it should not return any records in the report. A similar behavior might also occur for a user that is not assigned to a DAG when viewing the same report, but instead occurring when using the DAG Live Filter to select a DAG that is not one of the selected DAGs of the Additional Filters. (Ticket #140302)

Version 13.1.6 (released on 2022-12-29)

CHANGES IN THIS VERSION:

Bug fix: The user privilege for "Alert & Notifications" was mistakenly not getting copied for project users when using the "Copy Project" feature while electing to copy the current users into the new project. (Ticket #140023)

Bug fix: The Cron Jobs page in the Control Center might crash with a fatal PHP error for certain versions of PHP if the "exec" function is disabled in PHP as a "dangerous" function on the REDCap web server. (Ticket #140034)

Version 13.1.5 (released on 2022-12-28)

CHANGES IN THIS VERSION:

New LTS branch based off of REDCap 13.1.4 (Standard)

Note: Please see the Standard Release ChangeLog from v12.5.0 to v13.1.4 to see the full list of new features and bug fixes released with this new LTS branch.

Version 12.4.31 (released on 2022-12-28)

CHANGES IN THIS VERSION:

Bug fix: When the system-level setting "Allow reports to be made 'public'?" has been set to "No", administrators are still allowed to make reports public, which is expected; however, when anyone attempts to view the report using the public link, it displays an error saying that it cannot be displayed. Anyone with the public link should be able to view the report. (Ticket #132901b)

Bug fix: When testing a calculation using the "Test calculation with a record" drop-down for a calculated field in the "Edit Field" popup on the Online Designer, there are certain situations where the process might mistakenly crash with a fatal PHP error when using PHP 8. (Ticket #139955)

Bug fix: If the value of a Text or Notes field contains an email address that is immediately followed by a line break/carriage return, the email address would mistakenly not get converted into a "mailto" link properly when displayed on a report. (Ticket #139960)

Version 12.4.30 (released on 2022-12-22)

CHANGES IN THIS VERSION:

Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered on the User Rights page where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way inside a CSV file when importing user privileges or user roles on that page.

Bug fix: In very specific cases when a report is set to only display the record ID field, in which the report has filter logic that contains fields on a repeating instrument/event, the resulting report might mistakenly include grayed out columns that correspond to the fields (or to the form status fields of the fields' instrument) that are used in the filter logic. (Ticket #139584)

Bug fix: Users with instrument-level locking privileges could inadvertently bypass locking controls and modify data on a locked data entry form if they have another browser tab open of that same data entry form before it was locked, and then saved that form within 30 seconds of locking the form in the other tab. (Ticket #139555)

Bug fix: If a project is created using a Project XML file, in which the XML file contains public reports, the unique public report link/hash of any public reports in the original project would mistakenly get duplicated and attributed to the newly created project. This would not cause any noticeable problems for the user because the public report link would always point to the original project and not to the new project created.

Bug fix: When using the Clinical Data Mart, a patient’s Medical Record Number (MRN) might get stored as an empty string in the FHIR logs table, thus causing the Data Mart to crash.

Bug fix: When using Clinical Data Pull, in which a user is accessing an embedded REDCap page inside of Epic Hyperspace, some parts of the page might mistakenly not work due to JavaScript errors. (Ticket #139896)

Bug fix: REDCap might fail with a fatal PHP error on various pages when using PHP 8 under very specific conditions. (Ticket #139416)

Bug fix: The @IF action tag would mistakenly not function correctly for fields in PDF exports. For example, @IF([field]="", @HIDDEN-PDF, "") would not function correctly to show/hide the field in the resulting PDF export.

Version 12.4.29 (released on 2022-12-16)

CHANGES IN THIS VERSION:

Bug fix: A fatal PHP error would occur when using DDP Custom in a project for PHP 8. (Ticket #138771b)

Bug fix: If a user is adding an external video URL to a Descriptive Text field, in which they mistakenly paste some Embed HTML or an invalid URL into the field's video URL attribute, if REDCap doesn't recognize it as a Vimeo or YouTube link, REDCap might mistakenly try to output the text directly onto the page as-is without verifying that it is a valid URL. (Ticket #139291)

Bug fix: When using the date/time picker widget to select a value for a date or datetime field on a survey page or data entry form, and then later on the same page the user uses the time picker on a "Time (HH:MM)" or "Time (HH:MM:SS)" validated field, after selecting the value for the Time field, the page would mistakenly scroll back to the last date/time field on that page where the date/time picker was used, which could be very confusing and disorienting to the user. (Ticket #139201)

Bug fix: The Standalone Launch process for Clinical Data Interoperability Services might mistakenly fail for some server configurations due to a duplicate slash (“/”) in the link to the page.

Bug fix: When a user performs a data export containing fields from an instrument for which they have "De-identified" data export rights, and the user selects the de-id option to "Shift all dates" (rather than "Remove all date and datetime fields") in the export dialog, the date fields would not be date shifted but would mistakenly be completed removed from the resulting exported data set. Bug emerged in REDCap 12.2.0. (Ticket #139392)

Bug fix: A field with the @CALCTEXT action tag, in which the calculation contains text strings with line breaks, might mistakenly cause calculation errors to appear on the page and prevent the @CALCTEXT from working.

Bug fix: Some calculations or branching logic might mistakenly fail to work and would display an error if they are substantially long. Bug emerged in the previous version. (Ticket #127140)

Bug fix: Surveys that are set to use Comic Sans as the font for the survey text would mistakenly not display correctly when viewing the survey on iOS devices. (Ticket #95086)

Bug fix: In very specific situations where a field is a required field and is embedded in another field, in which both fields have branching logic, if the container field is hidden by branching logic while the field embedded inside it has branching logic that evaluates to True (meaning that the embedded field would otherwise be visible if the container field itself were visible), REDCap would mistakenly display an error saying that the embedded field is required and thus needs a value, which is incorrect since the embedded field is not even visible on the page. (Ticket #139582)

Bug fix: When piping a field value for a field on a repeating instrument/event, in which the piped value originates from another repeating instance (e.g., [field][previous-instance]), the current instance's value might mistakenly be piped instead of the value from the desired instance. (Ticket #139581)

Bug fix: When an image is embedded (via the rich text editor) in an email for a survey invitation or alert, in which the Protected Email Mode is enabled in the project, the page where the recipient would view their email in REDCap might mistakenly not display the embedded image on the page but would show a broken image placeholder. (Ticket #139648)

Bug fix: If a user uploaded a Project XML file for a Clinical Data Mart project, it would mistakenly enable the Data Mart feature in the newly created project even when the CDM feature is disabled at the system level. This would cause some errors to occur in the project. (Ticket #139577)

Version 12.4.28 (released on 2022-12-09)

CHANGES IN THIS VERSION:

Major bug fix: A malicious user could potentially delete a file uploaded into a project to which they do not have access by manipulating an HTTP request on the Alerts & Notifications page in another project. (Ticket #138873)

Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered on the Project Modifications page (where an admin would view a user's Draft Mode changes) where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way in a field's Field Label, Choice Labels, or Field Notes. (Ticket #139108)

Bug fix: A fatal PHP error would occur when using DDP Custom in a project for PHP 8. (Ticket #138771)

Bug fix: A fatal PHP error would occur when certain Data Quality rules when using PHP 8. (Ticket #131294b)

Bug fix: The REDCap Mobile App page mistakenly noted that the mobile app does not support Field Embedding, which is no longer true. That warning message has been removed.

Bug fix: If one or more fields in a project utilize the @IF action tag, the REDCap Mobile App page would mistakenly fail to display a warning at the top of page to explain that the @IF action tag is not supported by the mobile app and thus fields with @IF might not function in the mobile app the same as they do on survey pages and data entry forms.

Bug fix: A couple REDCap pages that are served as AJAX requests via JavaScript mistakenly had their "Content-Type" header set as "text/html" when instead it should have been "application/json", which was causing these requests not to be loaded successfully in the REDCap user interface in certain server/network environments.

Bug fix: If a user on a data entry form clicks the PDF download option called "This survey with saved data (via browser's Save as PDF)", if some fields on the page have been modified but not yet saved, REDCap will display a confirmation to the user to ensure that they understand that the resulting PDF will not contain only saved data values but instead may contain both saved and yet-to-be-saved values. (Ticket #138777)

Bug fix: If an external module calls a randomization-related method in a project that does not have randomization enabled, it might throw a fatal PHP error for PHP 8. (Ticket #138756)

Bug fix: Multi-line text used inside single quotes or double quotes in the @CALCTEXT action tag might mistakenly have some words mistakenly replaced in the resulting text if they look like JavaScript or PHP operators (e.g., "or", "and"). (Ticket #138785)

Bug fix: When using certain text or HTML inside the text of the @CALCTEXT action tag, the output value of the field might mistakenly be missing some spaces if text elements in the @CALCTEXT contained leading or trailing spaces. Additionally, text used in @CALCTEXT that contains HTML or single/double quotes might mistakenly get mangled and not display correctly on the page for the @CALCTEXT field. (Ticket #138396)

Bug fix: When using the Survey Auto-Continue feature, in which a participant clicks a survey link of an already-completed survey and is redirected 20 times through a bunch of subsequent already-completed completed surveys, some browsers might mistakenly display a “too many redirects” error to the participant instead of properly redirecting them to the next unfinished survey. (Ticket #138914)

Bug fix: A malicious user could potentially view a deleted message in REDCap Messenger by manipulating the parameters and/or query string of an HTTP request performed by Messenger. Only administrators should be allowed to view deleted messages in the Messenger interface. (Ticket #138873)

Bug fix: A malicious user could potentially delete or edit a REDCap Messenger message, even when the user did not create the message and is not an administrator, by manipulating the parameters and/or query string of an HTTP request performed by Messenger. (Ticket #138859)

Bug fix: When using the AAF authentication method, the PHP method User::updateUsernameForAaf() mistakenly would not update all the database tables that contain a "user" or "username" column. Four tables were missing from the list. Thus, some database tables would not get updated when the method is called. (Ticket #138396)

Bug fix: When creating a new project via a Project XML file, if the project is longitudinal and utilizes the Survey Queue and/or Automated Survey Invitations, the Survey Queue and ASI settings might mistakenly not get added from the XML file when the project is created. (Ticket #139035)

Version 12.4.27 (released on 2022-12-02)

CHANGES IN THIS VERSION:

Major bug fix: When using certain external authentication methods, survey pages might sometimes mistakenly time out if the project's internal Record List Cache (a secondary list of records in the database for improving performance) had not been built yet, which is done automatically by REDCap internally. This would cause an internal API call to fail when it is made inline while loading survey pages, thus causing the survey page not to load. This was supposedly fixed in version 12.4.13 LTS and 12.5.6 Standard Release, but mistakenly was not. (Ticket #104761b)

Bug fix: The calendar feed might mistakenly provide incorrect times of calendar events for certain geographical regions that do not observe Daylight Saving Time. (Ticket #130176)

Bug fix: Typo on OpenID Connect's login screen. (Ticket #138381)

Bug fix: When creating a new project where a user selects a project template but then chooses to upload a Project XML file, REDCap might get confused about which option was selected and behave unexpectedly, such as creating the project without granting access to the initial user. (Ticket #138361)

Bug fix: When a calculated field uses the datediff() function, in which the first parameter is literally "today" while the second parameter is a datetime field, the calculation might mistakenly return a blank value. (Ticket #138033)

Bug fix: In some specific circumstances, the Data Import Tool might mistakenly crash due to a fatal PHP error for PHP 8. (Ticket #138527)

Bug fix: Dozens of REDCap pages that are served as AJAX requests via JavaScript mistakenly had their "Content-Type" header set as "text/html" when instead it should have been "application/json", which was causing these requests not to be loaded successfully in the REDCap user interface in certain server/network environments.

Version 12.4.26 (released on 2022-11-23)

CHANGES IN THIS VERSION:

Bug fix: When entering a value for the "Domain allowlist for user email addresses'' setting on the User Settings page in the Control Center, it would mistakenly not allow top-level domains to be entered if they contain more than 4 characters (e.g., vanderbilt.health). It now appropriately allows top-level domains up to the maximum 63 characters. (Ticket #104291)

Bug fix: When using the “Mapping Helper” feature or CDP Mapper for CDIS, some things might not load correctly because of some HTML needing to be escaped first in the resulting JSON.

Bug fix: If the RemoveTempAndDeletedFiles cron job happens to be running at the same time as the Easy Upgrade process is extracting a new REDCap version, on certain server configurations the cron job might mistakenly delete some of the REDCap files being deployed in the new version, thus leaving the new REDCap version directory missing some critical files. (Ticket #137910)

Bug fix: Bar charts and pie charts might mistakenly be displayed on Public Dashboards despite having an insufficient amount of data to display (based on the setting "Minimum number of data points required to display Smart Charts, Smart Tables, or Smart Functions on a *public* Project Dashboard..."). (Ticket #137411)

Bug fix: When performing field embedding on a survey page or data entry form, the page might crash due to a fatal PHP error if the project has a very large amount of fields.

Bug fix: When using the Smart Variable [last-instance] appended to [survey-url], a fatal PHP error could occur for PHP 8 in certain situations, such as if no repeating instances exist yet for the survey for the current record. (Ticket #138322)

Version 12.4.25 (released on 2022-11-17)

CHANGES IN THIS VERSION:

Bug fix: Certain versions of MariaDB do not output the "COLLATE" portion of a database table's column definition in the results of a "SHOW CREATE TABLE" query, thus causing false positives to display in the Control Center that say that the "database structure is incorrect". (Ticket #137551, #137575, #137321)

Bug fix: For some web server configurations, the server's session "garbage collection" might mistakenly not run or might not run very often, thus causing the redcap_sessions database table to become overly bloated. The garbage collection process is now run manually via a cron job to ensure this task gets performed regardless of server configuration. (Ticket #137675)

Bug fix: When more than ten completed surveys are displayed in a participant's Survey Queue, the "all surveys completed" row might appear in the wrong place in the table. (Ticket #137550)

Bug fix: When a user not assigned to a Data Access Group filters the results on the Logging page by DAG, the page might crash with an error if no users are currently assigned to that DAG in the project. (Ticket #137764)

Bug fix: When viewing the REDCap Mobile App's "App Data Dumps" page, in which a data dump file could not be found on the server for unknown reasons, it would mistakenly throw a fatal PHP error on the page for PHP 8. (Ticket #137777)

Bug fix: When using REDCap::saveData() in a plugin, hook, or external module, in which the "dataLogging" parameter is passed to the method as FALSE, the record list cache (i.e., the back-end secondary list of records) would mistakenly fail to get updated during this process. This means that if new records are being created via REDCap::saveData() with dataLogging=FALSE, those records would appear not to have been created until an admin clicked the "Clear the Record List Cache" button, after which the records would finally appear in the project, such as on the Record Status Dashboard, reports, and the Add/Edit Records page. (Ticket #137836)

Version 12.4.24 (released on 2022-11-11)

CHANGES IN THIS VERSION:

Bug fix: When using CDIS/FHIR services to extract medications from the EHR, the values for the RxNorm code and RxNorm label were mistakenly switched.

