Feature Highlights

New feature:

• Field Embedding - Field Embedding is the ultimate way to customize surveys and data collection instruments to make them look exactly how you want. Field Embedding is a Shazam-like feature that allows you to reposition field elements on a survey page or data entry form so that they get embedded in a new location on that same page.

• Granular administrator privileges- There now exist seven different categories of privileges that may be attributed to a REDCap administrator. If a user has at least one admin privilege, they are considered a REDCap administrator and thus will be able to access the Control Center; however, they will only be able to access the things to which they have been granted access.

• SendGrid Email API Integration -As an alternative for sending outgoing emails from REDCap (rather than using the standard settings in PHP.INI to send them natively from the web server), you may use SendGrid, which is a third-party paid service (owned by Twilio) that can send emails on behalf of REDCap.

• Select and modify multiple fields together on the Online Designer - Users may select multiple fields on the Online Designer by holding the Ctrl, Shift, or Cmd key on their keyboard while clicking on the field in the table, which will reveal the options to Move, Copy, or Delete all the selected fields. To make users aware of this feature, a floating note now appears near the right side of the page in the Online Designer with instructions on how to use this.

• Projects that have the Clinical Data Mart feature enabled will now be able to export the Clinical Data Mart settings in the Project XML file for the project and thus will be able to create new projects using that Project XML file as an alternate means of creating a Data Mart project.

• Integration of Paul Litwin's Stealth Queue external module - New ”Keep the Survey Queue hidden from participants?” setting in the “Set up Survey Queue” dialog on the Online Designer

• New hook: redcap_survey_acknowledgement_page - Allows custom actions to be performed on a survey's acknowledgement/"thank you" page immediately after the survey has been completed. 

• Improvements to the Data Resolution Workflow feature - When a user is opening a new data query and assigning the query to a user, there are new options to send a notification to the assigned user via email and/or REDCap Messenger to inform them about their query assignment.

•  Added "Language of text to be spoken" for the "Text-To-Speech" survey functionality, which is available on the Survey Settings page. For several years, REDCap has had a Text-to-Speech feature for surveys that, when enabled, allows questions and other text on survey pages to be converted into natural-sounding audio for the participant to hear. 

• Users may re-evaluate some or all Automated Survey Invitations for all records in a project. If an ASI has been modified after data has already been entered in the project, users may click the “Re-evaluate Auto Invitations” button in the Online Designer, which will re-evaluate selected ASIs for all records to ensure that invitations get properly sent or scheduled based on the new conditions of the ASI

• Users may re-evaluate some or all Alerts & Notifications for all records in a project. If an alert has been modified after data has already been entered in the project, users may click the “Re-evaluate Alerts” button on the Alerts & Notifications page, which will re-evaluate selected alerts for all records to ensure that notifications get properly sent or scheduled based on the new conditions of the alert

• Data Access Group import/export and DAG-User assignment import/export - The Data Access Groups page in a project now displays a drop-down list of options for users to import/export Data Access Groups, which allows users to bulk create or rename DAGs via a CSV file. It also allows for the import/export of DAG-user assignments via CSV file to bulk assign/reassign/unassign users from DAGs in a project.

• Data Quality Rule import/export - The Data Quality page in a project now displays a drop-down list of options for users to import/export custom Data Quality rules via a CSV file.

• Improvement: On a user's My Profile page, there is a new setting under "Notification Preferences for REDCap Messenger" to enable/disable email notifications specifically for General Notifications and System Notifications

• Improvement: File Upload fields and Signature fields may now be used in piping. If you are piping *from* a File Upload field or Signature field, the field's numerical value will be piped by default, but you may pipe the original filename of the uploaded file by appending the ':label' option, such as [my_field:label].

• Improvement: The REDCap::saveData method for plugins/hooks/modules now has an alternative way of passing parameters to the method. 

• New survey option “Save a PDF of completed survey response to a File Upload field” - On the Survey Settings page in the Online Designer, users may select a File Upload field in the project where a static PDF file of a participant’s survey response will be stored immediately after they complete the survey

• Auto-numbering of repeating instances for data imports - When using repeating events or repeating instruments, it may be difficult when performing dynamic imports of data for these because it is not easily known how many repeating instances already exist in a project for a given repeating event/instrument, thus often forcing users to invent clever ways to determine this, such as performing data exports beforehand and then dynamically determining what the next repeating instance number should be.

• New logic editor for conditional logic, branching logic, calculations, report filters, etc. In every place where users might add/edit logic or calculations, the new logic editor will be displayed in a modal dialog to provide a better user experience for entering their logic. The logic editor provides much more space for entering large amounts of logic, including a fullscreen mode to take maximum advantage of their screen’s real estate.
  
  

Change:

• When exporting data to SAS, the line "OPTIONS nofmterr;" is now added to the SAS script to prevent any formatting issues from throwing fatal errors.

• 350 Laboratory fields (including 30 related to COVID-19) and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.

• The "Help & FAQ" page is updated with new content.

Detailed Change Logs

Version 10.6.28 (released on 2021-07-02)

CHANGES IN THIS VERSION:

• Major bug fix: Fields embedded inside radio button and checkbox choices would fail to appear on data entry forms and survey pages.

• Bug fix: HTML styling on radio button and checkbox choices would mistakenly get removed on a survey page or data entry form.

Version 10.6.27 (released on 2021-06-30)

CHANGES IN THIS VERSION:

• Bug fix: If a field’s value is being piped on the same data entry form or survey page where the field itself is located, if that field is being hidden by branching logic, in which the user clicks “Okay” to the “Erase value” prompt to hide the field and erase its value, the piped value seen on the page would mistakenly not get changed/reset during this process but would instead retain the previous value of the field. (Ticket #108756)

• Bug fix: If the headers of a matrix of fields are displayed as floating/sticky on a data entry form or survey page, the floating headers would mistakenly disappear (at least until the user scrolls the page again) whenever branching logic gets triggered or if the "Reset" link for radio buttons are clicked. (Ticket #109434)

• Bug fix: When exporting data to a stats package (e.g., SAS) in which some multiple choice fields contain "<" in a choice label, the resulting syntax file might be mangled, truncated, and/or incorrect. Also, that choice label with "<" may not display correctly on the Data Dictionary Codebook page. (Ticket #109571)

• Bug fix: When importing data in standard XML format via the API, some fields that have a blank value in the XML file might cause the data import to fail. (Ticket #109293)

• Bug fix: When using the Scheduling module for a project that has record auto-numbering disabled, it is possible that a record could mistakenly be created twice if one user creates the record via data entry at the same time that another user creates the record via the Scheduling module. (Ticket #109287)

Version 10.6.26 (released on 2021-06-18)

CHANGES IN THIS VERSION:

• Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL of a specific endpoint.

• Bug fix: When exporting data to SAS in which the export contains some Ontology Text fields that have a dash in the raw value for some records in the export, it would prevent the data from being successfully loaded into SAS. Now when creating SAS formats for character variables in the resulting SAS syntax file, the values will be wrapped in single quotes for greater compatibility (unless all the values/options are numerical for the field).

• Bug fix: Calendar events that had no time set (i.e., only had the date set) but were scheduled or attached to a record would mistakenly not be ordered by record name when displaying the events of a given day on the Calendar page. (Ticket #108688)

• Bug fix: When a project is in draft mode, the Online Designer would mistakenly allow users to modify the variable name of matrix fields that exist live in production (i.e., not just in draft mode), which should not be allowed because it could inadvertently cause fields to be deleted via renaming. (Ticket #108705)

• Bug fix: When a REDCap server uses the HTTP_X_FORWARDED_FOR header for a user's IP address, in which the IP actually contains multiple IPs delimited with commas (often because a load balancer is being utilized), it now instead just uses the first IP address in the list rather than the whole value, which was causing a blank IP address to be recorded in REDCap's logging for users in this particular case.

• Bug fix: In very specific cases where data has been imported into an instrument (but not for the form status complete field) and no user has entered data for that instrument via the data entry form or survey page yet, the form status icon might mistakenly display as a gray color instead of as red on the Record Home page or Record Status Dashboard. (Ticket #108183)

• Bug fix: If using "LDAP" or "LDAP & Table-based" authentication, any user containing an apostrophe in their LDAP username would cause JavaScript issues to occur for an administrator on the Browse Users page when performing certain actions, such as changing their 2FA code expire time, suspending/unsuspending the user, or deleting the user account from the system. (Ticket #79647d)

Version 10.6.25 (released on 2021-06-11)

CHANGES IN THIS VERSION:

• Bug fix: When a user or admin is clicking the "Yes, move to production status" button in the Move To Production dialog in a development project, it would mistakenly not disable the button after being clicked, which might cause confusing pop-up messages to appear if the button was clicked again before it finished processing. (Ticket #108321)

• Bug fix: When using the Data Resolution Workflow and assigning a user to a data query, the Messenger notification would mistakenly fail if the user chose to notify the other user of their assignment via Messenger. Thus they would not be notified. (Ticket #108335)

• Bug fix: When importing or deleting a file via the API Import File or Delete File methods, it would mistakenly allow users to import files even when the entire record is locked or when the record/event/instrument/instance is locked for that file upload field. (Ticket #108399)

• Bug fix: When an alert has an email address set for the setting "Email to send email-failure errors", in certain situations (such as when running the "Re-evaluate Alerts" process) it would mistakenly send the email failure notification for *all* alerts in the project instead of just the ones that have an email address defined for the "Email to send email-failure errors" setting. This could result in some users receiving many more emails than expected when an alert fails to send successfully. (Ticket #85030)

• Bug fix: Fields that are embedded inside other embedded fields might not fully have their data piped in the field's label when viewed in a downloaded PDF of an instrument but might still display some field variables inside braces/curly brackets. (Ticket #108310)

• Bug fix: In certain cases where a backslash (\) is used in a data value that gets piped (e.g., text that contains "p\0.0233"), it might cause the data to get piped recursively many times and mistakenly output a mangle mess of text. (Ticket #108451)

• Bug fix: When selecting the Export Records method in the API Playground, if one or more values were selected for the Fields, Forms, or Records parameter, and then they were deselected to have no selections for them, the API request would return an error after clicking the Execute Request button on the page. (Ticket #108526)

• Bug fix: When clicking the "Delete data for THIS FORM only" button at the bottom of a data entry form, if the record currently exists in multiple arms and the form data being deleted is the only data in the current arm for the record, it would mistakenly delete the record from the arm in addition to removing the form data (although the record would still exist in other arms). This would not cause any data loss, technically, but the user would have to recreate the record in that arm again.

Version 10.6.24 (released on 2021-06-04)

CHANGES IN THIS VERSION:

• Bug fix: When importing a file via the File Import API method in which the file exceeds the maximum allowed file size, it would return an error message that mistakenly referenced the max upload size of the server instead of the max upload size that is manually set for File Upload fields for the project, which might be a different value than the server maximum.

• Bug fix: If an error popup for a calculation or branching logic appears immediately when a survey page or data entry form initially loads (due to syntax errors in the branching/calculation), the stock language in the error message itself would mistakenly say "undefined" instead of actual text. However, this would not occur if the error message was displayed later on after the page had already loaded.

• Bug fix: Certain example plugins that are included in an initial installation of REDCap would mistakenly display PHP errors if they are accessed without a "pid" parameter in their URL. (Ticket #107782)

• Bug fix: When using the "Select instruments/events" option for a custom record status dashboard, it would mistakenly not limit the dashboard to those instruments/events. (Ticket #107785)

• Bug fix: The horizontal line on which users/participants write their signature was mistakenly not displaying in the "add signature" dialog on forms/surveys.

• Bug fix: When copying a project or creating a new project using a project template, it would mistakenly not copy over the project-level settings below (Ticket #108151):

  • Delete a record's logging activity when deleting the record?

  • Auto-delete all Data Export Files in the File Repository that were created more than X days ago?

  • Exempt the project from 2-step login?

  • Always force 2-step login in this project for EVERY login session?

  • Double Data Entry module

  • Date Shifting De-Identification Option: Date Shift Range

  • Enable/disable the Shared Library for this project?

Version 10.6.23 (released on 2021-05-28)

CHANGES IN THIS VERSION:

• Major bug fix: If a project has randomization enabled and is using strata fields, if one or more strata fields exist on a survey instrument, and the survey containing the strata field(s) is opened after the record has been randomized, the strata fields would mistakenly not be disabled/readonly on the survey page but could be edited, which can cause major issues with a randomized project. It is expected that the strata fields should be disabled/readonly (whether on the data entry form or survey page) after the record has been randomized.

• Bug fix: When a project is in Analysis/Cleanup mode, and a user wishes to set the project data to be read-only/locked, the popup dialog for doing this mistakenly has the wrong text for the dialog buttons.

• Bug fix: When a project has a very large number of arms, it may prevent the Record Status Dashboard from displaying data properly, and might also prevent the background "record list cache" process from completing successfully. (Ticket #107502)

• Bug fix: In server environments with PHP error reporting enabled, it would display a deprecation notice regarding the constructor of the PEAR Log class. (Ticket #55557b)

• Bug fix: When unlocking an instrument using the Unlock button at the bottom of a form, any fields with the @READONLY or @READONLY-FORM action tag would mistakenly become editable. (Ticket #107549)

• Bug fix: The <caption> HTML tag was mistakenly not allowed in field labels, survey instructions, and all places that display user-defined text on a webpage. (Ticket #107664)

Version 10.6.22 (released on 2021-05-21)

CHANGES IN THIS VERSION:

• Bug fix: When using the Survey Queue in a longitudinal project, there are some scenarios where the queue might mistakenly not process the conditional logic correctly for a survey in the queue, thus causing it to return an empty queue or omit some surveys from being displayed in the queue. (Ticket #106801)

• Bug fix: PHP 8 compatibility error when viewing some custom record status dashboards. (Ticket #107055)

• Bug fix: When using the Data Resolution Workflow in which a normal user is attempting to delete a file attachment that has been uploaded to an opened data query, it would mistakenly display an error message every time. Instead it should display a message letting them know that only administrators are allowed to delete files attached to data queries. (Ticket #106984)

• Bug fix: PHP 8 compatibility error when using Two Factor Authentication. (Ticket #103721)

• Bug fix: PHP 8 compatibility error when using the DAG Switcher. (Ticket #107209)

• Bug fix: PHP 8 compatibility error that occurs in some specific cases when viewing the Record Status Dashboard. (Ticket #107225)

• Bug fix: When a project contains repeating events in which a report has filter logic to filter out specific repeating instances (e.g., [current-instance] <> "" and [current-instance] = [first-instance]), the report might mistakenly display no results or incorrect results when there is actually data to display. This does not affect repeating instruments but only repeating events.

• Bug fix: When a radio button field that is part of a matrix is embedded on a data entry form or survey page, the radio button's "reset" link would mistakenly not get embedded along with its associated field. Thus there would be no way to reset a matrix radio field that is embedded. Now the "reset" link appropriately gets moved to be immediately below its associated embedded radio field.

• Bug fix: To prevent Microsoft Outlook Safe Links from submitting surveys and junk data on its own, REDCap survey pages now block all POST requests that originate via the IP address range 52.147.217.*, in which it immediately returns an error message. This is in addition to a recent fix that protected surveys from Safe Links coming from another IP range (40.94.*.*).

• Bug fix: When REDCap is sending a large amount of email notifications from REDCap Messenger, such as when there is a General Notification or System Notification, if the cron job process for sending the emails takes too long, it may mistakenly get run several times, resulting in users receiving the same email notification several times. (Ticket #107208)

Version 10.6.21 (released on 2021-05-14)

CHANGES IN THIS VERSION:

• Major bug fix: When using an Adaptive or Auto-Scoring instrument downloaded from the REDCap Shared Library, in which that survey was set to use "Enhanced radios and checkboxes" via the Survey Settings page, the survey would not function and would not allow participants to submit their responses unless the survey was reverted to no longer using "Enhanced radios and checkboxes".

• Bug fix: When a survey participant is taking a specific Adaptive or Auto-Scoring instrument (such as "NIH TB Hearing Handicap Age 65+") downloaded from the REDCap Shared Library that contains an initial descriptive text field (i.e., it has no choices to choose from), the survey would not function and would not allow participants to submit their responses. Note: This only affects 3 or 4 total Adaptive or Auto-Scoring instruments in the entire REDCap Shared Library.

• Bug fix: If a report contains filter logic containing around 900 or more field variables, the report might mistakenly return 0 results instead of the appropriate results. REDCap cannot parse more than 900 or so field variables in logic due to a limitation in PHP. If more than 900 field variables are used in a report's filter logic and it causes PHP to crash, REDCap will provide a helpful error message in this case to inform the user that there is either a syntax error in the filter logic or that it is too long and needs to be shortened. (Ticket #106834)

Version 10.6.20 (released on 2021-05-14)

CHANGES IN THIS VERSION:

• Bug fix: If a data export takes a long time and the user is away from the computer so long that the auto-logout dialog displays on the page, the auto-logout dialog would mistakenly be displayed underneath the "Exporting data" popup, thus preventing the user from seeing it and preventing the auto-logout process from occurring. (Ticket #106545)

• Bug fix: When not using record auto-numbering in a project while viewing the Add/Edit Records page or Record Status Dashboard, if a record name is hand-entered in a different case than in which it was saved (e.g. "abc" vs "ABC"), it might cause issues on the Record Home page, such as not displaying Custom Labels for Repeating Instruments. (Ticket #106559)

• Bug fix: When viewing a custom Record Status Dashboard in a project that has Double Data Entry enabled, the custom dashboard's "sort by" setting (if utilized) would mistakenly not sort the dashboard's records correctly for any user that has the DDE #1 or #2 designation. (Ticket #105030)

• Bug fix: When REDCap is reporting its general stats to the consortium, it would mistakenly fail to send them in some cases where the URL ended up being more than 2000 characters long.

• Bug fix: A survey theme's background color might mistakenly not get applied to a radio/checkbox matrix on the survey page, thus displaying part of the matrix in the wrong color. Bug emerged in the previous version. (Ticket #106712)

• Bug fix: The setting "Designate an email field for communications (including survey invitations and alerts)" on the Project Setup page would mistakenly be disabled and not usable unless the project has the setting "use surveys in this project?" enabled, which is not correct since the designated email setting can be used for more than just surveys.

Version 10.6.19 (released on 2021-05-07)

CHANGES IN THIS VERSION:

• Major bug fix: Alerts & Notifications that are set to be sent via SMS or Voice Call would mistakenly not get sent whenever the alert is triggered. Bug emerged in REDCap 10.6.18 LTS and 11.0.0 Standard. (Ticket #106260)

• Bug fix: On surveys that have Enhanced Radio & Checkboxes enabled, in which radio fields are embedded inside checkbox labels or checkboxes are embedded inside radio labels (or other variations of these), some of the options might mistakenly not be selected after clicking on them. (Ticket #105880)

• Bug fix: When using the Designated Phone Field with the Twilio telephony services for surveys, the participant's record ID might mistakenly not be displayed on the Survey Invitation Log in certain cases. (Ticket #49955)

• Bug fix: When creating a new Table-based authentication user on the "Create single user" page in the Control Center, it is possible to create a user without entering a value for their username. That should not be allowed. (Ticket #106103)

• Bug fix: When using the "Move to Production status" public survey for "Custom Surveys for Project Status Transitions" when users are not allowed to move projects to production on their own but must request an administrator do so on their behalf, if the user failed to select the radio button asking "Keep existing data or delete?" in the dialog pop-up and then they completed the public survey afterward, the "Working..." progress message would appear and never go away, thus preventing the request from being submitted correctly. (Ticket #106173)

• Bug fix: When the datediff cron job is running for Alerts & Notifications that contain datediff+today/now in their conditional logic, the cron job might mistakenly take a long time to complete (or might time out) because the record list cache has not been created yet for the projects for which the cron job is processing. To prevent the cron job from taking too long and possibly timing out, it will attempt to build the record list cache in real time for each project it is processing. This may mean that initial attempts of the cron job may still take a long time, but later instances of the cron should be much faster.

• Bug fix: When the datediff cron job is running for Automated Survey Invitations that contain datediff+today/now in their conditional logic, the cron job might mistakenly take a long time to complete (or might time out) because the record list cache has not been created yet for the projects for which the cron job is processing. To prevent the cron job from taking too long and possibly timing out, it will attempt to build the record list cache in real time for each project it is processing. This may mean that initial attempts of the cron job may still take a long time, but later instances of the cron should be much faster.

• Bug fix: When using the survey setting "Time Limit for Survey Completion" in which a user clicks the clock icon for a participant in the Participant List in order to modify their Link Expiration time, clicking the "Expire it now" button in the dialog would mistakenly fail to do anything because of a JavaScript error. (Ticket #106167)

• Bug fix: When a text field is embedded inside a checkbox field, clicking inside the text box mistakenly causes its parent checkbox to become unchecked. (Ticket #105001b)

• Bug fix: When launching the Clinical Data Pull embedded window inside an EHR user interface, it might mistakenly say that the current web browser is not compatible.

• Bug fix: If a field is using the @CALCDATE action tag that references a field variable as the second parameter, if that second parameter field has a blank value, the @CALCDATE calculation might return an incorrect value when instead it should be returning a blank value. This only occurs on the server-side (PHP) processing of @CALCDATE when a form/survey is being saved, and does not occur with the client-side (JavaScript) version of the function. This means that while the value looks blank when viewing a data entry form or survey page, the incorrect value would be seen on reports, data exports, or wherever the @CALCDATE field is being piped. (Ticket #106243)

• Bug fix: If using a survey-level designated email field, in certain cases the Participant Email displayed in the Survey Invitation Log might mistakenly be blank or might display the project-level designated email field instead. Bug emerged in REDCap 10.6.18 LTS and 11.0.0 Standard.

• Bug fix: When a survey invitation is sent to a participant via a Twilio SMS message, viewing the message afterward in the Survey Invitation Log would mistakenly display extra text (e.g., "-- To begin the survey, visit...") appended to the message that did not actually get sent to the participant in the SMS message. Additionally, when viewing an SMS message in the Survey Invitation Log, it would mistakenly display any URLs in the message as clickable links instead of correctly displaying them as non-clickable URLs, which is more accurate to how they are seen by the recipient. (Ticket #104997)

• Bug fix: When a project has been set up with Automated Survey Invitations and is using the Designated Email Field, the Public Survey Link page might mistakenly display the red box saying "WARNING: The designated email field does not exist on the first survey", which might not be true if a survey has been orphaned (created in the past but then later removed) in which the survey had one or more ASI's set up for it.

• Bug fix: Dots/periods have been allowed in checkbox codings since REDCap 9.9.0, but the data dictionary import process would still mistakenly display an error message saying that this is not allowed, which is not correct. (Ticket #106375)

• Bug fix: When a project is using Twilio for sending survey invitations, and an Automated Survey Invitation is set to "use participant's preference" for the invitation type/delivery method, then any participant whose delivery preference is "email" would mistakenly receive the expected email body text but with extra text appended to it (e.g. "Please take this survey. You may open the survey..."). In many cases, this means that the email body is duplicated in the email, which is not desirable. (Ticket #102953)

• Bug fix: When editing a field in the Online Designer and using different background colors or text colors in tables added via the rich text editor, a survey theme's color might mistakenly override a table row's or table cell's background/text color when viewing the field on a survey page. (Ticket #106340)

Version 10.6.18 (released on 2021-04-30)

CHANGES IN THIS VERSION:

• Bug fix: When exporting data via the Export Records API method as type=eav, it would mistakenly fail to include the value of the redcap_event_name field (and would export it as blank/null) if the project is longitudinal and the exported data format is XML or JSON. Bug emerged in REDCap 10.6.16 (LTS) and 10.9.3 (Standard). (Ticket #105673)

• Bug fix: When attempting to use the Easy Upgrade on an AWS Quick Start deployment of REDCap, the upgrade process may fail due to "\r" characters in the upgrade shell script. (Ticket #103939)

• Bug fix: When creating a project via a Super API Token, the API call would fail due to a fatal PHP error, thus preventing the project from being created. Bug emerged in REDCap 10.6.16 (LTS) and 10.9.3 (Standard).

• Bug fix: When importing data (via Data Import Tool, API, or REDCap::saveData), all records would mistakenly have spaces trimmed off the beginning and end of every value being imported. This would prevent the data from being imported as-is. It now no longer trims whitespace off of the beginning and end of data values during data imports.

• Bug fix: On certain occasions, an alert that is triggered may mistakenly send an email to the "Email to send email-failure errors" recipient multiple times (instead of just once) or may send it to that recipient when it is not supposed to.

• Bug fix: A field using the @CALCTEXT action tag would mistakenly return a blank value whenever it should be returning a value of 0. (Ticket #105128)

• Bug fix: When using the concat() function in a @CALCTEXT field, the calculation might mistakenly fail if certain characters such as "+" are utilized inside the concat() function. (Ticket #105445)

• Bug fix: When a text box field is embedded inside a checkbox field on a survey that is using Enhanced Checkbox/Radio Fields, the checkbox would be unable to be selected. (Ticket #97954)

• Bug fix: When a checkbox field is embedded inside a checkbox field, it would mistakenly check the first sub-checkbox whenever checking the parent checkbox. (Ticket #97954)

• Bug fix: When a radio field is embedded inside a checkbox field, several things would function incorrectly when clicking on the labels of the radio fields or their "reset" link. (Ticket #105001)

Version 10.6.17 (released on 2021-04-22)

CHANGES IN THIS VERSION:

• Minor security fix: A Cross-site Scripting (XSS) vulnerability and Cross-site Request Forgery (CSRF) vulnerability were discovered where a malicious user could potentially exploit them on two specific Control Center pages.

• Bug fix: When a @CALCTEXT field is used in a longitudinal project, in which its value gets set but all other fields on its instrument do not have a value saved, a red form status icon would mistakenly be displayed for its instrument on the Record Home page and Record Status Dashboard. The status icon should instead remain gray in this case even when calc fields and @CALCTEXT fields have a value. (Ticket #105061)

• Bug fix: PHP 8 compatibility error in LDAP authentication code. (Ticket #105100)

• Bug fix: If a record is deleted via the Delete Record API method, and then another record is created later having the same record name, the Data History popup for a given field would mistakenly list the logged events from the previously-existing record when instead it should not. (Ticket #105144)

• Bug fix: If submitting a public survey, and the record ID field is referenced in the equation of a calculated field located on another instrument, the calculated field's value would mistakenly not get saved. (Ticket #105178)

• Bug fix: When using Twilio telephony services in which multiple projects are using the same Twilio Account SID but have different Twilio phone numbers, some of the Twilio logs on the Twilio website might mistakenly not get erased as they should (REDCap automatically deletes all Twilio logs after each SMS or phone call for privacy purposes).

• Bug fix: If a repeating survey has one repeating instance of the survey that has been locked at the instrument level, then if another repeating instance (that is not locked) of that same survey is opened, it would mistakenly display an error to the participant saying that the response has been locked, which is not true.

• Bug fix: When using the Data Resolution Workflow and viewing an opened query that has not yet been assigned to a user, it would mistakenly not allow you to assign the query to a user. (Ticket #105205)

Version 10.6.16 (released on 2021-04-16)

CHANGES IN THIS VERSION:

• Bug fix: When generating System Notifications for REDCap Messenger during a REDCap upgrade, it was mistakenly using the PHP constant NOW instead of the MySQL function NOW() in a specific query. For that specific process, it now uses the MySQL function NOW() only when hosting REDCap on Google App Engine, otherwise it uses the PHP constant NOW, as it did in previous versions. Bug emerged in 10.6.15.

• Bug fix: When a field with the @PREFILL action tag is being piped somewhere on the same page, the field would mistakenly not have its value piped successfully when the page is loaded. (Ticket #104613)

• Bug fix: It was impossible to disable the "Auto logout time" setting (i.e., by setting its value to "0") on the Security & Authentication page in the Control Center because it would prompt the admin to enter a minimum value of "3". (Ticket #104680)

• Bug fix: If a File Upload field is embedded inside a checkbox choice label, in which the File Upload field has branching logic so that it is only displayed when the checkbox next to it is checked, the upload or download process for the File Upload field would mistakenly cause the checkbox to be checked/unchecked, thus causing the issue of hiding the File Upload field while trying to upload/download its file. (Ticket #104664)

• Bug fix: When performing a data import that contains checkbox fields in which a checkbox has a Missing Data Code previously saved for it, any checkbox options being set to "1" for that field during the data import will mistakenly not remove the existing Missing Data Code from the field. Thus the field ends up with a Missing Data Code and other checked values, which should not happen. Additionally, when viewing the field on a data entry form afterward, the field would mistakenly still appear to have a Missing Data Code. (Ticket #104712)

• Bug fix: When an instrument has already been enabled as a survey and it does not have the e-Consent Framework enabled, if a user then navigates to the Survey Settings page and enables the e-Consent Framework for that survey, the "Allow e-Consent responses to be edited by users?" option is mistakenly not checked by default. That option should be checked by default when enabling the e-Consent Framework. (Ticket #104869)

• Bug fix: When a matrix checkbox field is embedded on a survey page or data entry form, and another field has branching logic that references that embedded matrix checkbox, the branching logic would fail to work successfully when the trigger checkbox is checked/unchecked. (Ticket #104866)

• Bug fix: If an administrator has set a project to be "Offline", users could inadvertently still use the API for that project, which should not be allowed. (Ticket #104931)

• Bug fix: Depending on the username or the name of a Data Access Group, the "(+1)" text that signifies the amount DAG Switcher assignments might mistakenly not display next to the user's current DAG on the User Rights page's table of users.

• Bug fix: If a user/participant adds a signature to a Signature field in which they resize the popup to make it larger while signing it, it would result in a larger image being saved that would mistakenly not always fit correctly in an exported PDF of that instrument. (Ticket #104927)

• Bug fix: Data Quality rules A and B might mistakenly not display all valid discrepancies for a field if the field's branching logic contains certain Smart Variables. (Ticket #99077)

• Bug fix: When performing an API data export of CSV data in EAV data format, it would mistakenly display the CSV "event" header as "event_id" instead of "redcap_event_name".

• Bug fix: When importing data via the API in EAV format (where type=eav) and using the value "new" to perform auto-numbering of the redcap_repeat_instance field, it was mistakenly not returning an error for this. This is not allowed since the "new" value for redcap_repeat_instance cannot be used when type=eav but only for type=flat. This has also been added to the API documentation to inform users of this limitation. (Ticket #104491)

• Bug fix: If a user is idle on a data entry form, and the red auto-logout message appears and states that their session has ended, if they attempt to close that browser tab, it would mistakenly display the prompt asking them if they wish to leave the site. It should not display that prompt. (Ticket #104948)

Version 10.6.15 (released on 2021-04-09)

CHANGES IN THIS VERSION:

• Bug fix: If the body of an alert contains an inline image with a "src" attribute value containing "&file=" followed by an integer, there is a small possibility that an unrelated file that belongs to another REDCap project might get mistakenly attached to the alert that is sent.

• Bug fix: When a calc or @CALCTEXT field is used in the calculation of another calc or @CALCTEXT field, depending on the specific arrangement and order of the fields on the page, it could mistakenly cause the field to trigger itself over and over on the webpage, even when just initially loading a survey page or data entry form, in which it will use more and more web browser memory as time passes until the page crashes in the user's browser after several seconds or minutes. (Ticket #104217)

• Bug fix: When using the randomization feature and viewing any data entry form on an already-randomized record, in very specific circumstances the values of some embedded fields on the page might mistakenly not get saved successfully after being modified.

• Bug fix: On multi-page surveys, a section header might mistakenly be displayed on the page even though all fields in the section are hidden. (Ticket #66721b)

• Bug fix: For every webpage in REDCap, the HTML DOCTYPE declaration and the HTML tag's "lang" attribute were mistakenly hard-coded as "EN" (English). This was causing issues with regard to browsers assuming that the webpage was always in English, which is not always true. (Ticket #104487)

• Bug fix: If a user contains an apostrophe in their username and they attempt to create a new project, the process would fail due to a SQL query error. (Ticket #79647b)

• Bug fix: If a user contains an apostrophe in their username and an administrator clicks the "Edit user info" button on the "Browse Users" page when viewing their account, it would mistakenly display an error message saying "User names can only contain letters, numbers, underscores, hyphens, and periods" and would not let them leave the field, thus forcing the admin to refresh the page. (Ticket #79647c)

• Bug fix: The User Access Dashboard was mistakenly displaying projects that have been "marked as completed". Such projects are not accessible by normal users and therefore should not be visible on that page.

• Bug fix: When using Twilio for survey invitations, if a participant sends an SMS message to the Twilio phone number being used in a REDCap project, it might mistakenly reply back to the participant from a different Twilio phone number if the Twilio account has multiple phone numbers associated with it, in which the other number is associated with another REDCap project that is also using Twilio.

• Bug fix: Several places in REDCap were mistakenly still linking to the old Language Center on the REDCap Community site instead of the newer plugin page that now serves as the current Language Library.

• Bug fix: When exporting data to SAS, fields that have a number, integer, date, or datetime data type might mistakenly not have their "informat" or "format" syntax set correctly in the SAS syntax file, which could cause warnings or errors when loading the exported data into SAS. (Ticket #96569)

• Bug fix: If checkboxes are embedded and they are also piped to other places on the same page, then the piping action would mistakenly not occur in real time if the checkbox's choice label is clicked. Note: The piping would work correctly if the checkbox element itself is clicked or if the page was saved and reloaded, but it would not act in real time when clicking the label of the checkbox. (Ticket #104317)

• Bug fix: The Data Access Group drop-down filter was mistakenly not being displayed at the top of the project logging page for projects that contain DAGs. (Ticket #104574)

• Bug fix: If certain user-defined text (e.g., field labels, survey instructions) contain HTML character codes, there is a chance that the HTML character codes might not get parsed correctly when being sanitized for security purposes prior to being displayed on the page. This could cause them not to display correctly on the page or (worst case) cause the page to result in a PHP error if it gets stuck in an infinite loop while processing this text. (Ticket #104583)

Version 10.6.14 (released on 2021-04-02)

CHANGES IN THIS VERSION:

• Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in various places in REDCap, such as in survey question text and other user places that store user input.

• Bug fix: Fixed a compatibility issue when hosting REDCap using the PHP7 version of Google App Engine.

• Bug fix: If a report's filter logic contains only Smart Variables and no real project fields (e.g., [current-instance] = [first-instance]), the report would mistakenly not return any results for fields that exist on the first instrument if the first instrument is a repeating instrument.

• Bug fix: When uploading an Instrument Zip file into the Online Designer, any field variables in the Action Tag/Field Annotation text would mistakenly not get renamed (as they do for calculations and branching logic) if those variables exist oBug fix: When copying an instrument via the "Choose action" drop-down in the Online Designer, if a matrix of fields has a very long matrix group name, the action might fail and return an error message. (Ticket #103564)n the instrument being uploaded and already exist as variables in the project. (Ticket #102968)

• Bug fix: When copying an instrument via the "Choose action" drop-down in the Online Designer, if a matrix of fields has a very long matrix group name, the action might fail and return an error message. (Ticket #103564)

• Bug fix: When performing a CSV data import via the Data Import Tool, if the CSV file contains a byte order mark (BOM), it can cause processing issues in certain situations, thus returning an error about not being able to find the Record ID field in the file. To remedy this, the BOM is now always removed (if it exists) before the CSV gets processed during the data import process.

• Bug fix: In a longitudinal project that uses Automated Survey Invitations in which a user deletes an entire event via the Define My Events page, any already-scheduled invitations via ASIs would mistakenly remain in the Survey Invitation Log but would no longer be associated with any event (i.e., partial orphaning). This would cause the invitations to still be sent, which is not expected, and thus causes issues because those invitations no longer point to a real survey/event anymore, in which they would display a message to the recipient opening the survey link that they are not a participant for that survey. This has been fixed so that any already-scheduled invitations connected to the deleted event will also get appropriately deleted. (Ticket #103930)

• Bug fix: Fixed typo in field label for Twilio-related phone options for Alerts & Notifications on the "Modules/Services Configuration" page in the Control Center.

• Bug fix: When deleting a project, due to a SQL query error, the contents of the project logging (e.g., data values that were saved, record names, other record-specific logged events) were mistakenly not being deleted from the log when the project gets officially deleted after 30 days (or if an administrator clicks the "Delete it now" option in the Control Center). (Ticket #103532)

Version 10.6.13 (released on 2021-03-26)

CHANGES IN THIS VERSION:

• Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in various places in REDCap, such as in survey question text and other user places that store user input.