Bug fix: CDIS related cron jobs were mistakenly running for projects in Analysis/Cleanup mode or marked as Completed.

Bug fix: When certain Smart Variables (specifically form-url, form-link, survey-date-completed, survey-time-completed, survey-date-started, survey-time-started, survey-duration, and survey-duration-completed) have [first-event-name] or [last-event-name] appended to them, an incorrect value might be returned from the Smart Variable.

Bug fix: When performing randomization on a record while on the first instrument, in which the user locks the instrument immediately after randomization has occurred, the record would get mistakenly duplicated after clicking the Save button on the page. (Ticket #137260)

Bug fix: The BioPortal API token stored in the redcap_config database table was mistakenly not encrypted at rest as other third-party tokens/keys are. (Ticket #137403)

Bug fix: When using Multi-Language Management, the language drop-down list was mistakenly being displayed on data entry forms even when only one language has been defined on the MLM setup page. It should only display the language choice list if there is another language to choose.

Bug fix: If a field is used in cross-form or cross-event branching logic, in which the value of the field contains double quotes, the branching logic may not function correctly on the page. (Ticket #136926)

Bug fix: A fatal PHP error might be thrown in some specific cases where the method Records::deleteEventInstanceByProject() is called in certain contexts. (Ticket #137376)

Bug fix: If a project is using record auto-numbering, and the highest-numbered record gets renamed so that it is no longer the highest-numbered record, after which a participant completes a public survey in the project, the new record created by the participant would mistakenly skip the appropriate record number and be assigned to one number higher than expected. (Ticket #125567)

Version 12.4.23 (released on 2022-11-04)

CHANGES IN THIS VERSION:

Bug fix: If the text in a Text field or Notes field contains an email address, it should display the email address as a clickable mailto link when viewing the data on a report. However, it would only do that if the field value contained only an email address and no other text. (Ticket #136735)

Bug fix: When an Automated Survey Invitation has been set up in a longitudinal project, in which the ASI's conditional logic includes datediff() today/now and has the "Ensure logic is still true" checkbox checked while additionally one or more of the variables in the logic are missing a prepended unique event name, the DateDiff Today/Now cron job might mistakenly schedule a survey invitation that should not be scheduled, even though REDCap will ultimately unschedule the invitation right before trying to send it. This bug was supposedly fixed in REDCap 12.4.7 LTS and 12.5.0 Standard, but mistakenly it was not. (Ticket #136960)

Bug fix: The Multi-Language Management settings "Export or import general settings" were mistakenly being displayed on the MLM Control Center page when they should only be displayed in a project. (Ticket #136968)

Version 12.4.22 (released on 2022-10-27)

CHANGES IN THIS VERSION:

Minor security fix: An SQL Injection vulnerability was found in the Copy Field action on the Online Designer, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page.

Minor security fix: An SQL Injection vulnerability was found in the "Import from Field Bank" action on the Online Designer, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page.

Major bug fix: When a user clicks the "Generate API Token" button on the API page in a project, it would mistakenly return a vague/unhelpful error message saying that the token could not be created (or it would simply reload the page with no warning in some cases). This would happen if the user has API Import and/or API Export privileges but does not have Mobile App privileges. The only user permission that should be required to request an API token on this page are API Import or API Export privileges. Bug emerged in REDCap 12.4.20 LTS and 12.5.13 Standard Release.

Major bug fix: When renaming or deleting an instrument via the Online Designer while in development status, the instrument-level data viewing rights and instrument-level data export rights would mistakenly not always get updated to reflect the new instrument name for all the users and roles in the project. Note: While this fix will prevent the issue going forward, users will need to manually update a user's/role's permissions to fix any already affected users/roles. (Ticket #136038)

Major bug fix: When a field is embedded on a multi-page survey, in which the embedded field's container field is hidden by branching logic on a different page on which the container field is itself located, the embedded field's value might mistakenly get erased when the later survey page is submitted if the embedded field is a Required field.

Bug fix: When using Multi-Language Management, the Survey Login page text might mistakenly not get translated. (Ticket #136358)

Bug fix: When using Multi-Language Management, the choices for multiple choice fields would mistakenly not get imported when performing a CSV file import on the MLM setup page. (Ticket #136415)

Bug fix: When the authentication method is set to "OpenID Connect" or "OpenID Connect & Table-based", admins may define which OIDC attribute will serve as the REDCap user's username. However, the "preferred_username" attribute was mistakenly missing from the "Attribute to use for REDCap username" drop-down on the Security & Authentication page. (Ticket #132200)

Bug fix: If a user clicks the "Re-send Email" button for an email displayed on the Email Logging page in a project that has the "Protected Email Mode" feature enabled, that re-sent email would mistakenly not be sent using the Protected Email Mode but would be sent to the recipient as-is. (Ticket #120500)

Bug fix: If a text field on a data entry form or survey page is a required field and already has a saved value, if the field's value is manually removed (via backspacing) on the page and then the field is hidden by branching logic, upon saving the page, the "Some fields are required!" prompt might mistakenly get displayed for the field, which should not occur due to the fact that the field is hidden on the page. (Ticket #136520)

Bug fix: When using Multi-Language Management, the text in the title of the “Invalid values entered” popup on data entry forms and survey pages would mistakenly not be available for translation on the MLM setup page. (Ticket #136541)

Version 12.4.21 (released on 2022-10-22)

CHANGES IN THIS VERSION:

Major bug fix: When performing a data import (via API, Mobile App, Data Import Tool, or REDCap::saveData) that contains not-yet-created records, in which the import process will trigger Automated Survey Invitations immediately after creating the new records, the ASI invitations might mistakenly not get scheduled/sent. In this case, the ASIs would only get triggered when someone modified a record after the import or ran the "Re-evaluate Auto Invitations" process.

Bug fix: When exporting a Project XML file and creating a new project using it, if the project is not longitudinal but was longitudinal at some point in the past, in which the first event (while longitudinal) was named something other than "Event 1" on Arm 1, then any Automated Survey Invitation settings from the XML file might mistakenly fail to import correct into the newly created project. (Ticket #136254b)

Version 12.4.20 (released on 2022-10-21)

CHANGES IN THIS VERSION:

Bug fix: Reports that have filter logic might mistakenly display some records as being in multiple arms despite the fact that they only exist in a single arm (or exit in less arms than depicted in the report). If this occurs, the report will show the record with default values in the other arm. (Ticket #135620)

Bug fix: When exporting user roles via the API, the "unique_role_name" attribute of some roles might mistakenly be blank if the role had been recently created but not yet viewed in the user interface on the User Rights page. (Ticket #125602)

Bug fix: When upgrading REDCap to v12.1.0 or higher, some queries in the upgrade SQL script might mistakenly fail when specifically using MySQL 8 as the database. (Ticket #131519b)

Bug fix: When performing a fresh install of REDCap, the install page might output a 500 server error and might provide confusing error messages when valid database credentials have not been successfully added to the database.php file yet. (Ticket #128344)

Bug fix: When performing a data dictionary export in a project that is using "Japanese (Shift JIS)" for the "character encoding for exported files", the process might fail with a fatal PHP error for PHP 8.0 . (Ticket #136046)

Bug fix: Utilizing a forward slash "/" anywhere inside the @IF action tag would mistakenly cause the action tag not to function. (Ticket #135803)

Bug fix: CDIS-related issue with FHIR version DSTU2 where date filters were mistakenly not applied to Observations data.

Bug fix: On the Other Functionality page when exporting the Project XML file ("metadata & data"), it would mistakenly always include all available project attributes in the resulting XML file despite the fact that some or all of the checkbox options for those project attributes were left unchecked on the page. This does not affect the "metadata only" XML file but only the "metadata & data" XML file.

Bug fix: Important documentation was missing from the Special Functions dialog and FAQ regarding the usage of date/datetime fields with MDY and DMY date formatting when used in text string functions in branching logic and calculations.

Bug fix: Fields in a project might randomly get out of order, which can be caused by a user on the Online Designer reordering the instruments in conjunction with some other action, such as copying an instrument immediately before the reordering and/or viewing an instrument immediately after the reordering. (Ticket #109041)

Bug fix: When using Multi-Language Management, the Automated Survey Invitation tab on the MLM setup page might mistakenly display as blank and prevent any translation of ASIs in certain cases, such as when some ASIs have been orphaned in the backend database and are not associated with a valid event in the project. (Ticket #136254)

Bug fix: The "Conditional logic for Survey Auto-Continue" would mistakenly not get copied into a new project's survey(s) when using the Copy Project feature on the Other Functionality page. (Ticket #136281)

Bug fix: When REDCap is using WebDAV for file storage, in which the WebDAV connection settings have not yet been defined, a fatal PHP error may occur on certain pages when using PHP 8. (Ticket #136289)

Bug fix: When a user clicks the "Request API Token" button on the REDCap Mobile App page in a project, it would mistakenly return a vague/unhelpful error message saying that the token could not be created (or it would simply reload the page with no warning in some cases). This would happen if the user did not have API Import or API Export privileges. The only user permission that should be required to request an API token specifically for the Mobile App is "Mobile App" user privileges. Bug emerged in REDCap 12.4.13 LTS and 12.5.6 Standard Release. (Ticket #135788)

Version 12.4.19 (released on 2022-10-07)

CHANGES IN THIS VERSION:

Bug fix: The Record Status Dashboard might load unnecessary slowly for projects that are not using Form Display Logic and have 1000 records.

Bug fix: On some rare occasions in longitudinal projects, a report with filter logic might mistakenly not display its report headers on the page. Bug emerged in the previous version.

Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code "656" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it.

Bug fix: Some pages might mistakenly not function correctly due to a JavaScript error when using Internet Explorer.

Bug fix: When performing a Data Search specifically on a project's record ID field on the "Add/Edit Records" page in a longitudinal project, some record names might mistakenly not be returned from the search, especially if no data has been saved in the first event for some of the records. (Ticket #135313)

Bug fix: The "Phone (North America)" field validation might not correctly recognize some valid 10-digit North American phone numbers, especially if the fourth digit is a "3". (Ticket #135444)

Bug fix: When using the Text-to-Speech survey feature, any fields initially hidden by branching logic on the survey would mistakenly not have the speaker icon displayed for it to allow participants to hear the question text audibly. (Ticket #135010)

Bug fix: If a project is using Missing Data Codes and is also using the Secondary Unique Field, setting a missing data code for the Secondary Unique Field on a survey or data entry form might mistakenly result in the "Duplicate Value" error dialog. The uniqueness check should instead be ignoring any missing data codes for the Secondary Unique Field. (Ticket #132779)

Bug fix: If a user is exporting data in EAV format for the Export Records API Method, and some of the data being exported exists on a repeating instrument or a repeating event, the record ID field might mistakenly get exported multiple times as identical rows, despite the fact that the first instrument is not a repeating instrument and does not exist on a repeating event. (Ticket #135154)

Version 12.4.18 (released on 2022-09-30)

CHANGES IN THIS VERSION:

Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way when uploading a CSV file of alerts on the "Alerts & Notifications" page. (Ticket #134640)

Bug fix: The title of the "None of the Above" dialog on data entry forms and survey pages would mistakenly not display correctly. (Ticket #134326)

Bug fix: The dialog for the @NONEOFTHEABOVE action tag might mistakenly not display at all.

Bug fix: Uploading Automated Survey Invitations settings via CSV file might mistakenly mangle some of the timestamps in the file (e.g., "Send at exact date/time:") if they are in YMD date format when the user has an MDY or DMY date format preference set for their user account on the Profile page. The CSV import will now accept dates/times in either YMD date format or the user's preferred date format. (Ticket #133727)

Bug fix: When importing or exporting the user rights for users or roles (whether via the user interface or API), certain privileges would mistakenly be ignored, such as those pertaining to Randomization, Double Data Entry, and the Data Resolution Workflow. (Ticket #133179)

Bug fix: When assigning projects to a Project Folder on the "My Projects" page, the project list in Step 2 of the dialog would mistakenly list projects to which the user no longer has access. This would only happen if the projects had been assigned to that particular Project Folder sometime in the past. (Ticket #134503)

Bug fix: In the Online Designer, when saving a Text field that was previously a Calculated field, the calculation might mistakenly not get removed from the field after being changed to a Text field, thus possibly causing issues when rendering the field on a data entry form or survey. (Ticket #134303)

Bug fix: A calculation error might occur on a data entry form or survey page whenever a calculated field utilizes one of the [aggregate-X] Smart Variables while also utilizing other Smart Variables that result in a text string (as opposed to a number - e.g., [record-dag-label]). (Ticket #134589)

Bug fix: When exporting a Project XML file and creating a new project using it, if the project is not longitudinal but was longitudinal at some point in the past, in which the first event (while longitudinal) was named something other than "Event 1" on Arm 1, then any Survey Queue settings from the XML file might mistakenly fail to import into the newly created project. (Ticket #134837)

Bug fix: The "Advanced Link" option for Project Bookmarks might mistakenly return data from the API even though the user's REDCap session is no longer active. If the session has ended, the API should instead return only a value of "0".

Bug fix: When viewing a Custom Record Status Dashboard in a longitudinal project, in which the filter logic references fields that might exist on events that contain no data for certain records, those records with no data for the event might mistakenly not get displayed on the dashboard. (Ticket #134055)

Bug fix: When editing an alert on the Alerts & Notifications page and clicking the keyboard Enter button right after entering an invalid email address into the "manually enter emails" text boxes for the Email To, CC, or BCC settings, the error dialog would mistakenly never close but would keep popping up endlessly. This would prevent the user from fixing the email address entered and ultimately could only be resolved by refreshing the page. (Ticket #135021)

Version 12.4.17 (released on 2022-09-16)

CHANGES IN THIS VERSION:

Bug fix: The "Add Participants" dialog on the Participant List page would mistakenly be missing some text that displays the name of the currently selected arm (only for longitudinal projects that have multiple arms). (Ticket #134086)

Bug fix: When new records are being created via a data import that will trigger the scheduling of an Automated Survey Invitation that contains the Smart Variable [survey-queue-url] or [survey-queue-link] in the ASI email body, the Smart Variable would mistakenly be blank in the resulting email that gets scheduled. This does not affect existing records but only those created via data import. (Ticket #101536)

Bug fix: Appending the Smart Variable [aggregate-count:record_id] with a parameter to filter the results by one or more specific Data Access Groups (using the either unique DAG names or "user-dag-name") would mistakenly have no effect on the result. (Ticket #132676)

Bug fix: When opening a Calendar event, the popup might crash due to a fatal PHP error in PHP 8.0 . (Ticket #134180)

Version 12.4.16 (released on 2022-09-09)

CHANGES IN THIS VERSION:

Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way for calculated fields on data entry forms and survey pages. (Ticket #132986)

Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way for certain features of REDCap Messenger.

Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way for a certain feature on the Project Setup page and Copy Project page.

Bug fix: When renaming records, the record name would mistakenly get double-decoded during the process, which is not necessary and might cause issues depending on the specific characters inside the record's record name. (Ticket #133650)

Bug fix: Using "now" or "today" as the first parameter in the @CALCDATE action tag might mistakenly not work while viewing a data entry form or survey page if the @CALCDATE field has DMY or YMD date format. (Ticket #133677)

Bug fix: When using the Randomization feature and randomizing a record in a project that has record auto-numbering enabled, in which the record is being randomized before the record has first been created, right after the record has been randomized, the left-hand menu link to the record's Record Home Page might mistakenly point to a new not-yet-created record instead of the record that was just randomized. (Ticket #133678)

Bug fix: When using the biomedical ontology searching mechanism on a data entry form or survey, results in certain ontologies might not return the expected "notation" or "cui" attribute (because they do not have those attributes), thus defaulting to the using the label itself for the data value of the field. It should instead attempt to use the "@id" attribute (if available) as a tertiary measure before defaulting to using the label. (Ticket #133550)

Bug fix: When using "OpenID Connect" or "OpenID Connect & Table-based" authentication and logging in to the server at a specific URL outside the main REDCap Home page, the user would always mistakenly be redirected back to the Home page instead of the original URL. This could cause issues in certain cases, such as when clicking the email address validation link from an email. (Ticket #133729)

Bug fix: When using WebDAV for file storage in REDCap, very large files might be able to be uploaded into File Upload fields, but attempting to download the same large files might mistakenly result in a fatal PHP error due to memory constraints. (Ticket #133638)

Bug fix: When viewing the dialog of Upcoming Scheduled Survey Invitations for a record on the Record Home Page, the survey title (if long) might mistakenly be truncated inside the dialog. (Ticket #133813)

Bug fix: The "Other Export Options" page was mistakenly displaying the Tableau Export dialog contents near the top of the page instead of only displaying it inside the dialog after clicking the blue "View export instructions" button. (Ticket #133813)

Bug fix: When using Multi-Language Management, in which a survey’s text is translated, the survey might crash with a fatal PHP error in specific scenarios when using PHP 8. (Ticket #133892)

Bug fix: When using the Data Resolution Workflow and either opening/responding to/closing a data query or verifying/de-verifying a value via the results of a Data Quality rule on the Data Quality page, that specific result's button in the Data Quality dialog might not correctly get updated with the new status icon/number of comments if the project is longitudinal but instead would incorrectly display the icon/comment count for another event's result for the same record. (Ticket #131878)

Version 12.4.15 (released on 2022-09-02)

CHANGES IN THIS VERSION:

Minor security fix: The third-party JavaScript libraries Handlebars and Moment.js were updated to the latest version because they contained some security vulnerabilities.

Major bug fix: When using Multi-Language Management on a survey with the e-Consent Framework enabled, the PDF displayed inline on the page to the participant at the end of the survey would mistakenly not be in the participant's chosen language but instead would be in the default language. Note: This does not affect the e-Consent PDF being stored in the File Repository, which is correctly stored in the participant's language.

Bug fix: Fix for fatal PHP 8 error when viewing the Participant List page in specific circumstances. (Ticket #132555)

Bug fix: The Email Logging page would mistakenly not return any logged emails if the search filter was set to return emails of type "Alerts & Notifications". This was due to emails not getting stored in the email logging database table with the correct category attribute. Thus, when using the type filter "Alerts & Notifications" going forward, it will only return results of emails sent after upgrading to this version of REDCap. (Ticket #133222)

Bug fix: When creating a report and adding a date, datetime, or number field as a report filter in Step 3, if the field has a min or max range validation set and the user enters a value for the filter field that was outside of the field's min/max range, it would mistakenly display the out-of-range warning. This out-of-range warning is not necessary when building reports but only when entering data. The out-of-range check has been removed for report filter fields. (Ticket #133203)

Bug fix: When a user in a Data Access Group is viewing the Logging page or calling the API Export Logging method, if the "Filter by event" filter (or "logtype" parameter in the API) was set to a record-oriented value (e.g., Record created only), certain logged events might mistakenly not be returned if the logged events were not performed by a user that explicitly belongs to the current user's DAG (e.g., a non-DAG user or a survey participant). (Ticket #133203)

Bug fix: While reordering an event on the Define My Events page of a longitudinal project, the black popup that appears temporarily would mistakenly be located in the wrong place on the page. (Ticket #133296)

Bug fix: A space was mistakenly missing before the URL in the "Super API Token has been deleted" email sent to the user. (Ticket #133345)

Bug fix: When adding a new instrument to a project in development status, all users in the project would mistakenly not automatically be given "Full Data Set" data export rights to the new instrument. In certain circumstances when a new instrument is added, users would receive De-Identified export rights mistakenly, and in other situations, they would not appear to have any export rights at all for the new form until they logged in to REDCap and entered the project. This could additionally cause confusion where it might appear that the user's form-level export rights had changed if the user had not accessed the project during the time in which the new instrument was created and then the project was moved to production. (Ticket #133306)

Bug fix: When using Multi-Language Management, the MLM setup page might mistakenly crash with a fatal PHP error in specific circumstances due to UTF-8 characters being present in some text. (Ticket #133305)

Bug fix: Added 11 missing LOINC codes for Clinical Data Interoperability Services (CDIS) mapping.

Bug fix: Clicking the "Project Owners" button on the Email Users page in the Control Center might mistakenly select some users that should not be selected, especially if the users had been project owners on projects that had been marked as completed or were recently deleted.

Bug fix: When using Azure AD authentication, specifically V1 of Azure AD, the username or email address for a B2B collaboration user object might contain an "#EXT#" identifier as text inside it in certain cases. This is problematic to have the character "#" in a user's username and email. If this occurs, the text "#EXT#" will be automatically removed. (Ticket #121605c)

Bug fix: When a user has User Rights privileges in a project and has also been assigned to a Data Access Group, if the user goes to edit their own rights on the User Rights page and clicks "Save", it would mistakenly remove them from their current DAG without warning. (Ticket #133313)

Bug fix: When using Twilio for sending SMS messages for survey-related activities, in some cases the Survey Invitation Log might not correctly report that the participant had opted out of receiving SMS messages. In these cases, in which the Twilio API returns the specific error message "Attempt to send to unsubscribed recipient", the invitation log now correctly notes that the invitation did not send because the participant opted out. (Ticket #105253)

Bug fix: When a user clicks the "Delete data for THIS FORM only" button at the bottom of a data entry form, in which the form exists on a repeating event where no other forms have data (i.e., all other form status icons are a gray color), the repeating event would mistakenly still appear in reports when in fact it should no longer appear in reports. (Ticket #131790)

Version 12.4.14 (released on 2022-08-26)

CHANGES IN THIS VERSION:

Minor security fix: Several Cross-site Scripting (XSS) vulnerabilities were discovered where a malicious user could potentially exploit them on specific pages by inserting HTML tags and JavaScript event attributes or by manipulating parameters in the URL, specifically when editing Project Dashboards, when uploading and viewing inline images files on forms/surveys, and when entering Missing Data Codes of the Project Setup page.

Bug fix: When the system-level setting "Allow reports to be made 'public'?" has been set to "No", administrators would mistakenly not be allowed to make reports public. Regardless of this setting, admins should always be able to make any report public. (Ticket #132901)

Bug fix: Clicking the "View export instructions" for the Tableau Export option on the "Other Export Options" page might mistakenly fail to open the dialog, thus resulting in a JavaScript error.

Bug fix: When changing the system-level language on the General Configuration page in the Control Center, the page would mistakenly not change over to the new language immediately after submitting the page but only when the page was refreshed afterward.

Bug fix: If a user knows specific paths for the PHPQRCODE third-party library in REDCap, they could call it many times at a specific URL, which might cause the web server's storage to fill up with lots of temporary files. (Ticket #132432)

Bug fix: When using Form Display Logic in a longitudinal project, in which the logic references one or more fields on an event that currently has no data for a given record, the Form Display Logic would mistakenly fail to work correctly.

Bug fix: When piping a date or datetime field into the max validation range check for another date/datetime field, if the field being used as the max exists on a different instrument or survey page, it would mistakenly not throw an out-of-range warning if the value was above the maximum. Note: This does not affect the min range check but only the max. (Ticket #124222b)

Version 12.4.13 (released on 2022-08-19)

CHANGES IN THIS VERSION:

Major bug fix: When exporting a PDF that contains a multiple choice field that has been flagged as an Identifier field, if the user has De-Identified data export rights for the field's instrument, the data for the field would mistakenly not be removed from the resulting PDF. (Ticket #132190)

Major bug fix: When clicking the “Forgot your password?” link on the login page and then entering the username of a valid REDCap user, the password of the username entered would mistakenly be reset immediately after being entered, which could lock out the user if a malicious user is randomly entering usernames to try and discover a valid username. It now only resets the user’s password after they click the password reset link in the email that they receive. Additionally, in order to prevent malicious users from discovering valid usernames, the password reset page now returns the exact same message in all situations, whether the username entered is a real username or not. In the case when using one of the “X & Table-based” authentication methods, if the user entered is an external user (i.e., not a Table-based user), they will also receive an email that will inform them that they must reset their password using an external resource outside of REDCap (or it will instead display the custom password reset text that has been defined in the Control Center). (Ticket #132595)

Major bug fix: When using certain external authentication methods, survey pages might sometimes mistakenly time out if the project's internal Record List Cache (a secondary list of records in the database for improving performance) had not been built yet, which is done automatically by REDCap internally. This would cause an internal API call to fail when it is made inline while loading survey pages, thus causing the survey page not to load. (Ticket #104761)

Bug fix: The Codebook page can become very slow in certain situations when lots of fields exist in the project, especially when utilizing languages for Multi-Language Management. (Ticket #132349)

Bug fix: When using Multi-Language Management in a project, some translations might get mistakenly overwritten when importing a CSV/JSON translation file due to an issue with case sensitivity with the language ID (e.g., “es” vs “ES”). (Ticket #132443)

Bug fix: Some of the text inside the dialog displayed to an administrator when a project has been marked as Completed was changed in order to be less confusing about the project's status after the admin has restored it. (Ticket #132499)

Bug fix: When using Azure AD authentication, users might mistakenly not have their first/last name and email auto-populated into their user profile after initially logging in to REDCap. This bug was supposedly fixed in the previous version but mistakenly was not. (Ticket #130664b)

Bug fix: When using the Data Resolution Workflow feature and creating data queries based on the results of Data Quality rules, the results of the Data Quality rules might not display the correct number of comments for a given discrepancy unless it belongs to a repeating instrument. (Ticket #131878)

Bug fix: When a user's date/time format user preference on the Profile page is set specifically to "YYYY-MM-DD and 24-hour time", some timestamps displayed in the REDCap user interface (e.g., Most recent activity on Project Home, Email Logging sent time) would mistakenly display the "seconds" component of the datetime when it should only display hours and minutes. (Ticket #132678)

Bug fix: When using Azure AD authentication, the username for a B2B collaboration user object might contain an "#EXT#" identifier as text inside it in certain cases. This is problematic to have the character "#" in a user's username. If this occurs, the text "#EXT#" will be automatically removed from the user's username. (Ticket #121605b)

Bug fix: By manipulating URLs and/or JavaScript variables on a REDCap project page, a user might be able to request an API token for a project in which they do not explicitly have API rights (although they would have to have access to the other project in order to do this). Even if the administrator approved the token request via the To-Do List or via the email request, the user would not be able to obtain the API token that was created for them, nor would they be able to use the token even if they could somehow obtain it. So no real harm or privacy issues could result from this. (Ticket #132778)

Bug fix: When using Multi-Language Management and importing translations for survey settings via a CSV file, some survey settings would mistakenly fail to import successfully. (Ticket #132828)

Bug fix: When using Multi-Language Management, the “[Reminder]” text for Automated Survey Invitation reminders was mistakenly not translatable. It can now be translated on the User Interface > Survey > Survey Emails section on the MLM setup page. (Ticket #132868)

Version 12.4.12 (released on 2022-08-05)

CHANGES IN THIS VERSION:

Major bug fix: When viewing and downloading files under the "Data Export Files" tab of the File Repository, users that do not have Full Data Set data export rights to every field contained within a given export file on that page would mistakenly be able to download the export file(s). REDCap will now check to ensure that the user has Full Data Set access to every field contained within the export file, and if they do not, the user will not be able to download the data export file(s), in which it will instead display the following message on the page: "NOTICE: You are not able to download the export files here because you have either none or partial data export rights to one or more fields contained within the data export file." This bug was introduced in REDCap 12.2.0 with the advent of instrument-level data export rights.