• Major bug fix: When using randomization in a longitudinal project in which randomization strata fields exist on a different event than the randomization field, if the values of the strata fields are added or modified during the randomization process, their values would mistakenly not get saved or logged in the correct event, thus orphaning those values. (Ticket #103189)

• Major bug fix: If signature image files are being uploaded for Signature fields across multiple REDCap projects simultaneously (within milliseconds of each other), there is a small chance that one of the signature files might mistakenly get associated with a field in another project where someone was adding an image at the same moment. (Ticket #102764)

• Bug fix: If a survey participant receives a survey link via email in Microsoft Outlook (in either the desktop client or web version), in which Microsoft Outlook Safe Links has been implemented and has replaced the survey link in the email body, whenever the Safe Link version of the survey link is clicked by the participant, a Microsoft service (located in the IP address range 40.94.*.*) will make a POST request to the survey page about 10-20 seconds after the participant loads it (unbeknownst to them). This service actually submits the survey as if a real person was taking the survey, including submitting values for the survey questions. This means that for public surveys it is submitting false responses like a bot, and for private/unique survey links it is actually submitting the survey for the user, in which the participant is not able to enter their own response if they wait 10-20 seconds before submitting the survey themselves because this service has already completed the survey for them. To prevent this odd behavior by Microsoft Outlook Safe Links, REDCap survey pages now block all POST requests that originate via the IP address range 40.94.*.*, in which it immediately returns an error message.

• Bug fix: When record auto-numbering is enabled in a project, the process used to generate new record names is 2-5x slower than it should have been due to some inefficient structuring of SQL queries being used. This fix results in a performance improvement, especially for very active public surveys.

• Bug fix: If a project's "record list cache" is currently being built, which is done automatically via a back-end process, at the same time that new records are being created in the project, it might cause the cache not to be built for many minutes or hours (due to repeated failures while building the cache) if the project has lots of activity, all of which could cause the project to get extremely slow and might affect the performance of the overall system.

• Bug fix: In certain situations, such as public surveys being taken by hundreds or thousands of participants in a very short period of time, a project's "record list cache" (which is built automatically via a back-end process) might mistakenly get reset/reverted, which causes the record auto-numbering mechanism to mistakenly use a very slow SQL query for generating the next proposed record name. This can cause the public survey to get increasingly slow as more participants attempt to take it.

• Bug fix: If the system's "Auto logout time" is set to a value of 2 or less, it will cause the user interface to become mostly unusable due to all the auto-logout popups being displayed immediately on every page. The minimum value for "Auto logout time" has been set to "3" on the Security & Authentication page to prevent this issue from occurring. (Ticket #102319)

• Bug fix: When a survey participant is taking an Adaptive or Auto-scoring instrument from the REDCap Shared Library, if a survey question contains stem text at the beginning of the question text (e.g., "In the past 7 days"), the stem text was not being as displayed sufficiently separated from the rest of the question text. Certain validated instruments require that they be more separated.

• Bug fix: When building a list of participants on the Participant List, a database query on that page was suboptimal and was causing the page to load slowly for some projects. That query has been modified to be faster.

• Bug fix: If a project contains File Upload fields but no records have any files uploaded to those fields, a user can click the ZIP icon on the Other Export Options page to download a "ZIP file of uploaded files (all records)", in which it will correctly state a notice that there are no files to download. However, if during that same session the user goes and uploads a file and returns to download the ZIP of all files again, it will mistakenly still say there is nothing to download, which is incorrect. If they log out and log back in again, this issue goes away. (Ticket #103117)

• Bug fix: A SQL query was slow and inefficient when determining if the "FHIR Statistics" link should be displayed on the Control Center's left-hand menu. This would sometimes cause all Control Center pages to load unnecessarily slowly.

• Bug fix: If a user is viewing a survey response on a data entry form to which they have viewing access but do not have privileges to edit survey responses, any fields with @NOW, @TODAY, or other similar Action Tags would mistakenly have new values pre-filled for them on the page if those fields did not already have a value. This should not happen since the current user is not able to modify any values (i.e., they are not allowed to submit the form).

• Bug fix: Data Quality rule H might fail to complete if the project contains a large amount (>300) calculated fields.

• Bug fix: When using Missing Data Codes in a project, if multiple fields are embedded together inside another field on a data entry form, it would cause the click event of the "M" icon not to function correctly in which the Missing Data Code popup would mistakenly fail to open for those particular fields. (Ticket #103213)

Version 10.6.12 (released on 2021-03-05)

CHANGES IN THIS VERSION:

• Minor security fix: Removed the outdated and unused JavaScript library YUI Charts.

• Bug fix: When clicking "Cancel" inside the Logic Editor dialog, it might mistakenly revert the value of the text box being modified to the value of another text box that was previously edited via the Logic Editor while on that same page. (Ticket #101200)

• Bug fix: Calculations or conditional logic containing >1000 variables might mistakenly cause PHP to crash while processing and parsing them.

• Bug fix: Multi-page surveys that contain calculated fields might mistakenly take an unnecessarily long time to load each survey page due to inefficient calculation/logic processing on the server side.

• Bug fix: When adding a new Table-based user on the "Add Users (Table-based Only)" page in the Control Center, it would mistakenly allow admins to create usernames with spaces or apostrophes when not using LDAP or LDAP+Table authentication, which is the only time that spaces and apostrophes are allowed in usernames. (Ticket #101773)

• Bug fix: When using the Smart Variables [survey-date-completed] and [survey-time-completed] in the Custom Record Label, they would mistakenly not have their date displayed according to the user's preferred date format (as defined on their My Profile page) but instead would display it always in Y-M-D date format. (Ticket #102141)

• Bug fix: Since calculations typically do not expect fields to have a ":value" signifier attached to field variables (because it is assumed), an error message would occur on a data entry form or survey page if any fields in branching logic, calc fields, or pseudo-calc fields (@CALCTEXT) have ":value" appended to the field variable (e.g., [race:value]). REDCap will now allow ":value" to be appended to field variables in branching logic or calcs/pseudo-calcs and will treat them as equivalent to using just the field variable. (Ticket #102149)

• Bug fix: The "Check For Identifiers" page was mistakenly displaying any HTML that existed in a field label, thus making it unreadable on the page in certain instances. It now strips all HTML from the field label when displaying it.

• Bug fix: When setting up the REDCap cron job on the Control Center's "Cron Jobs" page on a Windows server, the page failed to mention the important fact that the cron job's scheduled task needs to be set to "Run a new instance in parallel", which can be set under the Settings tab in the Windows Task Scheduler.

• Bug fix: On the Browse Users page in the Control Center, the "Display User List" button on the "View User List By Criteria" would fail to load the user list table if using Internet Explorer 11. (Ticket #90646)

• Bug fix: Clicking on the "Perl" tab at the bottom of the API Playground page when the "Import A File" API method has been selected would cause a fatal PHP error in PHP 8 and certain versions of PHP 7, thus causing that page to crash. (Ticket #102291)

Version 10.6.11 (released on 2021-02-26)

CHANGES IN THIS VERSION:

• Bug fix: When a user is using the My Profile to reset their password while using certain versions of Internet Explorer, it might mistakenly fail to reset their password due to various JavaScript errors occurring on the page. (Ticket #100595)

• Bug fix: Fixed issue with text and embedded images displayed for an item on the Help & FAQ page. (Ticket #101384)

• Bug fix: Clicking on the "Past Day", "Past Week", etc. buttons near the top of the project Logging page might mistakenly add the "seconds" component of the timestamp into the time range filter fields, thus causing an error message to display on the page if the user puts their cursor inside the field and then then tabs out of the field. (Ticket #101369)

• Bug fix: If the survey setting "Save a PDF of completed survey response to a File Upload field" is enabled on a survey that also has the e-Consent Framework enabled, and the File Upload field specified for the "Save a PDF" setting exists on that same survey (often hidden by @HIDDEN-SURVEY), the PDF of the completed survey response would fail to be saved to the specified File Upload field when the participant completes the survey.

• Bug fix: When using an Adaptive or Auto-Scoring instrument from the REDCap Library (e.g., PROMIS, Neuro-QoL), the "reset" link next to each question's radio buttons would mistakenly fail to reset the radio button, if selected.

• Bug fix: The API Playground's example R code for the API Import File method was not correct and has been fixed. (Ticket #101454)

• Bug fix: The API Playground's example R code for the API Export File method was not correct and has been fixed. (Ticket #101454)

• Bug fix: When setting a survey's text-to-speech value to "English (United Kingdom) Female" on the Survey Settings page, it would mistakenly fail to save that setting correctly, thus preventing it from working as expected on the survey. (Ticket #101419)

• Bug fix: When an administrator is processing a "Move to production" request on the To-Do List page, clicking the "Check For Identifiers" link in the dialog while processing the request would mistakenly make the dialog go blank/empty. It will now open a new browser tab. (Ticket #101426)

• Bug fix: When a slider field is the first field displayed on a data entry form, the field receives focus when the form loads (which always occurs for the first field on any form), which makes it appear as if the field might already have a value. If the user misunderstands this and doesn't enter a value because they think it already has one (when it does not), data loss could result. Thus slider fields will no longer receive focus by default on a data entry form when they are the first field on the form. Note: This does not apply to surveys. (Ticket #101420)

• Bug fix: If an Adaptive (CAT) survey has been downloaded into a project from the REDCap Shared Library, and the setting "Allow participants to skip questions?" has been set to "Yes" on the survey's Survey Settings page, a participant attempting to skip a survey question without answering it would mistakenly receive an error message saying that an unknown error occurred and that they cannot continue with the survey.

• Bug fix: When fields are embedded using the ":icons" parameter in order to additionally embed the field's associated icons, depending on how the embedded fields are laid out on the page, the SPAN tag containing the icons might mistakenly wrap to the next line and appear below the embedded field rather than displaying to the right of the field. (Ticket #101466)

• Bug fix: When the Smart Variable [survey-queue-link] or [survey-queue-url] is used in the email body of an Automated Survey Invitation or an Alert, if the record is being created via the API, which then triggers the sending/scheduling of the invitation or alert, the link/URL of the record's survey queue would mistakenly be blank (not displayed at all) inside the email body. (Ticket #101536)

• Bug fix: When a REDCap administrator attempts to add Stop Actions for a Dynamic SQL field on a survey instrument in the Online Designer, an error message would mistakenly be displayed, thus preventing them from doing so.

Version 10.6.10 (released on 2021-02-19)

CHANGES IN THIS VERSION:

• Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the username field on the REDCap login form when logging in as a valid user for the very first time using an external authentication method, such as LDAP or Shibboleth. (Ticket #101037)

• Bug fix: When copying a project that contains surveys with the e-Consent Framework enabled, it would mistakenly not copy over some e-Consent settings, such as the "force signature" fields and "Allow e-Consent responses to be edited by users".

• Bug fix: When running Data Quality rule H's "Fix calcs now" button, if any fields listed in the discrepancy list are calc or pseudo-calc fields that exist on a survey that was completed using the e-Consent Framework, it would not change the values of those fields (as expected) but would mistakenly not return any error messages regarding why the values weren't changed, which could be confusing to users. It now displays error messages (if any) after clicking the "Fix calcs now" button for DQ rule H.

• Bug fix: When an Automated Survey Invitation is set to be triggered by survey completion OR conditional logic, in which the ASI is set to send "Immediately" and also has the "Ensure logic is still true" checkbox checked in the ASI setup, if a user/participant completes the trigger survey while the conditional logic still evaluates as FALSE, it would mistakenly fail to send the survey invitation, but it would correctly schedule any reminders for that survey invitation if the ASI has reminders defined. (Ticket #100770)

• Bug fix: When using X-instance Smart Variables in report filter logic (e.g., [current-instance] = [last-instance]), in which the report is returning data for multiple repeating instruments in the project, the report might mistakenly display rows of repeating instance data that should not be returned. (Ticket #100577)

• Bug fix: Fixed PHP 8 fatal error caused when parsing certain logic or calculations. (Ticket #101033)

• Bug fix: Descriptive fields could not successfully be embedded if the Descriptive field's field label does not contain any HTML tags and was not created using the rich text editor. (Ticket #101130)

• Bug fix: When opening an existing field for editing in the Online Designer, it would mistakenly convert <br> tags that exist in the "Action Tags/Field Annotation" text into literal line breaks. (Ticket #101178)

Version 10.6.9 (released on 2021-02-12)

CHANGES IN THIS VERSION:

• Bug fix: When importing data from a CDISC ODM XML file (whether it be a Project XML file with data or a data-only ODM export file), in which the file contains data for repeating instruments, only the first repeating instance of any repeating instrument would get successfully imported.

• Bug fix: When importing data from a CDISC ODM XML file (whether it be a Project XML file with data or a data-only ODM export file), in which the file contains data for repeating events, only the last repeating instance of any repeating event would get successfully imported and would mistakenly get saved into the first repeating instance of the event.

• Bug fix: If a signature field is embedded on a survey page or data entry form, depending on where it is embedded, the signature image might mistakenly not be displayed directly above the download link after the user/participant adds their signature. It should always be displayed directly above the download link.

• Bug fix: In a longitudinal project that contains calculated fields whose equations reference fields on other events, Data Quality rule H might fail to return discrepancies for events that do not contain any data for any fields.

• Bug fix: Auto-calculations (i.e., the server-side processing of calculated fields) would mistakenly try to include all the fields in the project when assessing if calculated fields are being triggered and thus need to be updated, rather than only considering the fields that are being updated at that moment, such as during a data import or data entry. This could cause certain data imports to take much longer than they should.

• Bug fix: A fatal PHP error would occur in certain situations when running PHP 8.0. (Ticket #100549)

• Bug fix: A fatal PHP error would occur in certain situations when running PHP 8.0. (Ticket #100456)

• Bug fix: A fatal PHP error would occur in certain situations when running PHP 8.0 while performing a data import via the API Import Records method. (Ticket #100416)

• Bug fix: The "Quick Add" dialog on the "Create New Report" page might mistakenly not work correctly if a data collection instrument's name/label contained a backslash.

• Bug fix: When viewing the Survey Invitation Log for a project displayed in a non-English language, the "Delete all selected" button might mistakenly not be displayed on the page. (Ticket #100480)

• Bug fix: When using advanced filter logic for reports, the logic would not get interpreted correctly if it contained certain Smart Variables, especially if it contained only Smart Variables with no field variables (e.g., [current-instance] <> ""). With this issue fixed, users may now utilize X-instance Smart Variables in a more intuitive way for filtering reports, such as the following: 1) Display only repeating instance data - [current-instance] <> "", 2) Display only non-repeating instance data - [current-instance] = "", 3) Display only the first instance of only repeating instance data - [current-instance] <> "" and [current-instance] = [first-instance], and so on. (Ticket #45618)

• Bug fix: On a project's Project Setup page, some things would mistakenly display incorrectly (or display when they should not) if an administrator was using the "View project as user" feature.

• Bug fix: If using the survey setting "Save a PDF of completed survey response to a File Upload field" in which an Alert is set to send "Immediately" with the PDF as an attachment on the alert, the PDF would mistakenly not get attached to the alert. However, if the alert was set to send after a delay of any kind, the PDF would correctly get attached.

• Bug fix: When copying a project via the Copy Project page, in which the Survey Queue settings are being copied, the following Survey Queue settings would fail to be copied to the new project: "Custom text to display at top of survey queue" and "Keep the Survey Queue hidden from participants?".

• Bug fix: Calculated field values were mistakenly not getting saved via cross-form or cross-event calculations (via Auto-Calculations) if the calculation was based on the value of a field being blank when the field's value was not being changed.

• Bug fix: It was recently discovered that due to a security fix added to REDCap 10.3.3 (Standard) and thus to all subsequent versions, some survey-specific features in REDCap do not function correctly if not using MySQL/MariaDB 5.5.5 or higher. Anyone using a version lower than MySQL/MariaDB 5.5.5 should upgrade their database to v5.5.5 or higher. The Configuration Check page now reflects MySQL/MariaDB 5.5.5 as being the minimum required database version that REDCap supports.

• Bug fix: When a project has thousands or more records and has several records being created every minute, there might exist a slight lag in the back-end Record List Cache immediately after creating a new record, in which it could cause REDCap to mistakenly assume that a record doesn't exist yet when in fact it was just created. This might cause a record's data to get duplicated as a new record if a user is not paying attention while attempting to create another record.

Version 10.6.8 (released on 2021-02-05)

CHANGES IN THIS VERSION:

• Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL of the Survey Settings page when enabling an instrument as a survey.

• Bug fix: When clicking the "Send-It" link to send a file from inside a project (e.g., a data export file or a file from File Repository), after submitting the page to send the file to the desired recipients, an error message would mistakenly display saying that the user does not have permission to the file. Thus the file would not be sent. Note: This does not affect the main Send-It page that is accessible via the tab on the main REDCap home page, etc. (Ticket #100024)

• Bug fix: If an API user belongs to a Data Access Group, the project's back-end Record List Cache would mistakenly get reset every time the user would import a batch of records via the API. This would cause performance degradation of the project if many API imports are occurring for the project in a relatively short amount of time.

• Bug fix: When a project has enabled the "Delete a record's logging activity when deleting a record" setting, the action of deleting a record would correctly delete the record's logging activity with regard to what can be viewed via the front-end user interface, but it was mistakenly not additionally deleting the back-end SQL logging details that are stored in the database log_event tables (even though this information can only be accessed if you have direct access to the database or via a special plugin or external module for doing such). (Ticket #100131)

• Bug fix: When a calc field or @CALCTEXT field exists on a repeating instrument or repeating event, the calculation might not get triggered during a data import or when running Data Quality rule H, in which it will fail to find discrepancies for this field when some discrepancies exist (but only in specific situations depending on the calculation being used for the field). (Ticket #82961)

• Bug fix: When a field has an @HIDDEN-PDF action tag in the Field Annotation/Action Tag text in which "@HIDDEN-PDF" is preceded with a line break with no space before the line break, the field would mistakenly not be hidden when downloading a PDF of the instrument.

• Bug fix: When attempting to download a file that was just uploaded to a File Upload field on a survey page, it would display an error message and prevent the downloading of the file if the survey had not been saved yet (i.e., if the participant was still on page one of the survey, whether public or private). This should not occur at all when the participant is using a private/unique survey link. This error message now only displays on public surveys in which the survey has not been saved yet at all (before the record has been created), which is appropriate. (Ticket #99754)

• Bug fix: When using cross-form or cross-event calculations or branching logic involving a DMY or MDY formatted date or datetime field, if the field referenced on the other instrument/event has a Missing Data Code saved for it, saving the current instrument would cause the "Invalid values entered!" warning to appear mistakenly. (Ticket #100238)

• Bug fix: When a project has thousands or more records and has several records being created every minute, there might exist a slight lag in the back-end Record List Cache immediately after creating a new record, in which it could cause REDCap to mistakenly assume that a record doesn't exist yet when in fact it was just created. This might cause a record's data to get duplicated as a new record if a user is not paying attention while attempting to create another record.

• Bug fix: In some rare cases for projects that have calculated fields on repeating instruments, running Data Quality rule H would return valid discrepancies, but clicking the “Fix now” button on the page would mistakenly fail to fix the calculations.

• Bug fix: When attempting to download an instrument's Instrument ZIP file in the Online Designer when the instrument was created in Draft Mode but does not yet exist in the live version of the project, it would display a generic error message, which could be confusing to users. It now displays a more informative message regarding why exactly the zip file cannot be downloaded. (Ticket #100290)

Version 10.6.7 (released on 2021-01-29)

CHANGES IN THIS VERSION:

• Bug fix: When a REDCap administrator is using the "View project as user" feature to impersonate a user when viewing an "initial survey" in the Participant List while the project is in production, it would mistakenly not disable the "Enable" button for the Participant Identifier column in the Participant List. In this scenario, that button should remain disabled since it would be disabled for the user being impersonated.

• Bug fix: The style of the text displayed inside the rich text editors did not match the general style and CSS classes of text on REDCap webpages (e.g., the text in the editors were much larger). This made it more difficult to accurately determine what the resulting text would actually look like on the page.

• Bug fix: When the text inside the @CALCTEXT action tag contains an opening parenthesis inside quotes but does not contain a closing parenthesis inside those same quotes (and vice versa), the @CALCTEXT equation would mistakenly not get parsed correctly and might cause an error to display on the survey/form or might cause the @CACLTEXT field to display as a normal editable text field instead of a pseudo-calc field.

• Bug fix: When a required field is left empty/blank on a survey or data entry form, in which the required field has no field label defined, instead of displaying a bullet point with no text in the error prompt, which is confusing, the variable name of the field will be displayed as an alternative. (Ticket #99551)

• Bug fix: When running the "Re-evaluate Alerts" feature on the Alerts & Notifications page in a longitudinal project, in which the alert is set to be triggered on "[Any event]" if an instrument is saved with a Complete status, it would mistakenly trigger alerts for records that do not have a Complete status for the instrument. If the alert is set to be triggered by completing the instrument on a specific event (rather than on "[Any event]"), this issue does not occur. (Ticket #99889)

• Bug fix: Data Quality rule F would mistakenly return false positives if the project is a multi-arm longitudinal project and a field's branching logic references fields/events in arms where the record currently doesn't exist. (Ticket #99922)

Version 10.6.6 (released on 2021-01-22)

CHANGES IN THIS VERSION:

• Major bug fix: A race condition can occur when two records are being randomized at the exact same time, in which it is possible that they both mistakenly receive the same allocation and same value for the randomization field in the project. (Ticket #99159)

• Minor security fix: In several places where a user can download a CSV file of various settings (e.g., export of Data Quality rules), it might be possible for a malicious user to perform CSV injection in a CSV file that is downloaded and opened in Microsoft Excel by another user, in which dangerous code could be injected and executed unknowingly by the user on their computer.

• Bug fix: In some situations where embedded fields have branching logic that is triggered by other embedded fields, if the parent field of those embedded fields is itself triggered by branching logic, then some of the embedded fields inside the parent might mistakenly be displayed when they should be hidden by branching logic.

• Bug fix: When clicking the "Send-It" link to send a file from inside a project (e.g., a data export file or a file from File Repository), after submitting the page to send the file to the desired recipients, an error message would mistakenly display saying that the user does not have permission to the file. Thus the file would not be sent. Note: This does not affect the main Send-It page that is accessible via the tab on the main REDCap home page, etc.

• Bug fix: When a survey participant is taking a PROMIS, NeuroQoL, NIH Toolbox, etc. assessment that is adaptive or has auto-scoring, the "Anchor Text" would mistakenly not be displayed on the survey page for the first and last choices of the survey question (assuming anchor text exists for the question).

• Bug fix: When using the Custom Record Label and/or Secondary Unique Field in a project that contains many records (i.e., thousands or more), running Data Quality rules would mistakenly take an inordinate amount of time to return the results.

• Bug fix: When using the Custom Record Label and/or Secondary Unique Field in a project that contains many records (i.e., thousands or more), the Resolve Issues page (available when using the Data Resolution Workflow) would mistakenly take an inordinate amount of time to load.

• Bug fix: The Configuration Check page might mistakenly display a yellow recommendation saying that the MySQL/MariaDB query cache is not enabled but mistakenly does not tell the user that they should set the setting query_cache_type to "ON" or "1" in their My.cnf or My.ini config file. It now checks the query_cache_type setting to recommend that it be enabled.

• Bug fix: On a data entry form or survey, it might be possible in very specific situations for hidden radio elements to mistakenly be selected and be somewhat visible on the page. This would not affect any data but might cause confusion to the user. (Ticket #99271)

• Bug fix: Fixed a fatal PHP error that occurs on certain pages in PHP 8 only. (Ticket #99323)

• Bug fix: If an embedded checkbox field has the @READONLY action tag, it would mistakenly be possible to check/uncheck the checkbox and thus change its value by clicking its choice label, although clicking the checkbox element itself would do nothing and would remain read-only, as expected. (Ticket #99322)

• Bug fix: If a file that is uploaded for a File Upload field or for a message in REDCap Messenger exceeds the maximum file size as defined by the server or by REDCap's configuration, the file's metadata would mistakenly remain in the database and (if the file size exceeded the REDCap limit but not the server limit) the file might still remain on the server. It will now set the file to be removed from these places when this occurs. (Ticket #99324)

• Bug fix: When piping a field into a label on a data collection instrument in a longitudinal project in which the piped field variable is prepended with the [previous-event-name] Smart Variable, the piping would fail to work in certain specific contexts, such as if the instrument of the field being piped is not designated on the previous event when viewing a different instrument on the next event. In these cases, it would mistakenly display six underscores (as if there is no value) rather than the real value. (Ticket #99342)

• Bug fix: In the field-view in the Online Designer, the floating help boxes on the right of the page might mistakenly overlap some of the instructional text. (Ticket #98688)

• Bug fix: When a multi-page survey has fields utilizing the @CALCTEXT or @CALCDATE action tag, in which those fields themselves are used in a calculation or branching logic on a separate page that also does not display the fields utilized inside the @CALCTEXT or @CALCDATE logic, it would mistakenly display an error message on the survey page. (Ticket #98545)

• Bug fix: If a user is attempting to enable the Secondary Unique Field on a field that somehow has records with blank values (for the "value" column) saved for that field in the database, REDCap would mistakenly not allow the user to enable the Secondary Unique Field for the field. (Ticket #83279)

• Bug fix: If utilizing certain Smart Variables inside the query of a Dynamic SQL Field (e.g., [record-name]), the Smart Variable would mistakenly not get escaped in the query, which might cause the query to fail and not return the desired results.

• Bug fix: When editing logic in the Logic Editor for the Survey Queue or Automated Survey Invitations, if a syntactical error exists in the logic, it might mistakenly create an infinite loop where the error popup keeps displaying and is not able to be fully closed, thus causing the user to have to reload the page. (Ticket #99412)

Version 10.6.5 (released on 2021-01-14)

CHANGES IN THIS VERSION:

• Major bug fix: On a survey page or data entry form, if a slider field already has a value saved for it before the time that the page is loaded, and a user then modifies the slider field value, while it would appear that the slider's value has changed, it mistakenly has not. Bug emerged in REDCap 10.6.2. (Ticket #98450)

• Bug fix: The Configuration Check page was mistakenly displaying MySQL database configuration suggestions for the MySQL query cache setting even though the query cache is deprecated in MySQL 5.7.20+. It will now no longer suggest changes to the query cache if using MySQL 5.7.20+. Note: This issue was supposedly fixed in REDCap 10.6.3 but mistakenly was not. (Ticket #97786)

• Bug fix: If running REDCap on PHP 5.5, it would mistakenly display the message "Composer detected issues in your platform: Your Composer dependencies require a PHP version >= 5.6.0." and would prevent REDCap from working. (Ticket #98346)

• Bug fix: If using an if() function inside the @CALCTEXT action tag, in which the if() function is outputting text that contains a comma, it would mistakenly display an error message on the survey page or data entry form.

• Bug fix: If a longitudinal project's Automated Survey Invitation (ASI) has conditional logic that contains datediff() with "today" or "now" as a parameter and also has a field in the logic that is prepended with any "event-name" Smart Variable, then the ASI cron job that runs every 4 hours might mistakenly schedule invitations when it shouldn't or might mistakenly remove some already-scheduled invitations (but only if the "Ensure logic is still true before sending invitation?" option is checked).

• Bug fix: The option “UNK, Unknown” was missing from the “race” field options when using the Clinical Data Pull (CDP) feature.

• Bug fix: Two Laboratory fields (including a COVID-related one) and their associated LOINC code were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: In some cases, the @CALCDATE action tag might mistakenly return the value "NAN" when it should return a blank/"" value. This often happens when one or more of the parameter values for @CALCDATE are blank. Bug emerged in REDCap 10.6.3.

• Bug fix: In a longitudinal project, if a field on a repeating instrument or repeating event has branching logic that contains a field name appended with the Smart Variable "first-instance" or "last-instance", the branching logic might mistakenly not get parsed correctly and would display a branching logic error popup on the survey page or data entry form. (Ticket #98427)

• Change: The "Help & FAQ" page was updated with new content.

• Bug fix: In certain situations where an [X-instance] Smart Variable in piping, it would cause PHP to crash with a fatal error if using PHP 8. (Ticket #98920)

• Bug fix: Ways were found where a user could access a file uploaded to a File Upload field that exists in another project, specifically via the Send-It link on data entry forms or via downloading the "ZIP file of uploaded files (all records)". However, this could only be done if the user has access to that other project.

Version 10.6.4 (released on 2020-12-30)

CHANGES IN THIS VERSION:

• New LTS branch based off of REDCap 10.6.3 (Standard)

Version 10.0.33 (released on 2020-12-30)

CHANGES IN THIS VERSION:

• Major bug fix: If using the datediff() function in a calculated field or in the @CALCTEXT action tag, if the returnSignedValue parameter is provided and has a TRUE value in the function but the dateFormat parameter is not provided, then the calculation might mistakenly return a positive number value on the page if the value is actually a negative number. Note: This could be fixed if running Data Quality rule H.

• Bug fix: If a survey participant sends an SMS message to a Twilio phone number that is set up for a REDCap project, REDCap would reply simply with "Please enter your access code to begin the survey", which might be unexpected in some situations, such as if the participant sent the SMS to this number by accident or if they sent it before they were invited to take the survey. More response text has been added to the message now to provide more clarity to the respondent in these situations. (Ticket #97520)

• Bug fix: When clicking the "M" icon to open the Missing Data Code menu for an embedded field on a data entry form, it would mistakenly not display the menu at all or it would display it on the wrong location on the page.

• Bug fix: When using Twilio telephony services for Alerts & Notifications, the Notification Log would mistakenly fail to display the recipient's phone number on the page if a phone/number field is being used as the recipient's phone number. Instead it would merely display the unpiped variable name in the Recipient column.

• Bug fix: When using Twilio telephony services for Alerts & Notifications and viewing a scheduled or sent notification via the View Notification dialog on the Notification Log, it would mistakenly fail to display the recipient's phone number in the dialog if a phone/number field is being used as the recipient's phone number. Instead it would merely display the unpiped variable name.

• Bug fix: When viewing the Notification Log for Alerts & Notifications, it might mistakenly fail to display unsent/scheduled notifications in the log in certain cases if the "End time" filter is set to a blank value. This might make it appear as if the notification has not been scheduled.

• Bug fix: If users cannot create projects on their own but must request that admins create them on their behalf, an administrator creating the project for a user mistakenly needs to have the "Allow this user to request that projects be created for them by a REDCap administrator?" privilege enabled for their user account. This should not be required but should be implied via their status as an admin. (Ticket #98128)

• Bug fix: When performing a data import of a CDISC ODM (XML) file that contains only data (i.e., metadata not included), in which the XML file contains base64-encoded binary files for File Upload fields, those File Upload files would mistakenly be ignored during the import process and would not be imported with the rest of the data. (Ticket #96800)

• Bug fix: When creating a new REDCap project using a Project XML file, in which the XML file contains surveys and fields with Stop Actions, the Stop Actions would mistakenly not get added to the fields for the new project created. (Ticket #97959)

• Bug fix: When performing a data import where the uploaded data set contains checkbox fields, REDCap would mistakenly allow values of "1.0" and "0.0" (and other approximations of "1" and "0") to be imported for checkbox fields. This would also cause the values not to save correctly for these fields, even though the logging implies otherwise. It should only explicitly allow values of "1" and "0" for checkboxes. (Ticket #97972)

• Bug fix: If a project has Double Data Entry enabled and DDE person #1 or #2 is viewing a custom record status dashboard, the dashboard will mistakenly return incorrect results on the page for custom dashboards that have filter logic defined. (Ticket #97174)

• Bug fix: In a longitudinal project that contains repeating instruments and/or repeating events, if a custom data quality rule has logic that contains a field whose data collection instrument exists in both repeating and non-repeating contexts in the project, the data quality rule might not always return all the discrepancies that exist. (Ticket #97508)

• Bug fix: If a project was marked as Completed, any Alerts & Notifications or survey invitations that had been previously scheduled would mistakenly continue to send. They should not send if a project is marked as Completed.

• Bug fix: If a project has Double Data Entry enabled and DDE person #1 or #2 is viewing the record status dashboard, the Custom Record Label (if enabled) would fail to display on the page next to the record names. (Ticket #97116)

• Bug fix: If a data collection instrument's unique instrument name contains a triple underscore, in which its name was manually set via Column B in a data dictionary upload, when entering data for this instrument on the data entry form, the value for the instrument's form status complete field would fail to save successfully and thus would always get set to Incomplete ("0"). Note: This would not affect data imports or surveys but only data entered on the data entry form. (Ticket #96547)

• Bug fix: If using the @NONEOFTHEABOVE action tag on a checkbox field that is embedded inside another field, the @NONEOFTHEABOVE functionality would not function correctly if the user clicked the checkbox label to check/uncheck the option (as opposed to clicking the checkbox element itself). (Ticket #98269)

Version 10.0.32 (released on 2020-12-18)

CHANGES IN THIS VERSION:

• Minor security fix: Due to a vulnerability in the third-party JavaScript library "Handlebars", the library was updated to the latest version. (Ticket #97725)

• Minor security fix: Due to a vulnerability in the third-party library TinyMCE, the library was updated to the latest version. (Ticket #97725)

• Minor security fix: The "Prevent Clickjacking" security feature would mistakenly not work successfully on a certain page when that page is called in an unexpected manner without a "pid" parameter in the URL. (Ticket #97736)

• Minor security fix: A Cross-Site Request Forgery (CSRF) vulnerability was discovered where a malicious user could potentially bypass the CSRF check by adding a specific parameter to HTTP requests in the application.

• Bug fix: If a user clicks on a status icon for a repeating instrument on the Record Status Dashboard, in which there are many repeating instances for the record-instrument, it might display the popup list of repeating instances so that they mistakenly run off the top of the page, making it impossible to close the floating popup or to view it completely.

• Bug fix: If a radio button or slider field has a Missing Data Code as its value, clicking the "reset" link next to the field would mistakenly not remove the Missing Data Code label from the user interface below the field, even though it would correctly set the value to blank/null for the field. (Ticket #97028)

• Bug fix: If a slider field has a value and is being hidden by branching logic, in some scenarios it might mistakenly display the "survey errors exist" error on surveys or might keep displaying the "erase value" prompt repetitively in an infinite loop on a data entry form. (Ticket #97395)

• Bug fix: If a survey participant clicks the “Survey Queue” icon at the top right of the survey page, in which the queue contains a lot of items so much that the queue is taller than the page itself, the queue would mistakenly run off the top or bottom of the page and would not be closable. (Ticket #96613)

• Bug fix: If a survey title contains HTML tags, the tags would mistakenly be displayed in the drop-down list of surveys in the Participant List.

• Bug fix: If a date or datetime field is embedded inside the choice label of a checkbox field, clicking the Today/Now button for the embedded date/datetime field would mistakenly check or uncheck the checkbox choice in which it is embedded. (Ticket #97719)

• Bug fix: On the Alerts & Notifications page, when modifying an alert that previously had the option set to send it "Every time the form/survey in Step 1B is X", and then when the alert was later opened after being saved, if it was changed in Step 1A (selecting the third radio option) so that that choice was no longer viable and was hidden in the dialog, it would still keep the alert listed as a recurring alert in the backend database table, which could cause it to not get triggered or sent at the correct times. Note: This fix will prevent this issue from occurring in the future and will also retroactively fix any alerts that have been saved incorrectly due to this bug. (Ticket #97507)

• Bug fix: 13 Laboratory and Vital Signs fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: When calling the "Export List of Export Field Names" API method or the REDCap::getExportFieldNames() method for a project that has Missing Data Codes defined, it would mistakenly fail to add the Missing Data Codes as extra choice options for checkbox fields (excluding fields with the @NOMISSING action tag). (Ticket #96240)

• Bug fix: When a project is being permanently deleted (either by an administrator on the Browse Projects page or via the cron job 30 days after a user has "deleted" the project), it would mistakenly fail to log the very last event for the project (i.e., that the project is itself being permanently deleted), which should include the following info about the project in this last logged event: the project title, project ID, number of fields, number of records, current project status, and list of current project users.

• Bug fix: When processing a user request on the To-Do List page, in which the user making the request has an apostrophe in their email address, it might cause the request not to load successfully in the dialog on the To-Do List page. This only affects certain types of requests, such as moving a project to production. (Ticket #96958)

• Bug fix: When a matrix field is embedded inside another field on a survey page or data entry form, in which some other fields on the page contain branching logic that reference the embedded matrix field, the branching logic might silently fail to show or hide the other field correctly. (Ticket #97114)

• Bug fix: When accessing the REDCap server from a domain that is not the domain seen in the REDCap Base URL value (i.e., when using REDCap over multiple domains), the HTTP redirecting that occurs when REDCap is building a project's record list cache (which is an automatic process), would mistakenly redirect the user to the other domain that is set in the REDCap Base URL. Thus the user ends up on the other server/domain by mistake. It now keeps the user on the current domain during this redirect process. (Ticket #97777)

• Bug fix: When an administrator is using the "View Project as User" feature, the "Dynamic Query (SQL) Field" option would mistakenly be displayed for them when adding a new field in the Online Designer. (Ticket #96865)

• Bug fix: The Java code that is auto-generated by the API Playground mistakenly had some missing closing parentheses in the MyClass constructor. (Ticket #96565)

• Bug fix: The Java code that is auto-generated by the API Playground mistakenly had some syntactical errors for certain API methods. (Ticket #97855)

• Bug fix: In a longitudinal project where a field is used both in a non-repeating context and in a repeating instrument or repeating event, if a calculation or branching logic references the field in which it has the Smart Variable "[current-instance]" appended to it, the calc/logic might not get parsed correctly in the non-repeating context and thus would cause the calculation/branching logic not to evaluate correctly. (Ticket #96777)

• Bug fix: When a field is embedded using the ":icons" attribute (e.g., {date_of_birth:icons}), it might not display correctly on the page, in which it might be displaying too widely or creating unnecessary text wrapping. (Ticket #96838)

Version 10.0.31 (released on 2020-12-10)

CHANGES IN THIS VERSION:

• Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL on certain REDCap pages. (Ticket #97362)

• Minor security fix: A Blind SQL Injection vulnerability was found on the User Rights page, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page. (Ticket #97347)

• Minor security fix: An Unrestricted File Upload vulnerability was found on the API Playground page, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page for the Import File API method. (Ticket #97372)

• Bug fix: When an Automated Survey Invitation is triggered by a data import where a new record is being create, and the ASI email body contains a [survey-link] or [survey-url] Smart Variable that points to a survey other than the current one for which the ASI is being triggered, it would mistakenly not pipe the survey link/URL successfully into the email body. (Ticket #96305)

• Bug fix: If the REDCap web server is running a version of PHP that is higher than the recommended PHP versions supported by REDCap, the "Server info" text at the top of the main Control Center page might mistakenly display a warning with incorrect text about the need to upgrade PHP. (Ticket #96749)

• Bug fix: When viewing certain adaptive instruments that have been downloaded from the REDCap Shared Library, in which one of the multiple choice options has both a code and value of "0", the label for that choice would mistakenly not be displayed next to its radio button, so it would appear not to have a label.

• Bug fix: For the Data Mart and Clinical Data Pull services, the action “Fetching data from FHIR endpoint” was mistakenly getting logged on the project Logging page for every time that REDCap would make a call to the EHR, even when no new data is stored in REDCap from the EHR. It should not have been logging that but instead only logging when data points are actually imported.

• Bug fix: When moving a project to production and deleting all records in the process, or if a user clicks the "Erase all data" button in a development project, any records that have been locked at the record level would mistakenly still have their locked status maintained after the record deletion. This could cause issues in the future if a record is created afterward and has the same record name as a previously-locked record. (Ticket #97167)

• Bug fix: When a plugin, hook, or external module calls the method REDCap::getProjectXML(), it would mistakenly not include the "redcap::SurveysGroup" entry and other project-level information in the resulting XML. (Ticket #97151)

• Bug fix: When viewing a data entry form that has drop-down fields with the auto-complete option enabled, the drop-down list might mistakenly be displayed incorrectly as if it is very narrow and has no options to select. Note: This issue occurs on data entry forms but not on survey pages.

• Bug fix: The survey-date-complete or survey-time-complete Smart Variable would mistakenly not work correctly in some calculations and in many cases would display a calculation error message. Bug emerged in REDCap 10.0.29 LTS and 10.5.2 Standard. (Ticket #97057)

Version 10.0.30 (released on 2020-11-30)

CHANGES IN THIS VERSION:

• Bug fix: If a user is using REDCap Messenger, the height of the Messenger window might not get calculated correctly and thus might mistakenly run off the bottom of the page (making it impossible to read all the messages) or else might leave unnecessary extra space at the bottom of the page.

• Bug fix: In a longitudinal project where a checkbox field is referenced in the branching logic and/or calculation of another field on the same instrument, in which the branching logic or calculation references that checkbox field on the same event and also on other events (i.e., cross-event logic/calc), the branching logic and/or calculation will evaluate correctly when the page is initially loaded, but if the checkbox's value gets modified on that page by checking/unchecking any of its choices, the branching logic and/or calculation might begin not to evaluate correctly anymore on that page until the page is refreshed or returned to at a later time. (Ticket #95744)

• Bug fix: Forty-three Laboratory fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: The "View project as user" feature would mistakenly not work correctly on the Other Functionality page in a project, and thus it might display some things that it should not and also might hide some things that should be displayed.

• Bug fix: The "Time Limit for Survey Completion" option on the Survey Settings page would mistakenly not function correctly if using MySQL 8. (Ticket #94256)

• Bug fix: When a repeating instrument is enabled as a repeating multi-page survey in a longitudinal project, and all the fields on a given survey page are hidden by branching logic, in which the the fields in the branching logic does not have [current-instance] appended to them, then in certain circumstances a survey page might mistakenly get skipped while a participant is taking the survey. (Ticket #96426)

• Bug fix: The ontology Current Procedural Terminology (CPT) was removed from the list of BioPortal Ontology Services since that ontology is no longer usable by the BioPortal service due to licensing reasons.

Version 10.0.29 (released on 2020-11-20)

CHANGES IN THIS VERSION:

• Bug fix: In the Add/Edit Field popup in the Online Designer, if the user selects "Slider" from the Field Type drop-down, whenever they have their cursor inside any of the fields in the "Labels displayed above slider" section in the popup and then they click Enter on their keyboard, it would mistakenly display an unrelated popup dialog about SQL Fields. (Ticket #96061)

• Bug fix: If using the Smart Variables [form-link], [form-url], [survey-link], [survey-url], [survey-queue-link], [survey-queue-url], [survey-time-completed], or [survey-date-completed] in branching logic or in a calculated field's equation, an error message might mistakenly display on the data entry form or survey page saying that there is something syntactically incorrect about the logic/calculation. (Ticket #96080)

• Bug fix: When new records are created rapidly in a project, especially when they are created nearly simultaneously, it could cause the record list cache on the database back-end to mistakenly get out of sync, thus causing record dashboards, reports, etc. to display the records in an incorrect order. (Ticket #94027)

• Bug fix: If a field with variable name "title" is used in the branching logic of another field, it would mistakenly display a branching logic error on the page. (Ticket #96154)

• Bug fix: If a data entry form or survey page has many fields with branching logic, the page might load unexpectedly slow because of an inefficiency with the process of checking if any embedded fields exist on the page. The inefficient code has been fixed so that if field embedding is not being used on a data entry form or survey page, the branching logic of all fields on the page will be processed 10x-30x faster than in previous versions of REDCap 10.X, thus making the page load much more quickly, especially when the instrument contains many fields. (Ticket #92556)

• Bug fix: If a Signature field or File Upload field is embedded inside another field on an instrument, if the field is Left-aligned (LV or LH) and the instrument has been taken as a survey, in which the survey participant has uploaded a file for the field, the field would fail to embed and would appear invisible when viewed on a data entry form prior to the user clicking the "Edit response" button.

• Bug fix: If the record name is very long for a record in a project, the record name in the Action column of the Logging page might overflow onto other text in the Logging table, thus sometimes making it unreadable.

• Bug fix: If a survey has the e-Consent Framework enabled and is using a survey theme, the e-Consent certification box and text on the last page of the survey would mistakenly not respect the survey theme colors. (Ticket #96277)

Version 10.0.28 (released on 2020-11-12)

CHANGES IN THIS VERSION:

• Major bug fix: If a user is in a classic/non-longitudinal project and selects an instrument after clicking the "Show data collection instruments" link on the left-hand menu, the instrument page displaying the record drop-down lists would mistakenly be only partially displayed due to a fatal PHP error on the page.

Version 10.0.27 (released on 2020-11-12)

CHANGES IN THIS VERSION:

• Bug fix: One Laboratory field and its associated LOINC code was not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: When using Missing Data Codes in a project that has a drop-down field or a radio button field with a @NOMISSING action tag, in which one of the choice codings of the drop-down/radio is exactly the same as a Missing Data Code, if the field's value was set to a choice that corresponds to a Missing Data Code, after saving the data entry form and then returning to it later, the field would mistakenly be disabled on the page, thus preventing anyone from changing its value. In this scenario, the field should not be disabled if the @NOMISSING action tag is being used. (Ticket #95510)

• Bug fix: When an admin is using the "View Project as User" feature in a project, it might mistakenly display the "External Modules" link on the left-hand menu, even though the user being impersonated would never actually see that link displayed. (Ticket #95371)

• Bug fix: When exporting a PDF of saved data, if the PDF contains a survey response in which a Participant Identifier value had been entered into the Participant List for that participant, the PDF would mistakenly always display the Participant Identifier at the top right corner of the PDF. If a user that has De-Identified export privileges or Remove Identifier export privileges is exporting the PDF, or if a survey participant is exporting the PDF of their own responses, it should not display the Participant Identifier inside the PDF. (Ticket #95435)

• Bug fix: When importing certain PROMIS instruments or batteries from the REDCap Shared Library in which the instrument contains a T-Score and Standard Error field, if the PROMIS instrument is viewed as a data entry form in the REDCap interface, it might mistakenly display a branching logic error on the page. In these cases, the bug cannot be fixed except by deleting the instrument from the project (beware: this might delete or orphan any already-collected survey responses for the PROMIS instrument) and then by re-downloading it from the Shared Library. Bug emerged in REDCap 9.10.0 Standard and 9.5.28 LTS. NOTE: This would not impact the display of the PROMIS instrument when being taken as a survey by a participant.

• Bug fix: When assigning records to Data Access Groups via data import, in certain scenarios the records being imported would get assigned to DAGs properly but the Record List Cache would mistakenly not get updated during the import process, thus causing specific pages (e.g., reports, Record Status Dashboard) not to display those records when filtering by their DAG. If this issue occurred, the only thing that would fix it would be for an admin to know to click the "Clear the Record List Cache" button in the project. (Ticket #95133)

• Bug fix: When an alert is set to be triggered by "Using conditional logic during a data import or data entry", in which the conditional logic contains "datediff" with the "today" or "now" parameter, even if the alert is set to only send once per record, it would mistakenly keep re-sending/re-scheduling the alert every four hours, which is the frequency of the Alert+Datediff cron job. (Ticket #93783)

• Bug fix: The User Access Dashboard's drop-down list filter of project statuses mistakenly included "Archived" projects, which is a mistake since "Archived" is no longer a valid option for a project status as of REDCap 9.8.0.

Version 10.0.26 (released on 2020-11-06)

CHANGES IN THIS VERSION:

• Bug fix: If a checkbox field whose variable name matches a PHP function (including REDCap-defined PHP functions) is used in conditional logic, report filter logic, branching logic, calculations, etc., it would not get parsed correctly, and the logic/calculation would mistakenly be considered syntactically invalid.

• Bug fix: When viewing the project Logging page, any "Sent Alert" logged events that pertain to records would mistakenly not be displayed on the page when filtering by record name. (Ticket #95222)

• Bug fix: When importing data via the Data Import Tool for a Text Field with min/max range validation, if the value being imported is out of range, it would correctly display it inside an orange box but would mistakenly fail to list the existing value in red below the new value if the field already contained an existing value.

• Bug fix: When an administrator is approving Draft Mode changes for a production project in the To-Do List, the dialog popup on the page would mistakenly not close itself after an action was taken on that To-Do List item. (Ticket #95292)

• Bug fix: When using the @DEFAULT action tag on an instrument that is not the first instrument, if the record has the record name "0" and is an existing record, the action tag would fail to work successfully. (Ticket #95296)

Version 10.0.25 (released on 2020-10-30)

CHANGES IN THIS VERSION:

• Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags with JavaScript event attributes in a very specific way into text that ultimately gets displayed on a webpage (e.g., via a message in REDCap Messenger, via field labels on a survey or data entry form).

• Bug fix: If a checkbox field whose variable name ends with "round" is used in conditional logic, report filter logic, branching logic, calculations, etc., it would not get parsed correctly and would mistakenly be considered syntactically invalid. (Ticket #94109)

• Bug fix: The "redcap_survey_complete" hook was mistakenly being called at incorrect/additional times on a survey when it should only be called when the survey had just been completed. (Ticket #93703)

• Bug fix: In specific situations where both Field Embedding and branching logic are used together on a multi-page survey, in which fields on one page have branching logic referencing fields from previous pages, it might mistakenly display a branching logic error prompt on the page. (Ticket #94536)

• Bug fix: The "View Project as User" feature was not behaving accurately on the "Designate Instruments for My Events" page in longitudinal projects. (Ticket #79227)

• Bug fix: When exporting data to SAS, the "format" of a multiple choice field might not get represented correctly in the SAS syntax file, thus causing errors to occur when loading the data into SAS for certain types of REDCap projects and for certain SAS clients/versions.

• Bug fix: In the API Playground, the example Ruby output was slightly incorrect due to a variable naming issue and would throw an error if someone attempted to run it. (Ticket #94486)

• Bug fix: When utilizing Missing Data Codes in a project and performing a data export to a stats package (R, Stata, SAS, SPSS), in which the export contains a checkbox field that has a @NOMISSING action tag, the resulting syntax file for the stats package would mistakenly include the Missing Data Code options for the checkbox even though the CSV file would correctly omit them. This would cause an issue when loading the exported data into the stats package. (Ticket #94334)

• Bug fix: If a user contains an apostrophe in their username (because LDAP allows this), the username search functionality and some buttons might not work on the Browse Users and Browse Projects pages in the Control Center. (Ticket #79647)

• Bug fix: REDCap might mistakenly fail to correctly parse logic (conditional logic, branching logic, calculations) in certain contexts if the logic contains Smart Variables that have parameters appended to them after a colon, such as [form-link:instrument]. (Ticket #93955)

• Bug fix: The R code that gets auto-generated by the API Playground was out of date and was no longer valid.

• Bug fix: In a project that has a project-level or survey-level designated email field, in which the project is longitudinal or has repeating events or instruments, if a designated email field is being updated via a data import for a given event or repeating instance, it would mistakenly fail to additionally update that email field in all events/instances that contain data for the given record being imported. This could cause records to end up with differing values of the email field on different events/instances, which should never happen. (Ticket #94408)

• Bug fix: When running Data Quality rule B, it might mistakenly not return discrepancies that exist on repeating instruments or repeating events. (Ticket #94979)

• Bug fix: When running Data Quality rule F, it might mistakenly return false positives for fields that exist on repeating events. (Ticket #94985)

• Bug fix: When uploading a new Instrument Zip file via the Online Designer, if a field in the Instrument Zip file contains branching logic or a calculation that references a checkbox field, it might mistakenly not auto-fix the branching logic/calculation correctly if the checkbox field's variable name already exists in the project and is thus renamed on the fly. This would cause branching logic or calculation errors to be displayed on the new instrument when viewing on a data entry form or survey. (Ticket #95101)

Version 10.0.24 (released on 2020-10-23)

CHANGES IN THIS VERSION:

• Medium security fix: If a malicious user has knowledge of REDCap's infrastructure and code, they might be able to inject specific PHP code into conditional logic or calculations that get evaluated by PHP. Note: This same security fix from a recent release was not fully remediated in that previous version.

• Minor security fix: Due to concern regarding the possible exploitation of vulnerabilities inside “public projects” by non-authenticated users, the concept of “public projects” have been removed and thus the My Projects page will no longer display the list of public projects at the bottom of the page. This means that the first 13 projects in a fresh installation of REDCap (and subsequently any projects having “Public/None” authentication) will no longer be accessible via the “site_admin” user anymore. They will no longer be accessible to the public web. This feature has been removed to reduce the overall attack surface area in REDCap to protect against potential malicious users who would like to use these public projects as a testing ground.

• Minor security fix: A Cross-Site Request Forgery (CSRF) vulnerability was discovered where a malicious user (who must be logged in) could potentially exploit it by adding some specific parameters to POST requests in the application.

• Minor security fixes: Various Cross-site Scripting and SQL Injection vulnerabilities were discovered where a malicious user (who must be logged in) could potentially exploit them by adding some specific parameters and values to GET and/or POST requests in the application.

• Minor security fix: If a malicious user has knowledge of REDCap's infrastructure and code, they might be able to pass possibly dangerous values into input parameters that eventually pass through PHP's unserialize() function, which could possibly be used for remote code execution. The usage of unserialize() has been modified to protect against dangerous values passed to it.

• Bug fix: When a data entry form is being viewed for a record that has not been created yet, it was mistakenly displaying the "H" icon to view the Data History popup, which is nonsensical if the record does not exist yet. It no longer displays the "H" icon on the page until the record has been created. (Ticket #94427)

• Bug fix: If the Clinical Data Mart feature is enabled at the system level but the Clinical Data Pull is disabled at the system level, then the user-level option to grant a user Data Mart privileges would mistakenly not be displayed on the Browser Users page in the Control Center.

• Bug fix: When a matrix of checkboxes are embedded individually inside another field on the same page, any change to those embedded checkboxes (either checked or unchecked) would mistakenly not take effect and thus its value would not get saved appropriately. (Ticket #94519)

• Bug fix: When using the PDF Auto-Archiver option for a survey, if the survey response is completed and then is later deleted via the Delete button on the data entry form, if that survey is taken again for that same record, then it would mistakenly not save a new PDF in the File Repository for the new response but would only retain the original one.

Version 10.0.23 (released on 2020-10-13)

CHANGES IN THIS VERSION:

• Critical security fix: If a malicious user has knowledge of REDCap's infrastructure and code, they could potentially manipulate the URL of certain project-level pages in REDCap and bypass authentication to view those pages without ever having logged in. Note: There is no known report of this vulnerability ever having been exploited in the wild on any REDCap installation. Given that this vulnerability is present in all versions of REDCap beginning with 9.1.16 (LTS) and 9.3.7 (Standard), and given the fact that a previously patched vulnerability affects all versions beginning with REDCap 6.18.0, it is recommended that anyone on REDCap 6.18.0 or higher should immediately upgrade to this version: 10.3.7 (Standard), 10.0.23 (LTS), or 9.5.36 (LTS).

• Bug fix: When evaluating logic for large amounts of records, such as with the "datediff" cron jobs for both Alerts and ASIs, REDCap was making an inordinate amount of calls to the database and was also performing too much logic processing unnecessarily. These unnecessary processes have been removed, which should improve general performance of logic parsing/processing in REDCap. (Ticket #93787)

Version 9.5.36 (released on 2020-10-13)

CHANGES IN THIS VERSION:

• Critical security fix: If a malicious user has knowledge of REDCap's infrastructure and code, they could potentially manipulate the URL of certain project-level pages in REDCap and bypass authentication to view those pages without ever having logged in. Note: There is no known report of this vulnerability ever having been exploited in the wild on any REDCap installation. Given that this vulnerability is present in all versions of REDCap beginning with 9.1.16 (LTS) and 9.3.7 (Standard), and given the fact that a previously patched vulnerability affects all versions beginning with REDCap 6.18.0, it is recommended that anyone on REDCap 6.18.0 or higher should immediately upgrade to this version: 10.3.7 (Standard), 10.0.23 (LTS), or 9.5.36 (LTS).

Version 10.0.22 (released on 2020-10-09)

CHANGES IN THIS VERSION:

• Bug fix: If an SQL field is used in a Custom Record Label, it would mistakenly run that same SQL query for every record being displayed on the Add/Edit Records page and Record Status Dashboard, which could cause performance degradation to the REDCap server for larger projects.

• Bug fix: If a Notes field has text data that contains tab characters, those tab characters would mistakenly be represented in an exported PDF as square box characters.

• Bug fix: When exporting an instrument as a PDF with data, if a given page in the PDF ends with a Signature field displayed at the bottom (but not necessarily being the last field on the instrument or survey), it might get confused about inserting a page break directly after the signature, thus causing the next page to be overwritten on top of the first. This would typically make the two pages unreadable.

• Bug fix: If a calculated field's equation begins with the function "log", "min", or "max", then the PHP-side processing of the calculations (via Data Import or Data Quality rule H) would cause the calculation to not return the correct result if one or more fields used in the equation contained a blank value. (Ticket #93169)

• Bug fix: When upgrading REDCap to v9.6.0 or higher from a lower version, an SQL error might occur for the redcap_mobile_app_log table when running the SQL upgrade script. (Ticket #92240)

• Bug fix: When a survey that has the e-Consent Framework enabled also has the option enabled to prevent users from editing e-Consent responses, if a user is on the data entry form at the same time that a respondent is consenting that instrument as a survey, then the user could mistakenly overwrite the respondent's survey results and nullify their consent if the user submits the page after the respondent does. Now in this scenario, if the respondent has already consented and the user attempts to save the data entry form, it will not save the data the user submitted and will instead display an error that explains why their data cannot be saved. (Ticket #92297)

• Bug fix: When viewing the survey login screen for a survey on certain devices (e.g., Safari on iOS), the browser would mistakenly suggest to the participant that they should use the fields as if they are creating a new password, which is incorrect and confusing. (Ticket #93095)

• Bug fix: When running a custom Data Quality rule that contains checkbox fields, the resulting display of discrepancies might mistakenly not display the checkbox fields but would display all other field types.

• Bug fix: When using logic for report filters, ASIs, DQ rules, etc., in which the logic has an [X-event-name] Smart Variable that is prepended to a checkbox field, it might mistakenly not parse and process the logic correctly, thus possibly returning incorrect results. (Ticket #93534)

• Bug fix: When using the Survey Queue in which a survey in the queue has been completed and is either 1) a repeating survey, or 2) a survey that allows the respondent to return and modify completed responses, the rows in the Survey Queue for such surveys might get hidden and thus can only be seen when clicking the "view all" link. This could prevent some respondents from finding these hidden surveys in the queue if the respondent needs to add another response for the repeating survey or to modify the completed, editable survey.

• Bug fix: When a checkbox field is a required field and is embedded inside another field that has an @HIDDEN action tag (including @HIDDEN-SURVEY or @HIDDEN-FORM), if the checkbox had some checkboxes checked (after being saved previously) and then a user saved the form/survey, it would mistakenly uncheck all the checked checkboxes for that hidden, embedded checkbox field. (Ticket #93766)

Version 10.0.21 (released on 2020-10-02)

CHANGES IN THIS VERSION:

• Medium security fix: If a malicious user has knowledge of REDCap's infrastructure and code, they might be able to read certain files from the web server’s filesystem by manipulating the URL for a file uploaded as a rich text file in an External Module’s configuration. Bug fix: If a field is embedded inside the choice label of a multiple choice field that is used in the Custom Record Label, it would mistakenly not embed the field correctly on the page at all. Bug emerged in the previous release. (Ticket #92551B)

• Medium security fix: If a malicious user has knowledge of REDCap's infrastructure and code, they might be able to inject specific PHP code into conditional logic or calculations that get evaluated by PHP. Note: This same security fix in last week's release was not fully remediated in that version.

• Minor security fix: A Blind SQL Injection vulnerability and a Cross-Site Scripting vulnerability were found on the To-Do List page, in which a malicious user could potentially exploit it by manipulating the query string of an HTTP request on that page.

• Major bug fix: When two users are about to create a new record with the same record name on a data entry form, in which they both upload a file to a File Upload or Signature field on that form prior to pressing the Save button, the last file uploaded might mistakenly get attached to the first record and possibly also to the second record at the same time, thus orphaning the file originally uploaded to the first record. Note: This bug does not exist on surveys. (Ticket #89678)

• Major bug fix: When using Twilio to send voice calls for Alerts & Notifications, the message of the voice call would mistakenly be blank, in which it would simply hang up after being picked up by the recipient. (Ticket #93384)

• Bug fix: Four Laboratory fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: If randomizing a record while the randomization field and/or a strata field on the page are radio button fields (as opposed to being drop-down fields), after the record has been randomized, those fields would mistakenly not appear to be selected until the page is reloaded or revisited later. This would not affect the data values of the fields at all but could be confusing to users because it seemingly implies that perhaps the randomization process was not completely successful. (Ticket #92825)

• Bug fix: REDCap Messenger would mistakenly not open when on the External Modules page in the Control Center.

• Bug fix: When copying a project and selecting the option to copy "All settings for Survey Queue and Automated Survey Invitations", it would mistakenly fail to copy the time lag fields of "before/after" and "the ASI has been triggered/[date or time field]" (if defined) for Automated Survey Invitations. (Ticket #92213)

• Bug fix: When a project has some alerts set to send as SMS or Voice Calls, but the Twilio functionality has been completely disabled at the system-level in the Control Center, the REDCap page would mistakenly crash with a fatal PHP error when those alerts get triggered. (Ticket #92179)

• Bug fix: When a user copies a project or creates a new project via a Project Template, in which a survey in the original project had enabled the Survey Confirmation Email and had its option "Include PDF of completed survey as attachment" checked, that checkbox option would mistakenly not be saved/checked in the new resulting project. (Ticket #92058)

• Bug fix: When the system-level setting "Utilize the Display Name in all outgoing emails?" is turned off, the user interface on the Alerts & Notifications page would still mistakenly display the "Display name" text box in the "Create new alert"/"Edit alert" dialog. (Ticket #92245)

• Bug fix: When creating/editing an Automated Survey Invitation and clicking the "Save & Copy to..." button, it would mistakenly fail to copy the time lag fields of "before/after" and "the ASI has been triggered/[date or time field]" (if defined) for the ASI. (Ticket #92213B)

• Bug fix: When downloading or uploading a CSV file containing the settings for Automated Survey Invitations on the Online Designer, it would mistakenly forget to include the time lag fields of "before/after" and "the ASI has been triggered/[date or time field]" (if defined) for the ASIs in both the import and export files.

• Bug fix: When an alert has been created in a project containing repeating instruments, in which the alert is to be triggered when a record is saved on a specific form/survey (i.e., either the first or second radio button in Step 1A), if the specified instrument is a repeating instrument and a data import is being performed, in which the imported data contains repeating instances of that repeating instrument, then it would mistakenly trigger the alert. When an alert has either the first or second radio button selected in Step 1A, the alert should never be triggered by a data import (including API import or REDCap::saveData) but only when clicking a Save button on a survey page or data entry form.

• Bug fix: If the Data Transfer Services (DTS) are enabled at the system level and the current user has access to a project that has DTS enabled, then a fatal PHP error would be displayed on the My Projects page if on PHP 7.3+. (Ticket #93190)

• Bug fix: When viewing the My Projects page or Home page on a mobile device, the Send-It option would mistakenly not be visible in the pull-down navigation menu (i.e., 3-line button at top right).

• Bug fix: On the Alerts & Notifications page, the red asterisk in Step 1A of the Edit Alert dialog did not have a corresponding explanation in that section regarding what the asterisk implies. It was mistakenly removed in a previous version, and has now been re-added.

• Bug fix: The datediff+today/now cron job for Alerts & Notifications that runs every 4 hours might mistakenly fail to remove any scheduled/unsent alerts if the alert's conditional logic no longer evaluated as TRUE at the time of the cron job running.

• Bug fix: Signature fields would mistakenly not work (or not work well) or certain non-mobile touchscreen devices because the jSignature library being used was very out of date. (Ticket #67122)

Version 10.0.20 (released on 2020-09-25)

CHANGES IN THIS VERSION:

• Medium security fix: If a malicious user has knowledge of REDCap's infrastructure and code, they might be able to inject specific PHP code into conditional logic or calculations that get evaluated by PHP.

• Bug fix: When loading a public survey for a project that contains 10K+ or 100K+ records, the initial loading of the survey page could be unnecessarily slow due to incorrect assumptions in the code regarding the employment of record auto-numbering for public surveys. Thus it should now load much faster.

• Bug fix: When loading a public survey for a project that contains 10K+ or 100K+ records, the initial loading of the survey page could be unnecessarily slow if the project's back-end "record list cache" has not been recently built, which may occur if users have not been active in the project recently even while many participants are taking the public survey very often. This was caused due to incorrect assumptions in the code regarding when to trigger the auto-build process for the "record list cache". Thus it should now load much faster.

• Bug fix: In longitudinal projects that contain repeating instruments, if the "designated email field for sending survey invitations" is used or else the survey-level designated email field is used, then it is possible that the designated email field might mistakenly receive repeating values even when its instrument is not a repeating instrument. In this case, the email field's instrument would mistakenly display a repeating instance status icon (i.e., the stack status icon) on the Record Status Dashboard, but would confusingly prevent the user from navigating inside that instrument for a given record on the dashboard page.

• Bug fix: If clicking the pencil icon for a Signature field on the Codebook page, when it opens the field for editing in the Online Designer, it would mistakenly set it as a File Upload field rather than a Signature field, which would cause the field to be modified and saved incorrectly as a File Upload field if the user clicked the Save button in the dialog without changing the field type. (Ticket #92271)

• Bug fix: When using Clinical Data Interability Services (CDP or Data Mart), all non-Integer record IDs would mistakenly not get inserted into the redcap_ehr_import_counts database table, which tracks the amount of data points/records that have had clinical data imported into them. (Ticket #92426)

• Bug fix: If an existing Automated Survey Invitation is modified so that the "Ensure logic is still true?" option is checked (when previously it was unchecked), in which it is the only setting that was modified during this save, it would mistakenly not save that option being checked. (Ticket #92372)

• Bug fix: If the survey confirmation email option is enabled for a survey, it would mistakenly include the participant's email address on the project logging page, which is a privacy concern because it makes anonymous survey responses no longer anonymous and also because it is inconsistent with the text listed below the survey's Completion Text that says "Your email address will not be stored". Instead of listing the participant's email on the logging page, it now displays "To: [undisclosed email address]" instead. (Ticket #92210)

• Bug fix: If a field is embedded inside the choice label of a multiple choice field that is used in the Custom Record Label, it would mistakenly attempt to embed the field inside the blue/green row near the top of the data entry form. This would also cause an embedding error to be displayed on the page if the field were embedded elsewhere on that page. (Ticket #92551)

Version 10.0.19 (released on 2020-09-17)

CHANGES IN THIS VERSION:

• Medium security fix: Since it has been determined that REDCap versions 10.3.1 Standard Release and lower and 10.0.17 LTS and lower contain security vulnerabilities that are still executable if those version directories continue to remain on the REDCap web server, the Configuration Check page in the Control Center now recommends that you remove those older version directories that contain specific major vulnerabilities that they cannot be exploited by a malicious user.

• Minor security fix: To prevent potentially malicious users from harvesting Table-based usernames from REDCap via the Password Recovery page, it now displays a deterministic (but fake) security question if the username entered does not exist in the system. This behavior makes it impossible for the malicious user to determine if the username entered was a real username or not.

• Bug fix: If a new user is accessing REDCap for the first time while using an external authentication method (i.e., not using Table-based authentication), the page that asks them to enter their name and email address would not get saved and would mistakenly display the "multiple tabs open" error message.

• Bug fix: If using the Twilio telephony feature on the Public Survey Link page of a project to send an SMS message containing a link to the public survey, it would mistakenly omit the survey link in the content of the SMS if the content contains the Smart Variables [survey-url] and [survey-link] with no "instrument" parameter defined inside the square brackets.

• Bug fix: If a data entry form contains a Descriptive field with an embedded audio or video file, it might mistakenly allow two users to access and modify values on that form at the same time, thus allowing them to mistakenly bypass the Simultaneous User Prevention feature. (Ticket #91334)

• Bug fix: If a field is embedded inside the choice label of a checkbox field, it might cause issues if the embedded field contains branching logic to hide/show it when its associated checkbox option is clicked. In many cases, clicking the embedded field might cause the parent checkbox to mistakenly uncheck itself, thus making normal data collection in this way impossible.

• Bug fix: If a radio button field is embedded inside the choice label of a checkbox field, the radio field's "reset" link would mistakenly not uncheck a selected radio button.

Version 10.0.18 (released on 2020-09-11)

CHANGES IN THIS VERSION:

• Critical security fix:If a malicious user has knowledge of REDCap's infrastructure and code, they could potentially manipulate the URL of certain non-project pages in REDCap (e.g., Control Center pages, non-project External Module pages) to bypass authentication and view those pages without ever having logged in. And in very specific cases, the user might (if they have specialized knowledge of REDCap) be able to submit the page and actually affect system configuration settings. Note: There is no known report of this vulnerability ever having been exploited in the wild on any REDCap installation. This vulnerability is present in all versions of REDCap beginning with REDCap 6.18.0.

  • Manual code fix: If you are unable to upgrade REDCap but are able to modify the REDCap PHP files on your server, open the file /redcap_vX.X.X/Classes/System.php and in the function defineAppConstants(), modify the line if ($Route->get()) define("PAGE", $Route->get()); to replace it with if ($Route->get() && strpos(PAGE_FULL, "/redcap_v{$redcap_version}/index.php") !== false) define("PAGE", $Route->get());

• Minor security fixes: Various minor security vulnerabilities (including SQL injection, Cross-site Request Forgery, and Cross-site Scripting) were found on various pages throughout REDCap and were remediated.

• Major bug fix: If a survey participant's email address was added to an initial survey on the Participant List, and then the participant takes the survey using their private survey link, in which they fail to enter a value for a required field on the first page of that survey, it would mistakenly cause their partial survey completion status to be mistakenly orphaned (thus not displaying the partial response status icon but a red/Incomplete status icon) and might cause their email address to disappear from the Participant List. Additionally, it would cause the next record name in the project to be skipped, thus leaving a gap in the list of record names.

• Bug fix: When a participant loads a public survey, if the tentative record name that was generated when the survey loaded somehow matches the record name of an existing record that has been locked via Record-level Locking, it would mistakenly display the erroneous message that the public survey cannot be taken because the record is currently locked, which is not correct.

• Bug fix: If a user is running Data Quality rule H to fix calculations that exist on a survey that has been completed via the e-Consent Framework, although it might note that some calc fields' values need to be fixed, clicking the "Fix calcs now" button for DQ rule H would mistakenly not fix them and would not explain why.

• Bug fix: Queries would mistakenly get displayed on the page momentarily right after logging in via Shibboleth or Shibboleth+Table. (Ticket #91504)

• Bug fix: If a value is being entered into a "Phone (North America)" validated field, and the field's value is formatted slightly after being entered (to add parentheses, spaces, and dashes), any branching logic or calculations triggered by the field would mistakenly use the hand-entered value of the field rather than the final formatted value, which could cause issues in certain scenarios. (Ticket #91722)

Version 9.5.35 (released on 2020-09-11)

CHANGES IN THIS VERSION:

• Critical security fix:If a malicious user has knowledge of REDCap's infrastructure and code, they could potentially manipulate the URL of certain non-project pages in REDCap (e.g., Control Center pages, non-project External Module pages) to bypass authentication and view those pages without ever having logged in. And in very specific cases, the user might (if they have specialized knowledge of REDCap) be able to submit the page and actually affect system configuration settings. Note: There is no known report of this vulnerability ever having been exploited in the wild on any REDCap installation. This vulnerability is present in all versions of REDCap beginning with REDCap 6.18.0.