Bug fix: When a user attempts to submit an instrument to the REDCap Shared Library via the Online Designer, the descriptive text regarding this process mistakenly includes a dead hyperlink to a page that no longer exists. The hyperlink has been replaced with a modal dialog containing the same information. (Ticket #131617)

Bug fix: PHP compatibility issue in some circumstances might cause the PDF export to fail with a fatal error when using PHP 8. (Ticket #131673)

Bug fix: When using Multi-Language Management, some HTML and JavaScript might be inserted into the webpage source code too early when viewing the Survey Access Code page. (Ticket #131704)

Bug fix: The Codebook would mistakenly not display the min/max values of slider fields on the page if the min/max range values were never explicitly set (i.e., as 0 and 100, respectively). (Ticket #131065b)

Bug fix: When using Multi-Language Management, there might be an issue when attempting to import a system language (from the Control Center) into a project and also with exporting a language. (Ticket #131811)

Bug fix: A user creating a new project would mistakenly not receive "Full Data Set" data export privileges on all instruments in the new project.

Bug fix: When using the Survey Setting to provide custom text for the survey’s Submit button, in which a field variable is piped into the Submit button text, it might mistakenly cause the Previous page button not to function on the survey page. (Ticket #131937)

Bug fix: Viewing a report might cause the page to mistakenly crash with a fatal PHP error in certain situations when running PHP 8. (Ticket #132041)

Bug fix: If a participant is attempting to take an Adaptive or Auto-Scoring survey (i.e., downloaded from the REDCap Shared Library), in which the survey has the Survey Login feature enabled, after the participant has successfully logged in, the survey would mistakenly not display correctly because the first question and submit button would not be visible on the page, thus making it impossible to complete the survey (unless the participant refreshed the page in their browser, after which it would work correctly).

Bug fix: When using Multi-Language Management, if a user exports a CSV language file on the MLM setup page, edits it, and then imports it back again, in certain circumstances the uploaded changes might not take effect.

Bug fix: When using Azure AD authentication, users might mistakenly not have their first/last name and email auto-populated into their user profile after initially logging in to REDCap. (Ticket #130664)

Bug fix: When using Multi-Language Management, if the survey setting checkbox “Store the translated version of the PDF” is not checked for the “Save a PDF of completed survey response to a File Upload field” setting on the Survey Settings page, the saved PDF of the response would mistakenly be stored in the language that the participant had chosen on the survey page instead of storing the PDF using the default language. (Ticket #131879)

Version 12.4.11 (released on 2022-07-27)

CHANGES IN THIS VERSION:

Major bug fix: When the Protected Email Mode is enabled in a project, and a recipient clicks the link in their email to view the original email content within REDCap, they would never receive the follow-up email containing the one-time code, thus preventing them from accessing the content of their email. (Ticket #131414)

Major bug fix: When using Google OAuth2 authentication with the User Allowlist enabled, the User Allowlist would mistakenly not prevent users from logging in who were not on the allowlist. (Ticket #131346)

Major bug fix: When simultaneous users are viewing the same data entry form for a record that has not yet been created, in which the same tentative record name is displayed at the top of the form for both users, if the second user attempts to lock the form after the first user has already saved the form and created the record, the second user will end up creating a record with another record name (as expected); however, instead of the second record's form getting locked, the first user's record would mistakenly be the one that gets locked. (Ticket #131431)

Bug fix: Various PHP errors specific to PHP 8 were fixed on the Data Quality page. (Ticket #131294)

Bug fix: Attempting to copy an instrument in the Online Designer when the instrument contains no fields (excluding the form status complete field) often results in the instrument not actually being copied or causes it to be half-copied (i.e., almost copying it but leaving some parts orphaned in the database backend). To fix this, users will no longer be able to copy an instrument if the instrument has no fields. If a user attempts to copy an instrument with no fields, a dialog will be displayed letting them know that they cannot copy the instrument until at least one field exists in the instrument. (Ticket #131273)

Bug fix: A fatal PHP error might occur when accessing the Data Quality page with PHP 8.0 . Note: This bug was supposedly fixed in REDCap 12.4.8 (LTS), but mistakenly it was not. (Ticket #130364)

Bug fix: When using the Multi-Language Management feature, selecting a language as the Fallback language in the MLM setup might prevent the user/participant from switching to the Default language on a form/survey and would instead mistakenly display the Fallback language text on the page.

Bug fix: A fatal PHP error might occur when using a CDIS service. (Ticket #130928)

Bug fix: When using biomedical ontology searching for a Text field, certain specific codes for very specific ontologies (e.g., SNOMEDCT) might mistakenly return a slightly incorrect code/value (typically off by a value of "1"). This appears to be extremely rare and seems to be due to a limitation with regard to how JavaScript handles large numbers. (Ticket #131406)

Bug fix: If survey instructions or survey completion text is indented in specific ways (e.g., when the HTML <p> tag has a padding style added to it), the indention would not appear on the survey page but only on the Survey Settings page. (Ticket #131479)

Bug fix: When two records are about to be created on a data entry form with the same tentative record name (as is displayed at the top of the form) by two simultaneous users, and the second record being created is created via the randomization process, then the project Logging page would mistakenly list the second record's record name with an incorrect value in the "List of Data Changes" column, although the real record name in the "Action" column would be correct for the record.

Bug fix: When using the Data Resolution Workflow feature and creating data queries based on the results of Data Quality rules, the results of the Data Quality rules might not display the correct number of comments for a given discrepancy if it belongs to a repeating instrument or repeating event. (Ticket #130207)

Bug fix: When upgrading to REDCap 12.1.0 or higher, in certain situations the resulting upgrade SQL script might contain some malformed "drop foreign key" queries in which the foreign key name is mistakenly blank, thus resulting in an SQL error during the upgrade. (Ticket #131519)

Bug fix: Fixed typo on the Publication Matching page in the Control Center. (Ticket #131581)

Bug fix: When the text of the survey Submit buttons have been translated (either via a language INI file or via the Multi-Language Management feature), the button text might mistakenly spill out of the button and not display correctly if the button text ends up being wider than 140 pixels. (Ticket #131545)

Version 12.4.10 (released on 2022-07-21)

CHANGES IN THIS VERSION:

Major bug fix: The "Export Logging" API method would mistakenly allow users to export a project's logging when they do not explicitly have "Logging" privileges in the project. Note: The method would still require API Export privileges to work. The method now requires both API Export privileges and Logging privileges. (Ticket #131089)

Minor security fix: The jQuery UI library was updated from v1.13.1 to v1.13.2 due to a Cross-site Scripting (XSS) bug.

Bug fix: When using Multi-Language Management and translating the alternative Stop Action text that appears when a survey ends via Stop Action, the alternative Stop Action text would mistakenly not appear in its translated form when displayed on the survey page. (Ticket #130689)

Bug fix: When using Multi-Language Management, certain items would not be translated when only one language (which differs from what is set as the project language) is used. (Ticket #130688)

Bug fix: When using the "Save & Return Later" feature on a multi-page survey, in which the survey contains a non-hidden @CALCTEXT field whose value gets populated early in the survey, when a participant returns to the survey later, REDCap would mistakenly advance the participant to the page with the @CALCTEXT field, even if it occurs on a later page than where the participant left off. (Ticket #131056)

Bug fix: Regarding the Text-To-Speech functionality for surveys, the "Arabic (Male)" voice was deprecated in the IBM Watson TTS service that is utilized by REDCap. That voice has now been removed as an option on the Survey Settings page, and any surveys using the "Arabic (Male)" voice will automatically have the Text-To-Speech functionality disabled.

Bug fix: The Codebook would mistakenly not display the min/max values of slider fields on the page if the "Display number value?" slider setting is not checked/enabled. (Ticket #131065)

Bug fix: When using one of the "X & Table-based" authentication methods, various processes (e.g., cron job for user auto-suspension due to inactivity) might not work correctly for some users in certain situations, and various user interfaces (e.g., Sponsor Dashboard) might not display all correct options or page elements for some users in certain situations.

Version 12.4.9 (released on 2022-07-15)

CHANGES IN THIS VERSION:

Bug fix: When a survey is set to use "Large" or "Very large" survey text size while some SPAN tags are located inside some H1, H2, etc. tags in the survey instructions, survey completion text, or in any other text displayed on the survey page, the text inside the SPAN tags would mistakenly appear as much smaller than they should on the page. (Ticket #130326)

Bug fix: When using Azure AD authentication, the user principal name for a B2B collaboration user object might contain an "#EXT#" identifier as text inside the user's email address. This is problematic to have the character "#" in a user's email and also (if using their email address as the user's username) to have it in the username. If this occurs, the text "#EXT#" will be automatically removed from the user's email address. (Ticket #121605)

Bug fix: When using the Multi-Language Management feature and translating the titles of surveys in a project, if a survey participant navigates to the survey queue page directly, the survey titles for the surveys listed in the survey queue would be correctly translated; however, when viewing the survey queue immediately after completing a survey, the survey titles would mistakenly not be translated into the participant’s selected display language. (Ticket #130429)

Bug fix: Outgoing emails would mistakenly get logged in the "redcap_outgoing_email_sms_log" database table even when the emails themselves failed to send successfully. This could cause the table to fill with emails that never actually sent, many of which might have a missing sender or recipient address in the table. (Ticket #130546)

Bug fix: If data is being imported (via API, Data Import Tool, Mobile App, or REDCap::saveData) for a slider field, an erroneous message might be returned in some situations regarding the slider field's min/max specific range settings.

Bug fix: If a user has instrument-level locking privileges but only has read-only data viewing privileges for an instrument when viewing the instrument that has been fully or partially completed as a survey response, the "Lock this instrument?" checkbox would mistakenly not be displayed at the bottom of the page, thus preventing the user from locking or unlocking the form. Users with locking privileges should always be able to lock or unlock a form despite whether they have edit privileges or read-only privileges for that instrument. (Ticket #130667)

Bug fix: A fatal PHP error might occur for longitudinal projects with no instrument-event designations when navigating to the Survey Distribution Tools page when using PHP 8. (Ticket #130743)

Bug fix: When an administrator attempts to use the Project Revision History link for a given project on the Browse Projects page in the Control Center, it would mistakenly not load and thus would not be usable.

Bug fix: When modifying Descriptive Text fields in the Online Designer, in which a field contains an inline image attachment, the image might mistakenly not display anymore in certain cases until the page is reloaded. (Ticket #130817)

Bug fix: When using Multi-Language Management, if a user removed the default text of an item (e.g., sets the text as blank for a field label, survey instructions, etc.) after having translated the item, the MLM setup page would mistakenly no longer display the item anymore, thus making it impossible to edit the existing translated text.

Bug fix: User input text (e.g., field labels, survey instructions) that is rendered in downloaded PDFs might get mistakenly truncated if the text contains the less-than character "<" immediately followed by certain special characters, such as " ", "-", "".", or "*". (Ticket #130761)

Version 12.4.8 (released on 2022-07-08)

CHANGES IN THIS VERSION:

Bug fix: When a field's action tags are displayed below it in the Online Designer, sometimes an apostrophe might mistakenly get displayed in the action tag name.

Bug fix: Fixed issue with example HTML not displaying correctly for an item on the "Help & FAQ" page.

Bug fix: When using the Multi-Language Management setup page, translation changes might mistakenly not get saved successfully (although they might appear to be saved) if the current user is an administrator that has “Access to all projects and data” system privileges but has not been explicitly given Project Design privileges within the project. (Ticket #130248)

Bug fix: A fatal PHP error might occur when accessing the Data Quality page with PHP 8.0 . (Ticket #130364)

Version 12.4.7 (released on 2022-07-01)

CHANGES IN THIS VERSION:

Bug fix: The REDCap Cron Job might mistakenly output some SQL queries when running the QueueRecordsDatediffCheckerCrons job.

Bug fix: When an Automated Survey Invitation has been set up in a longitudinal project, in which the ASI's conditional logic includes datediff() today/now and has the "Ensure logic is still true" checkbox checked while additionally one or more of the variables in the logic are missing a prepended unique event name, the DateDiff Today/Now cron job might mistakenly schedule a survey invitation that should not be scheduled, even though REDCap will ultimately unschedule the invitation right before trying to send it. (Ticket #129893)

Bug fix: When a Vimeo video link is provided for the embedded video URL for a Descriptive Text field, the video would mistakenly not to be playable on the page if the URL contained extra alphanumeric characters that appear after the first set of numbers and slash in the video URL (e.g., Fertility Preservation - Female at Birth ). (Ticket #118309)

Bug fix: Missing Data Codes could mistakenly not be saved to a File Upload field during a data import (e.g., API, Data Import Tool, REDCap::saveData) despite the fact that Missing Data Codes could be saved for File Upload fields via the web interface. (Ticket #82602)

Bug fix: If an administrator has "Manage user accounts" privileges but does not have "Access to all projects and data..." privileges, the Browse Users page might malfunction when they attempt to perform certain actions, such as suspending users, where it would mistakenly send an email to the user themselves as if they had made a request from the Sponsor Dashboard page (which they didn't). (Ticket #129830)

Bug fix: Fixed typo in Double Data Entry error message. (Ticket #130093)

Bug fix: If a project is using randomization with strata fields, in which the strata fields exist on the first instrument, and then a participant loads the first instrument as a survey via the public survey link, if the strata fields appear on the first page of the survey, the strata fields will mistakenly be rendered as disabled/read-only on the public survey page if the highest-numbered record in the project has already been randomized. (Ticket #130107)

Version 12.4.6 (released on 2022-06-27)

CHANGES IN THIS VERSION:

New LTS branch based off of REDCap 12.4.5 (Standard)

Note: Please see the Standard Release ChangeLog between v12.1.0 and v12.4.5 to see the full list of new features and bug fixes released with this new LTS branch.

Version 12.0.33 (released on 2022-06-27)

CHANGES IN THIS VERSION:

Bug fix: If a project is using randomization with strata fields, in which the randomization field and/or strata fields exist on a survey that has "Save & Return Later" enabled, if a participant completes part of the survey for a record that has already been randomized, then returns later to the survey but forgets their return code, then clicks the "Start Over" button on the survey, the randomization field and/or strata fields on the survey would mistakenly have their values erased. All the other field values on the survey should be erased, but the randomization field and strata field data should never get erased for records that are already randomized. (Ticket #129892)

Version 12.0.32 (released on 2022-06-24)

CHANGES IN THIS VERSION:

Bug fix: When using Send-It to send a file from the File Repository or a file associated with a File Upload field on a record, although the email being sent would get captured in the backend email log, the email details would mistakenly not get captured in the project-level Email Logging page. (Ticket #129554)

Bug fix: When a record's Survey Queue contains more than five completed surveys, in which case it will hide all the completed surveys in the queue to conserve space on the page, the queue would mistakenly display the text "X surveys completed!" where X is mistakenly the total number of surveys in the queue and not the total number of completed surveys in the queue. (Ticket #128732)

Bug fix: On the System Statistics page, the stats for the number of data values pulled for both the Clinical Data Mart and Clinical Data Pull were not being calculated correctly and might have been previously reporting much lower numbers by mistake.

Version 12.0.31 (released on 2022-06-17)

CHANGES IN THIS VERSION:

Major bug fix: A change in the code for the Multi-Language Management setup page in the previous REDCap version might mistakenly cause certain tabs on the page not to get updated when saved.

Bug fix: If a hook, plugin, or external module is calling the REDCap::saveData() method, in which parameters are passed to the method all in a single array (i.e., $params=[...]; REDCap::saveData($params)), the "dataAccessGroup" parameter's value would mistakenly be ignored if included in the parameter array. (Ticket #129203)

Bug fix: The data entry form page or Online Designer might mistakenly crash with a fatal PHP error in certain situations when using PHP 8.0 . (Ticket #129297)

Bug fix: Documentation of the datediff() function was mistakenly inferring that the "returnSignedValue" function parameter could be provided in all caps (e.g., TRUE). However, its value must always be lower case (e.g., true). The documentation has been changed to reflect this to reduce confusion. (Ticket #129332)

Bug fix: When using Twilio to send invitations via Automated Survey Invitations that utilize the "Participant's Preference" as the invitation type, if the ASI belongs to a survey that is a repeating instrument, it is possible that the participant's preferred invitation type might get stored incorrectly in the backend database, thus potentially causing some invitations to be sent to the participant using the wrong invitation type (e.g., sent via Email instead of via SMS). (Ticket #128878)

Bug fix: The API method "Export Logging" would mistakenly not return the extra text for the "Reason for Data Changes(s)" if the setting "Require a 'reason' when making changes to existing records" is enabled in the project.

Bug fix: The "Survey Link Lookup" link would mistakenly still be displayed on the Control Center left-hand menu even if all survey functionality was disabled globally in the system via the "Enable the use of surveys in projects?" setting on the Modules/Services Configuration page.

Version 12.0.30 (released on 2022-06-10)

CHANGES IN THIS VERSION:

Minor security fix: Updated the third-party package Guzzle to remediate the package’s cross-domain cookie leakage. (Ticket #128703)

Bug fix: Piping would not work successfully in real-time for Dynamic SQL fields on a survey or data entry form when the displayed language is changed on the page via Multi-Language Management. (Ticket #128562)

Bug fix: Added 2 missing LOINC codes for the "social history" observation category in CDIS.

Bug fix: Slider fields would mistakenly not be active and functional when viewed in the Online Designer. (Ticket #128916)

Bug fix: Project-level external module settings would mistakenly not get deleted from the "redcap_external_module_settings" database table after a project has been permanently deleted. (Ticket #128909)

Bug fix: The Record Home Page in a longitudinal project would mistakenly display the column for an event when the current user has no access to any instruments that are designated for that event. It should instead hide the column on the page rather than displaying it as empty. (Ticket #127708b)

Bug fix: All rich text editors would mistakenly strip out any Font Awesome icons that were added to the source code HTML of the rich text editor.

Bug fix: When using Multi-Language Management, a piped label might fail to display its translated language when on a PROMIS instrument (adaptive, auto-scoring, or battery) that was downloaded from the REDCap Shared Library.

Bug fix: The Moment.js library was updated since it was out of date.

Bug fix: The Multi-Language Management setup page might mistakenly not load due to a JavaScript error in some very specific situations.

Bug fix: Prepending [previous-event-name] or [next-event-name] to the Smart Variables [survey-time-X] and [survey-date-X] might mistakenly not return a value (e.g., [previous-event-name][survey-time-completed:followup_survey]). (Ticket #128662)

Version 12.0.29 (released on 2022-05-26)

CHANGES IN THIS VERSION:

Bug fix: The datediff() function might not work as expected when using different data types in the parameters (e.g., date and datetime together) for PHP-based implementations of the logic evaluation process, such as the Survey Queue, ASI conditional logic, Data Quality rule logic, etc. (Ticket #128299)

Bug fix: If a survey that is a repeating instrument is displayed in the survey queue, if over 8 instances of the survey have been completed and the survey is to allow participants to return via Save & Return Later in order to modify completed responses, it would mistakenly display all 8 survey instances as visible in the survey queue when instead it should display them as being collapsed on the page. (Ticket #128362)

Bug fix: If a Descriptive Text field has an inline image attachment, in which the image's file extension does not match its true mime type (i.e., someone has renamed its file extension to something incorrect prior to uploading the image), it would mistakenly cause the PDF export to run a long time and eventually time out when attempting to export a PDF of the instrument. (Ticket #128336)

Bug fix: If using the [survey-link] Smart Variable with Custom Text and with an instance Smart Variable appended to the end (e.g., [survey-link:medications:Take this survey][last-instance]), the custom text would not display correctly but would include the unique instrument name at the beginning of the custom text by mistake.

Bug fix: When granting a user access to a project via the User Rights page, the new user's data export rights in the popup would mistakenly default to "Full Data Set" for all instruments when instead they should default to "De-Identified" if in development status and to "No Access" if in production status. (Ticket #128504)

Bug fix: The ":ampm" piping parameter would mistakenly not work for datetime fields that have DMY date format. (Ticket #128507)

Bug fix: Data Quality rule D "Field validation errors (out of range)" would mistakenly not process the min and max values for the out-of-range check correctly if a field's min/max was set as "today", "now", or as a piped variable (e.g., [other_date]).

Version 12.0.28 (released on 2022-05-20)

CHANGES IN THIS VERSION:

Bug fix: The Instant Adjudication process for the Clinical Data Pull feature would mistakenly not pull a value from the EHR system when there exists a perfect timestamp match for a data value whose field has been mapped using the Near, Earliest, or Latest preselection strategies.

Bug fix: The install page would mistakenly crash with a fatal PHP error if using PHP 8 when the database credentials in database.php are either not correct or they cannot successfully connect to the database.

Bug fix: When using the same field two or three times (i.e., from different arms) as a Survey Login field, clicking the "Show value" checkbox in the Survey Login dialog would mistakenly cause the field to duplicate itself inside the dialog.

Bug fix: If duplicate instances of the same cron job somehow exist in the redcap_crons database table, which should not happen, REDCap will now detect this issue automatically and remove the duplicate jobs from the table.

Bug fix: If the Smart Variables [form-link] and [form-url] have a literal instance number appended to them (e.g., [form-link:meds][3]), they would mistakenly not get parsed correctly and would always produce a link/URL that points to the first repeating instance. (Ticket #127042)

Bug fix: When using Multi-Language Management, @CALCTEXT and @CALCDATE fields would fail to have their values piped immediately on the page after a language switch. Additionally, when only a single language (out of multiple languages) was active on a survey, the language switch might actually fail to work.

Bug fix: If a participant clicks the “Start Over” button on a partially completed survey that happens to be a repeating instrument or on a repeating event, the Logging page would mistakenly not explicitly state the repeating instance number to which the survey response belonged, thus making it appear as if it references instance #1 always. (Ticket #128018)

Bug fix: When uploading a data dictionary that has calculations or branching logic that contain Smart Variables with a comma inside them (e.g., [aggregate-sum:age,age2], it would recommend stripping out the comma during the upload process, which would not be desirable.

Bug fix: When using CDIS services (CDP or CPM), the FHIR services might mistakenly not function successfully if the EHR endpoint contains custom port numbers in their URL (e.g., https://example.com:8888/FHIR/DSTU2/).

Bug fix: If a Project Bookmark is set to only be displayed for users in specific Data Access Groups, the bookmark would mistakenly fail to display for aa REDCap administrator that is using the "View Project As User" feature to impersonate a user assigned to one of those DAGs. However, the bookmark would display correctly for the DAG-assigned users themselves. (Ticket #128093)

Bug fix: The Survey Settings feature "Save a PDF of completed survey response to a File Upload field" would mistakenly fail to function if enabled for an Adaptive or Auto-Scoring survey that has been imported from the REDCap Shared Library. (Ticket #128156)

Bug fix: In the API Playground, the Export Metadata API method would mistakenly display the Form Complete Status fields in the field drop-down list on the page. It should not display those fields in the drop-down because those fields are never included in the data dictionary, thus they would never return anything from this API method. (Ticket #127974)

Bug fix: Fixed rare issue where the fast refreshing of the main Control Center page would mistakenly display an issue where "redcap_ztemp_X" database tables exist and need to be deleted. (Ticket #128055)

Version 12.0.27 (released on 2022-05-12)

CHANGES IN THIS VERSION:

Bug fix: Fix for an issue in the External Modules Framework that was mistakenly converting all HTML entities in some text and causing JavaScript errors when utilizing a specific EM method that might be used by an EM. (Ticket #126891)

Bug fix: Field labels containing HTML character codes (e.g., ä) would mistakenly not be displayed correctly on the X or Y axis of a [line-chart] or [scatter-plot] Smart Chart. (Ticket #127516)

On the "Modules/Services Configuration" page in the Control Center, the setting to globally disable the "Stats & Charts" page in every project was mistakenly still referring to the page by its old name "Graphical Data View & Stats", which was confusing for admins. (Ticket #127597)

Bug fix: CDIS-related fixes

Several missing LOINC codes were added to the CDP and CDM mapping.

The field “Address (district/county)” in CDM was mistakenly missing as a field in CDM projects.

The deceasedBoolean value in CDM was mistakenly not being saved if False.

Bug fix: If the value of the "report_id" parameter that is passed to the Export Reports API method does not belong to the current project whose API token is being used, if the user who owns the API token has access to the project to which the report_id belongs, the API would mistakenly not return an error but would instead return a list of record names from the other project. Note: No other data from the other project would be returned other than the record names.

Bug fix: When running PHP 8.0 , the Stats & Charts page might fail with a fatal PHP error if number/integer fields somehow contain non-numeric values. (Ticket #122604b)

Bug fix: When Multi-Language Management is disabled in a project, the process of a user's production draft mode changes being approved would inadvertently cause an MLM snapshot to be saved. (Ticket #127650)

Bug fix: If the system-level setting "Enable the Graphical Data View & Stats" has been disabled and then a user is granted access to a project, the user might mistakenly be able to access parts of the "Data Reports, Exports and Stats" page, even when they do not have any data export or reports privileges. (Ticket #127597)

Bug fix: The Record Home Page in a longitudinal project would mistakenly display the column for an event that has no instruments designated for it. It should instead hide the column on the page rather than displaying it as empty. (Ticket #127708)

Bug fix: When branching logic contains certain Smart Variables, especially [aggregate-X] Smart Variables, it would throw a branching logic error on the survey page or data entry form. (Ticket #127741)

Bug fix: When a user calls the API method "Export PDF file of instruments" in a longitudinal project, in which the "event" parameter is either blank or is not provided in the API request, it would return a PDF that mistakenly only contains the first event's data, when instead it should return a PDF with data for all events. (Ticket #127820)

Version 12.0.26 (released on 2022-05-06)

CHANGES IN THIS VERSION:

Minor security fix: An SQL Injection vulnerability was found when submitting the Create Project page, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page.

Bug fix: If an embedded date or datetime field has a @READONLY action tag, the field's Today/Now button and its clickable datepicker icon would mistakenly remain active and allow users/participants to modify the field's value.

Bug fix: If a field being piped into an outgoing email has the @RICHTEXT action tag, the resulting email body would mistakenly not look correct, such as containing too many line breaks or malformed tables. (Ticket #127174)

Bug fix: Some REDCap installations somehow missed the upgrade script from REDCap 9.7 that enabled the "redcap.link" URL shortener. It will now be enabled if not.

Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code "332" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it.

Bug fix: The Publication Matching feature in the Control Center might mistakenly fail with a fatal PHP error when using PHP 8. (Ticket #127359)

Bug fix: If a drop-down or radio button field on a survey has the @DEFAULT action tag, when the page initially loads, it would mistakenly scroll all the way down to the field with the @DEFAULT action tag (thus skipping the fields above it) if the participant was taking the survey on a mobile device. (Ticket #127406)

Bug fix: Fixed an issue pertaining to changes made to Multi-Language Management translations while projects are in draft mode, especially affecting Automated Survey Invitation translations, in which the submitted changes would mistakenly not save successfully.

Bug fix: If the conditional logic for an Automated Survey Invitation in a longitudinal project was mistakenly missing prepended event names for any field variables in the logic, the ASI might mistakenly not get triggered appropriately. (Ticket #127385)

Version 12.0.25 (released on 2022-04-29)

CHANGES IN THIS VERSION:

Bug fix: The HTML tag "code" was mistakenly not included in the ALLOWED_TAGS list of HTML tags that are allowed to be used in user input (e.g., field labels, survey instructions).

Bug fix: When using the survey setting “Redirect to a URL” together with Multi-Language Management, the resulting URL would not be correct or would be malformed, thus preventing the redirection from working successfully. (Ticket #126791)

Bug fix: When uploading and then downloading a file for a File Upload field on the first page of a public survey, in which a record named record "1" already exists in the project prior to loading this survey, an erroneous message would be displayed along with some JavaScript errors on the page. (Ticket #125758)

Bug fix: When using the export->import process for Multi-Language Management via a JSON/CSV file, there might be issues with successfully importing Alerts and Automated Survey Invitations in the file.