  • Manual code fix: If you are unable to upgrade REDCap but are able to modify the REDCap PHP files on your server, open the file /redcap_vX.X.X/Classes/System.php and in the function defineAppConstants(), modify the line if ($Route->get()) define("PAGE", $Route->get()); to replace it with if ($Route->get() && strpos(PAGE_FULL, "/redcap_v{$redcap_version}/index.php") !== false) define("PAGE", $Route->get());

Version 10.0.17 (released on 2020-09-03)

CHANGES IN THIS VERSION:

• Bug fix: When using Twilio, it would mistakenly not send SMS messages to U.S. phone numbers with an 854 area code. (Ticket #90686)

• Bug fix: If a calc field is using the function sum, min, max, stdev, mean, or abs, and the variable names referenced inside those functions are not numeric-type fields (i.e., has number/integer validation, is a calc or slider field), it would not return a correct result if one of more of the fields referenced in the function had a negative value. (Ticket #90881)

• Bug fix: The automatic procedures that are intended to truncate long field labels and long multiple choice option labels in SAS data exports were malfunctioning for various unknown reasons and were mistakenly causing the content of the resulting SAS syntax file to be partly missing (i.e., not just the truncated labels). To remediate this issue, the field label truncating methodology needed to be removed until further testing can be done to evaluate this issue. (Ticket #90309)

• Bug fix: When adding choices that do not contain a comma for a multiple choice field in the Add New Field dialog on the Online Designer, it would not always automatically set the raw coded values correctly if the user provided a mix of numeric and non-numeric values for the options. (Ticket #83895)

• Bug fix: If the e-Consent Framework is enabled on a one-page survey that contains a field that is required and is also embedded inside another field on the survey page, if the participant loads the e-Consent certification page and then clicks the "Previous Page" button, it would mistakenly delete the value of the field that was both required and embedded on the previous page. (Ticket #91139)

• Bug fix: The External Modules link on the left-hand menu both in projects and in the Control Center would mistakenly be a full link rather than a relative link to the page, which could cause some issues in specific situations. (Ticket #91223)

• Bug fix: When entering a value into a field that has been designated as the Secondary Unique Field in a project, each time the user/participant leaves the field and then re-enters the field, it will cause the amount of SUF unique value checks performed to double each time (e.g., 1 check, then 2, 4, 8), when it should only be running once after entering a value in the field. This could cause the page to get really slow and unresponsive. (Ticket #91344)

• Bug fix: When using Shibboleth or Shibboleth+Table for authentication, it might mistakenly not update a user's "Time of last login" as noted on the Browse Users page. (Ticket #85105)

Version 10.0.16 (released on 2020-08-27)

CHANGES IN THIS VERSION:

• Critical bug fix: When collecting data using a public survey where multiple participants are entering data near-simultaneously, if piping is being performed on the first page of the public survey, a scenario may arise in which a survey participant may mistakenly see some piped data that was entered by another participant that had just saved their responses at the same time as (or moments before) the current participant had loaded the survey page. While this issue is fairly rare, the worst-case scenario could be that a participant ends up viewing another participant's response, thus possibly resulting in a privacy leak if private and/or identifying information (e.g., PHI) has been entered on the survey.

• Bug fix: If a longitudinal project is utilizing the randomization module and is randomizing by group/site by using Data Access Groups in Step B, then it would mistakenly display an erroneous message about erasing the randomization model because the event designation is missing for the randomization field or criteria fields.

Version 9.5.34 (released on 2020-08-27)

CHANGES IN THIS VERSION:

• Critical bug fix: When collecting data using a public survey where multiple participants are entering data near-simultaneously, if piping is being performed on the first page of the public survey, a scenario may arise in which a survey participant may mistakenly see some piped data that was entered by another participant that had just saved their responses at the same time as (or moments before) the current participant had loaded the survey page. While this issue is fairly rare, the worst-case scenario could be that a participant ends up viewing another participant's response, thus possibly resulting in a privacy leak if private and/or identifying information (e.g., PHI) has been entered on the survey.

Version 10.0.15 (released on 2020-08-21)

CHANGES IN THIS VERSION:

• Bug fix: When using an AWS-hosted REDCap installation that was deployed using the AWS Quickstart process, the REDCap Easy Upgrade process would not work successfully if Amazon Linux 2 had been used as the server operating system for the AWS deployment. This fix makes the REDCap Easy Upgrade process work with both Amazon Linux 1 and 2.

• Bug fix: If a longitudinal project contains repeating events, in which a record has multiple repeating instances saved for a repeating event but the first instance of the repeating event was deleted, the Record Home Page would mistakenly still display a column for the first instance even though it has no data. It should not be displaying that column at all if it has no data.

• Bug fix: When upgrading to REDCap 10.0.0, the encoding/collation of a column in one database table might not get set correctly depending on the default collation setting of the REDCap installation. (Ticket #90343)

• Bug fix: Small aesthetic issues with the width of contents inside the DIV color classes (e.g., red, blue, green).

• Bug fix: If a survey page or data entry form has several Signature fields (i.e., Signature field type), if a user downloads a PDF of that instrument/survey, the PDF file might mistakenly cause the signatures not to be placed correctly inside the PDF, and in some more extreme cases might cause some of the signatures not to display at all depending on their placement relative to the end of the page in the PDF. (Ticket #90310)

• Bug fix: If a field is embedded inside itself, which is not allowed, it would throw a JavaScript error and prevent the survey page or data entry form from loading fully. Instead it now displays a proper error on the page when this occurs. (Ticket #90394)

• Bug fix: When using the Double Data Entry module in a project, if a DDE user attempts to create a new record that has already been created by the other DDE group, it would mistakenly re-number the record name to a new name (as if record auto-numbering were enabled) when saving the record *only if* some fields on the data entry form were required and were left blank. (Ticket #89152)

• Bug fix: The variable "target" was added to the reserved list of illegal variable names because it might cause JavaScript errors to occur on a survey page or data entry form when a field with that variable name is being used in branching logic or a calculation.

• Bug fix: Data Quality rule B might return false positives or might fail to return true discrepancies if a field with no value has certain branching logic. (Ticket #89337)

Version 10.0.14 (released on 2020-08-14)

CHANGES IN THIS VERSION:

• Major bug fix: When on a survey page or data entry form, the Secondary Unique Field (if enabled in the project) would mistakenly not be checking for the uniqueness of the field's value when a value was entered/changed for that field on page. Note: This issue did not affect values being imported via Data Import Tool, API, or Mobile App.

• Major bug fix: When using the randomization module and utilizing strata fields that exist on a different instrument and/or event from the randomization field, if a user adds or changes a strata field's value during the process of randomization, it mistakenly would not save the new values for the strata fields, thus leaving them with their value prior to when randomization took place. (Ticket #89686)

• Bug fix: When using the Smart Variable [survey-link] when the survey title is blank (i.e., has no value entered), it would mistakenly output an invisible hyperlink. In this particular case, it will instead now set the hyperlink label to be the URL of the link itself.

• Bug fix: Seven Laboratory fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: In certain unknown situations when importing large amounts of records at the same time into a project that contains Data Access Groups, in which a user that is not assigned to a DAG is performing the import and is assigning records to DAGs during the import process using the "redcap_data_access_group" field, the back-end Record List Cache might get out of sync and might cause some pages (e.g., Record Status Dashboard) to mistakenly show that the imported records are not assigned to a DAG. This situation would often require a REDCap administrator to have to clear the Record List Cache via the button on the Other Functionality page in order for the record(s) to display as if assigned to their proper DAG.

• Bug fix: When viewing the Data History dialog of a field in a multi-arm longitudinal project, in which a record exists on multiple arms and then is deleted from one of the arms, it might mistakenly display the history of data values incorrectly in the Data History dialog. (Ticket #67037)

• Bug fix: When using the randomization module while a project is in production status, and then a REDCap administrator moves the project back to development status and then back to production again, the randomization field's values do correctly get erased for all records when moving back to production; however, it mistakenly does not set all the records back to a pre-randomized state. Instead, all the records are still listed as having been randomized, even though they no longer have a value for the randomization field, which results in an error being displayed on the data entry form. (Ticket #89334)

• Bug fix: The "Edit project settings" link next to the tabs on the Project Setup page would mistakenly disappear if the browser window was not very wide or if the user was using the text enlarge/zoom feature in the browser. (Ticket #89772)

• Bug fix: When downloading very large data export CSV files, due to various server configurations, it might mistakenly result in a CSV file that is 0 bytes in size, thus preventing the user from actually downloading the exported data file. (Ticket #89117)

• Bug fix: The performance of the getAutoId() function was noted as severely degraded for specific large projects and thus might consume an unnecessary amount of database server resources, even causing some systems to hang momentarily. The function has been modified to utilize a more efficient database query to reduce the drastic performance hit currently seen by certain projects. (Ticket #89389)

• Bug fix: A foreign key on the "redcap_alerts" database table was not set up correctly.

• Bug fix: While some of REDCap's pages were widened in version 10, the DIV color classes (e.g., red, blue, green) were not, thus causing some pages not to look like they are aligned correctly, especially if using custom banners at the top of the Home Page, login page, or My Projects page. (Ticket #89979)

• Bug fix: When assigning a user to multiple Data Access Groups using the DAG Switcher, if the user's current DAG assignment has not been enabled for them in the DAG Switcher, it would mistakenly allow the DAG Switcher to work but could lead to a confusing user experience because the user would not be able to move themselves back to their original DAG assignment after moving out of it. This has been changed so that an error message is now displayed in this use case and informs the user how to address it.

Version 10.0.13 (released on 2020-08-07)

CHANGES IN THIS VERSION:

• Major bug fix: When upgrading REDCap using the Easy Upgrade process, it would mistakenly not execute all the incremental upgrade scripts required during this process, thus resulting in the "YOUR REDCAP DATABASE STRUCTURE IS INCORRECT!" error message that would be displayed in the Control Center immediately after the upgrade. Note: This issue might still occur when upgrading to this version, but it will not occur when you upgrade to another version after this version. (Ticket #89382)

• Bug fix: Depending on the type of deployment initially made in AWS via the REDCap AWS Quickstart, REDCap might not always be able to successfully determine if it is currently running on AWS Elastic Beanstalk.

• Bug fix: When performing piping of a field with both ":value" and the Smart Variable [X-instance] appended to the field variable (e.g., [field:value][last-instance]), it would sometimes mistakenly not perform the piping at all. (Ticket #59671)

• Bug fix: If a longitudinal project is utilizing the randomization module but randomization has not been fully set up yet, the Randomization Setup page would mistakenly display an erroneous message about erasing the randomization model because the event designation is missing for the randomization field or criteria fields.

• Bug fix: The Easy Upgrade feature might mistakenly display two columns for "Standard Release versions" (in which the second one is empty) when notifying an administrator that a new REDCap version is available. It should not display the second, empty column. (Ticket #89356)

• Bug fix: Prevent a user's IP address from getting auto-banned if somehow the IP address is a blank/empty string value. (Ticket #89367)

• Bug fix: When a report filter references a field from a repeating event or repeating instance, in which the filter logic is checking if the field's value is blank ([field] = "") or non-blank ([field] <> ""), it might mistakenly return too many rows in the report as false positives for the filter logic. (Ticket #89256)

• Bug fix: The action tag @HIDECHOICE would fail to function correctly for a matrix of checkbox fields, thus mistakenly displaying all the checkboxes for the field in the matrix when it should instead be hiding some. (Ticket #88810)

• Bug fix: If the Secondary Unique Field is enabled in a project and its value is being pre-filled via 1) the @DEFAULT action tag, 2) the GET/query string parameter method for surveys, or 3) the POST parameter method for surveys, it would fail to perform the duplicate value check on the field when the form/survey initially loads, thus mistakenly allowing for duplicate values to be entered. (Ticket #88854)

• Bug fix: When using the "View project as user" feature, the left-hand menu would mistakenly not display only the reports to which the user being impersonated has access to view. (Ticket #82697)

• Bug fix: When using the "View project as user" feature, some parts of the Other Functionality page would mistakenly be displayed to admins that the impersonated user normally would not see. (Ticket #88759)

• Bug fix: If an instrument label is very long with no spaces or hyphens, it might cause the Data Entry Rights table in the Editing Existing User dialog on the User Rights page to spill over and push the radio buttons into incorrect places.

• Bug fix: When sending SMS messages via Twilio for alerts or for survey invitations, if the Smart Variables [survey-link] or [survey-queue-link] are included in the SMS text, it will mistakenly remove the URL from the message but leave the link's label. (Ticket #89621)

Version 10.0.12 (released on 2020-07-31)

CHANGES IN THIS VERSION:

• Bug fix: When using the Clinical Data Interoperability Services with Cerner EHR, the FHIR results could mistakenly return as paginated, thus not returning the entire data set expected.

• Bug fix: If an alert is set to be recurring or is set to send only once but not "Immediately", then if the alert fails to send (e.g., if the recipient's address is blank/has no value), it would mistakenly keep trying to send repeatedly every minute. And if the "Email to send email-failure errors" option is set, then the recipient defined for that option would mistakenly get sent an email every minute for every record upon which the alert has been triggered, which could mean that thousands or tens of thousands of emails will get inadvertently sent per day.

• Bug fix: A bug fix was made in REDCap 9.5.26 LTS and 10.0.3 Standard to truncate long field labels and multiple choice labels for fields in any stats package file downloaded from the Data Exports page. However, this should have only been applied specifically to SAS exports since the truncation can cause issues in other stats packages when certain labels are very similar, thus making it difficult to tell fields apart from one another. This truncation of labels now only occurs during SAS exports.

• Bug fix: When REDCap is using an SSL database connection, while most pages in REDCap will work normally, some pages might mistakenly crash due with a fatal PHP error for some types of database connections pertaining to the use of specific SSL certificate-related parameters. (Ticket #89096)

• Bug fix: The "Redirect to a URL" survey termination option would allow survey URLs to be entered but would mistakenly not allow survey queue URLs to be entered.

• Bug fix: When using the datediff() function in a calculated field or branching logic in which the date format parameter is not provided but the returnSignedValue parameter is provided as the fourth parameter, then it would mistakenly result in an error popup on the survey page or data entry form. Bug emerged in REDCap 9.9.2. (Ticket #89007)

• Bug fix: When a REDCap administrator is adding or editing an alert in a project in which they are not a user, if the admin selects their own email address as the Email To, CC, or BCC for the alert, it would mistakenly not save their email address correctly for the alert, which would often prevent the alert from sending successfully upon being triggered. (Ticket #89226)

Version 10.0.11 (released on 2020-07-24)

CHANGES IN THIS VERSION:

• Minor security fix: If a malicious user has knowledge of REDCap's infrastructure and code, they could potentially make calls to a specific REDCap end-point that is used to ping third-party web services that REDCap utilizes throughout the application, in which carefully-crafted calls to this end-point could cause service account information from the platform to be returned back and leaked to the user. This issue appears to only exist when hosting REDCap on certain cloud-based hosting platforms, such as Google Cloud.

• Bug fix: If the [survey-link] Smart Variable is being utilized for an instrument that is not enabled as a survey, it would mistakenly return a blank value/string rather than of six underscores, and if custom text is provided as a parameter for the Smart Variable, it would return a hyperlink with a blank value for the "href" attribute.

• Bug fix: Addressed issues with regard to incremental upgrades in which SQL errors might occur when upgrading from very old versions.

• Bug fix: When downloading a PDF of an instrument/survey containing data, if a single word in the text data of a Notes field exceeds the maximum width of the text in the PDF, such as if a long URL exists in the text data, it would mistakenly cause the text to get split up with one word on each line, thus making the text unnecessarily tall in the resulting PDF. (Ticket #86991)

• Bug fix: If a longitudinal project is utilizing the randomization module, and somehow the event mapped for a strata field or randomization field has been set to NULL (missing a mapped event) on the backend (possibly due to various changes in the project after the randomization model had been saved), it would fail to display the randomization button on the data entry form for any event. To make users aware of this issue when this occurs, it will now display a warning message on the randomization setup page and inform the user how to correct the issue. (Ticket #88594)

• Bug fix: The "email" field validation was slightly incorrect and would allow a period/dot to be entered immediately before the @ symbol in an email address that was entered in an email-validated field, in which this should not be considered a valid email address.

• Bug fix: On PHP 7.4.6+, some pages in REDCap (e.g. Add/Edit Records page) were loading much slower than expected. This fix should resolve this slowness; however, it has not been officially confirmed.

• Bug fix: When an embedded field has branching logic and is also a required field, if the embedded field is currently hidden by branching logic when the survey page or data entry form is submitted, REDCap will mistakenly display the "Some fields are required" message for that field. It should never display that message for fields hidden by branching logic. (Ticket #88864)

Version 10.0.10 (released on 2020-07-17)

CHANGES IN THIS VERSION:

• Major bug fix: When piping is being performed or when logic is being evaluated that contains an event-based Smart Variable that is prepended to a field variable (e.g., [first-event-name][age]), it might not get parsed correctly and might mistakenly return an incorrect result.

• Bug fix: When more than one auto-complete drop-down field is embedded inside another field on a data entry form or survey page, only the first embedded auto-complete drop-down in that table row would get enabled and function correctly. Thus all other drop-downs in that row would mistakenly not function.

Version 10.0.9 (released on 2020-07-17)

CHANGES IN THIS VERSION:

• Bug fix: When sending emails via the Mandrill Email API or while using the Google App Engine platform for hosting, attachments on emails would mistakenly not retain their original file name in the email received.

• Bug fix: In the API Playground, the example R code produced for API method "Export PDF file of instruments" was missing certain arguments (record, instrument, event), and also was mistakenly missing quotes around the API token value. (Ticket #88079)

• Bug fix: When a calculation or branching logic references a field from a repeating instrument or repeating event, in which the instance number or an [X-instance] Smart Variable is explicitly provided (e.g., [field][current-instance] + [field][2] + [field][3]), the JavaScript version of calculations and branching logic that runs on a form/survey page might mistakenly assume the value as a string of text even when the field is a number/integer field type, thus resulting in an incorrect value displayed on the page. However, the correct value would be saved for a calculated field on the page after clicking the Save button. Note: For calculations, data imports and Data Quality rule H would still be correct and store the correct value. (Ticket #88143)

• Bug fix: When a field is embedded inside another field that is being hidden by branching logic on the page, it might cause a "BRANCHING LOGIC ERRORS EXIST!" error to mistakenly appear on the data entry form or survey page. (Ticket #88134)

• Bug fix: When importing a CSV of arms on the Define My Events page, it would mistakenly allow an arm's number to be imported with a value of "0", which is not allowed and causes issues with accessing records in that arm afterward in the user interface.

• Bug fix: When using a calculation or conditional logic in a longitudinal project that contains repeating instruments and/or repeating events, if a checkbox field is referenced in the calc/logic and has an [X-instance] Smart Variable appended to it (e.g., [checkbox_name(2)][last-instance]), the calc/logic might mistakenly not get parsed correctly and might return an incorrect result. This only occurs for checkboxes on repeating instruments/events in longitudinal projects. (Ticket #88065)

• Bug fix: When viewing the instrument/event options for Report B on the "Data Exports, Reports, and Stats" page in a project, the instrument/event multi-select fields would mistakenly be too narrow and would often prevent users from being able to distinguish which instruments/events they are selecting. (Ticket #88261)

• Bug fix: CSV files that are exported for the following places might be exported as UTF-8 encoded but would mistakenly be missing the BOM (Byte Order Mark): export for randomization template allocation tables, export for Automated Survey Invitations in the Online Designer, and the export for the "E-signature and Locking Management" page. (Ticket #87787)

• Bug fix: If users have bookmarked the link to the PDF archive tabs in the File Repository for either the survey PDF Auto-Archiver or the Record-level Locking Enhancement (PDF confirmation & automatic external file storage) feature, and either of those features have been disabled in a given project, the user would mistakenly be able to view those pages in the File Repository and possibly download PDF files from those pages if those features were previously enabled and utilized in the project.

• Bug fix: When piping the [form-url] or [form-link] Smart Variable when they have an [X-instance] Smart Variable appended to them, in which the "instrument" parameter of [form-url] or [form-link] is not specified, it might mistakenly return a blank value instead of the URL/link.

• Bug fix: When a slider field's value is being piped onto the same instrument or survey page in which the slider itself is located, it might mistakenly not update the piped value on the page when the user modifies the slider value, such as when initially clicking on the slider to activate it or when clicking the slider's "reset" link.

• Bug fix: The documentation for the developer method REDCap::saveData() was incorrect with regard to what "item_count" represents in the returned response, specifically for type="flat" data. (Ticket #88378)

• Bug fix: When a REDCap administrator is using the "View Project as User" feature on a user that has been assigned to multiple Data Access Groups via the DAG Switcher, the "Current Data Access Group" banner would mistakenly not be displayed at the top of the page for the administrator. (Ticket #88392)

Version 10.0.8 (released on 2020-07-10)

CHANGES IN THIS VERSION:

• Major bug fix: If calculated fields in a project have the exact same calculation/equation as another calc field in that project, it could cause incorrect values to be returned and saved for those calc fields when submitting a form/survey, when importing data, or when running Data Quality rule H. Bug emerged in REDCap 10.0.7 (LTS) and 10.1.1 (Standard). This bug might also affect the results of custom Data Quality rules, but it is currently unknown if this is true. This would only affect calculations that were triggered by data changes after upgrading to 10.0.7 (LTS) and 10.1.1 (Standard), in which they can be fixed afterward by running Data Quality rule H in a given project.

• Bug fix: The Easy Upgrade feature might mistakenly not execute the entire SQL upgrade script for certain web server or database server configurations (the ultimate cause is unknown). This could cause problems after the upgrade completes in which the Auto-Fix feature might not be able to fix it without some extra SQL needing to be run. (Ticket #87994)

• Bug fix: The parsing of some conditional logic might mistakenly fail with a fatal PHP error for unknown reasons, possibly only for specific PHP versions. (Ticket #87983)

• Bug fix: If a "Designated email field for sending survey invitations" is being used in a project, in which that email field exists on a repeating instrument or repeating event, then the Survey Invitation Log page would mistakenly fail to display the record name for a scheduled/sent invitation and would instead display the slash-eye icon to indicate that the record name is not displayable. (Ticket #87795)

Version 10.0.7 (released on 2020-07-09)

CHANGES IN THIS VERSION:

• Critical bug fix: When collecting data using a public survey where multiple participants are entering data near-simultaneously (i.e., submitting the survey within the same fraction of a second), a scenario may arise in which those multiple responses could get partially merged together. When this occurs, it appears in the logging that two new records were created, but on some occasions the second participant ends up overwriting the first participant's responses. This issue only occurs when the project's back-end Record List Cache gets out of date and somehow doesn't include some of the new records created via the public survey. While this issue is fairly rare, it can cause data loss when a participant accidentally overwrites another's response, and the worst-case scenario could be that a participant ends up viewing another participant's response, thus possibly resulting in a privacy leak if private and/or identifying information (e.g., PHI) has been entered on the survey.

• Major bug fix: If a record has been locked at the record level and the record is renamed, the record will mistakenly no longer appear to be locked anymore.

• Major bug fix: If a record has been locked at the record level and then the record is deleted and another record is created with the same name, the new record will mistakenly be initially locked after creation and have the same lock status and lock time as the original record bearing its name.

• Bug fix: Branching logic now works for embedded fields - A JavaScript issue (which is resolved separately in this release) was affecting embedded fields and made it impossible for a field's branching logic to function if it was embedded inside another field. Now that the other issue has been resolved, it has unblocked the issue that prevented branching logic from functioning for embedded fields. Thus, fields embedded inside other fields will now be hidden/displayed appropriately according to their own defined branching logic, as was originally intended with the embedded fields feature. Note: The documentation regarding branching logic for embedded fields has been modified accordingly to reflect this change in behavior due to the fix.

• Bug fix: If a slider or file upload field is being hidden by branching logic, they would mistakenly not get reset back to their original state with the slider placed back at mid-position and the file upload field reset back to the "Upload file" link, respectively. This would be very confusing to users if the fields were hidden by branching logic, in which their field was erased, and then while on the same page, the fields were revealed again looking as if they had a value when they actually did not.

• Bug fix: When clicking the "All custom" button on the Data Quality page, it would mistakenly execute rule I.

• Bug fix: When using Data Access Groups in a project, if a user was added to the project's User Rights page with a capital letter in their username, then the Data Access Groups page would mistakenly display the user's username and name as blank (with only a comma displayed) in the "Users in group" column no the page. (Ticket #86811)

• Bug fix: If a File Upload field is embedded in the choice label of a radio button or checkbox field, it would mistakenly overlap the choice label text.

• Bug fix: When importing data via the API for a repeating instrument, many of the normal checks that ensure that the fields "redcap_repeat_instrument" and "redcap_repeat_instance" have valid values where mistakenly getting bypassed and thus not performing all the necessary checks to ensure the best data quality during the import. For example, importing a field on a repeating instrument but leaving the "redcap_repeat_instance" field blank would not return an error but would instead assume the value is "1", which should not be assumed. (Ticket #75854)

• Bug fix: When using the Clickjacking Prevention feature, it would mistakenly prevent REDCap from being embedded inside an EHR when using the Clinical Data Pull (CDP) EHR launch.

• Bug fix: If using the Mandrill Email API integration to send emails from REDCap, it would mistakenly fail to add the appropriate file attachments (when applicable) to any outgoing emails and would instead send emails successfully without any attachments.

• Bug fix: If a text field or notes field is embedded inside a radio button or checkbox field on a survey, in which the Enhanced Radio/Checkbox setting has been enabled for the survey, it would prevent participants from using the Space key when entering a text value for the embedded field.

• Minor security fix: Prevention of CSV injection - Users or survey participants could enter +, -, @, or = at the beginning of a text field's value, and if a user is performing a CSV export of the data and opening the file in Excel (and possibly other spreadsheet software), it could cause that data to be inferred as a formula by Excel, which could have some security consequences. In these cases if a data value in a CSV Raw or CSV Labels export begins with one of those characters, a space will be prepended to the text value to prevent this issue from occurring.

Version 9.5.33 (released on 2020-07-09)

CHANGES IN THIS VERSION:

• Critical bug fix: When collecting data using a public survey where multiple participants are entering data near-simultaneously (i.e., submitting the survey within the same fraction of a second), a scenario may arise in which those multiple responses could get partially merged together. When this occurs, it appears in the logging that two new records were created, but on some occasions the second participant ends up overwriting the first participant's responses. This issue only occurs when the project's back-end Record List Cache gets out of date and somehow doesn't include some of the new records created via the public survey. While this issue is fairly rare, it can cause data loss when a participant accidentally overwrites another's response, and the worst-case scenario could be that a participant ends up viewing another participant's response, thus possibly resulting in a privacy leak if private and/or identifying information (e.g., PHI) has been entered on the survey.

Version 10.0.6 (released on 2020-06-30)

CHANGES IN THIS VERSION:

• Bug fix: When using the color-picker to edit the text color or background color of a Project Folder on the My Projects page, the text field to add/modify the hex color code would mistakenly be disabled when it should instead be editable.

• Bug fix: If an External Module is calling REDCap::saveData() in a project using Twilio for surveys or Alerts & Notifications, depending on the context it might mistakenly throw a fatal PHP error if the call to REDCap::saveData() triggers a voice call or SMS message via Twilio.

• Bug fix: On the System Statistics page, the number of Completed projects would mistakenly not get included in the count of Total Projects. (Ticket #86998)

• Bug fix: The iOS version number would mistakenly not be detected accurately for iPads running iOS 13. (Ticket #87081)

• Bug fix: If the Clickjacking Prevention setting is enabled on the "Security & Authentication" page in the Control Center, it might prevent the Clinical Data Pull feature from working correctly when performing an EHR Launch in which a REDCap window is embedded inside an EHR user interface.

• Bug fix: When editing an alert on the Alerts & Notifications page, the "Email From" drop-down might mistakenly list the current user's email address twice, in which the second instance might have the text "[email no longer belongs to a project user]" appended to it.

• Bug fix: When adding a new Table-based user via the "Create User (bulk upload)" tab on the "Add Users (Table-based Only)" page in the Control Center, it might give an inaccurate and confusing message if that user account already exists. (Ticket #87143)

Version 10.0.5 (released on 2020-06-23)

CHANGES IN THIS VERSION:

New LTS branch based off of REDCap 10.0.4 (Standard)

Version 9.5.32 (released on 2020-06-19)

CHANGES IN THIS VERSION:

• Bug fix: If using the HTML tags OL or UL inside the choice label of a radio button or checkbox field, the labels might mistakenly overlap on top of the bullets and make them hard to read.

• Bug fix: When viewing the Sponsor Dashboard page, if the user is a sponsor of many users, then when the page is scrolled downward, the table header would mistakenly get obstructed and covered by the top navbar.

• Bug fix: If a survey title contained HTML tags, those tags would mistakenly get displayed as escaped characters in the Survey Queue setup dialog and on a record's Survey Queue page.

• Bug fix: When an administrator is resetting the password of a Table-based user's account on the Browse Users page, it would mistakenly send the email with the From as the admin's name/email when it should instead send it with the From as the general administrator name and email address that is defined for the system.

• Bug fix: When adding users to a project using the API Import Users method, the format of the usernames were mistakenly not being checked and thus would allow usernames containing invalid characters to be added to projects.

• Bug fix: When using the Clinical Data Pull (CDP) module when launching the REDCap window from inside the EHR user interface, it would mistakenly crash with a fatal PHP error. (Ticket #86644)

• Bug fix: When using Twilio telephony services for surveys, in which the default invitation preference for new survey participants has been set to a value other than "Email", when new records are created in the project specifically via the API Import Records method, those participant's invitation preference in the Participant List would mistakenly not get set to the correct value but would always get set to "Email". Note: If importing data via the Data Import Tool, the invitation preference would get set correctly. (Ticket #86673)

• Bug fix: If the Save & Return Later feature has been enabled on a survey but participants are not allowed to return once they have completed the survey, then there is a scenario in which a participant could mistakenly erase all their survey responses after having completed the survey. If they partially complete the survey and then return back to the survey page, in which it asks them to either enter their Return Code or erase all their responses and start over, if that page is opened twice in two different browser tabs, and then the participant completes the survey in one tab and then later views the other tab and clicks the "Start Over" button, it would mistakenly erase all their responses, even though they should not be able to modify their responses after having completed the survey.

• Bug fix: When an alert has the option "Using conditional logic during a data import or data entry" selected in Step 1 in the "Edit Alert" dialog, in which the alert's conditional logic contains the datediff() function with "now" or "today" as a parameter, if the project is longitudinal and the logic also explicitly references a field in a specific event (i.e., has the unique event name prepended to the field variable), if that particular event being specified has no data in it, then the logic would mistakenly not get evaluated correctly, and the alert would not get triggered/scheduled correctly by the "AlertsNotificationsDatediffChecker" cron job. (Ticket #86689)

Version 9.5.31 (released on 2020-06-11)

CHANGES IN THIS VERSION:

• Bug fix: If a hyperlink is used inside a field label or section header text for a field on a survey or data entry form, in which the hyperlink is merely an anchor link to point to another place on the current page, then in some cases clicking the link would mistakenly prompt the "Save your changes?" dialog to be displayed unnecessarily if data had been added/modified on the page. (Ticket #85880)

• Bug fix: When the survey option "Allow survey respondents to view aggregate survey results after completing the survey?" is enabled on a public survey and a respondent completes the public survey, it would mistakenly not display the button to allow the respondent to view the aggregate survey results. Bug emerged in REDCap 9.10.0 Standard and 9.5.28 LTS.

• Bug fix: The API method "Export a Survey Queue Link" would mistakenly fail with a fatal error. Bug emerged in REDCap 10.0.1 Standard and 9.5.30 LTS. (Ticket #86155)

• Bug fix: If using the HTML tags OL or UL inside the choice label of a radio button or checkbox field, the labels might mistakenly overlap on top of the bullets and make them hard to read.

• Bug fix: When using the Twilio telephony services for surveys in a project, if the "SMS Conversation" option has not been enabled in the project but a participant mistakenly replies back to an SMS they received from REDCap, it would begin the survey as if using the "SMS Conversation" option, which is incorrect. In this case, it now will reply back to them with an SMS saying "Auto-Reply: This SMS phone number is not monitored". (Ticket #61331)

• Bug fix: When the Save & Return Later option for a survey has been disabled but somehow a user has enabled the sub-option to "Allow respondents to return without needing a return code" for the survey, it would create a scenario via the Survey Queue in which the survey participant might be able to return to the survey even with Save & Return Later having been disabled. (Ticket #85891)

• Bug fix: In some very specific cases when an External Module is calling the REDCap::evaluateLogic() method in a repeating event context, it might not mistakenly parse the logic correctly if the logic contains a stand-alone [X-instance] Smart Variable (i.e., when it is not appended to a field variable). (Ticket #85914)

• Bug fix: When executing Data Quality rule E ("Outliers for numerical fields") for a project that has Missing Data Codes defined, it might mistakenly return discrepancies for records that have a numerical Missing Data Code. It should instead be ignoring Missing Data Code values in this DQ rule. (Ticket #85991)

Version 9.5.30 (released on 2020-06-05)

CHANGES IN THIS VERSION:

• Bug fix: If two users load the same data entry form in a project (i.e., same record, event, instrument, instance), in which one of the users has clicked the plus/minus icon on the left-hand menu to collapse/uncollapse a menu section after loading the form, it would mistakenly not display the Simultaneous User Prevention warning and thus would allow both users to have edit access on that from. (Ticket #85305)

• Bug fix: For certain screen widths, the search box displayed above a report might mistakenly be displayed too far to the right on the page. (Ticket #85415)

• Bug fix: When updating third-party packages for bug fixes in a previous REDCap release, the sabre/uri package was updated to the latest version, which supports only PHP 7.1+. The package has been downgraded in REDCap to support PHP 5.5, 5.6, and 7.0 again. (Ticket #85523)

• Bug fix: The database query used to generate the list of a record's repeating instances for a given instrument was not correctly optimized and was causing major performance issues for certain projects on certain installations. (Ticket #84936)

• Bug fix: When a Yes-No or True-False field is piped into an Alert's email subject or message text, in which the alert is set to be sent after a delay (not immediately) and/or on a recurring schedule, then the value of the Yes-No or True-False field would fail to be piped into the text and instead would be replaced with 6 underscores as if the value did not exist.

• Bug fix: Reports that are very wide and very tall would have the fixed headers and fixed first column behavior automatically employed on the report table, but often times the scrollable width of the resulting table would be too wide and would run off the page, thus causing the user to have to scroll the main viewport first and then scroll the table second. It now tries to ensure that the scrollable table itself will fit on the page so that only one instance of horizontal scrolling is required.

• Bug fix: The Easter Egg functionality of appending ""&__display_errors=1" to the URL in order to force output a PHP error onto the webpage has now been removed for all cases except for authenticated REDCap administrators because it is a potential security issue.

• Bug fix: Nearly 200 Laboratory and Vital Signs fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: When using the Smart Variable [survey-queue-link] in a context where the current record does not yet exist (e.g., on the first page of a public survey), it would mistakenly return a URL that might not actually be associated with the record after the record has been created. Instead it now returns a blank value if the record does not yet exist. (Ticket #85602)

• Bug fix: The REDCap hook named "redcap_survey_complete" would get mistakenly called when a survey participant would attempt to return to a completed survey that has the "Save & Return Later" option enabled when the sub-option is enabled to allow respondents to return without needing a return code - i.e., when it displays the message "Thank you for your interest, but you have already completed this survey". (Ticket #80109)

Version 9.5.29 (released on 2020-05-29)

CHANGES IN THIS VERSION:

• Bug fix: Report B would return incomplete returns when viewed on a webpage (but not when exported) under certain conditions, especially if the project is longitudinal. (Ticket #84937)

• Bug fix: When piping data into a drop-down field on a survey or data entry form that is a repeating instrument or exists on a repeating event, although piping would occur correctly when initially loading the page (using saved values), it would mistakenly not perform real-time piping on the page as fields were modified if those modified fields' values were being piped into drop-down fields on that same page. (Ticket #84951)

• Bug fix: When the Double Data Entry module is enabled in a project, the Current Users table on the Project Home page might mistakenly get partially covered by the Project Statistics table. (Ticket #84903)

• Bug fix: When setting a Missing Data Code for a field, it would mistakenly hide all buttons in that row instead of only the Today/Now button for date/datetime fields. (Ticket #84909)

• Bug fix: When composing multiple batches of survey invitations on the Participant List page without refreshing the page in between batches and the user uses their mouse to highlight the existing email body text and then pastes new text using Ctrl-V into the email body without typing on the keyboard while the cursor is inside the email body text box, then the new pasted text might mistakenly not be used in that batch of invitations being sent, but instead it would send invitations using the default email body text. (Ticket #84351)

• Bug fix: When executing a custom Data Quality rule that has logic containing fields from both repeating and non-repeating contexts, in some cases the hyperlink for the data value displayed in the discrepancy dialog popup might mistakenly be pointing to a repeating context (e.g., URL contains "&instance=??") even though the field does not exist on a repeating instrument or repeating event. (Ticket #84934)

• Bug fix: The left-hand instrument menu in a project would mistakenly denote the maximum instance number of a repeating instrument rather than the total count of repeating instances, which can be confusing to users if some instances had been deleted after having been created. If the total count of repeating instances does not match the maximum instance number, then it will now display "max: X, total: Y" next to the instrument name to provide this distinction. Also, the "plus" icon next to a repeating instrument on the left-hand menu would mistakenly not appear if the first instance of the instrument had been deleted (this would occur when viewing the left-hand menu while on another instrument). Additionally, if a repeating instrument had its first repeating instance deleted, the form link on the left-hand menu would still mistakenly point to the first instance by default, which is not intuitive. It now points to the lowest existing instance of that instrument as the default. (Ticket #84943)

• Bug fix: The note "You may use HTML formatting in the email message..." was mistakenly still being displayed below the rich text editors when composing survey invitations in various places in a project. That note no longer makes sense now that the rich text editor must be used in these places, so the note has been removed.