Bug fix: If a drop-down field has the "auto-complete" setting enabled, in which the drop-down contains more than 200 choices, then when viewing drop-down on a survey page or data entry form, clicking the drop-down's down-arrow would mistakenly not open the full list of choices for the drop-down. (Ticket #125257)

Bug fix: Calculated fields containing form status fields (i.e. form "_complete") mistakenly do not fire when on a survey page. (Ticket #127009)

Bug fix: When importing data for a field that has the @FORCE-MINMAX action tag and also has a minimum or maximum range check value as "now", "today", or a piped variable name, out-of-range values in the data import file would mistakenly not be flagged as errors during the import process and would be saved. (Ticket #126862)

Bug fix: When using Multi-Language Management, the choice text for Yes/No and True/False fields in the MLM “User Interface” section would mistakenly not get changed to the translated text when switching languages on a survey page or data entry form. (Ticket #127022)

Bug fix: When a user requests that their project be moved to production, after the administrator approves their request, the user would mistakenly not receive a confirmation email of this approval if the "Enable email notifications for administrators" checkbox is left unchecked on the "To-Do List" page in the Control Center. (Ticket #127040)

Version 12.0.24 (released on 2022-04-22)

CHANGES IN THIS VERSION:

Major bug fix: A field's question text on a survey page might mistakenly not get recognized by certain screen reading software. Bug emerged in REDCap 12.2.2 Standard and REDCap 12.0.14 LTS. (Ticket #122843)

Bug fix: The Record Status Dashboard page might crash with a fatal PHP error in specific cases when using PHP 8.0 or 8.1. (Ticket #126395)

Bug fix: When a checkbox is set as an Identifier field and is referenced in the body of an alert, which is set to remove all identifiers from the alert body when sent, it might throw a fatal PHP error in PHP 8.0 .

Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code "346" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it. (Ticket #126590)

Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area codes "220", "223", "458" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it. (Ticket #126741)

Bug fix: Clicking certain hyperlinks on a survey page might mistakenly add the green highlighted background to the field if the link exists inside a field that is a container for embedded fields. (Ticket #105242b)

Bug fix: If a line-chart or scatter-plot Smart Variable contains a third field used for categorization, the plot might mistakenly not display but would appear blank if some choices for the categorization field are not all presented in the plot's data.

Bug fix: When importing data in JSON format (including via the REDCap::saveData method), if a single record is represented in the imported data as multiple items/rows (i.e., when importing longitudinal events or repeating instances), if one of the rows for a record contained a leading or trailing space in the record name while other items/rows for that same record did not, the spaces would mistakenly not get trimmed off of the record name but instead would cause the record to end up in a split state in the project, in which it would appear ultimately as separate records. (Ticket #126035)

Version 12.0.23 (released on 2022-04-15)

CHANGES IN THIS VERSION:

Bug fix: If using the Multi-Language Management feature, changing the language on the page would mistakenly not alter the URL of embedded video in a descriptive text field if a translated/alternative version of the video URL was provided for a language in the project. (Ticket #125502)

Bug fix: When the Survey Queue is enabled in a project, a fatal PHP error might occur in some specific cases when using PHP 8.0 or 8.1 while exporting the Project XML file or while performing other Survey Queue related activities. (Ticket #126079)

Bug fix: When a project’s language is set to be different from the system language, the popup dialogs in a project that display documentation for piping, field embedding, and special functions would mistakenly always be shown in the system language. (Ticket #126117)

Bug fix: Using the action tag @READONLY (including @READONLY-SURVEY and @READONLY-FORM) on a Notes field that also has the action tag @RICHTEXT would mistakenly cause the Notes field not to be disabled/readonly but would still be editable. Going forward, any of the @READONLY action tags will negate @RICHTEXT on a field. (Ticket #126097)

Bug fix: If a user assigned to a Data Access Group attempts to view a data entry form for a record not assigned to their DAG (e.g., by manipulating the URL in order to navigate to the record), it would mistakenly not display the "Record X belongs to another Data Access Group" error message and would display mostly a blank page due to a JavaScript error.

Bug fix: When using the Mailgun service for sending outgoing emails while utilizing the “Universal FROM Email Address” setting, the Reply-To header would mistakenly fail to be set correctly for all outgoing emails. (Ticket #126173)

Bug fix: If a user had downloaded an Adaptive or Auto-Scoring instrument from the REDCap Shared Library, they would mistakenly be allowed to translate the instrument via the Multi-Language Management setup page. Since Adaptive or Auto-Scoring instruments are validated, they should not be able to be translated because such would cause them to no longer be validated. So all Adaptive or Auto-Scoring instruments will be disabled on the MLM setup page, thus preventing users from translating them.

Bug fix: If a user has downloaded an instrument from the REDCap Shared Library, whether it was a curated instrument or not, it now displays a warning when attempting to translate the instrument on the Multi-Language Management setup page that the user should first check to see if the instrument is validated. And if so, they should not translate the instrument because such might cause it to no longer be validated.

Bug fix: When using Multi-Language Management, the survey termination option "Redirect to a URL" would mistakenly not use the translated URL. (Ticket #126255)

Bug fix: When creating a project via Project XML import, the process might crash with a fatal PHP error if using PHP 8.0 or 8.1. (Ticket #126268)

Bug fix: When using Multi-Language Management, if a form or survey page is submitted while leaving some required fields without values, a JavaScript error would mistakenly be thrown after the page reloads, which might cause certain things not to function correctly on the page. (Ticket #126225)

Bug fix: Fields with a @READONLY or @READONLY-X action tag would mistakenly not be disabled on the page if the fields were embedded. (Ticket #126276)

Bug fix: The @IF action tag will mistakenly not evaluate correctly on a survey page or data entry form if the record does not yet exist (e.g., when viewing the first page of a public survey).

Bug fix: The @IF action tag might mistakenly not get parsed correctly in certain instances when using Multi-Language Management.

Bug fix: When using Multi-Language Management, the UI text displayed below a field when using the @CHARLIMIT or @WORDLIMIT action tags would mistakenly not be translatable on the MLM setup page.

Bug fix: On the Survey Settings page, if the option "Send Confirmation Email" is enabled along with the option "Include PDF of completed survey as attachment" while using Multi-Language Management, the PDF of the survey response attached to the confirmation email would mistakenly always be in the default language when instead it should be in the language in which the respondent took the survey. (Ticket #126341)

Bug fix: When a user assigned to a Data Access Group is performing a data import for a project with Record Auto-Numbering enabled, in which the import setting "Yes, rename all records" has been set for the data import, the import process will mistakenly time out and never fully complete. (Ticket #126160)

releasesoftwarelts

 

 

 

Version 12.0.22 (released on 2022-04-08)

CHANGES IN THIS VERSION:

Major bug fix: Some contexts that employ a user rights check might mistakenly throw a fatal PHP error in some specific cases when using PHP 8.0 or 8.1. (Ticket #125951)

Version 12.0.21 (released on 2022-04-08)

CHANGES IN THIS VERSION:

Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in various places. (Ticket #125900)

Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it on the Data Quality page and Data Comparison Tool page by inserting HTML tags and/or JavaScript event attributes into the name of a record. (Ticket #125952)

Bug fix: Several actions on the Multi-Language Management setup page were mistakenly not getting logged on the Logging page. (Ticket #125513)

Bug fix: When using Multi-Language Management, the piping of choices in a drop-down field works inside the same instrument but mistakenly does cross-pipe into different instruments in the same project. (Ticket #125546)

Bug fix: When using Multi-Language Management, the text for the "Duplicate Value" warning popup was mistakenly not available to be translated. (Ticket #125557)

Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code "534" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it. (Ticket #125591)

Bug fix: The API documentation for the "Delete User" method mistakenly had "dags" as a parameter when instead it should have said "users" as the parameter name. (Ticket #125497)

Bug fix: For full compatibility with all stats packages during a data export, the syntax file for data exports that contain a field with a blank field label will have the field variable name used in place of the field label. (Ticket #125436)

Bug fix: If the Secondary Unique Field is enabled and also has the @HIDDEN action tag, the AJAX call to check the uniqueness of its value might mistakenly get triggered if the field is the first field on a data entry form. (Ticket #125020)

Bug fix: If Twilio is enabled at the system-level, the phone number fields would mistakenly not be displayed on a user's Profile page unless Two-Factor authentication was enabled on the system. Even when not using Two-Factor, it will now display the phone number fields on the Profile page when Twilio is enabled in order to allow users to use their account-associated phone numbers for outgoing Alerts & Notifications via Twilio. (Ticket #124440)

Bug fix: An HTTP 500 error might occur in some cases when using PHP 8.1 if the database connection fails to the REDCap database server. This requires a replacement of the non-versioned file “redcap_connect.php”.

Bug fix: When a user clicks the "Erase all data" button or if deleting all records while moving the project to production, the log entries listed on the Email Logging page would mistakenly not be deleted during this process. It now properly deletes all items on the Email Logging page in both of these cases. (Ticket #125656)

Bug fix: Some contexts that employ a user rights check might mistakenly throw a fatal PHP error in some specific cases when using PHP 8.0 or 8.1. (Ticket #125914, #125923)

Bug fix: If a user selects a record from the drop-down list on the Logging page to filter by record, it might mistakenly display non-record related events on the page, such as events related to creating/editing/deleting user roles in the project. (Ticket #124825)

Bug fix: If a calc or @CALCTEXT field on a non-repeating instrument has a cross-form calculation that utilizes a calc/@CALCTEXT field from a repeating instrument, the calc/@CALCTEXT field on the non-repeating instrument would mistakenly not get triggered or calculated when performing manual data entry on a survey page or data entry form, although it would get calculated correctly when running Data Quality rule H. (Ticket #125456)

Version 12.0.20 (released on 2022-04-01)

CHANGES IN THIS VERSION:

Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL on the API Tokens page in the Control Center and also on the API page in a project.

Minor security fix: Updated the Guzzle library due to a security vulnerability reported for that package. (Ticket #125337)

Bug fix: Minor issue with Medication data being pulled from the EHR using a CDIS service.

Bug fix: When using Twilio for surveys in a project, in which a participant is taking a survey and clicks the "Save & Return Later" button followed by clicking "Send survey link", an error would mistakenly be thrown if the preferred contact mode for the participant was set to SMS_INVITE_WEB (i.e., send the survey link via SMS). The phone number would mistakenly be used instead of a valid email in the "from" property of the email. (Ticket #124472)

Bug fix: When using PHP 8.0 and an API Supertoken is used in the API to retrieve the REDCap version, an error would be thrown. (Ticket #124562)

Bug fix: The “RemoveTempAndDeletedFiles” cron job might mistakenly fail in certain cases with a fatal PHP error if using WebDAV as the File Storage method for REDCap. (Ticket #124802)

Bug fix: When using Multi-Language Management, if the @LANGUAGE-CURRENT-X action tag was used on a drop-down field, branching logic would mistakenly not fire after the value was changed. (Ticket #124748)

Bug fix: The Survey Queue’s UI text would mistakenly not display the translated text when using Multi-Language Management. (Ticket #124855)

Bug fix: When searching for users on the Browse Project page, typing the letter “b” might mistakenly cause HTML to be displayed in the auto-complete output. (Ticket #124935)

Bug fix: The @LANGUAGE-SET action tag would mistakenly not get applied when the corresponding survey field is prefilled from a url parameter. (Ticket #124976)

Bug fix: Using the datepicker widget on a survey page or data entry form might allow users to bypass the field validation on the field if immediately switching to using the datepicker widget on another field on the page. (Ticket #124909)

Bug fix: In some specific scenarios, such as when symlinks exist in the file system on the REDCap web server, the System Statistics page in the Control Center might mistakenly throw a fatal PHP error or be real slow when making the AJAX request to obtain the web server space usage. (Ticket #124710)

Bug fix: Apostrophes that occur in the output of Smart Variables like [user-role-label], [user-dag-label], and [record-dag-label] would mistakenly not get escaped and thus cause JavaScript errors to occur when used in calculated fields. (Ticket #125187)

Bug fix: Fixed typo in @READ-ONY action tag description.

Bug fix: Leading/trailing pipe characters "|" in the choice option column of an uploaded data dictionary would mistakenly create empty/null multiple choice options. (Ticket #125166)

Bug fix: IP addresses in IPv6 format for users would mistakenly get logged as NULL in the redcap_log_view database table. (Ticket #124944)

Bug fix: When using the @CALCDATE action tag with PHP 8.0 , the correct value may be seen as calculated on the survey page or data entry form, but the value may mistakenly get erased upon saving the page afterward. (Ticket #124619)

Bug fix: When a field is embedded and is a required field, the field's value might mistakenly not get saved when submitting a survey page or data entry form if the field also has an @HIDDEN action tag.

Bug fix: When a field contains the @IF action tag and also contains other non-action tag text inside the Field Annotation text, it might cause the @IF action tag not to get interpreted correctly. (Ticket #124974)

Version 12.0.19 (released on 2022-03-10)

CHANGES IN THIS VERSION:

Major bug fix: When an admin attempts to approve a production project's drafted changes, the approval process would mistakenly fail. (Ticket #124102)

Bug fix: When using Multi-Language Management, the text of field validation errors and their associated names/labels displayed in the error popup would mistakenly not be displayed in the translated language.

Bug fix: If an administrator is impersonating a user via the "View Project as User" feature, the admin would mistakenly see all Project Bookmarks on the left-hand menu when instead they should only see the Project Bookmarks that the user being impersonated should see. (Ticket #124021)

Bug fix: Permission-related issues for certain directories on the REDCap web server could lead to fatal PHP errors for some functions throughout REDCap that attempt to list files in specific directories.

Bug fix: A fatal PHP error might occur in certain situations when a participant is submitting a survey while using PHP 8.0 on the web server. (Ticket #124146)

Bug fix: If a user uses the syntax [field:value] in logic or a calculation, even though this is not correct syntax for logic/calcs (because it is implied that only the raw value should ever be used), it is allowed for compatibility reasons. However, while this syntax works for calculated fields on the same page, it would mistakenly not work for data imports, nor would it work for cross-instrument or cross-event calculations. This syntax will now work in all contexts. (Ticket #124182)

Bug fix: When clicking a table header to sort the column in a DataTables table on any particular REDCap page, the up/down arrow icon in the column header would mistakenly disappear due to a CSS error. (Ticket #124177)

Bug fix: If a field has the @HIDDEN, @HIDDEN-FORM, or @HIDDEN-SURVEY action tag, it would fail to hide the field if the field is embedded in another field on the page.

Bug fix: 18 Laboratory fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.

Bug fix: Line breaks are mistakenly not preserved in the equation of a calculated field when saving the field via the Online Designer. (Ticket #124341)

Bug fix: When piping a datetime field into the min/max validation range check for another datetime field, if the fields being used as the min or max exist on the same page, it would mistakenly throw an out-of-range error if the datetime fields are in MDY or DMY format. Note: This issue does not occur for date fields but only for datetime or datetime w/ seconds fields. (Ticket #124222)

Version 12.0.18 (released on 2022-03-03)

CHANGES IN THIS VERSION:

Major bug fix: The release of REDCap 12.0.17 LTS contained a deploy issue in which the contents of the 12.0.17 LTS zip files were actually the contents of the 12.2.5 Standard Release zip files. This upgrade process for 12.0.18 should fix this and should undo any SQL table-related issues that have occurred if the auto-generated SQL to auto-fix database structure issues has already been run after having upgraded to 12.0.17. After this upgrade has completed, you may or may not see the notice that database structure issues exist, but if so, just execute that SQL to fix those. If you installed 12.0.17 as a fresh install, we ask that you drop all the database tables and perform a new install after re-downloading 12.0.17 and replacing the "redcap_v12.0.17" directory on your server with the corrected version. (Ticket #123525)

Major bug fix: When a user is assigned to a Data Access Group and is attempting to import a record whose record name is the same as an existing record that belongs to another DAG, if the "force record auto-numbering" setting is not enabled as an option during the import process, the user would mistakenly be allowed to import the data with the record name as-is, thus overwriting data to the existing record that does not belong to their DAG. (Ticket #123593)

Bug fix: When using Multi-Language Management, there are scenarios when a form/survey is set to only a subset of languages (but not including the fallback), in the case of a missing translation, the default language would mistakenly be applied instead of the fallback language.

Bug fix: If the "Email Logging" feature has been disabled at the system level, the Email Logging link on the left-hand project menu would mistakenly still be displayed. (Ticket #123563)

Bug fix: When Multi-Language Management is enabled for a specific instrument, and a user/participant fails to enter a value for all required fields, the "Some fields are required" popup would mistakenly fail to be displayed on the page after the page is reloaded. (Ticket #123641)

Bug fix: When using Multi-Language Management, the matrix field floating/stick headers would mistakenly not appear in the desired translated language. (Ticket #123704)

Bug fix: When a Smart Chart uses a unique report name as a parameter, in which a checkbox field is utilized in the Smart Chart and the report has the checkbox option "Combine checkbox options into single column..." checked, the resulting Smart Chart would not be displayed correctly. (Ticket #123574)

Bug fix: When viewing the Training Videos page while not logged in to REDCap, the tables and icons on the page would be displayed, but the text on the page would mistakenly appear invisible. (Ticket #123751)

Various bug fixes for Multi-Language Management.

Bug fix: A participant could inject some JavaScript code into their browser's console that would allow them to bypass the Required Field check (specifically for drop-down fields only), thus mistakenly allowing them to complete the survey page or complete the whole survey without actually entering a value for such drop-down fields. (Ticket #123585)

Bug fix: When using Multi-Language Management, the text for Automated Survey Invitations would mistakenly not save successfully.

Version 12.0.17 (released on 2022-02-25)

CHANGES IN THIS VERSION:

Bug fix: In some specific scenarios while using PHP 8.0 or 8.1, the System Statistics page in the Control Center might mistakenly throw a fatal PHP error when making the AJAX request to obtain the web server space usage. (Ticket #123238)

Bug fix: If some branching logic, conditional logic, or calculations have incorrect syntax in a specific way, depending on the logic/calculation itself, it could result in a fatal PHP error when being processed. (Ticket #123229)

Bug fix: When using the Smart Variable [stats-table] in the content of an outgoing email (i.e., survey invitation or alert), the table would mistakenly be missing all the styling applied to it when viewed in the REDCap application. (Ticket #123207)

Bug fix: When using the Smart Variable [stats-table] in the content of an outgoing email (i.e., survey invitation or alert), the "Export table" link that is normally displayed below the table might mistakenly get included in the email body, which might occasionally cause the link to be removed from the email message by the email client or might cause the entire email message to be flagged as spam and therefore not received by the recipient.

Bug fix: When multiple choice fields have choice values of "0" and "00", and a record has either choice selected and saved on an instrument, if that instrument is then exported as a PDF with data, both choices would mistakenly appear checked as seen in the PDF. (Ticket #123282)

Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code "667" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it. (Ticket #123291)

Bug fix: When using a Custom Record Label that contains Smart Variables but not field variable names, the Custom Record Label would mistakenly not display at all in certain places where the record name is displayed. (Ticket #123187)

Bug fix: The Multi-Language Management setup page would mistakenly fail to load/display any fields on the instrument-level translation tab if a multiple choice field on the instrument contained zero choices. (Ticket #123371)

Bug fix: When exporting data via the user interface, API, or REDCap::getData(), depending on the structure of a project, an error might mistakenly be returned due to hitting the PHP memory_limit threshold and thus throwing a fatal PHP error. This was due to REDCap's internal batch process, which is completely transparent to the user, having too large a value for the size of a given batch.

Bug fix: When the "Filter by records in a DAG" drop-down filter has been selected on the Logging page, and the user then clicks the "Export all pages using current filters" button at the top of the page, the DAG filter would mistakenly not be applied in the resulting CSV export file. (Ticket #123472)

Bug fix: When a project is being created via a Project XML file, and the Secondary Unique Field in the XML file is a calculated field or a @CALCTEXT field, which are not allowed to be set as the Secondary Unique Field, it would mistakenly set the field as the Secondary Unique Field when creating the project. In this case it will now instead unset the Secondary Unique Field setting for the newly created project. (Ticket #123099)

Bug fix: The Multi-Language Management feature would mistakenly display Yes/No or True/False field choices as blank labels when viewing a survey page or instrument for a given translated language. (Ticket #123371b)

Bug fix: Resolved issues where UTF-8 encoded text in field labels gets truncated and displayed in various places throughout REDCap, in which it would sometimes mistakenly display a black-diamond-with-question-mark character at the point of truncation in the label.

Bug fix: The logged event "Change participant invitation preference" (when using Twilio) would mistakenly not be tied to the record name when filtering the logging results by a specific record. (Ticket #123515)

Version 12.016 (released on 2022-02-21)

CHANGES IN THIS VERSION:

Bug fix: In some specific scenarios when using PHP 8.0 or 8.1 with some longitudinal project, the Online Designer might mistakenly crash with a fatal PHP error. (Ticket #123103)

Bug fix: When using Multi-Language Management and changing an enumerated value (e.g., choices, Action Tags), the "reference change tracker" was wrongly highlighting some items on the page.

Bug fix: When a Secondary Unique Field is designated in a project while its two display-related checkbox sub-options are left unchecked, then when viewing a data entry form for an instrument that was completed via survey (as opposed to via data entry form), the value and/or label of the SUF would mistakenly be displayed at the top of the data entry form. (Ticket #123127)

Version 12.0.15 (released on 2022-02-18)

CHANGES IN THIS VERSION:

Minor security fix: A vulnerability was discovered where malicious user could potentially exploit it by manipulating an HTTP request for the project Calendar page popup, in which some minimal amount of data from the calendar event could be exposed to a REDCap user for a project to which they do not have access.

Bug fix: A new system-level configuration setting was added to the User Settings page in the Control Center to allow admins to select the default instrument-level user access that gets set for all project users' Data Viewing Rights whenever a new instrument is created while in production status. The available options are "No Access" (default) and "View & Edit". Many administrators have noted that the sudden change in REDCap 11.3.0 for default instrument-level user access for new instruments while in production has caused quite a lot of confusion for users and has thus greatly increased the support workload of administrators. Despite being a new system-level option, this is considered a bug fix because it serves to restore continuity with previous versions by allowing admins (if desired) to revert the behavior back to the way it behaved in pre-11.3.0 versions. (Ticket #120976)

Bug fix: When processing REDCap logic, in some specific instances with specific logic, which may also be dependent upon PHP version, a fatal PHP error might occur and might crash the page. (Ticket #122418)

Bug fix: When using Multi-Languagement Management and defining a Fallback language that is different from the Default language, any User Interface text on a survey page or data entry form might mistakenly be displayed in the Fallback language when the Default language has been selected as the display language.

Bug fix: If an external module utilizes the "redcap_pdf" hook while the system-level "redcap_pdf" hook (in the hook functions file) is also being utilized to perform custom tasks on the server, the results returned from the EM PDF hook would mistakenly not get utilized downstream. (Ticket #122775)

Bug fix: The datepicker widgets used for the time window search on the Email Logging page in a project would mistakenly not stay visible in certain cases when trying to use them. (Ticket #122811)

Bug fix: The URL for the example Login Page logo used on the REDCap Install page mistakenly pointed to a non-existent image/URL.

Bug fix: When attempting to send outgoing emails (e.g., survey invitations, alerts), if the email subject is left empty, it might prevent the email from sending successfully.

Various fixes for the External Module Framework.

Bug fix: In certain situations with longitudinal projects, the Form Display Logic might mistakenly not function correctly to enable/disable the right instruments. (Ticket #122974)

Bug fix: When creating a longitudinal project via a Project XML file, the form-event mapping might mistakenly not get saved during the project creation process.

Bug fix: When exporting and then importing a Project XML file to create a new project that has some Form Display Logic defined, if the project is longitudinal and has some Form Display Logic conditions that references an instrument on "[All Events]", those Form Display Logic conditions might mistakenly not get saved during the project creation process.

Bug fix: When editing an existing report that has fields selected via the drop-down lists in Step 3 (Filters), then the user clicks the "Use advanced logic" link, then the user clicks the "Use simple logic (choose fields from list)" link, then if they select a field in the first filter field drop-down (which has no field selected), it would mistakenly not display a new field/row immediately below that row. Thus, the user is not able to add more than one filter field for the report in this scenario unless they save the report and reload it to edit it again. (Ticket #18065)

Version 12.0.14 (released on 2022-02-11)

CHANGES IN THIS VERSION:

Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the values of Text Box and Notes Box fields that are piped somewhere else on the same page as where the field exists. This does not occur if they are piped into a different instrument, different event, or elsewhere in the project.

Bug fix: A field's question text on a survey page might mistakenly not get recognized by certain screen reading software, especially if the survey has the "enhanced radio buttons and checkboxes" setting enabled. (Ticket #121765)

Bug fix: When attempting to upload a data dictionary with calculated fields or @CALCTEXT fields that contain Smart Variables inside their calculation, REDCap might mistakenly return an error message saying that the Smart Variables are not real variables, thus preventing the user from uploading the data dictionary.

Bug fix: Too many Google services were mistakenly included during the recent bundling of the Google PHP API Client Services library, thus causing REDCap's resulting code to bloat unnecessary by an extra 15,000 files.

Bug fix: The contents of the email sent to a participant after clicking the “Save & Return Later” option in a survey were mistakenly not translatable via the Multi-language Management feature.

Bug fix: When adding a field to a project in production while in draft mode, an incorrect error message is displayed if the field is being added below a section header. (Ticket #122044)

Bug fix: A fatal PHP error might be thrown in very specific instances when using PHP 8.0 . (Ticket #122182)

Bug fix: A fatal PHP error may occur on the Online Designer page for PHP 8.0 in certain situations. (Ticket #122108)

Bug fix: Resolved some potential upgrade issues occurring with SQL queries failing in some particular situations when upgrading to REDCap 11.2.0 or higher. (Ticket #121952)

Bug fix: When a project has record auto-numbering enabled, and a user creates a record, renames it, and then deletes it, the next record to be created would mistakenly not have the same record name as the one deleted (assuming no other records had been created during the interim). It is assumed that the next record would have the same name as the deleted one. (Ticket #122090)

Bug fix: When adding hyperlinks into a field label, survey instructions, etc., in which the hyperlink URL contains "on" and also "=" somewhere inside it, the URL might mistakenly get mangled when output on the page in which "onXXXXX=" will be replaced with the word "replaced=". (Ticket #121691)

Bug fix: When uploaded files are being copied on the server (e.g., when copying a project containing Descriptive Text fields with file attachments), if the file somehow can't be found or accessed on the server, it would throw a fatal PHP error in PHP 8.0 . (Ticket #122496)

Bug fix: When required fields are left empty on a data entry form that is submitted, thus displaying the required fields popup, and then the page is refreshed, it would mistakenly keep displaying the required fields popup to the user even when the required fields might have been given values in the interim. (Ticket #122480)

Bug fix: When using [survey-date-completed] or similar Smart Variables inside the conditional logic for Automated Survey Invitations, it might cause the page to crash when submitting a survey or data entry form, resulting in a fatal PHP error. (Ticket #122473)

Bug fix: If an instrument is exported as a PDF with data, in which the instrument contains slider fields that display the slider value next to it, the slider's value displayed in the box next to the field in the PDF would mistakenly always be normalized to be between 0 and 100, rather than displaying the literal value as-is. (Ticket #122035)

Bug fix: Data Quality rule F might mistakenly return false positives for fields that exist on repeating instruments in a longitudinal project, especially when the field's instrument is also utilized as a non-repeating instrument in another event. (Ticket #121343)

Bug fix: When running PHP 8.0 , the Stats & Charts page might fail with a fatal PHP error if number/integer fields somehow contain non-numeric values. (Ticket #122604)

Bug fix: When upgrading to REDCap 11.4.1 or higher, the SQL upgrade script might mistakenly crash with an error on a certain query. (Ticket #122565)

Bug fix: When using Multi-Language Management and translating a survey that has Stop Actions, the User Interface text for the title of the Stop Action popup (i.e., "End the survey?") would mistakenly not appear in its translated form. (Ticket #122644)

Bug fix: When importing the JSON or CSV language file for Multi-Language Management, labels might mistakenly not get updated to their translated form for option choices for some multiple choice fields. (Ticket #122636)

Bug fix: Some text was changed in the Tableau section of the "Other Export Options" tab on the "Data Exports, Reports, and Stats" page because it could be confusing to users if certain institutions have special licensing and/or policy with regard to the installation of Tableau. (Ticket #122618)

Bug fix: If a user is assigned to a Data Access Group, the "Select a previously sent email" drop-down list in the "Compose Survey Invitations" popup on the Participant List page would mistakenly not filter out previously-sent emails pertaining to records that belong to other DAGs. (Ticket #122495)

Bug fix: If more than 500 instances of the @IF action tag are used for a field, whether nested or used in parallel, all the @IFs listed after the 500th @IF would mistakenly not get processed, thus causing the @IFs not to function correctly on the field.