• Bug fix: In some situations where a data entry form or survey is being submitted after an External Module has relocated some fields on the page (e.g., Shazam), it may prevent the page from being saved successfully due to a JavaScript error. (Ticket #47120)

• Bug fix: The color picker popup used for Project Folders and for Survey Themes would not be displayed correctly after being opened, so the preset color palette of squares in the color picker had to be removed since they could not otherwise be fixed.

• Bug fix: When using Missing Data Codes in a project and a radio button or checkbox field has been assigned a missing data code for a given record, and then the user clicks one of the seemingly disabled choices of the field and then clicks Save, it would mistakenly change the value of the field to the choice that was clicked, even though it did not appear as if the field's value changed prior to saving it. (Ticket #85220)

Version 9.5.28 (released on 2020-05-21)

CHANGES IN THIS VERSION:

• Major bug fix: When submitting a one-page public survey, in some specific scenarios after completing the survey, a participant could incidentally cause the survey to get resubmitted (minutes, hours, or even days later), thus creating a duplicate record in the project. This appears to occur mostly for certain mobile devices, in which returning to a tab containing the completed survey might mistakenly cause the survey to get resubmitted somehow. (Ticket #75626)

• Bug fix: When using the Clinical Data Pull feature and viewing the embedded REDCap page in an EHR user interface, it would mistakenly display some escaped HTML on the page. (Ticket #84422)

• Bug fix: When uploading an MP3 audio file to be embedded in a Descriptive field on a survey page or data entry form, it might mistakenly not play in Internet Explorer.

• Bug fix: Seven Laboratory fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: If a project is longitudinal and has either repeating instruments or repeating events, in which a field exists on both a non-repeating event/instrument and on a repeating event/instrument, then if that field is used as a report filter, the report might mistakenly return partially incorrect results. Part of this issue was caused by another fix in REDCap 9.9.1 Standard and 9.5.26 LTS, and the other part is a longer-standing issue caused by difficulty in parsing logic referencing different repeating and non-repeating contexts. (Ticket #84330)

• Bug fix: For longitudinal projects, the project Logging page would mistakenly display the name of the first event next to the record name for logged events related to Data Access Group assignments for records. It should not display the event name because assigning DAGs is performed at the record level and not at the event level, so displaying the event name for the logged event is misleading.

• Bug fix: The cron job to routinely reset the record list cache for all active projects was mistakenly not resetting the cache as often as it should.

• Bug fix: If a calculated field's equation contains certain Smart Variables (e.g., [project-id]), when saving the calc field in the Online Designer, it would note that it is syntactically incorrect, which is untrue. (Ticket #84524)

• Bug fix: When importing an instrument from the REDCap Shared Library, in which the instrument contains a checkbox field that is used in branching logic or in calculations in the imported instrument, and also that checkbox field's variable name already exists in the project as an existing variable, then when the variable is being automatically renamed during the instrument import process to prevent a conflict with the existing variable, it would mistakenly fail to perform the renaming successfully for checkbox fields, which require a slightly different syntax when being referenced in calc fields and branching logic.

• Bug fix: In the Required Fields dialog on data entry forms and surveys, one of the buttons mistakenly did not have its language abstracted for translation. (Ticket #81638)

• Bug fix: When exporting data to SAS while using Missing Data Codes in a project, if any fields contain the @NOMISSING action tag, such fields would mistakenly not be made exempt from the Missing Data Codes when importing the data into SAS. (Ticket #83910)

• Change: When exporting data to SAS, the line "OPTIONS nofmterr;" is now added to the SAS script to prevent any formatting issues from throwing fatal errors.

• Bug fix: When rendering a report or performing a data export in which the report contains some report filters, some extra processing was being done unnecessarily that was making the report slower than it should have been. This unnecessary code was removed, which now makes reports load faster (up to 2x faster in some cases) for reports with report filters.

• Bug fix: When a project that has record auto-numbering enabled exceeds 25,000 records in the project, then the text input field that is displayed (in lieu of a drop-down list) on the Add/Edit Records page would mistakenly allow users to free-form type a new record name that might not comply with the record auto-numbering scheme. To prevent this issue, it now checks to ensure the record being typed already exists.

Version 9.5.27 (released on 2020-05-15)

CHANGES IN THIS VERSION:

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on the project Logging page where a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into the record name of a record imported via the API or Data Import Tool.

• Bug fix: If the foreign key of a database table is not defined correctly in the REDCap database, the SQL provided by the Control Center warning "Your REDCap database structure is incorrect" would mistakenly fail to fix the issue and would keep appearing after being run. It now provides the correct SQL to run in order to fix the database structure issues. (Ticket #83951, #84054)

• Bug fix: When using Twilio Telephony Services to send SMS messages from a Short Code phone number, it would fail to send the messages because REDCap would mistakenly prepend a "+" to the Short Code when attempting to send it via Twilio's API.

• Bug fix: The "redcap_survey_complete" hook would mistakenly get called when a survey participant loads their survey queue when navigating directly to their queue as opposed to navigating there after completing a survey.

• Bug fix: The REDCap installation page would mistakenly crash with a fatal PHP error and would prevent anyone from going through the full installation process. Bug emerged in the previous version. (Ticket #84111)

• Bug fix: If an alert on the Alerts & Notifications page contains attachment files in which two or more attachments have the exact same file name, then it would mistakenly not attach all the files to the email but only the last one listed. (Ticket #83903)

• Bug fix: Two Laboratory fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: The sum() function would mistakenly not work as expected and would return a blank value for a calculated field if one or more of the fields used inside sum() have a blank value. (Ticket #84284)

• Bug fix: In certain cases, if new records are being created in a project while the project's Record List Cache is being built, it might mistakenly cause new records to appear orphaned (as if they were never created) and not appear in reports, dashboards, etc. in the project for a few days (or until the cache is rebuilt). (Ticket #84159)

• Bug fix: When performing a data import into a repeating instrument, in which all the fields in the row in the data import file have blank values (excluding the record id field, redcap_repeat_instance field, and redcap_repeat_instrument field), it would return a confusing error message and prevent the import from completing. (Ticket #84359)

• Bug fix: When exporting a Project XML for a longitudinal project, in which the project contains reports with report filters that have the "in All Events" drop-down option selected for a given filter field, the resulting XML file would contain advanced filter logic that would work successfully in a new project created from the XML file, but if a user went to modify that report afterward in the newly created project, REDCap would note that the logic was not syntactically correct (even though the filter logic would work correctly when displaying the report). This is due to the fact that in the XML file it was mistakenly not prepending "[event-name]" to all fields in the advanced logic that did not already have a prepended unique event name. For longitudinal projects with advanced filter logic, all fields must have a prepended event name or else must have [event-name] prepended to the field.

• Bug fix: If the setting "Email to send email-failure errors" has been defined for an alert in Alerts & Notifications, the email received after an error occurs would mistakenly not contain the real error message of why the alert did not send and also would not contain the alert number of the alert being triggered. (Ticket #84004)

• Bug fix: When running Data Quality rule D ("Field validation errors (out of range)"), it would mistakenly return discrepancies for valid number values if a field had "Number (comma as decimal)" validation. (Ticket #84004)

Version 9.5.26 (released on 2020-05-08)

CHANGES IN THIS VERSION:

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered where a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags and/or JavaScript into the query string of a data entry form or record home page.

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered where a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into the uploaded CSV data file on the Data Import Tool page.

• Bug fix: Certain menu toggles, such as the "hamburger menu" at the top right of the My Projects page when using a mobile device, were not working correctly due to a breaking change in jQuery 3.5.0 in REDCap 9.9.0 Standard and 9.5.25 LTS. A makeshift patch has been applied to fix this in lieu of a proper fix from jQuery. (Ticket #83490)

• Bug fix: When creating a new record via the Schedule module in a project, especially if the user creating the record belongs to a Data Access Group, the record would mistakenly not appear in record lists, record status dashboards, or reports for up to several days due to a record list caching issue, in which the cache was not getting updated appropriately when creating the record via the Scheduling module. (Ticket #83478)

• Bug fix: If some Alerts & Notifications had been created in a longitudinal project, in which recurring alerts had been scheduled for some records, it might prevent a user from deleting an event on the Define My Events page due to foreign key restrictions in the back-end database. (Ticket #83438)

• Bug fix: When moving a project to production and selecting the option to "delete all data", if the Survey Queue is enabled in the project and some existing records had had a survey queue link generated for them, then even though the records would correctly get deleted when moving to production, the survey queue links for those deleted records would mistakenly not get cleared out of the back-end database and thus could mistakenly get reused by new records. (Ticket #83341)

• Bug fix: When using a Missing Data Code value of "0", "1", or "2" in a project, the Missing Data Code would mistakenly get used on the Form Status Complete field on any given instrument and thus cause issues with being able to set that field's value correctly. (Ticket #83423)

• Bug fix: When branching logic or a calc field references a checkbox choice that has been hidden by the @HIDECHOICE action tag, it would mistakenly display a branching logic/calculation error alert on the survey page or data entry form. (Ticket #83376)

• Bug fix: If an Automated Survey Invitation has conditional logic using the datediff() function with “today” or “now” as a parameter, in which “today” or “now” are not in lowercase form, the ASI Datediff cron job would mistakenly not run for these ASIs, thus causing invitations not to get scheduled at the appropriate time.

• Bug fix: The cron job for scheduling Automated Survey Invitations that contain datediff+today/now in their conditional logic and are set to send "Immediately" would mistakenly send invitations immediately in real time by that cron, which can be a slow process and delay the scheduling of other invitations in some situations. Instead, the cron job should have been only scheduling the invitations and then letting the email-sending cron job actually send those scheduled invitations. (Ticket #83596)

• Bug fix: When entering an X-event-name Smart Variable into conditional logic for an ASI, report filter, etc., when validating the logic, it might mistakenly return a confusing error saying that the syntax is not valid even when it is.

• Bug fix: When upgrading to REDCap 9.5.24 or 9.5.25, it might mistakenly not create the redcap_new_record_cache database table correctly and/or result in a MySQL error when running the upgrade SQL script. This release will fix that table if it did not get created correctly.

• Bug fix: If one or more External Modules have been enabled in a project and have a link displayed for a module page in the "External Modules" section on the project's left-hand menu, then if Report Folders have been created in the project and a user toggles a Report Folder to open or close the folder, it would mistakenly cause the reports section on the left-hand menu to be moved below the "External Modules" section when it should instead remain above it.

• Bug fix: For a project where Missing Data Codes are defined, when exporting data to a stats package (R, Stata, SAS, SPSS) when the export file contains checkbox fields and the report being exported is set to include the Missing Data Codes, the extra fields/columns for the Missing Data Codes for the checkbox would mistakenly not get added to the stats package syntax file, even though they get added to the CSV data file, thus causing the data not to load properly into the stats package because of the column number mismatch. (Ticket #83329)

• Bug fix: If running Data Quality rule A or B in a project, in which a blank field has branching logic based off of another blank field, then in certain cases it might not return discrepancies correctly for all the fields with blank values. (Ticket #82655)

• Bug fix: When downloading a PDF of an instrument, sometimes rich text might mistakenly not display well in the PDF, such as paragraphs and tables being too far spaced out.

Version 9.5.25 (released on 2020-04-30)

CHANGES IN THIS VERSION:

• Minor security fix: Due to a Cross-Site Scripting (XSS) vulnerability, the JavaScript library jQuery 3.4.1 was updated to version 3.5.0. (Ticket #82867)

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered where a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags and/or JavaScript into the query string of the Data Access Groups page.

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on some External Module Framework pages, in which a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into places where such HTML gets reflected back on a page that a user is viewing.

• Bug fix: The Missing Data Codes in the Additional Customizations popup on the Project Setup page could mistakenly be modified or removed while collecting data in production, which could cause issues with the saved data during analysis and in reports. It now displays a warning prompt to the user beforehand to inform them that re-labeling or removing Missing Data Codes after data collection has begun could cause data issues, but they will still be allowed to make modifications to the codes if they wish. (Ticket #82977)

• Bug fix: When using Missing Data Codes in a project and selecting a missing data code for a radio button field on a data entry form, the missing data codes popup would mistakenly not close after the code had been clicked. (Ticket #82977)

• Bug fix: When exporting data to Stata, it would mistakenly output the incorrect syntax in the .do file for text fields with datetime_seconds validation. (Ticket #83001)

• Bug fix: If upgrading to 9.5.24 LTS or higher or upgrading to 9.8.5 Standard or higher, the upgrade SQL script might throw a MySQL error during the upgrade process due to a foreign key constraint on a database table. (Ticket #83098)

• Bug fix: Slider fields that are vertically aligned and have the "Display number value (0-100)?" option enabled will mistakenly display the number value field too narrowly and thus will not display the full value if its value is "100". (Ticket #83234)

• Bug fix: If running REDCap on the Google App Engine platform and the email quota has been exceeded when sending outgoing emails, it would mistakenly crash with a fatal PHP error. It now continues to run and finish the script instead of halting the script with an error.

Version 9.5.24 (released on 2020-04-24)

CHANGES IN THIS VERSION:

• Medium security fix: A Cross-Site Scripting (XSS) vulnerability was discovered where a malicious user or survey participant could potentially exploit it by adding some specific HTML tags and JavaScript into a Text field on a survey page or data entry form, after which such HTML would get reflected back on the page and get executed for another user.

• Major bug fix: If a multi-arm longitudinal project is collecting data via public surveys across multiple arms at a time, in which each public survey has its own URL that corresponds to a distinct arm, then if survey participants are submitting a survey at near the same time but for a different arm, then it is possible that those two responses might mistakenly get saved with the same record name, even though the records exist in different arms. This is easily remedied by renaming the record in one of the arms afterward, but it may be hard to detect when it occurs and might be confusing for users when it does.

• Major bug fix: If a user in a longitudinal project clicks the "Delete data for this form only" button at the bottom of a data entry form, in which multiple instruments on the current event contain data for the current record, if all the data on that event had been imported via data import *and* no values for form status fields were imported during the data import process *and* no user ever clicked a Save button on an instrument in that event after the import was performed, then all the data on all instruments in that event would mistakenly get deleted, when instead it should only delete the data from the current instrument.

• Bug fix: When entering conditional logic for Automated Survey Invitations or adding branching logic via the Online Designer, if the logic contained certain Smart Variables (.e.g., [survey-date-completed]), the logic check status displayed immediately below the logic text box would mistakenly state "Error in syntax" even when the logic's syntax is correct.

• Bug fix: When using the standalone launch to login to one’s EHR system when using the Clinical Data Mart or Clinical Data Pull features, it might mistakenly redirect to the wrong page (causing a 404 error). (Ticket #82449)

• Bug fix: If a large amount of HEAD requests hit a survey page, it might cause a disproportionate amount of load to be put on the web server and database server. (Ticket #82501)

• Bug fix: The advanced function isblankormissingcode() would mistakenly not work correctly when used in the equation of a calculated field. (Ticket #82653)

• Bug fix: When a survey participant attempts to close their browser window by clicking the "Close survey" button on the page after completing the survey, if their browser prevents the tab/window from being closed, then the text displayed on the page afterward would mistakenly always be in the language of the system-level language setting rather than the project-level language. (Ticket #82631)

• Bug fix: The generic "Alert" jQuery UI dialog would often have its title and/or buttons displayed in hard-coded English rather than using the language file's text for that particular project in which it is being displayed. (Ticket #81638)

• Bug fix: Dots/periods were mistakenly allowed to be used in the raw coded values for Missing Data Codes. Dots/periods are not compatible to be used in checkbox codings and thus cannot be used as Missing Data Codes. (Ticket #82476)

• Bug fix: When using a field from a repeating instrument in the logic of a Data Quality rule, in which the logic is trying to find instances of the field where its value is blank (e.g., [field] = ""), it might mistakenly not return the expected results in the discrepancy list. (Ticket #82201)

• Bug fix: When using Data Quality rule I to find Missing Data Codes, the rule would mistakenly ignore checkbox fields and not include them in the results. (Ticket #82636)

• Bug fix: When setting up Randomization in a project that is not longitudinal and then later the project is converted to a longitudinal project, it would cause issues and might prevent the randomization process from working properly. (Ticket #82757)

Version 9.5.23 (released on 2020-04-16)

CHANGES IN THIS VERSION:

• Minor security fix: A Blind SQL Injection vulnerability was found using the Data Search feature, in which a malicious user could potentially exploit it by manipulating the query string or POST parameters of an HTTP request.

• Bug fix: When using the [previous-event-name] and [next-event-name] Smart Variables when prepended to field variables in piping, calculations, or logic, they might mistakenly point to the previous/next designated event of the current instrument rather than the previous/next designated event of the field to which the Smart Variable is prepended. Note: This does not affect [previous-event-name] and [next-event-name] when they are used as standalone without being prepended to a field. (Ticket #81976)

• Bug fix: When viewing Report B for a project that contains repeating instruments, the "total number of records queried" in the report might mistakenly be incorrect and not match the "number of results returned".

• Bug fix: When exporting data to SAS, it might throw an error when loading the CSV data into SAS in some cases if a field variable name ends in a number. Additionally, if the project is utilizing Missing Data Codes, it might throw an error on a numerical field if some of the Missing Data Codes are non-numerical.

• Bug fix: Custom Record Status Dashboards that are set to sort by a field's value would mistakenly sort in a case sensitive manner when instead it should be sorting in a case insensitive manner. (Ticket #82092)

• Bug fix: When clicking the "All Status Types" link on the Record Status Dashboard, it would mistakenly hide the [+] buttons next to the status icons of repeating instruments. Instead they should remain displayed. (Ticket #82092)

• Bug fix: If custom "Help & FAQ" text has been defined, then the navigation bar would mistakenly obscure the custom text on the "Help & FAQ" page. (Ticket #82192)

• Bug fix: When a production project is in draft mode and a user deletes an entire instrument in draft mode, it would mistakenly delete any Descriptive field attachments that belong to fields on that instrument from the live version of the instrument in production, thus permanently losing the attachments. (Ticket #82322)

• Bug fix: When a survey participant is viewing their Survey Queue, in which it contains a repeating survey, the "Take this survey again" button next to the repeating survey would mistakenly not be visible in the survey queue when viewing the page on a mobile device with a narrow screen. (Ticket #82335)

Version 9.1.25 (released on 2020-04-09)

CHANGES IN THIS VERSION:

• Critical bug fix: When collecting data using a public survey where multiple participants are entering data near-simultaneously (i.e., submitting the survey within the same fraction of a second), some scenarios may arise in which those multiple responses could get mistakenly merged together as a single record rather than as separate new records. When this occurs, it appears in the logging that one participant has created the record while another participant modified the record afterward, in which it should instead log the events as two separate "create response" events. It is difficult to know when this kind of incident has occurred, and if discovered, might take some work (using the Logging page as a reference) to split the record back into separate proper records and resave them. While this issue occurs very seldom, the worst-case scenario can be if the survey allows the participant to download their responses as a PDF or have their responses emailed to them after completing the survey, in which it might possibly result in a privacy leak if private and/or identifying information (e.g., PHI) has been entered on the survey. (Ticket #81104, #81559)

Version 9.5.22 (released on 2020-04-09)

CHANGES IN THIS VERSION:

• Critical bug fix: When collecting data using a public survey where multiple participants are entering data near-simultaneously (i.e., submitting the survey within the same fraction of a second), some scenarios may arise in which those multiple responses could get mistakenly merged together as a single record rather than as separate new records. When this occurs, it appears in the logging that one participant has created the record while another participant modified the record afterward, in which it should instead log the events as two separate "create response" events. It is difficult to know when this kind of incident has occurred, and if discovered, might take some work (using the Logging page as a reference) to split the record back into separate proper records and resave them. While this issue occurs very seldom, the worst-case scenario can be if the survey allows the participant to download their responses as a PDF or have their responses emailed to them after completing the survey, in which it might possibly result in a privacy leak if private and/or identifying information (e.g., PHI) has been entered on the survey. (Ticket #81104, #81559)

• Bug fix: A database query would fail invisibly but do little harm when importing data to a project via the REDCap Mobile App. (Ticket #81815)

• Bug fix: If the e-Consent Framework is enabled on a survey that is a repeating instrument, in which the first name, last name, and/or date of birth fields (designated in the e-Consent Framework options) also exist on that same survey/instrument, then those name/DOB values would mistakenly not pipe correctly when REDCap adds them to the footer of the e-Consent PDF and also to the Identifier column in the PDF Archive table in the File Repository. Unfortunately, it is not possible to fix the missing piped values for survey responses that have already gone through the e-Consent process prior to this bug fix. (Ticket #81790)

• Bug fix: The IE-specific Conditional Comments to detect Internet Explorer 9 (e.g., <!--[if IE 9]>) were mistakenly not formatted correctly and might cause some users using Internet Explorer to have issues loading pages.

• Bug fix: When exporting a Project XML file for a project via the API, the resulting XML file would mistakenly be missing a lot of the project settings, such as surveys, Alerts & Notifications, Data Quality rules, reports, etc. (Ticket #81879)

• Bug fix: When using the Clinical Data Pull (CDP) feature, the new line separator for storing repeated values (labs, vitals, medications...) was changed slightly. Those repeated values in CDP are stored in a single field using a string separator containing line breaks. The previous new line separator was mistakenly causing false positives in the CDP adjudication table when checking for new values to adjudicate.

• Bug fix: A link in the "Piping" section of the "Help & FAQ" page would point to a non-existent page on the Vanderbilt REDCap server.

• Bug fix: When editing an alert and changing Step 1A from the second option (form save + conditional logic) to the third option (only conditional logic), it would mistakenly not save the alert correctly and might cause the dialog not to reload properly when editing that same alert again later.

Version 9.5.21 (released on 2020-04-03)

CHANGES IN THIS VERSION:

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on several pages, in which a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into places in REDCap where such HTML gets reflected back on a page that a user is viewing.

• Bug fix: When calling the API method "Export Metadata (Data Dictionary)" and providing values for the "fields" parameter, it would mistakenly ignore that parameter unless the "forms" parameter was also provided with a value. Bug emerged in the previous release.

• Bug fix: The plain text section of outgoing emails (which is not ever displayed by most email clients unless they do not support HTML email) would mistakenly have links converted into text and might have unnecessary tabs or line breaks. Most extra tabs and line breaks have been removed from the plain text section of emails, and all links in the email body will have their URL extracted and placed in parentheses directly following the link text so as not to lose that information. (Ticket #80878)

• Bug fix: The redcap_connect.php file was mistakenly not returning an HTTP 500 status error in the incident that the database connection fails. Following the upgrade to this version, REDCap will prompt administrators to replace their redcap_connect.php file.

• Bug fix: If still using the old bit.ly (http://j.mp ) URL shortener service for public surveys (instead of the newer https://redcap.link URL shortener), then when fetching a short survey link on the Public Survey Link page, it would appear to spin forever and never return the shortened URL. This is due to BITLY changing how their API web service works.

• Bug fix: Some reports and data quality rules in longitudinal projects might run 2x-10x slower than expected in certain situations, such as if a field in the report filter logic or DQ logic does not have a prepended event name or if the report filter has "all events" selected for a filter field drop-down. The slowness is especially pronounced in projects having large numbers of events defined and/or a large amount of records in the project. (Ticket #79830)

• Bug fix: When viewing the participant list of a longitudinal project containing multiple arms, the paging drop-down list for the participant list would mistakenly provide an incorrect number of participants for the given survey/event and might not be able to display subsequent pages in the participant list after changing the paging drop-down list to select another page to view. (Ticket #81118)

• Bug fix: If a project does not have record auto-numbering enabled, and the record ID field has min/max validation, then the min/max validation would mistakenly not be applied when a user is entering a new record name via the Record Status Dashboard or Add/Edit Record page. (Ticket #81117)

Version 9.5.20 (released on 2020-03-26)

CHANGES IN THIS VERSION:

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on the Scheduling page, in which a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into places in REDCap where such HTML gets reflected back on a page that a user is viewing. (Ticket #80773)

• Bug fix/change: 350 Laboratory fields (including 30 related to COVID-19) and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: If a checkbox field exists on a repeating event or repeating instrument and is utilized in a calculation or branching logic, in which the field is referenced on another repeating instance than the current repeating instance, then while the checkbox's checked value will save correctly, if a field choice is unchecked later, it might mistakenly not clear/delete the checked value successfully. (Ticket #78956)

• Bug fix: If using "LDAP" or "LDAP & Table-based" authentication, any user containing an apostrophe in their LDAP username would mistakenly not be able to be added to a user role in a project, in which it would fail silently when attempting to add a user to a role. (Ticket #79647)

• Bug fix: If a user attempts to add a field comment to a field on a data entry form prior to creating the record (via Save button), when the user clicks the "Save and then open Field Comment Log" button to reload the page, the cursor's focus might mistakenly be on a field on the form underneath the dialog rather than inside the dialog, possibly causing the user to get stuck and not be able to enter a field comment successfully. (Ticket #80511)

• Bug fix: When clicking the Compose Survey Invitations the first time on the Participant List page in a project, it might mistakenly not load the list of participants to email inside the popup, but it would load it successfully if the popup was closed and then reopened. (Ticket #80584)

• Bug fix: A database query would fail invisibly but do no harm whenever a record is renamed in a project. (Ticket #80895)

• Bug fix: A database query would fail invisibly but do no harm whenever previewing a survey theme in the Online Designer. (Ticket #80940)

• Bug fix: A database query would fail invisibly but do no harm whenever viewing a survey response on a data entry form. (Ticket #80901)

• Bug fix: In a multi-arm longitudinal project that has record auto-numbering disabled, if the record names contain non-Latin/multi-byte characters, then the record names would mistakenly get scrambled whenever rebuilding the record list. (Ticket #74092)

• Bug fix: A database query would fail invisibly in certain scenarios surrounding the piping of repeating instances, which might cause the piping not to work correctly. (Ticket #80901)

• Bug fix: When performing a data import (via API or Data Import Tool) for a multi-arm project, in which a record is being imported into multiple arms during the import, the record might not initially appear as if it has been created in the subsequent arms when viewing the Record Status Dashboard (even though it had been created in the arm correctly). Note: This issue would automatically resolve itself within five days of the import. (Ticket #55039)

• Bug fix: When using the randomization module in a project, the act of randomizing a record does not trigger any Alert & Notifications if an alert was set to be triggered based on the randomization field or strata fields having their values changed. (Ticket #80985)

• Bug fix: When using the randomization module in a project, the act of randomizing a record does not trigger the REDCap hook "redcap_save_record".

• Bug fix: If survey notifications have been enabled on a survey that is a repeating instrument or is on a repeating event, then the link back to the survey response on the data entry form would mistakenly always point back to the first instance of that instrument rather than to the correct instance. (Ticket #81009)

• Bug fix: A database query would fail invisibly in certain API methods being called. (Ticket #81041)

• Bug fix: A database query would fail invisibly in very specific occasions when using the Online Designer to add/edit fields. (Ticket #81020)

• 9.8.0: Bug fix: A database query would fail invisibly to the redcap_log_view_requests table when a user is logging in to REDCap. (Ticket #81056)

Version 9.5.19 - (released 3/12/2020)

BUG FIXES AND OTHER CHANGES:

• Major bug fix: If a participant is taking a public survey (via the public survey link) that allows them to "Save & Return Later", in which the survey requires Return Codes to be used in order to return to the survey, then if the participant returns to the survey using the private/unique survey link (rather than the public survey link), it would mistakenly allow the participant to view their responses without having entered the return code first. However, if they clicked the "Save & Return Later" button again on the survey after returning, then the next time they return to the survey, it would correctly require that they enter a return code. This does not occur for follow-up surveys but only for public surveys with "Save & Return Later" enabled using return codes.

• Bug fix: If the feature "File Upload field enhancement: Password verification & automatic external file storage" is enabled for the system and for a given project, a file uploaded into a File Upload field in the project would be stored on the external server mistakenly using the user's filename of the file rather than the filename of the file as it is stored in the backend of REDCap. This could potentially cause naming conflicts and prevent the file from being stored successfully on the external server. It will now store the file on the external file server using REDCap's backend "stored_name" filename for the file.

• Bug fix: When using a rich text editor that exists inside a modal dialog (e.g., the "Create new alert" dialog, the "Automated Survey Invitation" setup dialog), the rich text editor's "Link" menu option would not function correctly and would prevent users from adding a URL value to a link in their rich text.

• Bug fix: If entering a value on a data entry form for a field that is designated as a Secondary Unique Field, in which a value is entered that duplicates a value in another record in the project, if the user clicks the Enter key on their keyboard after typing the value (instead of clicking outside the field or clicking the Tab button), it would correctly display the error dialog popup about the duplicate value, but the dialog would mistakenly not be able to be closed, thus forcing the user to reload the page and potentially lose any data entered thus far on the page. (Ticket #79910)

• Bug fix: When importing data via the API or Data Import Tool, an alert might not get sent/scheduled for any records that are being created during the data import if the data being imported is expected to trigger an alert. This does not affect existing records but only records that did not exist prior to the data import.

• Bug fix: The Configuration Check page in the Control Center was mistakenly noting that the PHP cURL extension was "recommended" when it should instead state that it is "required". This is because so many major features in REDCap rely on cURL specifically. The warning for cURL on the Config Check page has now been modified accordingly to accurately reflect this. (Ticket #80121)

• Bug fix: The REDCap hook named "redcap_survey_complete" would get mistakenly called when a survey participant would attempt to return to a completed survey that has the "Save & Return Later" option disabled - i.e., when it displays the message "Thank you for your interest, but you have already completed this survey". (Ticket #80109)

• Bug fix: When exporting data in CDISC ODM XML format, in certain situations, the resulting XML might mistakenly omit the ending ODM tag - e.g., "</ODM>". (Ticket #80084)

• Bug fix: When a calculated field exists on a repeating event and its calculation references fields on the same event, in which one or more of those fields exist on instruments that are not designated for that event, then while the calculation would work correctly when viewing the calc field on a survey or data entry form, it would mistakenly return a ""/blank value for the calc field when performing a data import or running Data Quality rule H. (Ticket #79874)

• Bug fix: The text for the confirmation email set at the bottom of the Survey Settings page for an instrument in the Online Designer would mistakenly have extra line breaks added between all the text if the email text was saved and then the page was re-opened later and saved again, thus adding more extra space each time. (Ticket #79836)

• Bug fix: If a custom Data Quality rule has logic that contains a field that is utilized in both a repeating and non-repeating context, especially for a longitudinal project, then it might not return all the correct discrepancies. (Ticket #80102)

• Bug fix: When viewing the "Stats & Charts" page for a user-defined report (i.e., not report A or B) that has filter logic defined, the "missing" count displayed in the descriptive stats table for a given field might mistakenly be a negative number. (Ticket #79994)

• Bug fix: If using "LDAP" or "LDAP & Table-based" authentication, any user containing an apostrophe in their LDAP username would mistakenly not be able to be added as a user on a project, in which it would display a popup error message when attempting such. (Ticket #79647)

• Bug fix: If a user has "No access" data entry form level privileges for the first instrument in a project, the Data Search feature on the "Add/Edit Records" page would mistakenly not include the record ID field in the search. (Ticket #80282)

Version 9.5.18 - (released 3/3/2020)

BUG FIXES AND OTHER CHANGES:

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on the Send-It upload page and the Survey Link Lookup page in the Control Center, in which a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into places in REDCap where such HTML gets reflected back on a page that a user is viewing.

• Bug fix: Twenty "Laboratory" fields, two "Vital Signs" fields, and their associated LOINC codes were mistakenly missing from the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: If a URL is included in a message posted on REDCap Messenger (including those sent via General Notifications from an administrator), the URL might not get displayed properly as a clickable link if the URL is immediately followed by a dot/period or a line break/carriage return.

• Bug fix: If a longitudinal project with repeating instruments or repeating events contains a report that has simple filters (i.e., fields selected via drop-down options) where a field is selected along with the "All events" option, OR if the report has advanced filter logic that references fields that exist on both repeating and non-repeating instruments/events, in which the fields on repeating instruments/events do not have anything appended to them, such as a numeral instance designation or instance Smart Variable and those fields also do not have a unique event name explicitly prepended to them, then the report might return incorrect results *if a field in the logic exists on both repeating and non-repeating events in the project*. This appears only to occur if the report setting "Show data for all events or repeating instruments for each record returned" is left unchecked. (Ticket #79058)

• Bug fix: When clicking the "Use advanced logic" link when building a report that has simple filters (i.e., fields selected via drop-down options), in which a filter field is selected with the "All events" option, when creating the advanced filter logic, it would mistakenly fail to prepend the field with "[event-name]" and thus would throw an error that says the logic is invalid when attempting to save the report.

• Bug fix: When sending emails, REDCap was mistakenly attempting to employ DKIM in all outgoing emails, which might cause emails to no longer be received if hosting REDCap on certain platforms, such as AWS. To ensure emails keep sending as expected, the usage of DKIM is no longer attempted when sending emails.

• Bug fix: When sending survey invitations via the Participant List, if some invitations are sent first and then the user clicks the Compose Survey Invitations button to send another batch without leaving the page, the survey invitation message text would appear to still be the same for the new batch as with the previous batch but instead it would actually send the default invitation text that gets loaded in the text editor when opened the first time. This could cause users to mistakenly send the wrong text in the invitation when sending multiple batches on that page at a time. (Ticket #79507)

• Bug fix: When using Missing Data Codes in a project, and a missing data code is saved for a checkbox field on a record, then that field would mistakenly be returned as a discrepancy in Data Quality rule G. (Ticket #79553)

• Bug fix: If a slider field has the "Display number value?" option checked for it, then when entering data on a survey or form, if the slider has focus put on it (either by tabbing through the survey/form, or if an instrument is opened in which the slider is the first field on the instrument), then a value of "50" would get initially displayed in the slider's associated text box even though the slider value is actually blank/null and will remain so until the slider is clicked or if the user uses their keyboard's left/right arrow keys. So seeing the value of "50" when the slider gets focus might give the impression that its value has been set when in fact it has not been set yet. This has been changed so that the text box value only changes when the slider value itself has been changed by the user, thus eliminating this ambiguity regarding the slider's current value. (Ticket #79430)

• Bug fix: While REDCap prevents users from viewing all pages of a given report at the same time if it estimates that the report contains more than 500k data points, it would mistakenly calculate the number of total data points incorrectly while determining this. (Ticket #79657)

Version 9.5.17 - (released 2/28/2020)

BUG FIXES AND OTHER CHANGES:

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on a page in the External Module Framework, in which a malicious user (who must be logged in) could potentially exploit it by manipulating the query string of certain HTTP requests utilized within that page.

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on several pages, in which a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into places in REDCap where such HTML gets reflected back on a page that a user is viewing.

• Minor security fix: A Blind SQL Injection vulnerability was discovered on a page in the External Module Framework, in which a malicious user could potentially exploit it by manipulating the query string of certain HTTP requests utilized within that page.

• Minor security fix: All web links on REDCap pages that link to an external website and contain the target="_blank" attribute, which opens the website in a new browser tab, will automatically have the HTML tag attribute 'rel="noopener noreferrer"' added to the link's underlying HTML. This will occur automatically and invisibly for links either added by user input on forms/surveys or those that are hard-coded as part of REDCap itself. This will improve overall security to prevent the passing of referrer information from REDCap onto the third-party website.

• Bug fix: If a text field that has min/max validation is changed to another field type, such as a drop-down, in the Online Designer, it would mistakenly not nullify the min/max validation values for the field when saving it as a new field type, which would cause an error to be displayed when downloading the data dictionary and then re-uploading it. (Ticket #29422)

• Bug fix: When using Live Filters in a report, if any of the Live Filter fields have choices whose label contains HTML tags, it would mistakenly display the HTML tags inside the Live Filter drop-downs at the top of the report.

• Bug fix: The PHP function for validating URLs for certain outgoing HTTP calls from REDCap might mistakenly allow certain invalid URLs to pass the validation test.

• Bug fix: If a longitudinal project with repeating instruments or repeating events contains reports with report filter logic that references fields on both repeating and non-repeating instruments/events, in which the fields on repeating instruments/events do not have anything appended to them, such as a numeral instance designation or instance Smart Variable, then the report might return incorrect results *if a field in the logic exists on both repeating and non-repeating events in the project*. This appears only to occur if the report setting "Show data for all events or repeating instruments for each record returned" is left unchecked. (Ticket #79058)

• Bug fix: If using the Missing Data Codes feature in a project that also has Randomization enabled, it would mistakenly allow the missing data codes icon to appear next the randomization field on the data entry form. The missing data codes icon should never appear for the randomization field because it is not applicable there. (Ticket #79057)

• Bug fix: If the "Import Records" API method was called or if a user was saving a survey or data entry form that triggered the calculation of calc fields on other instruments/events, then the internal record list cache in the project would mistakenly get reset in the back-end database, thus forcing the cache to be rebuilt the next time a report, record dashboard, or record list was viewed in the project. This could cause unnecessary slowness for the project and possibly affect performance of the entire REDCap server in some cases.

• Bug fix: If a new data collection instrument is added to a production project that is currently in draft mode, in which the user has submitted some field/form changes to an administrator and is awaiting approval, it is mistakenly possible for the user to enable that instrument as a survey. Instead it should display a notice on the Survey Settings page that the instrument cannot be enabled as a survey until the project is no longer in draft mode (i.e., after the submitted changes have been approved). (Ticket #79192)

• Bug fix: When using iOS and entering data on a survey or data entry form, "number"-validated text fields would not enforce the client-side validation and would mistakenly allow non-numerical values to be entered. This has been fixed so that it will now display the number pad keyboard to allow only numbers and a dot decimal as an option. Note: If the field has "number (comma as decimal)" validation, then it will instead use the full QWERTY keyboard (this is a limitation of iOS) instead of the number pad keyboard. (Ticket #79317)

• Bug fix: In a longitudinal project, if an alert that has a field that is piped into the alert's message or subject, in which the field variable is not prepended with the unique event name, then when that alert gets triggered by saving a form/survey, it would mistakenly not pipe the field's value correctly unless the field's event's unique event name had been explicitly referenced by another field in the message text, subject text, or conditional logic.

Version 9.5.16 - (released 2/21/2020)

BUG FIXES AND OTHER CHANGES:

• Major bug fix: Surveys and data entry forms were mistakenly displaying the "errors exist" popup relating to branching logic errors in many situations.

Version 9.5.15 - (released 2/21/2020)

BUG FIXES AND OTHER CHANGES:

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on several pages, in which a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into places in REDCap where such HTML gets reflected back on a page that a user is viewing. This mostly involves the names/labels of data collection instruments.

• Major bug fix: A user with "No Access" Data Export privileges in a project would [correctly] neither be able to perform data exports nor access the Data Export Files tab in the File Repository, but if that user had been given the direct URL to download a specific archived data export file from the File Repository (i.e., exported by another user in the project at a previous time) or if they were simply guessing URLs through trial and error by modifying the "id" URL parameter for the "FileRepository/file_download.php" end-point, they would be able to successfully download that data file even though they have no data export privileges. Note: The user must have access to the project in order to do this. (Ticket #72652)

• Bug fix: If a user is piping a field that uses the BioPortal Ontology Service, and they're wanting to pipe the field's coded value and not the choice value, then adding ":value" to the variable name (e.g., [icd10:value]) would mistakenly return the choice label and not the coded value.

• Bug fix: On the CDIS Standalone Launch page, the "Go to projects" button would not work when clicked due to a JavaScript error. (Ticket #78558)

• Bug fix: If a user is suspended, the page displaying the notice that they are suspended when the user attempts to log in would mistakenly throw an invisible JavaScript error in the browser console. (Ticket #78850)

• Bug fix: In completed survey responses on a repeating survey, if there is somehow no Form Status value (in the back-end database) for the survey instrument or if its value was somehow set to "Incomplete" mistakenly (e.g., through direct database interaction via an external module), then if the current repeating instance of the survey that is being viewed is not the first instance, it would mistakenly set the value of the first instance of the survey to "Completed" whenever someone views the instrument/survey page.

• Bug fix: The word "Page" used to display the page number in PDFs of exported instruments was mistakenly hardcoded instead of coming from the language translation file. (Ticket #78771)

• Bug fix: If the @DEFAULT action tag is used on a field, then users would always receive the "save changes?" prompt when attempting to leave the form without clicking a Save button, even when no field values had been changed. Instead it should only display this prompt when the form has no data (i.e., has gray form status icon) and leaving the form. It should not display the prompt every time afterward. (Ticket #78807)

• Bug fix: When attempting to add a user via the User Rights page to a project that currently has no users, it would mistakenly return no user suggestions when typing the username in the text field. (Ticket #78929)

• Bug fix: When performing a data export of a report to a stats package, in which the first instrument in the project is a survey and the report is set to output all survey-related fields (e.g., completion timestamp), then if the record ID field is the first field in the report, the resulting syntax file for the stats package would mistakenly be missing the survey completion timestamp for the first instrument, thus causing the data not to load properly into the stats package.

• Bug fix: When using the dateRangeBegin parameter for the "Export Records" API method, if the dateRangeEnd was left blank or not included as a parameter in the API request, then the API would not function correctly and would mistakenly return no data in the API response.

• Bug fix: A third-party PHP library was using code that is deprecated in PHP 7.4. (Ticket #79001)

• Bug fix: If a field on a data entry form or survey has an @HIDDEN action tag and also has branching logic, then in certain cases the field might flicker (i.e., appear then disappear momentarily) when the page initially loads. (Ticket #78697)

Version 9.5.14 - (released 2/13/2020)

BUG FIXES AND OTHER CHANGES:

• Bug fix: When copy-and-pasting text from Microsoft Word (or similar products) into the rich text editor used throughout REDCap, the underlying HTML that is added to the rich text editor after the paste would be extremely bloated and superfluous. Additionally, for field labels on instruments, it could cause the text to become so long (although appearing to be normal length) that it might cause some text to be truncated when downloading->uploading the Data Dictionary. To prevent this issue, it now automatically removes a lot of the extra, hidden styling and unnecessary HTML when copy-and-pasting text into the rich text editor. (Ticket #77555)

• Bug fix: The pseudo user "site_admin" (which is only used as a default account when authentication is disabled) could mistakenly be added to a conversation in REDCap Messenger by a user. As a result, it might mistakenly send the administrators a notification email that the "site_admin" has unread messages in Messenger. Users will now no longer be able to find "site_admin" when searching for users to add to a Messenger conversation. (Ticket #78117)

• Bug fix: When running Data Quality rule A, B, or F for projects that are longitudinal and/or have repeating instruments/event, it might mistakenly run out of memory and return an error message to the user, even when the project doesn't appear to have a large amount of records.

• Bug fix: If the Secondary Unique Field (SUF) is used in a longitudinal project in which the value of the SUF is currently blank and then a data entry form or survey containing the field is saved where the field's value still remains blank, then if the SUF exists in events that currently do not have data (i.e., it has gray status icons for all forms in the event), then it would mistakenly save a blank value for the SUF in those empty events, thus causing their form status icon to be red instead of gray, which could be confusing to users.

• Bug fix: If a custom Data Quality rule has logic that contains a field from a repeating instrument in a non-longitudinal project, then it might mistakenly not find valid discrepancies that exist for that DQ rule in reference to data from repeating instruments.

• Bug fix: On the Project Setup page of a DDP-enabled or CDP-enabled project, the step to "Set up Dynamic Data Pull (DDP)"/"Set up Clinical Data Pull (CDP)" would have its progress icon mistakenly set to "Complete!" (big checkmark icon) when the project is in production status, regardless of whether the field mapping setup had actually been completed, which was confusing. It now can only be marked as "Complete!" if the user clicks the "I'm done!" button, which is how it has always behaved while in development status.

• Bug fix: When uploading a file or signature for a File Upload field on a repeating instrument or repeating event, in which record auto-numbering is enabled in the project, then the project's Logging page would mistakenly add an unnecessary "Created Record" event immediately before the "Uploaded Document" event in the logging history.

• Bug fix: If REDCap has two-factor authentication enabled and it is set to enforce 2FA only for certain IP addresses, it would mistakenly only support IPv4 changes and would not support IPv6. It now supports IPv6 ranges/subnet masks. (Ticket #77195)

• Bug fix: If users were using Internet Explorer 11 with Compatibility View enabled, it would get logged mistakenly as Internet Explorer 7 in the redcap_log_view database table.

• Bug fix: If a project has the Data Resolution Workflow enabled, and a user clicks the "Export" button on the Resolve Issues page in the project, the resulting CSV file would mistakenly have the text comments truncated in the First Update and Last Update columns. Those should be truncated on the webpage view but not in the CSV export file.

• Bug fix: If logic or calculations contain a checkbox field whose variable name ends with "min", "max", or "log", then it might cause the logic/calculation to be considered invalid or syntactically incorrect while being parsed, thus resulting in an error message in many places. (Ticket #78083)

• Bug fix: In the API Playground, the "csvDelimiter" parameter was mistakenly missing as a drop-down in the user interface for the API methods "Export Records" and "Export Reports". (Ticket #77754)

• Bug fix: When viewing the "Stats & Charts" page for a user-defined report (i.e., not report A or B) that has filter logic defined, the "missing" count displayed in the descriptive stats table for a given field might mistakenly be incorrect if the report is displaying fields from a repeating instrument or repeating event. (Ticket #77050)

Version 9.5.13 - (released 2/6/2020)

BUG FIXES AND OTHER CHANGES:

• Bug fix: The logic parsing algorithms in REDCap might mistakenly fail and not return accurate results when the logic contains an empty/blank value (represented as two quotes/apostrophes) on either side of an "=" operator or an "<>" operator, such as ' ""<>"" ' or ' ""=1 '. While such logic is less likely to be entered in this form by a user, some logic could end up in this form prior to parsing after certain Smart Variables in the logic are replaced by literal values during the logic-processing phase. This means that logic used in certain Data Quality rules or report filter logic, among other places, might not behave accurately. Bug emerged in REDCap 9.5.11 (LTS) and 9.7.0 (Standard).

• Bug fix: Users could mistakenly access the Online Designer and Data Dictionary pages in an Inactive project and thus could make field changes, which should only be allowed while in Development or Production status. (Ticket #66286)

• Bug fix: If an administrator is processing a "Delete Project" user request for a production project, then it might mistakenly not display the "Delete Project" prompt when loading the project's Other Functionality page while processing the request.

• Bug fix: If a field on a form or survey has the @DEFAULT action tag, and that same field has its value being piped into somewhere else on the same page, then when the form/survey is initially loaded with no data saved for it yet (i.e., has gray status icon), the piping of the default value would mistakenly not occur when the page is initially loaded but only after the field's value is modified while on that page.

• Bug fix: If using Table-based authentication, and a user was somehow added to a project even though the user has not yet had a REDCap user account created for them, then when attempting to delete the user from the project or modify their user rights, it would always return an erroneous error message, which prevents the user from being modified or deleted from the project.

Version 9.5.12 - (released 2/4/2020)

BUG FIXES AND OTHER CHANGES:

• Medium security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on many pages, in which a malicious user (who must be logged in) could potentially exploit it by adding some very specific, malformed HTML tags with certain attributes into places in REDCap where such HTML gets reflected back on a page that a user is viewing. This includes field labels, field choice labels, survey instructions, etc. on data entry forms and surveys, as well as other places throughout REDCap where user input is displayed on a webpage.

• Bug fix: There is a small chance that a cron job might have multiple simultaneous instances running of the job when there should only ever be one instance of it running. This mostly applies to External Module cron jobs since most internal cron jobs in REDCap have built-in ways of preventing issues with this.

• Bug fix: Nine "Laboratory" fields and their associated LOINC codes were mistakenly missing from the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: When using the operators "&&" and "||" in place of "and" and "or", respectively, in report filtering logic, it would mistakenly fail to filter the report correctly. Bug emerged in the previous version. (Ticket #77738)

• Bug fix: Reports were loading unexpectedly slowly in certain cases where report logic was being used when data from repeating instruments/events were being displayed in the report.

• Bug fix: Reports that contained the record ID field and also contained fields from repeating instruments/events were mistakenly displaying blank rows in the report (i.e., all fields in the row were blank *except* for the record ID field) if the report contained filtering logic that evaluated as TRUE on the first repeating instance. If the filtering logic did not evaluate as TRUE on the first repeating instance (but perhaps on other repeating instances), the blank row would not be displayed, as expected.

• Bug fix: When creating a new project using a super API token via the Create Project API method using a Project XML file, it would mistakenly output some junk code in the API response that was only meant for debugging purposes. (Ticket #77798)

• Bug fix: When using a logic tester to validate if logic has correct syntax (e.g., when creating a Data Quality Rule, adding report filter logic), if the logic contained certain Smart Variables, it would mistakenly say that the logic is not correct syntax when it actually is correct. (Ticket #77741)

• Bug fix: When using certain Smart Variables inside the the Custom Label for Repeating Instruments, it might mistakenly replace the Smart Variable with a blank value rather than the correct value when displaying the custom label in the repeating instrument tables on the Record Home Page and in the drop-down of repeating instances at the top of data entry forms. (Ticket #77575)

• Bug fix: If any Automated Survey Invitations get triggered via the ASI DataDiff cron job (because an ASI has conditional logic that contains datediff+today/now) in a longitudinal project, then invitations might not get successfully scheduled if the conditional logic refers to a field on an event for which its instrument has not been designated. For example, if we have logic such as "[event1][field1] = '2'", and field1's instrument is not designated for event1, then invitations would never get scheduled by the ASI datediff cron job when attempting to process this logic. (Ticket #77812)

Version 9.5.11 - (released 1/31/2020)

BUG FIXES AND OTHER CHANGES:

• Bug fix: When putting the cursor in the Variable Name text box in the Edit Field dialog in the Online Designer, if the variable name is longer than 26 characters and the project is currently in production status in Draft Mode, it might mistakenly pile several different dialogs on top of each other and make it impossible to close them all. This is often exacerbated if clicking the "X" icon or Escape key when attempting to close the dialogs. (Ticket #75072)

• Bug fix: It might mistakenly report an error that the "database structure is incorrect" in the Control Center or on the Configuration Check page when in fact the database structure is correct. And if the "Easy Upgrade" feature is enabled, the "Auto-Fix" option would fail if attempted. This issue is due to a previous fix that was meant to address idiosyncrasies in MySQL 8.0 but did not fully, and in fact the previous fix caused issues with installations that were not running MySQL 8.0. So this should now fix the issue on all versions of MySQL where these errors are occurring. (Ticket #76872)

• Bug fix: If using the Clinical Data Pull in a project, and the setting “Convert source system timestamps from GMT to local server time?” is set to “Yes” on the Clinical Data Interoperability Services page in the Control Center, then if a user in the project is adjudicating data values, in which a single temporal value (i.e., Labs or Vitals) is displayed on multiple fields/events within the adjudication popup for that record, then that value’s associated timestamp would mistakenly get shifted by the same amount (e.g., by 6 hours if in Central Time) for *every* time that value is displayed in the popup. Thus the timestamp value would be incorrect for every place where it is displayed in the popup except for the first one. Note: This issue does not affect the data value being imported at all.

• Bug fix: When viewing the Project Modification Module for a production project in Draft Mode, it might mistakenly display false positives for field changes as if some fields are being modified when in fact they are not. This can happen if the old field attributes and new field attributes are the same except that one has Windows newline characters (which represent line breaks in text) and the other has Linux newline characters, or vice versa. So the text looks the same on the page, but REDCap thinks they are different and thus flags them as yellow on the page. When comparing them, it no longer pays attention to what type of newline character is being used. (Ticket #76811)

• Bug fix: If a field's branching logic contained the datediff() function with a literal date (e.g., "01-01-2020") as one of the first two parameters in the function, in which the date value was either in MDY or DMY date format, then certain server-side logic-parsing operations (e.g., Data Quality rule A and B, the use of branching logic in downloaded PDFs) would fail to work correctly.

• Bug fix: Data Quality rule F would use a bit too much web server memory while processing. (Ticket #77606)

• Bug fix: If exporting a report to a stats package (SAS, SPSS, R, Stata) in which the first instrument in the project is enabled as a survey and the record ID field is the only field from the first instrument that is included in the report, then the resulting syntax file for the stats package would mistakenly reference the survey timestamp field of the first instrument, and since that timestamp field would not be included in the CSV data file in the export, it would cause errors to occur when loading the exported data into the stats package. (Ticket #77574)

Version 9.5.10 - (released 1/28/2020)

BUG FIXES AND OTHER CHANGES:

• Bug fix/change: Email Alerts converter has been removed - The Email Alerts external module has diverged from Alerts & Notifications in both its feature set and its back-end storage structure to the point where the option to convert alerts from the Email Alerts module into Alerts & Notifications is no longer a viable or reliable option, and in some cases the converter has caused major issues on some installations by not successfully converting alerts correctly. To prevent further damage, the EA->A&N converter will be removed from the user interface (it exists as a green button at the top right of the "Configure Email Alerts" page, which opens a dialog popup). This change will not in any way affect the functionality of the Email Alerts external module or the Alerts & Notifications feature, and they will both continue to function and exist separately with no conflict to each other. NOTE: This fix/change is only relevant if you have the Email Alerts external module installed on your REDCap system. REVERTING BACK: If for some reason you want to expose the EA->A&N converter feature to use it again, you may execute the following SQL query on the MySQL database, after which the green converter button will appear again in all projects where the Email Alerts module has been enabled: UPDATE redcap_config SET value = '1' WHERE field_name = 'email_alerts_converter_enabled'; WARNING: Please be aware that no guarantee is given regarding the success of the EA->A&N converter if you choose to re-enable it and use it. It is HIGHLY recommended that you leave it disabled.

• Bug fix: Certain types of cookies created by REDCap were not getting stored correctly in a user's browser if the “session.cookie_secure” setting is set to “On” in the server’s PHP.INI configuration file while using a version of PHP lower than PHP 7.3.0. For example, this would likely prevent the Google reCAPTCHA feature from working successfully on public surveys, thus preventing survey participants from taking those surveys. This bug emerged in the previous release.

• Bug fix: When a user adds a full REDCap survey link (as opposed to using the [survey-link] smart variable) into the rich text editor when composing a survey invitation (i.e., in the "Compose Survey Invitations" popup or "Automated Survey Invitations" popup), the warning dialog that suggests to remove the hard-coded survey link would mistakenly get displayed multiple times on top of itself, thus making it impossible for the user to actually close them all and forcing the user to refresh the page. (Ticket #77086)

Version 9.5.9 - (released 1/27/2020)

BUG FIXES AND OTHER CHANGES:

• Bug fix: If running REDCap on MySQL 8.0, it might mistakenly report an error that the "database structure is incorrect" in the Control Center or on the Configuration Check page when in fact the database structure is correct. This is due to the ZEROFILL attribute for numeric field types that exist in MySQL 8.0. Note: This issue was thought to have been fixed in the previous release but was not. (Ticket #76872)

• Bug fix: The project templates created during a fresh install of REDCap contained fields that mistakenly conflated the concepts of sex and gender (e.g., having "Gender" as the field label with "sex" as the variable name) and often did not provide enough inclusive options as choices. These fields in the project templates have thus been modified.

• Bug fix: When viewing a project's Logging page and the text displayed in the last table column is very long with no spaces, it might mistakenly overflow out of the table and sometimes off the page.

• Due to changes in the default cookie settings in the Google Chrome browser (in Chrome v80 and later), any REDCap pages embedded on another website (via iframe) might mistakenly not be able to start an authenticated session successfully when logging in to REDCap. This may also affect surveys' ability to collect some data and behave correctly if the survey page is embedded on another website. REDCap now manually sets the cookie "SameSite" attribute with the value "None" by default in all compatible web browsers for all cookies generated by PHP in REDCap. Note: This is only applicable for REDCap installations using SSL/HTTPS that have the setting “session.cookie_secure” set to “On” in the server’s PHP.INI configuration file. If session.cookie_secure is not set to On, then the SameSite cookie attribute will not be added by REDCap.

• Bug fix: The main Notifications page in the Control Center and the Configuration Check page might not load completely if using PHP 5.5 or 5.6. Bug emerged in the previous REDCap version.

• Bug fix: A couple words were mistakenly not translated on Copy Project page. (Ticket #77083)

• Bug fix: If a user has clicked the "Request delete project" button on the "Other Functionality" page in a production project, after which they then click the "Cancel request" button to cancel that project-deletion request, then an administrator who is processing user requests via email notifications (as opposed to via the To-Do List) might not realize that the request was cancelled and thus might process the request and mistakenly delete the user's project unwittingly.

Version 9.5.8 - (released 1/21/2020)

BUG FIXES AND OTHER CHANGES:

• Bug fix: The Survey Confirmation Email feature might mistakenly display too many line breaks in the email text when viewing it on the Survey Settings page for an instrument or when viewing the received confirmation email in an email client.

• Bug fix: When importing data via API or Data Import Tool, it would mistakenly output a bunch of seemingly random text (e.g., "redcap_repeat_instrument, $repeat_instrument: ...") that was only meant for debugging purposes.

• Bug fix: If running REDCap on MySQL 8.0, it might mistakenly report an error that the "database structure is incorrect" in the Control Center or on the Configuration Check page when in fact the database structure is correct. This is due to the ZEROFILL attribute for numeric field types that exist in MySQL 8.0. (Ticket #76768)

• Bug fix: If the setting "Auto-suspend users after period of inactivity" is enabled, and some users who are suspended have not had any activity within the designated period of inactivity, then if the user has a sponsor and the user's sponsor puts in a request to have them unsuspended, the user would mistakenly get re-suspended within a day. (Ticket #58909)

• Bug fix: When clicking the "Cancel" button on a data entry form, it would mistakenly display the alert "Are you sure you wish to CANCEL and lose all changes made on this page?" when no values had actually changed on the page, which could be confusing to users. It now only displays the alerts when values have been added or modified. (Ticket #76818)

• Bug fix: When using Missing Data Codes in a project where a field in the project has the same value as a missing data code but has the @NOMISSING action tag, it would mistakenly interpret the field value as a missing data code in the following places: 1) the Data History popup on a data entry form, and 2) in the CSV Labels data export file. (Ticket #76813)

• Bug fix: When using Missing Data Codes in a project, if a file has been uploaded for a File Upload field and then a user clicks the "M" icon next to the field to open the missing data code choices, if they then click "[Clear value]", it would mistakenly hide the filename of the existing uploaded file, even though the user might choose to cancel the operation and not delete the file. This could be confusing to the user since it is hiding the file's filename prematurely in the process of entering a missing data code, thus making it appear as if perhaps the file has been deleted when in fact it has not. (Ticket #76810)

Version 9.5.7 - (released 1/20/2020)

BUG FIXES AND OTHER CHANGES:

• Major security fix: An “information leakage” security vulnerability was discovered, in which a malicious user could exploit it by manipulating the URL’s query string parameters for certain paths used to access External Module pages. This is not related to any specific External Module but is a vulnerability in the External Module Framework bundled with REDCap. The user could potentially access the contents of any plain-text files (excluding PHP files) that exist on the REDCap web server, including files that sit outside the server’s web root, which could include files with sensitive information. Note: In order to exploit this, the user must be a valid user that is currently logged in. This exploit is not able to reveal the contents of any PHP files on the server but other plain-text files instead, such as files with file extensions TXT, JSON, XML, or YAML. And in order to view the contents of a file, the malicious user must first know or guess the exact filename *and* directory location of the file on the server.

• Bug fix: External Modules could not be enabled if the user was using Internet Explorer. (Ticket #76276)

• Bug fix: When exporting data into SAS, it would result in errors upon loading into SAS for datetime fields if Missing Data Codes are not utilized in the project.

• Bug fix: When exporting data into SAS, it would mistakenly not apply choice label formats onto multiple choice values when loading into SAS.

• Bug fix: If a REDCap plugin, hook, or external module is calling REDCap::saveData() from outside the scope of the project in which it is saving the data, then if any Automated Survey Invitations in the project have conditional logic, then those ASIs might not get triggered successfully because in most cases the logic will never evaluate to TRUE. (Ticket #75607)

• Bug fix: When clicking the table header for a date or datetime field in a report, in which the dates/datetimes are in either MDY or DMY date format, it would mistakenly not sort the values correctly in the report. (Ticket #76377)

• Bug fix: If the Survey Confirmation Email setting has been enabled at the bottom of the Survey Settings page for a data collection instrument, and then a user disables it by setting its drop-down value to "No" and then saves the page, then even though the setting does get properly disabled upon save, if a user re-opens the Survey Settings page again later, it would mistakenly display the Survey Confirmation Email setting as still being enabled - even though it is not. (Ticket #76354)

• Bug fix: If the User Settings option "Allow normal users to move projects to production?" is set to "No, only Administrators can move projects to production," and email notifications are enabled for administrators to receive these user requests via email, then if a user requests that a project be moved to production but then cancels their own request on the Project Setup page, an administrator could still move the project to production afterward if they click the link received in the email (however, this could not be done via the To-Do List interface). This could cause some projects to have all their data mistakenly deleted if the requesting user clicked the wrong option in the "move to production" dialog and didn't notify the admin immediately afterward so that the admin would not approve their request. From now on, if the admin clicks the link in the email and the user has already cancelled the request, it will display an error to the admin and prevent them from approving the deleted request. (Ticket #76068)

• Bug fix: When executing a custom Data Quality rule in a longitudinal project, in which the rule's logic references fields on multiple events, in certain scenarios it might mistakenly display a false positive discrepancy from another unrelated event that is not referenced in the logic. (Ticket #76090)

• Bug fix: When viewing a project's Calendar page, the Agenda tab might mistakenly display "No calendar events to display" even though one calendar event is being displayed.

• Bug fix: When accessing the "Help & FAQ" page via the top nav bar on the My Projects page and Control Center pages, the search box at the top of the "Help & FAQ" page would be mostly obscured when initially loading the page, thus making it unusable until you scrolled down the page some to reveal it.

• Bug fix: The email Display Name will no longer be utilized for the "REDCap access granted" emails and "Verify your email address" emails that are sent to users from REDCap because the Display Name for these particular emails were causing them to get disproportionately flagged as spam by many institutions' email servers, thus preventing users from receiving them. (Ticket #75941)

• Bug fix: When using the CSV import functionality for the field mapping page of the Clinical Data Pull (CDP) feature, it would mistakenly not allow composite mapping of fields (i.e., many-to-one or one-to-many mapping) and thus might ignore some field mappings included in the CSV import file.

• Bug fix: If data had been entered into multiple instances of a repeating instrument or repeating event and then that instrument or event was later set to no longer be repeating (while there still exist other repeating instruments/events in the project), then the orphaned data from the repeating instances might mistakenly get included and displayed in reports or data exports. And in some cases, this orphaned data might cause Data Quality rule H to behave erratically, such as stating that there are some discrepancies to fix, but after clicking the button to auto-fix them, it would say that "0" were fixed.

• Bug fix: For many popup dialogs whose content is obtained from an AJAX call that returns a JSON-encoded payload, there are some cases where the popup might fail to open if there are certain non-Latin/UTF-8 characters in the text that will be displayed in the popup (e.g., Field Comments dialog, Survey Login dialog, Survey Queue Setup dialog, Edit Matrix Fields dialog). A new process has been added to most of these places to ensure that at least some of the content gets displayed in the dialog popup rather than never being able to open the dialog at all. (Ticket #76619)

• Bug fix: If an alert has been created in which its content/message contains one or more Smart Variables that allow you to provide custom text, such as survey-link, form-link, and survey-queue-link (e.g., [survey-link:prescreening:My Custom Text]), then if the Smart Variable's custom text contains a forward slash "/", then it would mistakenly prevent the alert's notification from being sent.

• Bug fix: If Missing Data Codes are enabled in a project, then the Missing Data Codes "M" icon on a data entry form would mistakenly be displayed and would function even when the entire form is disabled due to limited user rights or if viewing an un-editable survey response. Note: Clicking an option in the Missing Data Codes popup would change the value of the associated field, but since there would be no way to save that value, it would never affect any data. (Ticket #76688)

• Bug fix: When a user requests changes in a production project, the display name for the "Review & Approve Project Changes" email sent to the REDCap admin gets set to the project contact name instead of the user's first and last name. (Ticket #76685)

• Bug fix: If exporting a report in JSON format via the REDCap API, in which the report has filter logic defined and contains many thousands of records that will be returned, the beginning of the JSON string returned in the API response might mistakenly get malformed and begin with "[,{" instead of "[{". (Ticket #76602)

• Bug fix: When importing data via the API in "EAV" format for a repeating instrument or repeating event, many of the normal checks that ensure that the fields "redcap_repeat_instrument" and "redcap_repeat_instance" have valid values where mistakenly getting bypassed and thus not performing all the necessary checks to ensure the best data quality during the import. For example, importing a field on a repeating instrument but leaving the "redcap_repeat_instance" field blank would not return an error but would instead assume the value is "1", which should not be assumed. (Ticket #75854)

Version 9.5.6 - (released 1/9/2020)

BUG FIXES & OTHER CHANGES:

• Minor security fix: REDCap now automatically removes the "X-Powered-By" response header produced by the REDCap server so that it doesn't reveal the server's PHP version (the default behavior), which is considered to be a minor security issue.

• Bug fix: If the record ID field has min/max validation, it would mistakenly prevent records from being created on the "Add/Edit Records" page and "Record Status Dashboard" if a record ID was entered in the correct format but whose value was out of range. It should allow the creation of the record even when out of range. (Ticket #60352)

• Bug fix: If any Alerts & Notifications get triggered via the Alerts DataDiff cron job (because an alert has conditional logic that contains datediff+today/now), then it might not perform all piping correctly if any field variables are piped into the email subject, email content, or are used for recipients or attachments.

• Bug fix: If an alert is set to be triggered "Using conditional logic during a data import or data entry" and is set to send "Just once", then if the conditional logic has become true when importing or entering data for a repeating instrument, it would mistakenly keep sending a new notification every time the record is saved (assuming the logic is still true). Instead it should only send it once (per repeating instance).

• Bug fix: If any Alerts & Notifications get triggered via the Alerts DataDiff cron job (because an alert has conditional logic that contains datediff+today/now), then they might mistakenly only get scheduled once per record rather than for all events and all repeating instances within a given record. Warning: This fix might inadvertently cause the cron job to schedule/send any alerts that were supposed to have been scheduled/sent in the past but mistakenly were not sent because of this bug. There is unfortunately no way to prevent this.

• Bug fix: When attempting to change the version of an External Module while using Firefox, it would mistakenly fail due to a JavaScript error. (Ticket #76009)

• Bug fix: The act of deleting a custom record status dashboard would mistakenly not get logged on the project's Logging page.

• Bug fix: When exporting data into SAS, it would result in errors upon loading into SAS for multiple choice fields that contain only numerical codings (including True/False, Yes/No, and form complete status fields) and also for number/integer fields, but only if Missing Data Codes are not utilized in the project.

• Bug fix: Some CSS (i.e., affecting "a.btn") was added to REDCap's styling in a recent version that was mistakenly overriding some Bootstrap CSS, which might negatively affect some REDCap plugins, hooks, or modules. (Ticket #75943)

• Bug fix: If the setting "Domain whitelist for user email addresses" is enabled and Table-based authentication is being used, then the "Set Up Password Recovery Question" popup would mistakenly fail to enforce the domain whitelist if a user attempts to modify their primary email address in that popup. (Ticket #75990)

• Bug fix: For users with visual impairments that are using screen reader software on survey pages, there are certain conditions, such as if the Text-To-Speech feature is enabled on that survey, where screen readers might not be able to interpret all the labels on the page correctly.

• Bug fix: When viewing a project's Logging page using Internet Explorer or Edge browser, if the username is long as displayed in the logging table, it might cause some of the columns in the table to overflow onto each other, thus making them nearly unreadable. (Ticket #76109)

• Bug fix: False positives may appear as discrepancies when running Data Quality rule F in a longitudinal project when fields have branching logic that does not have a unique event name explicitly prepended to all field variables in the logic. (Ticket #66789)

• Bug fix: When attempting to add a new user on the User Rights page in a project, if a user being searched for has a first or last name that contains undecipherable/mangled characters, then it would fail to return any users in the auto-suggest list as the user types the user's username. (Ticket #76053)

Version 9.5.32 (released on 2020-06-19)

CHANGES IN THIS VERSION:

• Bug fix: If using the HTML tags OL or UL inside the choice label of a radio button or checkbox field, the labels might mistakenly overlap on top of the bullets and make them hard to read.

• Bug fix: When viewing the Sponsor Dashboard page, if the user is a sponsor of many users, then when the page is scrolled downward, the table header would mistakenly get obstructed and covered by the top navbar.

• Bug fix: If a survey title contained HTML tags, those tags would mistakenly get displayed as escaped characters in the Survey Queue setup dialog and on a record's Survey Queue page.

• Bug fix: When an administrator is resetting the password of a Table-based user's account on the Browse Users page, it would mistakenly send the email with the From as the admin's name/email when it should instead send it with the From as the general administrator name and email address that is defined for the system.

• Bug fix: When adding users to a project using the API Import Users method, the format of the usernames were mistakenly not being checked and thus would allow usernames containing invalid characters to be added to projects.

• Bug fix: When using the Clinical Data Pull (CDP) module when launching the REDCap window from inside the EHR user interface, it would mistakenly crash with a fatal PHP error. (Ticket #86644)

• Bug fix: When using Twilio telephony services for surveys, in which the default invitation preference for new survey participants has been set to a value other than "Email", when new records are created in the project specifically via the API Import Records method, those participant's invitation preference in the Participant List would mistakenly not get set to the correct value but would always get set to "Email". Note: If importing data via the Data Import Tool, the invitation preference would get set correctly. (Ticket #86673)

• Bug fix: If the Save & Return Later feature has been enabled on a survey but participants are not allowed to return once they have completed the survey, then there is a scenario in which a participant could mistakenly erase all their survey responses after having completed the survey. If they partially complete the survey and then return back to the survey page, in which it asks them to either enter their Return Code or erase all their responses and start over, if that page is opened twice in two different browser tabs, and then the participant completes the survey in one tab and then later views the other tab and clicks the "Start Over" button, it would mistakenly erase all their responses, even though they should not be able to modify their responses after having completed the survey.

• Bug fix: When an alert has the option "Using conditional logic during a data import or data entry" selected in Step 1 in the "Edit Alert" dialog, in which the alert's conditional logic contains the datediff() function with "now" or "today" as a parameter, if the project is longitudinal and the logic also explicitly references a field in a specific event (i.e., has the unique event name prepended to the field variable), if that particular event being specified has no data in it, then the logic would mistakenly not get evaluated correctly, and the alert would not get triggered/scheduled correctly by the "AlertsNotificationsDatediffChecker" cron job. (Ticket #86689)

Version 9.5.31 (released on 2020-06-11)

CHANGES IN THIS VERSION:

• Bug fix: If a hyperlink is used inside a field label or section header text for a field on a survey or data entry form, in which the hyperlink is merely an anchor link to point to another place on the current page, then in some cases clicking the link would mistakenly prompt the "Save your changes?" dialog to be displayed unnecessarily if data had been added/modified on the page. (Ticket #85880)

• Bug fix: When the survey option "Allow survey respondents to view aggregate survey results after completing the survey?" is enabled on a public survey and a respondent completes the public survey, it would mistakenly not display the button to allow the respondent to view the aggregate survey results. Bug emerged in REDCap 9.10.0 Standard and 9.5.28 LTS.

• Bug fix: The API method "Export a Survey Queue Link" would mistakenly fail with a fatal error. Bug emerged in REDCap 10.0.1 Standard and 9.5.30 LTS. (Ticket #86155)

• Bug fix: If using the HTML tags OL or UL inside the choice label of a radio button or checkbox field, the labels might mistakenly overlap on top of the bullets and make them hard to read.

• Bug fix: When using the Twilio telephony services for surveys in a project, if the "SMS Conversation" option has not been enabled in the project but a participant mistakenly replies back to an SMS they received from REDCap, it would begin the survey as if using the "SMS Conversation" option, which is incorrect. In this case, it now will reply back to them with an SMS saying "Auto-Reply: This SMS phone number is not monitored". (Ticket #61331)

• Bug fix: When the Save & Return Later option for a survey has been disabled but somehow a user has enabled the sub-option to "Allow respondents to return without needing a return code" for the survey, it would create a scenario via the Survey Queue in which the survey participant might be able to return to the survey even with Save & Return Later having been disabled. (Ticket #85891)

• Bug fix: In some very specific cases when an External Module is calling the REDCap::evaluateLogic() method in a repeating event context, it might not mistakenly parse the logic correctly if the logic contains a stand-alone [X-instance] Smart Variable (i.e., when it is not appended to a field variable). (Ticket #85914)

• Bug fix: When executing Data Quality rule E ("Outliers for numerical fields") for a project that has Missing Data Codes defined, it might mistakenly return discrepancies for records that have a numerical Missing Data Code. It should instead be ignoring Missing Data Code values in this DQ rule. (Ticket #85991)

Version 9.5.30 (released on 2020-06-05)

CHANGES IN THIS VERSION:

• Bug fix: If two users load the same data entry form in a project (i.e., same record, event, instrument, instance), in which one of the users has clicked the plus/minus icon on the left-hand menu to collapse/uncollapse a menu section after loading the form, it would mistakenly not display the Simultaneous User Prevention warning and thus would allow both users to have edit access on that from. (Ticket #85305)

• Bug fix: For certain screen widths, the search box displayed above a report might mistakenly be displayed too far to the right on the page. (Ticket #85415)

• Bug fix: When updating third-party packages for bug fixes in a previous REDCap release, the sabre/uri package was updated to the latest version, which supports only PHP 7.1+. The package has been downgraded in REDCap to support PHP 5.5, 5.6, and 7.0 again. (Ticket #85523)

• Bug fix: The database query used to generate the list of a record's repeating instances for a given instrument was not correctly optimized and was causing major performance issues for certain projects on certain installations. (Ticket #84936)

• Bug fix: When a Yes-No or True-False field is piped into an Alert's email subject or message text, in which the alert is set to be sent after a delay (not immediately) and/or on a recurring schedule, then the value of the Yes-No or True-False field would fail to be piped into the text and instead would be replaced with 6 underscores as if the value did not exist.