Bug fix: The “Break the Glass” feature in Clinical Data Pull (CDP) was mistakenly not able to perform a successful login for the user, thus was not able to break the glass for a record.

Bug fix: When creating a new project using a Project XML file with an API super token, in some particular use cases depending on the exact setup of the project and its data, the API request might mistakenly crash or might not complete the process if any record data exists inside the Project XML file. (Ticket #121579)

Bug fix: Clicking a slider field to initialize it would mistakenly not immediately trigger its value to be piped if the slider is piped elsewhere on the same page. It would only pipe if the slider’s value was modified after its initialization. (Ticket #122704)

Bug fix: A warning message would mistakenly be returned when attempting to upload a data dictionary containing checkboxes with a dot/period in a checkbox choice coded value, in which that checkbox choice was being referenced in a calculation or branching logic. Notes: Dots/periods are allowed in a checkbox choice code. (Ticket #122581)

Bug fix: When uploading a file for a File Upload field via the API Import File method, the resulting logged event on the project logging page would only display the field name when it should instead display the field_name and back-end edoc ID value for the file in the logged event description. This was changed because it was inconsistent with the logging produced when uploading a file via the user interface. (Ticket #122272)

Bug fix: Text Box fields with the @SETVALUE action tag would always display the red bar on the side of the field (regardless of the value) when instead the red bar should only be displayed when the saved value is different from the displayed value.

Version 12.0.13 (released on 2022-01-28)

CHANGES IN THIS VERSION:

Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the title of a project.

Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way for certain features of REDCap Messenger.

Bug fix: Some of the example R code in the API Playground mistakenly referenced a function named "fileUpload()" when it should instead be "upload_file()". (Ticket #101454b)

Bug fix: Data Quality rule E was mistakenly using the median and not the mean for the field when determining if the value was an outlier (e.g., two standard deviations from the mean). (Ticket #121704)

Bug fix: Some password-related configuration settings for Table-based authentication might mistakenly contain trailing spaces in their value, thus possibly preventing the settings from working as expected. (Ticket #121716)

Bug fix: The REDCap cron job might crash unexpectedly when attempting to send an Alert containing a [survey-link] Smart Variable when the project does not have any surveys enabled. This only occurs in PHP 8.0 and 8.1. (Ticket #121644)

Bug fix: Survey Queue settings in the "Set Up Survey Queue" popup would mistakenly not get saved for a survey that is currently set to "offline" status. (Ticket #121668)

Bug fix: When uploading a new user role via a CSV file on the User Rights page, some specific user privileges for the new role might mistakenly not get saved correctly during the upload process. (Ticket #121461)

Bug fix: When a user assigned to a Data Access Group is using the Data Resolution Workflow, the Resolution Metrics page would mistakenly display the "Average time for query response (by user in days)" chart when instead it should only display the chart for users who do not belong to a DAG. (Ticket #121527)

Bug fix: When an alert or an automated survey invitation has conditional logic that contains datediff today/now, in which Smart Variables are used in the logic but no real field variables are used, the alert/ASI would mistakenly fail to be scheduled/sent by the datediff today/now cron jobs that run every 4 hours. (Ticket #121276)

Version 12.0.12 (released on 2022-01-25)

CHANGES IN THIS VERSION:

Bug fix: If a file is being imported via API for a File Upload field, in which the field's instrument is a repeating instrument, then it might make the instrument inaccessible in the user interface (e.g., Record Home Page, Record Status Dashboard) if no other field on the instrument contains any data for that instance. (Ticket #120354)

Bug fix: Issues might occur (e.g., blank white page) when installing REDCap on PHP 8.1 due to the setting "mysqli_report", which defaults to "MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT" in that version. This will also require replacing the redcap_connect.php non-versioned file on the REDCap web server.

Bug fix: When attempting to send a File Upload field's file via Send-It from a data entry form, the popup window would display a blank page if using PHP 8.0 or higher. (Ticket #121163)

Bug fix: Remediated PHP 8.X-specific errors that occur when users alter URLs in unexpected ways.

Bug fix: The mouseover text displayed when hovering over the "Members: Everyone" text in the General Notifications channel in REDCap Messenger would mistakenly display the wrong text. (Ticket #121312)

Bug fix: When performing calculations for a @CALCTEXT field (whether on a data entry form, survey page, data import, or Data Quality rule H), some dynamically-created regular expressions in PHP that search for other calculated fields or @CALCTEXT fields that are used within the original @CALCTEXT field might cause an overload due to the regular expression being too long, thus possibly resulting in not accurately determining dependent fields used inside the @CALCTEXT field's equation. This means that some @CALCTEXT fields might possibly not get their value updated successfully. (NOTE: This is a very similar but slightly different fix for the bug fix with the same description in the previous version.)

Bug fix: When using the Auto-Archiver or e-Consent Framework on a survey while also setting the Stop Action survey option to "Do not save the survey response", when a participant triggers a stop action on the survey, it would mistakenly display the error message "X is not an existing record in this project!" at the bottom of the page. (Ticket #121166)

Bug fix: When an administrator is approving a To-Do List request to make a user's report "public", after clicking the "Click here" link to view the report while inside the approval dialog, it would cause the dialog to flash and then go white, thus preventing the admin from approving the request (unless they went into the project manually and viewed that report before returning to the To-Do List request). (Ticket #120893)

Bug fix: Small change to text in the Two-Factor Authentication settings on the "Security & Authentication" page to improve clarity of the option IP Exception setting used for 2FA.

Bug fix: When loading the Participant List inside the "Compose Survey Invitations" popup, it would mistakenly take an unnecessarily large amount of time to load a list of thousands or more participants for certain surveys.

Bug fix: If using WebDAV as the File Storage Method for the following system-level settings 1) 'File Upload' field enhancement: Password verification & automatic external file storage, 2) Record-level Locking Enhancement: PDF confirmation & automatic external file storage, or 3) e-Consent Framework: PDF External Storage Settings (for all projects), these features may no longer be storing files successfully to the external server. A new "authentication type" setting for WebDAV only has been added to all 3 settings on the "Modules/Services Configuration" page in the Control Center to allow an administrator to set the WebDAV authentication as "Basic", "NTLM", or "Digest" (depending on the local configuration of the WebDAV server being used). Setting the WebDAV authentication type appropriately for each of the 3 settings (if being utilized) should fix this issue.

Bug fix: The Google OAuth2 authentication would fail to work in PHP 8.0 and 8.1, thus resulting in a fatal PHP error when attempting to log in. (Ticket #121050)

Bug fix: For some projects, the Multi-language Management page might get stuck during its initialization, thus preventing users from using it. (Ticket #118463)

Bug fix: In some situations when clicking the table headers of the Participant List table, all cells in the Participant Identifier column that were previously editable would mistakenly become no longer editable.

Bug fix: When using the Multi-language Management feature, some embedded multiple choice fields might mistakenly not appear in the expected translated language on a data entry form or survey page. (Ticket #121557)

Version 12.0.11 (released on 2022-01-14)

CHANGES IN THIS VERSION:

Bug fix: A project dashboard with custom access settings might mistakenly not be accessible to administrators using the "View project as user" feature.

Bug fix: When creating or editing a Project Dashboard that has been set as "public", the option to create a custom public link would mistakenly not be displayed on the page (assuming that the URL Shortening Service is enabled at the system level).

Bug fix: When creating or editing a report that has been set as "public", the option to create a custom public link would mistakenly not be displayed on the page (assuming that the URL Shortening Service is enabled at the system level).

Bug fix: If using the @CALCTEXT action tag on a datetime field, in which the [survey-time-completed] Smart Variable is referenced inside @CALCTEXT(), the resulting value might cause the calculation error popup to display on a survey or data entry form, and the value might not save correctly on the form/survey, via data import, or via running Data Quality rule H. This issue occurs mostly when using field validation with formatting H:M (rather than H:M:S) and also with formatting MDY or DMY (rather than YMD).

Bug fix: If a date or datetime field was using the @HIDEBUTTON action tag, the date format label (e.g., "M-D-Y") would mistakenly not be displayed on the right.

Bug fix: PHP error occurs for PHP 8.0 or 8.1 when downloading Automated Survey Invitations as a CSV file in the Online Designer. (Ticket #120965)

Bug fix: When piping data on an instrument for a field from another instrument while also using the Multi-language Management feature for the current instrument, the piped value might mistakenly not display on the page.

Bug fix: When performing calculations for a @CALCTEXT field (whether on a data entry form, survey page, data import, or Data Quality rule H), some dynamically-created regular expressions in PHP that search for other calculated fields or @CALCTEXT fields that are used within the original @CALCTEXT field might cause an overload due to the regular expression being too long, thus possibly resulting in not accurately determining dependent fields used inside the @CALCTEXT field's equation. This means that some @CALCTEXT fields might possibly not get their value updated successfully.

Bug fix: Some long-running reports might mistakenly return the error message "An unknown error has caused the REDCap page to halt..." in specific edge cases.

Bug fix: If an alert has an [aggregate-X] Smart Variable piped into the alert's email body, it might cause the cron job to crash when attempting to send the alert. (Ticket #120561)

Version 12.0.10 (released on 2022-01-10)

CHANGES IN THIS VERSION:

Bug fix: The field drop-down for the "Designate a Secondary Unique Field" setting in the "Additional Customizations" popup on the Project Setup page would mistakenly not include some Textbox fields (notably those with no Action Tags or Field Annotation).

Bug fix: When using Smart Variables that utilize the parameters ":fields" or ":instrument" in a calculated field or @CALCTEXT field, if the user is entering data on a form or survey, the calculation might mistakenly not get updated if fields used inside the Smart Variable exist on a different instrument or event.

Bug fix: For certain server configurations, the REDCap cron job might mistakenly crash due to a floating point precision issue when creating a timestamp. This occurrence is fairly rare. (Ticket #120688)

Bug fix: When using certain Smart Variables inside a calculation or @CALCTEXT field, a calculation error message might mistakenly appear on the data entry form or survey page and thus would prevent calculations from occurring on that page. (Ticket #120660)

Bug fix: When a report contains data from a repeating instrument and/or repeating event, in which the report's checkbox setting "Include the repeating instance fields (redcap_repeat_instrument, redcap_repeat_instance) in the report and data export?" is not checked, viewing the Stats & Charts page for the report would display the charts and tables correctly unless a user selects a Live Filter for the report, in which it would mistakenly cause all/most tables and charts not to display at all on the page. (Ticket #120408)

Version 12.0.9 (released on 2022-01-07)

CHANGES IN THIS VERSION:

Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in various places.

Minor security fix: If a field contains integer values (e.g., Textbox, Radio, Drop-down) for a record, and then the field is changed to be a File Upload field, viewing a data entry form or a report that contains that field might (depending on the pre-existing integer value of the field) mistakenly expose the filename of files that have been uploaded to other File Upload fields, including possibly those from other projects. Users are not able to download these uploaded files or view their contents, but can view the filename of the file on a data entry form or a report.

Minor security fix: A Blind SQL Injection vulnerability was found on the Cron Jobs page in the Control Center, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page.

Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL on the API Tokens page in the Control Center and also on the API page in a project.

Major bug fix: In a longitudinal project with Data Access Groups, importing data via the "Import Records" API method for an existing record that is assigned to a DAG, in which the API parameters format="json" and overwriteBehavior="overwrite" are used, if the JSON data being imported contains a non-blank value for the "redcap_data_access_group" field for one event while another event of data (for the same record) does not contain the "redcap_data_access_group" field at all in the JSON, REDCap would mistakenly perceive the absent "redcap_data_access_group" field as a blank value and thus would un-assign the record from the DAG (due to the overwriteBehavior="overwrite" parameter being used). When this occurs, the DAG unassignment event would also not get logged on the project Logging page.

Bug fix: Drop-down fields using the auto-complete option would cause the webpage to be slow/laggy when typing a value into the field's textbox or when clicking the down-arrow button for the field to view the full list of choices if the field has hundreds or thousands of choices defined. This slowness was due to the auto-complete feature not being set up correctly in the underlying JavaScript. Note: Clicking the down-arrow button for an auto-complete drop-down with 1000 choices when the field has no value will now display a notice next to the field that the full list of choices cannot be displayed and instead encourages the user to type a value to search all options.

Bug fix: When referencing a Smart Variable inside conditional logic (e.g., Data Quality rules, ASI logic) in which the Smart Variable is appended with a colon parameter while also being prepended with a unique event name (e.g., [event_1_arm_1][survey-date-completed:form_1]), the logic might fail to be successfully evaluated. This could cause Data Quality rules to throw an error or could cause survey invitations for ASIs not to get sent in specific cases. (Ticket #120543)

Bug fix: When a multi-page survey contains required fields that exist on pages after page 1, in some specific scenarios it might mistakenly display the "Some fields are required!" prompt for fields on later pages after submitting the first page. Note: The participant would still be allowed to continue to the next page after the initial submission of page 1. (Ticket #120518)

Version 12.0.8 (released on 2021-12-28)

CHANGES IN THIS VERSION:

New LTS branch based off of REDCap 12.0.7 (Standard)

Note: Please see the Standard Release ChangeLog between v11.2.0 and v12.0.7 to see the full list of new features and bug fixes released with this new LTS branch.