• Bug fix: Reports that are very wide and very tall would have the fixed headers and fixed first column behavior automatically employed on the report table, but often times the scrollable width of the resulting table would be too wide and would run off the page, thus causing the user to have to scroll the main viewport first and then scroll the table second. It now tries to ensure that the scrollable table itself will fit on the page so that only one instance of horizontal scrolling is required.

• Bug fix: The Easter Egg functionality of appending ""&__display_errors=1" to the URL in order to force output a PHP error onto the webpage has now been removed for all cases except for authenticated REDCap administrators because it is a potential security issue.

• Bug fix: Nearly 200 Laboratory and Vital Signs fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: When using the Smart Variable [survey-queue-link] in a context where the current record does not yet exist (e.g., on the first page of a public survey), it would mistakenly return a URL that might not actually be associated with the record after the record has been created. Instead it now returns a blank value if the record does not yet exist. (Ticket #85602)

• Bug fix: The REDCap hook named "redcap_survey_complete" would get mistakenly called when a survey participant would attempt to return to a completed survey that has the "Save & Return Later" option enabled when the sub-option is enabled to allow respondents to return without needing a return code - i.e., when it displays the message "Thank you for your interest, but you have already completed this survey". (Ticket #80109)

Version 9.5.29 (released on 2020-05-29)

CHANGES IN THIS VERSION:

• Bug fix: Report B would return incomplete returns when viewed on a webpage (but not when exported) under certain conditions, especially if the project is longitudinal. (Ticket #84937)

• Bug fix: When piping data into a drop-down field on a survey or data entry form that is a repeating instrument or exists on a repeating event, although piping would occur correctly when initially loading the page (using saved values), it would mistakenly not perform real-time piping on the page as fields were modified if those modified fields' values were being piped into drop-down fields on that same page. (Ticket #84951)

• Bug fix: When the Double Data Entry module is enabled in a project, the Current Users table on the Project Home page might mistakenly get partially covered by the Project Statistics table. (Ticket #84903)

• Bug fix: When setting a Missing Data Code for a field, it would mistakenly hide all buttons in that row instead of only the Today/Now button for date/datetime fields. (Ticket #84909)

• Bug fix: When composing multiple batches of survey invitations on the Participant List page without refreshing the page in between batches and the user uses their mouse to highlight the existing email body text and then pastes new text using Ctrl-V into the email body without typing on the keyboard while the cursor is inside the email body text box, then the new pasted text might mistakenly not be used in that batch of invitations being sent, but instead it would send invitations using the default email body text. (Ticket #84351)

• Bug fix: When executing a custom Data Quality rule that has logic containing fields from both repeating and non-repeating contexts, in some cases the hyperlink for the data value displayed in the discrepancy dialog popup might mistakenly be pointing to a repeating context (e.g., URL contains "&instance=??") even though the field does not exist on a repeating instrument or repeating event. (Ticket #84934)

• Bug fix: The left-hand instrument menu in a project would mistakenly denote the maximum instance number of a repeating instrument rather than the total count of repeating instances, which can be confusing to users if some instances had been deleted after having been created. If the total count of repeating instances does not match the maximum instance number, then it will now display "max: X, total: Y" next to the instrument name to provide this distinction. Also, the "plus" icon next to a repeating instrument on the left-hand menu would mistakenly not appear if the first instance of the instrument had been deleted (this would occur when viewing the left-hand menu while on another instrument). Additionally, if a repeating instrument had its first repeating instance deleted, the form link on the left-hand menu would still mistakenly point to the first instance by default, which is not intuitive. It now points to the lowest existing instance of that instrument as the default. (Ticket #84943)

• Bug fix: The note "You may use HTML formatting in the email message..." was mistakenly still being displayed below the rich text editors when composing survey invitations in various places in a project. That note no longer makes sense now that the rich text editor must be used in these places, so the note has been removed.

• Bug fix: In some situations where a data entry form or survey is being submitted after an External Module has relocated some fields on the page (e.g., Shazam), it may prevent the page from being saved successfully due to a JavaScript error. (Ticket #47120)

• Bug fix: The color picker popup used for Project Folders and for Survey Themes would not be displayed correctly after being opened, so the preset color palette of squares in the color picker had to be removed since they could not otherwise be fixed.

• Bug fix: When using Missing Data Codes in a project and a radio button or checkbox field has been assigned a missing data code for a given record, and then the user clicks one of the seemingly disabled choices of the field and then clicks Save, it would mistakenly change the value of the field to the choice that was clicked, even though it did not appear as if the field's value changed prior to saving it. (Ticket #85220)

Version 9.5.28 (released on 2020-05-21)

CHANGES IN THIS VERSION:

• Major bug fix: When submitting a one-page public survey, in some specific scenarios after completing the survey, a participant could incidentally cause the survey to get resubmitted (minutes, hours, or even days later), thus creating a duplicate record in the project. This appears to occur mostly for certain mobile devices, in which returning to a tab containing the completed survey might mistakenly cause the survey to get resubmitted somehow. (Ticket #75626)

• Bug fix: When using the Clinical Data Pull feature and viewing the embedded REDCap page in an EHR user interface, it would mistakenly display some escaped HTML on the page. (Ticket #84422)

• Bug fix: When uploading an MP3 audio file to be embedded in a Descriptive field on a survey page or data entry form, it might mistakenly not play in Internet Explorer.

• Bug fix: Seven Laboratory fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: If a project is longitudinal and has either repeating instruments or repeating events, in which a field exists on both a non-repeating event/instrument and on a repeating event/instrument, then if that field is used as a report filter, the report might mistakenly return partially incorrect results. Part of this issue was caused by another fix in REDCap 9.9.1 Standard and 9.5.26 LTS, and the other part is a longer-standing issue caused by difficulty in parsing logic referencing different repeating and non-repeating contexts. (Ticket #84330)

• Bug fix: For longitudinal projects, the project Logging page would mistakenly display the name of the first event next to the record name for logged events related to Data Access Group assignments for records. It should not display the event name because assigning DAGs is performed at the record level and not at the event level, so displaying the event name for the logged event is misleading.

• Bug fix: The cron job to routinely reset the record list cache for all active projects was mistakenly not resetting the cache as often as it should.

• Bug fix: If a calculated field's equation contains certain Smart Variables (e.g., [project-id]), when saving the calc field in the Online Designer, it would note that it is syntactically incorrect, which is untrue. (Ticket #84524)

• Bug fix: When importing an instrument from the REDCap Shared Library, in which the instrument contains a checkbox field that is used in branching logic or in calculations in the imported instrument, and also that checkbox field's variable name already exists in the project as an existing variable, then when the variable is being automatically renamed during the instrument import process to prevent a conflict with the existing variable, it would mistakenly fail to perform the renaming successfully for checkbox fields, which require a slightly different syntax when being referenced in calc fields and branching logic.

• Bug fix: In the Required Fields dialog on data entry forms and surveys, one of the buttons mistakenly did not have its language abstracted for translation. (Ticket #81638)

• Bug fix: When exporting data to SAS while using Missing Data Codes in a project, if any fields contain the @NOMISSING action tag, such fields would mistakenly not be made exempt from the Missing Data Codes when importing the data into SAS. (Ticket #83910)

• Change: When exporting data to SAS, the line "OPTIONS nofmterr;" is now added to the SAS script to prevent any formatting issues from throwing fatal errors.

• Bug fix: When rendering a report or performing a data export in which the report contains some report filters, some extra processing was being done unnecessarily that was making the report slower than it should have been. This unnecessary code was removed, which now makes reports load faster (up to 2x faster in some cases) for reports with report filters.

• Bug fix: When a project that has record auto-numbering enabled exceeds 25,000 records in the project, then the text input field that is displayed (in lieu of a drop-down list) on the Add/Edit Records page would mistakenly allow users to free-form type a new record name that might not comply with the record auto-numbering scheme. To prevent this issue, it now checks to ensure the record being typed already exists.

Version 9.5.27 (released on 2020-05-15)

CHANGES IN THIS VERSION:

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on the project Logging page where a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into the record name of a record imported via the API or Data Import Tool.

• Bug fix: If the foreign key of a database table is not defined correctly in the REDCap database, the SQL provided by the Control Center warning "Your REDCap database structure is incorrect" would mistakenly fail to fix the issue and would keep appearing after being run. It now provides the correct SQL to run in order to fix the database structure issues. (Ticket #83951, #84054)

• Bug fix: When using Twilio Telephony Services to send SMS messages from a Short Code phone number, it would fail to send the messages because REDCap would mistakenly prepend a "+" to the Short Code when attempting to send it via Twilio's API.

• Bug fix: The "redcap_survey_complete" hook would mistakenly get called when a survey participant loads their survey queue when navigating directly to their queue as opposed to navigating there after completing a survey.

• Bug fix: The REDCap installation page would mistakenly crash with a fatal PHP error and would prevent anyone from going through the full installation process. Bug emerged in the previous version. (Ticket #84111)

• Bug fix: If an alert on the Alerts & Notifications page contains attachment files in which two or more attachments have the exact same file name, then it would mistakenly not attach all the files to the email but only the last one listed. (Ticket #83903)

• Bug fix: Two Laboratory fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: The sum() function would mistakenly not work as expected and would return a blank value for a calculated field if one or more of the fields used inside sum() have a blank value. (Ticket #84284)

• Bug fix: In certain cases, if new records are being created in a project while the project's Record List Cache is being built, it might mistakenly cause new records to appear orphaned (as if they were never created) and not appear in reports, dashboards, etc. in the project for a few days (or until the cache is rebuilt). (Ticket #84159)

• Bug fix: When performing a data import into a repeating instrument, in which all the fields in the row in the data import file have blank values (excluding the record id field, redcap_repeat_instance field, and redcap_repeat_instrument field), it would return a confusing error message and prevent the import from completing. (Ticket #84359)

• Bug fix: When exporting a Project XML for a longitudinal project, in which the project contains reports with report filters that have the "in All Events" drop-down option selected for a given filter field, the resulting XML file would contain advanced filter logic that would work successfully in a new project created from the XML file, but if a user went to modify that report afterward in the newly created project, REDCap would note that the logic was not syntactically correct (even though the filter logic would work correctly when displaying the report). This is due to the fact that in the XML file it was mistakenly not prepending "[event-name]" to all fields in the advanced logic that did not already have a prepended unique event name. For longitudinal projects with advanced filter logic, all fields must have a prepended event name or else must have [event-name] prepended to the field.

• Bug fix: If the setting "Email to send email-failure errors" has been defined for an alert in Alerts & Notifications, the email received after an error occurs would mistakenly not contain the real error message of why the alert did not send and also would not contain the alert number of the alert being triggered. (Ticket #84004)

• Bug fix: When running Data Quality rule D ("Field validation errors (out of range)"), it would mistakenly return discrepancies for valid number values if a field had "Number (comma as decimal)" validation. (Ticket #84004)

Version 9.5.26 (released on 2020-05-08)

CHANGES IN THIS VERSION:

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered where a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags and/or JavaScript into the query string of a data entry form or record home page.

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered where a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into the uploaded CSV data file on the Data Import Tool page.

• Bug fix: Certain menu toggles, such as the "hamburger menu" at the top right of the My Projects page when using a mobile device, were not working correctly due to a breaking change in jQuery 3.5.0 in REDCap 9.9.0 Standard and 9.5.25 LTS. A makeshift patch has been applied to fix this in lieu of a proper fix from jQuery. (Ticket #83490)

• Bug fix: When creating a new record via the Schedule module in a project, especially if the user creating the record belongs to a Data Access Group, the record would mistakenly not appear in record lists, record status dashboards, or reports for up to several days due to a record list caching issue, in which the cache was not getting updated appropriately when creating the record via the Scheduling module. (Ticket #83478)

• Bug fix: If some Alerts & Notifications had been created in a longitudinal project, in which recurring alerts had been scheduled for some records, it might prevent a user from deleting an event on the Define My Events page due to foreign key restrictions in the back-end database. (Ticket #83438)

• Bug fix: When moving a project to production and selecting the option to "delete all data", if the Survey Queue is enabled in the project and some existing records had had a survey queue link generated for them, then even though the records would correctly get deleted when moving to production, the survey queue links for those deleted records would mistakenly not get cleared out of the back-end database and thus could mistakenly get reused by new records. (Ticket #83341)

• Bug fix: When using a Missing Data Code value of "0", "1", or "2" in a project, the Missing Data Code would mistakenly get used on the Form Status Complete field on any given instrument and thus cause issues with being able to set that field's value correctly. (Ticket #83423)

• Bug fix: When branching logic or a calc field references a checkbox choice that has been hidden by the @HIDECHOICE action tag, it would mistakenly display a branching logic/calculation error alert on the survey page or data entry form. (Ticket #83376)

• Bug fix: If an Automated Survey Invitation has conditional logic using the datediff() function with “today” or “now” as a parameter, in which “today” or “now” are not in lowercase form, the ASI Datediff cron job would mistakenly not run for these ASIs, thus causing invitations not to get scheduled at the appropriate time.

• Bug fix: The cron job for scheduling Automated Survey Invitations that contain datediff+today/now in their conditional logic and are set to send "Immediately" would mistakenly send invitations immediately in real time by that cron, which can be a slow process and delay the scheduling of other invitations in some situations. Instead, the cron job should have been only scheduling the invitations and then letting the email-sending cron job actually send those scheduled invitations. (Ticket #83596)

• Bug fix: When entering an X-event-name Smart Variable into conditional logic for an ASI, report filter, etc., when validating the logic, it might mistakenly return a confusing error saying that the syntax is not valid even when it is.

• Bug fix: When upgrading to REDCap 9.5.24 or 9.5.25, it might mistakenly not create the redcap_new_record_cache database table correctly and/or result in a MySQL error when running the upgrade SQL script. This release will fix that table if it did not get created correctly.

• Bug fix: If one or more External Modules have been enabled in a project and have a link displayed for a module page in the "External Modules" section on the project's left-hand menu, then if Report Folders have been created in the project and a user toggles a Report Folder to open or close the folder, it would mistakenly cause the reports section on the left-hand menu to be moved below the "External Modules" section when it should instead remain above it.

• Bug fix: For a project where Missing Data Codes are defined, when exporting data to a stats package (R, Stata, SAS, SPSS) when the export file contains checkbox fields and the report being exported is set to include the Missing Data Codes, the extra fields/columns for the Missing Data Codes for the checkbox would mistakenly not get added to the stats package syntax file, even though they get added to the CSV data file, thus causing the data not to load properly into the stats package because of the column number mismatch. (Ticket #83329)

• Bug fix: If running Data Quality rule A or B in a project, in which a blank field has branching logic based off of another blank field, then in certain cases it might not return discrepancies correctly for all the fields with blank values. (Ticket #82655)

• Bug fix: When downloading a PDF of an instrument, sometimes rich text might mistakenly not display well in the PDF, such as paragraphs and tables being too far spaced out.

Version 9.5.25 (released on 2020-04-30)

CHANGES IN THIS VERSION:

• Minor security fix: Due to a Cross-Site Scripting (XSS) vulnerability, the JavaScript library jQuery 3.4.1 was updated to version 3.5.0. (Ticket #82867)

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered where a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags and/or JavaScript into the query string of the Data Access Groups page.

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on some External Module Framework pages, in which a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into places where such HTML gets reflected back on a page that a user is viewing.

• Bug fix: The Missing Data Codes in the Additional Customizations popup on the Project Setup page could mistakenly be modified or removed while collecting data in production, which could cause issues with the saved data during analysis and in reports. It now displays a warning prompt to the user beforehand to inform them that re-labeling or removing Missing Data Codes after data collection has begun could cause data issues, but they will still be allowed to make modifications to the codes if they wish. (Ticket #82977)

• Bug fix: When using Missing Data Codes in a project and selecting a missing data code for a radio button field on a data entry form, the missing data codes popup would mistakenly not close after the code had been clicked. (Ticket #82977)

• Bug fix: When exporting data to Stata, it would mistakenly output the incorrect syntax in the .do file for text fields with datetime_seconds validation. (Ticket #83001)

• Bug fix: If upgrading to 9.5.24 LTS or higher or upgrading to 9.8.5 Standard or higher, the upgrade SQL script might throw a MySQL error during the upgrade process due to a foreign key constraint on a database table. (Ticket #83098)

• Bug fix: Slider fields that are vertically aligned and have the "Display number value (0-100)?" option enabled will mistakenly display the number value field too narrowly and thus will not display the full value if its value is "100". (Ticket #83234)

• Bug fix: If running REDCap on the Google App Engine platform and the email quota has been exceeded when sending outgoing emails, it would mistakenly crash with a fatal PHP error. It now continues to run and finish the script instead of halting the script with an error.

Version 9.5.24 (released on 2020-04-24)

CHANGES IN THIS VERSION:

• Medium security fix: A Cross-Site Scripting (XSS) vulnerability was discovered where a malicious user or survey participant could potentially exploit it by adding some specific HTML tags and JavaScript into a Text field on a survey page or data entry form, after which such HTML would get reflected back on the page and get executed for another user.

• Major bug fix: If a multi-arm longitudinal project is collecting data via public surveys across multiple arms at a time, in which each public survey has its own URL that corresponds to a distinct arm, then if survey participants are submitting a survey at near the same time but for a different arm, then it is possible that those two responses might mistakenly get saved with the same record name, even though the records exist in different arms. This is easily remedied by renaming the record in one of the arms afterward, but it may be hard to detect when it occurs and might be confusing for users when it does.

• Major bug fix: If a user in a longitudinal project clicks the "Delete data for this form only" button at the bottom of a data entry form, in which multiple instruments on the current event contain data for the current record, if all the data on that event had been imported via data import *and* no values for form status fields were imported during the data import process *and* no user ever clicked a Save button on an instrument in that event after the import was performed, then all the data on all instruments in that event would mistakenly get deleted, when instead it should only delete the data from the current instrument.

• Bug fix: When entering conditional logic for Automated Survey Invitations or adding branching logic via the Online Designer, if the logic contained certain Smart Variables (.e.g., [survey-date-completed]), the logic check status displayed immediately below the logic text box would mistakenly state "Error in syntax" even when the logic's syntax is correct.

• Bug fix: When using the standalone launch to login to one’s EHR system when using the Clinical Data Mart or Clinical Data Pull features, it might mistakenly redirect to the wrong page (causing a 404 error). (Ticket #82449)

• Bug fix: If a large amount of HEAD requests hit a survey page, it might cause a disproportionate amount of load to be put on the web server and database server. (Ticket #82501)

• Bug fix: The advanced function isblankormissingcode() would mistakenly not work correctly when used in the equation of a calculated field. (Ticket #82653)

• Bug fix: When a survey participant attempts to close their browser window by clicking the "Close survey" button on the page after completing the survey, if their browser prevents the tab/window from being closed, then the text displayed on the page afterward would mistakenly always be in the language of the system-level language setting rather than the project-level language. (Ticket #82631)

• Bug fix: The generic "Alert" jQuery UI dialog would often have its title and/or buttons displayed in hard-coded English rather than using the language file's text for that particular project in which it is being displayed. (Ticket #81638)

• Bug fix: Dots/periods were mistakenly allowed to be used in the raw coded values for Missing Data Codes. Dots/periods are not compatible to be used in checkbox codings and thus cannot be used as Missing Data Codes. (Ticket #82476)

• Bug fix: When using a field from a repeating instrument in the logic of a Data Quality rule, in which the logic is trying to find instances of the field where its value is blank (e.g., [field] = ""), it might mistakenly not return the expected results in the discrepancy list. (Ticket #82201)

• Bug fix: When using Data Quality rule I to find Missing Data Codes, the rule would mistakenly ignore checkbox fields and not include them in the results. (Ticket #82636)

• Bug fix: When setting up Randomization in a project that is not longitudinal and then later the project is converted to a longitudinal project, it would cause issues and might prevent the randomization process from working properly. (Ticket #82757)

Version 9.5.23 (released on 2020-04-16)

CHANGES IN THIS VERSION:

• Minor security fix: A Blind SQL Injection vulnerability was found using the Data Search feature, in which a malicious user could potentially exploit it by manipulating the query string or POST parameters of an HTTP request.

• Bug fix: When using the [previous-event-name] and [next-event-name] Smart Variables when prepended to field variables in piping, calculations, or logic, they might mistakenly point to the previous/next designated event of the current instrument rather than the previous/next designated event of the field to which the Smart Variable is prepended. Note: This does not affect [previous-event-name] and [next-event-name] when they are used as standalone without being prepended to a field. (Ticket #81976)

• Bug fix: When viewing Report B for a project that contains repeating instruments, the "total number of records queried" in the report might mistakenly be incorrect and not match the "number of results returned".

• Bug fix: When exporting data to SAS, it might throw an error when loading the CSV data into SAS in some cases if a field variable name ends in a number. Additionally, if the project is utilizing Missing Data Codes, it might throw an error on a numerical field if some of the Missing Data Codes are non-numerical.

• Bug fix: Custom Record Status Dashboards that are set to sort by a field's value would mistakenly sort in a case sensitive manner when instead it should be sorting in a case insensitive manner. (Ticket #82092)

• Bug fix: When clicking the "All Status Types" link on the Record Status Dashboard, it would mistakenly hide the [+] buttons next to the status icons of repeating instruments. Instead they should remain displayed. (Ticket #82092)

• Bug fix: If custom "Help & FAQ" text has been defined, then the navigation bar would mistakenly obscure the custom text on the "Help & FAQ" page. (Ticket #82192)

• Bug fix: When a production project is in draft mode and a user deletes an entire instrument in draft mode, it would mistakenly delete any Descriptive field attachments that belong to fields on that instrument from the live version of the instrument in production, thus permanently losing the attachments. (Ticket #82322)

• Bug fix: When a survey participant is viewing their Survey Queue, in which it contains a repeating survey, the "Take this survey again" button next to the repeating survey would mistakenly not be visible in the survey queue when viewing the page on a mobile device with a narrow screen. (Ticket #82335)

Version 9.1.25 (released on 2020-04-09)

CHANGES IN THIS VERSION:

• Critical bug fix: When collecting data using a public survey where multiple participants are entering data near-simultaneously (i.e., submitting the survey within the same fraction of a second), some scenarios may arise in which those multiple responses could get mistakenly merged together as a single record rather than as separate new records. When this occurs, it appears in the logging that one participant has created the record while another participant modified the record afterward, in which it should instead log the events as two separate "create response" events. It is difficult to know when this kind of incident has occurred, and if discovered, might take some work (using the Logging page as a reference) to split the record back into separate proper records and resave them. While this issue occurs very seldom, the worst-case scenario can be if the survey allows the participant to download their responses as a PDF or have their responses emailed to them after completing the survey, in which it might possibly result in a privacy leak if private and/or identifying information (e.g., PHI) has been entered on the survey. (Ticket #81104, #81559)

Version 9.5.22 (released on 2020-04-09)

CHANGES IN THIS VERSION:

• Critical bug fix: When collecting data using a public survey where multiple participants are entering data near-simultaneously (i.e., submitting the survey within the same fraction of a second), some scenarios may arise in which those multiple responses could get mistakenly merged together as a single record rather than as separate new records. When this occurs, it appears in the logging that one participant has created the record while another participant modified the record afterward, in which it should instead log the events as two separate "create response" events. It is difficult to know when this kind of incident has occurred, and if discovered, might take some work (using the Logging page as a reference) to split the record back into separate proper records and resave them. While this issue occurs very seldom, the worst-case scenario can be if the survey allows the participant to download their responses as a PDF or have their responses emailed to them after completing the survey, in which it might possibly result in a privacy leak if private and/or identifying information (e.g., PHI) has been entered on the survey. (Ticket #81104, #81559)

• Bug fix: A database query would fail invisibly but do little harm when importing data to a project via the REDCap Mobile App. (Ticket #81815)

• Bug fix: If the e-Consent Framework is enabled on a survey that is a repeating instrument, in which the first name, last name, and/or date of birth fields (designated in the e-Consent Framework options) also exist on that same survey/instrument, then those name/DOB values would mistakenly not pipe correctly when REDCap adds them to the footer of the e-Consent PDF and also to the Identifier column in the PDF Archive table in the File Repository. Unfortunately, it is not possible to fix the missing piped values for survey responses that have already gone through the e-Consent process prior to this bug fix. (Ticket #81790)

• Bug fix: The IE-specific Conditional Comments to detect Internet Explorer 9 (e.g., <!--[if IE 9]>) were mistakenly not formatted correctly and might cause some users using Internet Explorer to have issues loading pages.

• Bug fix: When exporting a Project XML file for a project via the API, the resulting XML file would mistakenly be missing a lot of the project settings, such as surveys, Alerts & Notifications, Data Quality rules, reports, etc. (Ticket #81879)

• Bug fix: When using the Clinical Data Pull (CDP) feature, the new line separator for storing repeated values (labs, vitals, medications...) was changed slightly. Those repeated values in CDP are stored in a single field using a string separator containing line breaks. The previous new line separator was mistakenly causing false positives in the CDP adjudication table when checking for new values to adjudicate.

• Bug fix: A link in the "Piping" section of the "Help & FAQ" page would point to a non-existent page on the Vanderbilt REDCap server.

• Bug fix: When editing an alert and changing Step 1A from the second option (form save + conditional logic) to the third option (only conditional logic), it would mistakenly not save the alert correctly and might cause the dialog not to reload properly when editing that same alert again later.

Version 9.5.21 (released on 2020-04-03)

CHANGES IN THIS VERSION:

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on several pages, in which a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into places in REDCap where such HTML gets reflected back on a page that a user is viewing.

• Bug fix: When calling the API method "Export Metadata (Data Dictionary)" and providing values for the "fields" parameter, it would mistakenly ignore that parameter unless the "forms" parameter was also provided with a value. Bug emerged in the previous release.

• Bug fix: The plain text section of outgoing emails (which is not ever displayed by most email clients unless they do not support HTML email) would mistakenly have links converted into text and might have unnecessary tabs or line breaks. Most extra tabs and line breaks have been removed from the plain text section of emails, and all links in the email body will have their URL extracted and placed in parentheses directly following the link text so as not to lose that information. (Ticket #80878)

• Bug fix: The redcap_connect.php file was mistakenly not returning an HTTP 500 status error in the incident that the database connection fails. Following the upgrade to this version, REDCap will prompt administrators to replace their redcap_connect.php file.

• Bug fix: If still using the old bit.ly (http://j.mp ) URL shortener service for public surveys (instead of the newer https://redcap.link URL shortener), then when fetching a short survey link on the Public Survey Link page, it would appear to spin forever and never return the shortened URL. This is due to BITLY changing how their API web service works.

• Bug fix: Some reports and data quality rules in longitudinal projects might run 2x-10x slower than expected in certain situations, such as if a field in the report filter logic or DQ logic does not have a prepended event name or if the report filter has "all events" selected for a filter field drop-down. The slowness is especially pronounced in projects having large numbers of events defined and/or a large amount of records in the project. (Ticket #79830)

• Bug fix: When viewing the participant list of a longitudinal project containing multiple arms, the paging drop-down list for the participant list would mistakenly provide an incorrect number of participants for the given survey/event and might not be able to display subsequent pages in the participant list after changing the paging drop-down list to select another page to view. (Ticket #81118)

• Bug fix: If a project does not have record auto-numbering enabled, and the record ID field has min/max validation, then the min/max validation would mistakenly not be applied when a user is entering a new record name via the Record Status Dashboard or Add/Edit Record page. (Ticket #81117)

Version 9.5.20 (released on 2020-03-26)

CHANGES IN THIS VERSION:

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on the Scheduling page, in which a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into places in REDCap where such HTML gets reflected back on a page that a user is viewing. (Ticket #80773)

• Bug fix/change: 350 Laboratory fields (including 30 related to COVID-19) and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: If a checkbox field exists on a repeating event or repeating instrument and is utilized in a calculation or branching logic, in which the field is referenced on another repeating instance than the current repeating instance, then while the checkbox's checked value will save correctly, if a field choice is unchecked later, it might mistakenly not clear/delete the checked value successfully. (Ticket #78956)

• Bug fix: If using "LDAP" or "LDAP & Table-based" authentication, any user containing an apostrophe in their LDAP username would mistakenly not be able to be added to a user role in a project, in which it would fail silently when attempting to add a user to a role. (Ticket #79647)

• Bug fix: If a user attempts to add a field comment to a field on a data entry form prior to creating the record (via Save button), when the user clicks the "Save and then open Field Comment Log" button to reload the page, the cursor's focus might mistakenly be on a field on the form underneath the dialog rather than inside the dialog, possibly causing the user to get stuck and not be able to enter a field comment successfully. (Ticket #80511)

• Bug fix: When clicking the Compose Survey Invitations the first time on the Participant List page in a project, it might mistakenly not load the list of participants to email inside the popup, but it would load it successfully if the popup was closed and then reopened. (Ticket #80584)

• Bug fix: A database query would fail invisibly but do no harm whenever a record is renamed in a project. (Ticket #80895)

• Bug fix: A database query would fail invisibly but do no harm whenever previewing a survey theme in the Online Designer. (Ticket #80940)

• Bug fix: A database query would fail invisibly but do no harm whenever viewing a survey response on a data entry form. (Ticket #80901)

• Bug fix: In a multi-arm longitudinal project that has record auto-numbering disabled, if the record names contain non-Latin/multi-byte characters, then the record names would mistakenly get scrambled whenever rebuilding the record list. (Ticket #74092)

• Bug fix: A database query would fail invisibly in certain scenarios surrounding the piping of repeating instances, which might cause the piping not to work correctly. (Ticket #80901)

• Bug fix: When performing a data import (via API or Data Import Tool) for a multi-arm project, in which a record is being imported into multiple arms during the import, the record might not initially appear as if it has been created in the subsequent arms when viewing the Record Status Dashboard (even though it had been created in the arm correctly). Note: This issue would automatically resolve itself within five days of the import. (Ticket #55039)

• Bug fix: When using the randomization module in a project, the act of randomizing a record does not trigger any Alert & Notifications if an alert was set to be triggered based on the randomization field or strata fields having their values changed. (Ticket #80985)

• Bug fix: When using the randomization module in a project, the act of randomizing a record does not trigger the REDCap hook "redcap_save_record".

• Bug fix: If survey notifications have been enabled on a survey that is a repeating instrument or is on a repeating event, then the link back to the survey response on the data entry form would mistakenly always point back to the first instance of that instrument rather than to the correct instance. (Ticket #81009)

• Bug fix: A database query would fail invisibly in certain API methods being called. (Ticket #81041)

• Bug fix: A database query would fail invisibly in very specific occasions when using the Online Designer to add/edit fields. (Ticket #81020)

• 9.8.0: Bug fix: A database query would fail invisibly to the redcap_log_view_requests table when a user is logging in to REDCap. (Ticket #81056)

Version 9.5.19 - (released 3/12/2020)

BUG FIXES AND OTHER CHANGES:

• Major bug fix: If a participant is taking a public survey (via the public survey link) that allows them to "Save & Return Later", in which the survey requires Return Codes to be used in order to return to the survey, then if the participant returns to the survey using the private/unique survey link (rather than the public survey link), it would mistakenly allow the participant to view their responses without having entered the return code first. However, if they clicked the "Save & Return Later" button again on the survey after returning, then the next time they return to the survey, it would correctly require that they enter a return code. This does not occur for follow-up surveys but only for public surveys with "Save & Return Later" enabled using return codes.

• Bug fix: If the feature "File Upload field enhancement: Password verification & automatic external file storage" is enabled for the system and for a given project, a file uploaded into a File Upload field in the project would be stored on the external server mistakenly using the user's filename of the file rather than the filename of the file as it is stored in the backend of REDCap. This could potentially cause naming conflicts and prevent the file from being stored successfully on the external server. It will now store the file on the external file server using REDCap's backend "stored_name" filename for the file.

• Bug fix: When using a rich text editor that exists inside a modal dialog (e.g., the "Create new alert" dialog, the "Automated Survey Invitation" setup dialog), the rich text editor's "Link" menu option would not function correctly and would prevent users from adding a URL value to a link in their rich text.

• Bug fix: If entering a value on a data entry form for a field that is designated as a Secondary Unique Field, in which a value is entered that duplicates a value in another record in the project, if the user clicks the Enter key on their keyboard after typing the value (instead of clicking outside the field or clicking the Tab button), it would correctly display the error dialog popup about the duplicate value, but the dialog would mistakenly not be able to be closed, thus forcing the user to reload the page and potentially lose any data entered thus far on the page. (Ticket #79910)

• Bug fix: When importing data via the API or Data Import Tool, an alert might not get sent/scheduled for any records that are being created during the data import if the data being imported is expected to trigger an alert. This does not affect existing records but only records that did not exist prior to the data import.

• Bug fix: The Configuration Check page in the Control Center was mistakenly noting that the PHP cURL extension was "recommended" when it should instead state that it is "required". This is because so many major features in REDCap rely on cURL specifically. The warning for cURL on the Config Check page has now been modified accordingly to accurately reflect this. (Ticket #80121)

• Bug fix: The REDCap hook named "redcap_survey_complete" would get mistakenly called when a survey participant would attempt to return to a completed survey that has the "Save & Return Later" option disabled - i.e., when it displays the message "Thank you for your interest, but you have already completed this survey". (Ticket #80109)

• Bug fix: When exporting data in CDISC ODM XML format, in certain situations, the resulting XML might mistakenly omit the ending ODM tag - e.g., "</ODM>". (Ticket #80084)

• Bug fix: When a calculated field exists on a repeating event and its calculation references fields on the same event, in which one or more of those fields exist on instruments that are not designated for that event, then while the calculation would work correctly when viewing the calc field on a survey or data entry form, it would mistakenly return a ""/blank value for the calc field when performing a data import or running Data Quality rule H. (Ticket #79874)

• Bug fix: The text for the confirmation email set at the bottom of the Survey Settings page for an instrument in the Online Designer would mistakenly have extra line breaks added between all the text if the email text was saved and then the page was re-opened later and saved again, thus adding more extra space each time. (Ticket #79836)

• Bug fix: If a custom Data Quality rule has logic that contains a field that is utilized in both a repeating and non-repeating context, especially for a longitudinal project, then it might not return all the correct discrepancies. (Ticket #80102)

• Bug fix: When viewing the "Stats & Charts" page for a user-defined report (i.e., not report A or B) that has filter logic defined, the "missing" count displayed in the descriptive stats table for a given field might mistakenly be a negative number. (Ticket #79994)

• Bug fix: If using "LDAP" or "LDAP & Table-based" authentication, any user containing an apostrophe in their LDAP username would mistakenly not be able to be added as a user on a project, in which it would display a popup error message when attempting such. (Ticket #79647)

• Bug fix: If a user has "No access" data entry form level privileges for the first instrument in a project, the Data Search feature on the "Add/Edit Records" page would mistakenly not include the record ID field in the search. (Ticket #80282)

Version 9.5.18 - (released 3/3/2020)

BUG FIXES AND OTHER CHANGES:

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on the Send-It upload page and the Survey Link Lookup page in the Control Center, in which a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into places in REDCap where such HTML gets reflected back on a page that a user is viewing.

• Bug fix: Twenty "Laboratory" fields, two "Vital Signs" fields, and their associated LOINC codes were mistakenly missing from the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: If a URL is included in a message posted on REDCap Messenger (including those sent via General Notifications from an administrator), the URL might not get displayed properly as a clickable link if the URL is immediately followed by a dot/period or a line break/carriage return.

• Bug fix: If a longitudinal project with repeating instruments or repeating events contains a report that has simple filters (i.e., fields selected via drop-down options) where a field is selected along with the "All events" option, OR if the report has advanced filter logic that references fields that exist on both repeating and non-repeating instruments/events, in which the fields on repeating instruments/events do not have anything appended to them, such as a numeral instance designation or instance Smart Variable and those fields also do not have a unique event name explicitly prepended to them, then the report might return incorrect results *if a field in the logic exists on both repeating and non-repeating events in the project*. This appears only to occur if the report setting "Show data for all events or repeating instruments for each record returned" is left unchecked. (Ticket #79058)

• Bug fix: When clicking the "Use advanced logic" link when building a report that has simple filters (i.e., fields selected via drop-down options), in which a filter field is selected with the "All events" option, when creating the advanced filter logic, it would mistakenly fail to prepend the field with "[event-name]" and thus would throw an error that says the logic is invalid when attempting to save the report.

• Bug fix: When sending emails, REDCap was mistakenly attempting to employ DKIM in all outgoing emails, which might cause emails to no longer be received if hosting REDCap on certain platforms, such as AWS. To ensure emails keep sending as expected, the usage of DKIM is no longer attempted when sending emails.

• Bug fix: When sending survey invitations via the Participant List, if some invitations are sent first and then the user clicks the Compose Survey Invitations button to send another batch without leaving the page, the survey invitation message text would appear to still be the same for the new batch as with the previous batch but instead it would actually send the default invitation text that gets loaded in the text editor when opened the first time. This could cause users to mistakenly send the wrong text in the invitation when sending multiple batches on that page at a time. (Ticket #79507)

• Bug fix: When using Missing Data Codes in a project, and a missing data code is saved for a checkbox field on a record, then that field would mistakenly be returned as a discrepancy in Data Quality rule G. (Ticket #79553)

• Bug fix: If a slider field has the "Display number value?" option checked for it, then when entering data on a survey or form, if the slider has focus put on it (either by tabbing through the survey/form, or if an instrument is opened in which the slider is the first field on the instrument), then a value of "50" would get initially displayed in the slider's associated text box even though the slider value is actually blank/null and will remain so until the slider is clicked or if the user uses their keyboard's left/right arrow keys. So seeing the value of "50" when the slider gets focus might give the impression that its value has been set when in fact it has not been set yet. This has been changed so that the text box value only changes when the slider value itself has been changed by the user, thus eliminating this ambiguity regarding the slider's current value. (Ticket #79430)

• Bug fix: While REDCap prevents users from viewing all pages of a given report at the same time if it estimates that the report contains more than 500k data points, it would mistakenly calculate the number of total data points incorrectly while determining this. (Ticket #79657)

Version 9.5.17 - (released 2/28/2020)

BUG FIXES AND OTHER CHANGES:

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on a page in the External Module Framework, in which a malicious user (who must be logged in) could potentially exploit it by manipulating the query string of certain HTTP requests utilized within that page.

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on several pages, in which a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into places in REDCap where such HTML gets reflected back on a page that a user is viewing.

• Minor security fix: A Blind SQL Injection vulnerability was discovered on a page in the External Module Framework, in which a malicious user could potentially exploit it by manipulating the query string of certain HTTP requests utilized within that page.

• Minor security fix: All web links on REDCap pages that link to an external website and contain the target="_blank" attribute, which opens the website in a new browser tab, will automatically have the HTML tag attribute 'rel="noopener noreferrer"' added to the link's underlying HTML. This will occur automatically and invisibly for links either added by user input on forms/surveys or those that are hard-coded as part of REDCap itself. This will improve overall security to prevent the passing of referrer information from REDCap onto the third-party website.

• Bug fix: If a text field that has min/max validation is changed to another field type, such as a drop-down, in the Online Designer, it would mistakenly not nullify the min/max validation values for the field when saving it as a new field type, which would cause an error to be displayed when downloading the data dictionary and then re-uploading it. (Ticket #29422)

• Bug fix: When using Live Filters in a report, if any of the Live Filter fields have choices whose label contains HTML tags, it would mistakenly display the HTML tags inside the Live Filter drop-downs at the top of the report.

• Bug fix: The PHP function for validating URLs for certain outgoing HTTP calls from REDCap might mistakenly allow certain invalid URLs to pass the validation test.

• Bug fix: If a longitudinal project with repeating instruments or repeating events contains reports with report filter logic that references fields on both repeating and non-repeating instruments/events, in which the fields on repeating instruments/events do not have anything appended to them, such as a numeral instance designation or instance Smart Variable, then the report might return incorrect results *if a field in the logic exists on both repeating and non-repeating events in the project*. This appears only to occur if the report setting "Show data for all events or repeating instruments for each record returned" is left unchecked. (Ticket #79058)

• Bug fix: If using the Missing Data Codes feature in a project that also has Randomization enabled, it would mistakenly allow the missing data codes icon to appear next the randomization field on the data entry form. The missing data codes icon should never appear for the randomization field because it is not applicable there. (Ticket #79057)

• Bug fix: If the "Import Records" API method was called or if a user was saving a survey or data entry form that triggered the calculation of calc fields on other instruments/events, then the internal record list cache in the project would mistakenly get reset in the back-end database, thus forcing the cache to be rebuilt the next time a report, record dashboard, or record list was viewed in the project. This could cause unnecessary slowness for the project and possibly affect performance of the entire REDCap server in some cases.

• Bug fix: If a new data collection instrument is added to a production project that is currently in draft mode, in which the user has submitted some field/form changes to an administrator and is awaiting approval, it is mistakenly possible for the user to enable that instrument as a survey. Instead it should display a notice on the Survey Settings page that the instrument cannot be enabled as a survey until the project is no longer in draft mode (i.e., after the submitted changes have been approved). (Ticket #79192)

• Bug fix: When using iOS and entering data on a survey or data entry form, "number"-validated text fields would not enforce the client-side validation and would mistakenly allow non-numerical values to be entered. This has been fixed so that it will now display the number pad keyboard to allow only numbers and a dot decimal as an option. Note: If the field has "number (comma as decimal)" validation, then it will instead use the full QWERTY keyboard (this is a limitation of iOS) instead of the number pad keyboard. (Ticket #79317)

• Bug fix: In a longitudinal project, if an alert that has a field that is piped into the alert's message or subject, in which the field variable is not prepended with the unique event name, then when that alert gets triggered by saving a form/survey, it would mistakenly not pipe the field's value correctly unless the field's event's unique event name had been explicitly referenced by another field in the message text, subject text, or conditional logic.

Version 9.5.16 - (released 2/21/2020)

BUG FIXES AND OTHER CHANGES:

• Major bug fix: Surveys and data entry forms were mistakenly displaying the "errors exist" popup relating to branching logic errors in many situations.

Version 9.5.15 - (released 2/21/2020)

BUG FIXES AND OTHER CHANGES:

• Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on several pages, in which a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into places in REDCap where such HTML gets reflected back on a page that a user is viewing. This mostly involves the names/labels of data collection instruments.

• Major bug fix: A user with "No Access" Data Export privileges in a project would [correctly] neither be able to perform data exports nor access the Data Export Files tab in the File Repository, but if that user had been given the direct URL to download a specific archived data export file from the File Repository (i.e., exported by another user in the project at a previous time) or if they were simply guessing URLs through trial and error by modifying the "id" URL parameter for the "FileRepository/file_download.php" end-point, they would be able to successfully download that data file even though they have no data export privileges. Note: The user must have access to the project in order to do this. (Ticket #72652)

• Bug fix: If a user is piping a field that uses the BioPortal Ontology Service, and they're wanting to pipe the field's coded value and not the choice value, then adding ":value" to the variable name (e.g., [icd10:value]) would mistakenly return the choice label and not the coded value.

• Bug fix: On the CDIS Standalone Launch page, the "Go to projects" button would not work when clicked due to a JavaScript error. (Ticket #78558)

• Bug fix: If a user is suspended, the page displaying the notice that they are suspended when the user attempts to log in would mistakenly throw an invisible JavaScript error in the browser console. (Ticket #78850)

• Bug fix: In completed survey responses on a repeating survey, if there is somehow no Form Status value (in the back-end database) for the survey instrument or if its value was somehow set to "Incomplete" mistakenly (e.g., through direct database interaction via an external module), then if the current repeating instance of the survey that is being viewed is not the first instance, it would mistakenly set the value of the first instance of the survey to "Completed" whenever someone views the instrument/survey page.

• Bug fix: The word "Page" used to display the page number in PDFs of exported instruments was mistakenly hardcoded instead of coming from the language translation file. (Ticket #78771)

• Bug fix: If the @DEFAULT action tag is used on a field, then users would always receive the "save changes?" prompt when attempting to leave the form without clicking a Save button, even when no field values had been changed. Instead it should only display this prompt when the form has no data (i.e., has gray form status icon) and leaving the form. It should not display the prompt every time afterward. (Ticket #78807)

• Bug fix: When attempting to add a user via the User Rights page to a project that currently has no users, it would mistakenly return no user suggestions when typing the username in the text field. (Ticket #78929)

• Bug fix: When performing a data export of a report to a stats package, in which the first instrument in the project is a survey and the report is set to output all survey-related fields (e.g., completion timestamp), then if the record ID field is the first field in the report, the resulting syntax file for the stats package would mistakenly be missing the survey completion timestamp for the first instrument, thus causing the data not to load properly into the stats package.

• Bug fix: When using the dateRangeBegin parameter for the "Export Records" API method, if the dateRangeEnd was left blank or not included as a parameter in the API request, then the API would not function correctly and would mistakenly return no data in the API response.

• Bug fix: A third-party PHP library was using code that is deprecated in PHP 7.4. (Ticket #79001)

• Bug fix: If a field on a data entry form or survey has an @HIDDEN action tag and also has branching logic, then in certain cases the field might flicker (i.e., appear then disappear momentarily) when the page initially loads. (Ticket #78697)

Version 9.5.14 - (released 2/13/2020)

BUG FIXES AND OTHER CHANGES:

• Bug fix: When copy-and-pasting text from Microsoft Word (or similar products) into the rich text editor used throughout REDCap, the underlying HTML that is added to the rich text editor after the paste would be extremely bloated and superfluous. Additionally, for field labels on instruments, it could cause the text to become so long (although appearing to be normal length) that it might cause some text to be truncated when downloading->uploading the Data Dictionary. To prevent this issue, it now automatically removes a lot of the extra, hidden styling and unnecessary HTML when copy-and-pasting text into the rich text editor. (Ticket #77555)

• Bug fix: The pseudo user "site_admin" (which is only used as a default account when authentication is disabled) could mistakenly be added to a conversation in REDCap Messenger by a user. As a result, it might mistakenly send the administrators a notification email that the "site_admin" has unread messages in Messenger. Users will now no longer be able to find "site_admin" when searching for users to add to a Messenger conversation. (Ticket #78117)

• Bug fix: When running Data Quality rule A, B, or F for projects that are longitudinal and/or have repeating instruments/event, it might mistakenly run out of memory and return an error message to the user, even when the project doesn't appear to have a large amount of records.

• Bug fix: If the Secondary Unique Field (SUF) is used in a longitudinal project in which the value of the SUF is currently blank and then a data entry form or survey containing the field is saved where the field's value still remains blank, then if the SUF exists in events that currently do not have data (i.e., it has gray status icons for all forms in the event), then it would mistakenly save a blank value for the SUF in those empty events, thus causing their form status icon to be red instead of gray, which could be confusing to users.

• Bug fix: If a custom Data Quality rule has logic that contains a field from a repeating instrument in a non-longitudinal project, then it might mistakenly not find valid discrepancies that exist for that DQ rule in reference to data from repeating instruments.

• Bug fix: On the Project Setup page of a DDP-enabled or CDP-enabled project, the step to "Set up Dynamic Data Pull (DDP)"/"Set up Clinical Data Pull (CDP)" would have its progress icon mistakenly set to "Complete!" (big checkmark icon) when the project is in production status, regardless of whether the field mapping setup had actually been completed, which was confusing. It now can only be marked as "Complete!" if the user clicks the "I'm done!" button, which is how it has always behaved while in development status.

• Bug fix: When uploading a file or signature for a File Upload field on a repeating instrument or repeating event, in which record auto-numbering is enabled in the project, then the project's Logging page would mistakenly add an unnecessary "Created Record" event immediately before the "Uploaded Document" event in the logging history.

• Bug fix: If REDCap has two-factor authentication enabled and it is set to enforce 2FA only for certain IP addresses, it would mistakenly only support IPv4 changes and would not support IPv6. It now supports IPv6 ranges/subnet masks. (Ticket #77195)

• Bug fix: If users were using Internet Explorer 11 with Compatibility View enabled, it would get logged mistakenly as Internet Explorer 7 in the redcap_log_view database table.

• Bug fix: If a project has the Data Resolution Workflow enabled, and a user clicks the "Export" button on the Resolve Issues page in the project, the resulting CSV file would mistakenly have the text comments truncated in the First Update and Last Update columns. Those should be truncated on the webpage view but not in the CSV export file.

• Bug fix: If logic or calculations contain a checkbox field whose variable name ends with "min", "max", or "log", then it might cause the logic/calculation to be considered invalid or syntactically incorrect while being parsed, thus resulting in an error message in many places. (Ticket #78083)

• Bug fix: In the API Playground, the "csvDelimiter" parameter was mistakenly missing as a drop-down in the user interface for the API methods "Export Records" and "Export Reports". (Ticket #77754)

• Bug fix: When viewing the "Stats & Charts" page for a user-defined report (i.e., not report A or B) that has filter logic defined, the "missing" count displayed in the descriptive stats table for a given field might mistakenly be incorrect if the report is displaying fields from a repeating instrument or repeating event. (Ticket #77050)

Version 9.5.13 - (released 2/6/2020)

BUG FIXES AND OTHER CHANGES:

• Bug fix: The logic parsing algorithms in REDCap might mistakenly fail and not return accurate results when the logic contains an empty/blank value (represented as two quotes/apostrophes) on either side of an "=" operator or an "<>" operator, such as ' ""<>"" ' or ' ""=1 '. While such logic is less likely to be entered in this form by a user, some logic could end up in this form prior to parsing after certain Smart Variables in the logic are replaced by literal values during the logic-processing phase. This means that logic used in certain Data Quality rules or report filter logic, among other places, might not behave accurately. Bug emerged in REDCap 9.5.11 (LTS) and 9.7.0 (Standard).

• Bug fix: Users could mistakenly access the Online Designer and Data Dictionary pages in an Inactive project and thus could make field changes, which should only be allowed while in Development or Production status. (Ticket #66286)

• Bug fix: If an administrator is processing a "Delete Project" user request for a production project, then it might mistakenly not display the "Delete Project" prompt when loading the project's Other Functionality page while processing the request.

• Bug fix: If a field on a form or survey has the @DEFAULT action tag, and that same field has its value being piped into somewhere else on the same page, then when the form/survey is initially loaded with no data saved for it yet (i.e., has gray status icon), the piping of the default value would mistakenly not occur when the page is initially loaded but only after the field's value is modified while on that page.

• Bug fix: If using Table-based authentication, and a user was somehow added to a project even though the user has not yet had a REDCap user account created for them, then when attempting to delete the user from the project or modify their user rights, it would always return an erroneous error message, which prevents the user from being modified or deleted from the project.

Version 9.5.12 - (released 2/4/2020)

BUG FIXES AND OTHER CHANGES:

• Medium security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on many pages, in which a malicious user (who must be logged in) could potentially exploit it by adding some very specific, malformed HTML tags with certain attributes into places in REDCap where such HTML gets reflected back on a page that a user is viewing. This includes field labels, field choice labels, survey instructions, etc. on data entry forms and surveys, as well as other places throughout REDCap where user input is displayed on a webpage.

• Bug fix: There is a small chance that a cron job might have multiple simultaneous instances running of the job when there should only ever be one instance of it running. This mostly applies to External Module cron jobs since most internal cron jobs in REDCap have built-in ways of preventing issues with this.

• Bug fix: Nine "Laboratory" fields and their associated LOINC codes were mistakenly missing from the field mapping page for Clinical Data Pull and Clinical Data Mart.

• Bug fix: When using the operators "&&" and "||" in place of "and" and "or", respectively, in report filtering logic, it would mistakenly fail to filter the report correctly. Bug emerged in the previous version. (Ticket #77738)

• Bug fix: Reports were loading unexpectedly slowly in certain cases where report logic was being used when data from repeating instruments/events were being displayed in the report.

• Bug fix: Reports that contained the record ID field and also contained fields from repeating instruments/events were mistakenly displaying blank rows in the report (i.e., all fields in the row were blank *except* for the record ID field) if the report contained filtering logic that evaluated as TRUE on the first repeating instance. If the filtering logic did not evaluate as TRUE on the first repeating instance (but perhaps on other repeating instances), the blank row would not be displayed, as expected.

• Bug fix: When creating a new project using a super API token via the Create Project API method using a Project XML file, it would mistakenly output some junk code in the API response that was only meant for debugging purposes. (Ticket #77798)

• Bug fix: When using a logic tester to validate if logic has correct syntax (e.g., when creating a Data Quality Rule, adding report filter logic), if the logic contained certain Smart Variables, it would mistakenly say that the logic is not correct syntax when it actually is correct. (Ticket #77741)

• Bug fix: When using certain Smart Variables inside the the Custom Label for Repeating Instruments, it might mistakenly replace the Smart Variable with a blank value rather than the correct value when displaying the custom label in the repeating instrument tables on the Record Home Page and in the drop-down of repeating instances at the top of data entry forms. (Ticket #77575)

• Bug fix: If any Automated Survey Invitations get triggered via the ASI DataDiff cron job (because an ASI has conditional logic that contains datediff+today/now) in a longitudinal project, then invitations might not get successfully scheduled if the conditional logic refers to a field on an event for which its instrument has not been designated. For example, if we have logic such as "[event1][field1] = '2'", and field1's instrument is not designated for event1, then invitations would never get scheduled by the ASI datediff cron job when attempting to process this logic. (Ticket #77812)

Version 9.5.11 - (released 1/31/2020)

BUG FIXES AND OTHER CHANGES:

• Bug fix: When putting the cursor in the Variable Name text box in the Edit Field dialog in the Online Designer, if the variable name is longer than 26 characters and the project is currently in production status in Draft Mode, it might mistakenly pile several different dialogs on top of each other and make it impossible to close them all. This is often exacerbated if clicking the "X" icon or Escape key when attempting to close the dialogs. (Ticket #75072)

• Bug fix: It might mistakenly report an error that the "database structure is incorrect" in the Control Center or on the Configuration Check page when in fact the database structure is correct. And if the "Easy Upgrade" feature is enabled, the "Auto-Fix" option would fail if attempted. This issue is due to a previous fix that was meant to address idiosyncrasies in MySQL 8.0 but did not fully, and in fact the previous fix caused issues with installations that were not running MySQL 8.0. So this should now fix the issue on all versions of MySQL where these errors are occurring. (Ticket #76872)

• Bug fix: If using the Clinical Data Pull in a project, and the setting “Convert source system timestamps from GMT to local server time?” is set to “Yes” on the Clinical Data Interoperability Services page in the Control Center, then if a user in the project is adjudicating data values, in which a single temporal value (i.e., Labs or Vitals) is displayed on multiple fields/events within the adjudication popup for that record, then that value’s associated timestamp would mistakenly get shifted by the same amount (e.g., by 6 hours if in Central Time) for *every* time that value is displayed in the popup. Thus the timestamp value would be incorrect for every place where it is displayed in the popup except for the first one. Note: This issue does not affect the data value being imported at all.

• Bug fix: When viewing the Project Modification Module for a production project in Draft Mode, it might mistakenly display false positives for field changes as if some fields are being modified when in fact they are not. This can happen if the old field attributes and new field attributes are the same except that one has Windows newline characters (which represent line breaks in text) and the other has Linux newline characters, or vice versa. So the text looks the same on the page, but REDCap thinks they are different and thus flags them as yellow on the page. When comparing them, it no longer pays attention to what type of newline character is being used. (Ticket #76811)

• Bug fix: If a field's branching logic contained the datediff() function with a literal date (e.g., "01-01-2020") as one of the first two parameters in the function, in which the date value was either in MDY or DMY date format, then certain server-side logic-parsing operations (e.g., Data Quality rule A and B, the use of branching logic in downloaded PDFs) would fail to work correctly.

• Bug fix: Data Quality rule F would use a bit too much web server memory while processing. (Ticket #77606)

• Bug fix: If exporting a report to a stats package (SAS, SPSS, R, Stata) in which the first instrument in the project is enabled as a survey and the record ID field is the only field from the first instrument that is included in the report, then the resulting syntax file for the stats package would mistakenly reference the survey timestamp field of the first instrument, and since that timestamp field would not be included in the CSV data file in the export, it would cause errors to occur when loading the exported data into the stats package. (Ticket #77574)

Version 9.5.10 - (released 1/28/2020)

BUG FIXES AND OTHER CHANGES:

• Bug fix/change: Email Alerts converter has been removed - The Email Alerts external module has diverged from Alerts & Notifications in both its feature set and its back-end storage structure to the point where the option to convert alerts from the Email Alerts module into Alerts & Notifications is no longer a viable or reliable option, and in some cases the converter has caused major issues on some installations by not successfully converting alerts correctly. To prevent further damage, the EA->A&N converter will be removed from the user interface (it exists as a green button at the top right of the "Configure Email Alerts" page, which opens a dialog popup). This change will not in any way affect the functionality of the Email Alerts external module or the Alerts & Notifications feature, and they will both continue to function and exist separately with no conflict to each other. NOTE: This fix/change is only relevant if you have the Email Alerts external module installed on your REDCap system. REVERTING BACK: If for some reason you want to expose the EA->A&N converter feature to use it again, you may execute the following SQL query on the MySQL database, after which the green converter button will appear again in all projects where the Email Alerts module has been enabled: UPDATE redcap_config SET value = '1' WHERE field_name = 'email_alerts_converter_enabled'; WARNING: Please be aware that no guarantee is given regarding the success of the EA->A&N converter if you choose to re-enable it and use it. It is HIGHLY recommended that you leave it disabled.

• Bug fix: Certain types of cookies created by REDCap were not getting stored correctly in a user's browser if the “session.cookie_secure” setting is set to “On” in the server’s PHP.INI configuration file while using a version of PHP lower than PHP 7.3.0. For example, this would likely prevent the Google reCAPTCHA feature from working successfully on public surveys, thus preventing survey participants from taking those surveys. This bug emerged in the previous release.

• Bug fix: When a user adds a full REDCap survey link (as opposed to using the [survey-link] smart variable) into the rich text editor when composing a survey invitation (i.e., in the "Compose Survey Invitations" popup or "Automated Survey Invitations" popup), the warning dialog that suggests to remove the hard-coded survey link would mistakenly get displayed multiple times on top of itself, thus making it impossible for the user to actually close them all and forcing the user to refresh the page. (Ticket #77086)

Version 9.5.9 - (released 1/27/2020)

BUG FIXES AND OTHER CHANGES:

• Bug fix: If running REDCap on MySQL 8.0, it might mistakenly report an error that the "database structure is incorrect" in the Control Center or on the Configuration Check page when in fact the database structure is correct. This is due to the ZEROFILL attribute for numeric field types that exist in MySQL 8.0. Note: This issue was thought to have been fixed in the previous release but was not. (Ticket #76872)

• Bug fix: The project templates created during a fresh install of REDCap contained fields that mistakenly conflated the concepts of sex and gender (e.g., having "Gender" as the field label with "sex" as the variable name) and often did not provide enough inclusive options as choices. These fields in the project templates have thus been modified.

• Bug fix: When viewing a project's Logging page and the text displayed in the last table column is very long with no spaces, it might mistakenly overflow out of the table and sometimes off the page.

• Due to changes in the default cookie settings in the Google Chrome browser (in Chrome v80 and later), any REDCap pages embedded on another website (via iframe) might mistakenly not be able to start an authenticated session successfully when logging in to REDCap. This may also affect surveys' ability to collect some data and behave correctly if the survey page is embedded on another website. REDCap now manually sets the cookie "SameSite" attribute with the value "None" by default in all compatible web browsers for all cookies generated by PHP in REDCap. Note: This is only applicable for REDCap installations using SSL/HTTPS that have the setting “session.cookie_secure” set to “On” in the server’s PHP.INI configuration file. If session.cookie_secure is not set to On, then the SameSite cookie attribute will not be added by REDCap.

• Bug fix: The main Notifications page in the Control Center and the Configuration Check page might not load completely if using PHP 5.5 or 5.6. Bug emerged in the previous REDCap version.

• Bug fix: A couple words were mistakenly not translated on Copy Project page. (Ticket #77083)

• Bug fix: If a user has clicked the "Request delete project" button on the "Other Functionality" page in a production project, after which they then click the "Cancel request" button to cancel that project-deletion request, then an administrator who is processing user requests via email notifications (as opposed to via the To-Do List) might not realize that the request was cancelled and thus might process the request and mistakenly delete the user's project unwittingly.

Version 9.5.8 - (released 1/21/2020)

BUG FIXES AND OTHER CHANGES:

• Bug fix: The Survey Confirmation Email feature might mistakenly display too many line breaks in the email text when viewing it on the Survey Settings page for an instrument or when viewing the received confirmation email in an email client.

• Bug fix: When importing data via API or Data Import Tool, it would mistakenly output a bunch of seemingly random text (e.g., "redcap_repeat_instrument, $repeat_instrument: ...") that was only meant for debugging purposes.

• Bug fix: If running REDCap on MySQL 8.0, it might mistakenly report an error that the "database structure is incorrect" in the Control Center or on the Configuration Check page when in fact the database structure is correct. This is due to the ZEROFILL attribute for numeric field types that exist in MySQL 8.0. (Ticket #76768)

• Bug fix: If the setting "Auto-suspend users after period of inactivity" is enabled, and some users who are suspended have not had any activity within the designated period of inactivity, then if the user has a sponsor and the user's sponsor puts in a request to have them unsuspended, the user would mistakenly get re-suspended within a day. (Ticket #58909)

• Bug fix: When clicking the "Cancel" button on a data entry form, it would mistakenly display the alert "Are you sure you wish to CANCEL and lose all changes made on this page?" when no values had actually changed on the page, which could be confusing to users. It now only displays the alerts when values have been added or modified. (Ticket #76818)

• Bug fix: When using Missing Data Codes in a project where a field in the project has the same value as a missing data code but has the @NOMISSING action tag, it would mistakenly interpret the field value as a missing data code in the following places: 1) the Data History popup on a data entry form, and 2) in the CSV Labels data export file. (Ticket #76813)

• Bug fix: When using Missing Data Codes in a project, if a file has been uploaded for a File Upload field and then a user clicks the "M" icon next to the field to open the missing data code choices, if they then click "[Clear value]", it would mistakenly hide the filename of the existing uploaded file, even though the user might choose to cancel the operation and not delete the file. This could be confusing to the user since it is hiding the file's filename prematurely in the process of entering a missing data code, thus making it appear as if perhaps the file has been deleted when in fact it has not. (Ticket #76810)

Version 9.5.7 - (released 1/20/2020)

BUG FIXES AND OTHER CHANGES:

• Major security fix: An “information leakage” security vulnerability was discovered, in which a malicious user could exploit it by manipulating the URL’s query string parameters for certain paths used to access External Module pages. This is not related to any specific External Module but is a vulnerability in the External Module Framework bundled with REDCap. The user could potentially access the contents of any plain-text files (excluding PHP files) that exist on the REDCap web server, including files that sit outside the server’s web root, which could include files with sensitive information. Note: In order to exploit this, the user must be a valid user that is currently logged in. This exploit is not able to reveal the contents of any PHP files on the server but other plain-text files instead, such as files with file extensions TXT, JSON, XML, or YAML. And in order to view the contents of a file, the malicious user must first know or guess the exact filename *and* directory location of the file on the server.

• Bug fix: External Modules could not be enabled if the user was using Internet Explorer. (Ticket #76276)

• Bug fix: When exporting data into SAS, it would result in errors upon loading into SAS for datetime fields if Missing Data Codes are not utilized in the project.

• Bug fix: When exporting data into SAS, it would mistakenly not apply choice label formats onto multiple choice values when loading into SAS.

• Bug fix: If a REDCap plugin, hook, or external module is calling REDCap::saveData() from outside the scope of the project in which it is saving the data, then if any Automated Survey Invitations in the project have conditional logic, then those ASIs might not get triggered successfully because in most cases the logic will never evaluate to TRUE. (Ticket #75607)

• Bug fix: When clicking the table header for a date or datetime field in a report, in which the dates/datetimes are in either MDY or DMY date format, it would mistakenly not sort the values correctly in the report. (Ticket #76377)

• Bug fix: If the Survey Confirmation Email setting has been enabled at the bottom of the Survey Settings page for a data collection instrument, and then a user disables it by setting its drop-down value to "No" and then saves the page, then even though the setting does get properly disabled upon save, if a user re-opens the Survey Settings page again later, it would mistakenly display the Survey Confirmation Email setting as still being enabled - even though it is not. (Ticket #76354)

• Bug fix: If the User Settings option "Allow normal users to move projects to production?" is set to "No, only Administrators can move projects to production," and email notifications are enabled for administrators to receive these user requests via email, then if a user requests that a project be moved to production but then cancels their own request on the Project Setup page, an administrator could still move the project to production afterward if they click the link received in the email (however, this could not be done via the To-Do List interface). This could cause some projects to have all their data mistakenly deleted if the requesting user clicked the wrong option in the "move to production" dialog and didn't notify the admin immediately afterward so that the admin would not approve their request. From now on, if the admin clicks the link in the email and the user has already cancelled the request, it will display an error to the admin and prevent them from approving the deleted request. (Ticket #76068)

• Bug fix: When executing a custom Data Quality rule in a longitudinal project, in which the rule's logic references fields on multiple events, in certain scenarios it might mistakenly display a false positive discrepancy from another unrelated event that is not referenced in the logic. (Ticket #76090)

• Bug fix: When viewing a project's Calendar page, the Agenda tab might mistakenly display "No calendar events to display" even though one calendar event is being displayed.

• Bug fix: When accessing the "Help & FAQ" page via the top nav bar on the My Projects page and Control Center pages, the search box at the top of the "Help & FAQ" page would be mostly obscured when initially loading the page, thus making it unusable until you scrolled down the page some to reveal it.

• Bug fix: The email Display Name will no longer be utilized for the "REDCap access granted" emails and "Verify your email address" emails that are sent to users from REDCap because the Display Name for these particular emails were causing them to get disproportionately flagged as spam by many institutions' email servers, thus preventing users from receiving them. (Ticket #75941)

• Bug fix: When using the CSV import functionality for the field mapping page of the Clinical Data Pull (CDP) feature, it would mistakenly not allow composite mapping of fields (i.e., many-to-one or one-to-many mapping) and thus might ignore some field mappings included in the CSV import file.

• Bug fix: If data had been entered into multiple instances of a repeating instrument or repeating event and then that instrument or event was later set to no longer be repeating (while there still exist other repeating instruments/events in the project), then the orphaned data from the repeating instances might mistakenly get included and displayed in reports or data exports. And in some cases, this orphaned data might cause Data Quality rule H to behave erratically, such as stating that there are some discrepancies to fix, but after clicking the button to auto-fix them, it would say that "0" were fixed.

• Bug fix: For many popup dialogs whose content is obtained from an AJAX call that returns a JSON-encoded payload, there are some cases where the popup might fail to open if there are certain non-Latin/UTF-8 characters in the text that will be displayed in the popup (e.g., Field Comments dialog, Survey Login dialog, Survey Queue Setup dialog, Edit Matrix Fields dialog). A new process has been added to most of these places to ensure that at least some of the content gets displayed in the dialog popup rather than never being able to open the dialog at all. (Ticket #76619)

• Bug fix: If an alert has been created in which its content/message contains one or more Smart Variables that allow you to provide custom text, such as survey-link, form-link, and survey-queue-link (e.g., [survey-link:prescreening:My Custom Text]), then if the Smart Variable's custom text contains a forward slash "/", then it would mistakenly prevent the alert's notification from being sent.

• Bug fix: If Missing Data Codes are enabled in a project, then the Missing Data Codes "M" icon on a data entry form would mistakenly be displayed and would function even when the entire form is disabled due to limited user rights or if viewing an un-editable survey response. Note: Clicking an option in the Missing Data Codes popup would change the value of the associated field, but since there would be no way to save that value, it would never affect any data. (Ticket #76688)

• Bug fix: When a user requests changes in a production project, the display name for the "Review & Approve Project Changes" email sent to the REDCap admin gets set to the project contact name instead of the user's first and last name. (Ticket #76685)

• Bug fix: If exporting a report in JSON format via the REDCap API, in which the report has filter logic defined and contains many thousands of records that will be returned, the beginning of the JSON string returned in the API response might mistakenly get malformed and begin with "[,{" instead of "[{". (Ticket #76602)

• Bug fix: When importing data via the API in "EAV" format for a repeating instrument or repeating event, many of the normal checks that ensure that the fields "redcap_repeat_instrument" and "redcap_repeat_instance" have valid values where mistakenly getting bypassed and thus not performing all the necessary checks to ensure the best data quality during the import. For example, importing a field on a repeating instrument but leaving the "redcap_repeat_instance" field blank would not return an error but would instead assume the value is "1", which should not be assumed. (Ticket #75854)

Version 9.5.6 - (released 1/9/2020)

BUG FIXES & OTHER CHANGES:

• Minor security fix: REDCap now automatically removes the "X-Powered-By" response header produced by the REDCap server so that it doesn't reveal the server's PHP version (the default behavior), which is considered to be a minor security issue.

• Bug fix: If the record ID field has min/max validation, it would mistakenly prevent records from being created on the "Add/Edit Records" page and "Record Status Dashboard" if a record ID was entered in the correct format but whose value was out of range. It should allow the creation of the record even when out of range. (Ticket #60352)

• Bug fix: If any Alerts & Notifications get triggered via the Alerts DataDiff cron job (because an alert has conditional logic that contains datediff+today/now), then it might not perform all piping correctly if any field variables are piped into the email subject, email content, or are used for recipients or attachments.

• Bug fix: If an alert is set to be triggered "Using conditional logic during a data import or data entry" and is set to send "Just once", then if the conditional logic has become true when importing or entering data for a repeating instrument, it would mistakenly keep sending a new notification every time the record is saved (assuming the logic is still true). Instead it should only send it once (per repeating instance).

• Bug fix: If any Alerts & Notifications get triggered via the Alerts DataDiff cron job (because an alert has conditional logic that contains datediff+today/now), then they might mistakenly only get scheduled once per record rather than for all events and all repeating instances within a given record. Warning: This fix might inadvertently cause the cron job to schedule/send any alerts that were supposed to have been scheduled/sent in the past but mistakenly were not sent because of this bug. There is unfortunately no way to prevent this.

• Bug fix: When attempting to change the version of an External Module while using Firefox, it would mistakenly fail due to a JavaScript error. (Ticket #76009)

• Bug fix: The act of deleting a custom record status dashboard would mistakenly not get logged on the project's Logging page.

• Bug fix: When exporting data into SAS, it would result in errors upon loading into SAS for multiple choice fields that contain only numerical codings (including True/False, Yes/No, and form complete status fields) and also for number/integer fields, but only if Missing Data Codes are not utilized in the project.

• Bug fix: Some CSS (i.e., affecting "a.btn") was added to REDCap's styling in a recent version that was mistakenly overriding some Bootstrap CSS, which might negatively affect some REDCap plugins, hooks, or modules. (Ticket #75943)

• Bug fix: If the setting "Domain whitelist for user email addresses" is enabled and Table-based authentication is being used, then the "Set Up Password Recovery Question" popup would mistakenly fail to enforce the domain whitelist if a user attempts to modify their primary email address in that popup. (Ticket #75990)

• Bug fix: For users with visual impairments that are using screen reader software on survey pages, there are certain conditions, such as if the Text-To-Speech feature is enabled on that survey, where screen readers might not be able to interpret all the labels on the page correctly.

• Bug fix: When viewing a project's Logging page using Internet Explorer or Edge browser, if the username is long as displayed in the logging table, it might cause some of the columns in the table to overflow onto each other, thus making them nearly unreadable. (Ticket #76109)

• Bug fix: False positives may appear as discrepancies when running Data Quality rule F in a longitudinal project when fields have branching logic that does not have a unique event name explicitly prepended to all field variables in the logic. (Ticket #66789)

• Bug fix: When attempting to add a new user on the User Rights page in a project, if a user being searched for has a first or last name that contains undecipherable/mangled characters, then it would fail to return any users in the auto-suggest list as the user types the user's username. (Ticket #76053)