Merge commit from fork

kojiromike · claude · web-flow · commit b1e3fe8a9ed8 · 2026-01-02T09:30:51.000-05:00
* refactor: use escaped translation functions consistently Replace direct xl() calls with properly escaped wrappers to ensure consistent string sanitization in translation output: - Add xlx() function for XML context (xl + xmlEscape) - Add type declarations to xl wrapper functions (xlt, xla, xlj, xlx) - Update Smarty {xl} plugin to use xlt() for HTML context - Use xmlEscape/xlx() for XML output in AclExtended.php - Use xlt() for HTML output in controllers and templates - Use text() for dynamic values in HTML context * refactor: replace xls() with xlj() for JavaScript strings Migrate all xls() calls to xlj() which uses proper js_escape() instead of addslashes() for consistent JavaScript string handling. Updated 28 occurrences across 10 files. * refactor(Billing): remove unused return value from arSetupSecondary The return value was never used by any caller - the function is called purely for its side effects (updating claims via BillingUtilities). Added void return type to make this explicit. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(Smarty): remove unescaped xl translation function Remove the {xl} Smarty plugin and migrate all usages to escaped variants: - {xlt} for text content - {xla} for HTML attributes This forces developers to use explicit escaped variants and eliminates a potential XSS footgun. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(Zend): remove unsafe z_xl() translation wrapper Remove z_xl() which wrapped the unescaped xl() function. All usages migrated to z_xlt() which properly escapes output for HTML text context. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/controllers/C_Document.class.php b/controllers/C_Document.class.php
@@ -416,7 +416,7 @@ public function note_action_process($patient_id)
                 $temp_url = $GLOBALS['OE_SITE_DIR'] . '/documents/' . $from_pathname . '/' . $from_filename;
             }
             if (!file_exists($temp_url)) {
-                echo xl('The requested document is not present at the expected location on the filesystem or there are not sufficient permissions to access it.') . ' ' . $temp_url;
+                echo xlt('The requested document is not present at the expected location on the filesystem or there are not sufficient permissions to access it.') . ' ' . text($temp_url);
             }
             $url = $temp_url;
             $pdetails = getPatientData($patient_id);
diff --git a/controllers/C_Prescription.class.php b/controllers/C_Prescription.class.php
@@ -649,7 +649,7 @@ function multiprintcss_preheader()
         echo ("}\n");
         echo ("</style>\n");
 
-        echo ("<title>" . xl('Prescription') . "</title>\n");
+        echo ("<title>" . xlt('Prescription') . "</title>\n");
         echo ("</head>\n");
         echo ("<body>\n");
     }
@@ -706,8 +706,8 @@ function multiprint_footer(&$pdf)
     function multiprintcss_footer()
     {
         echo ("<div class='signdiv'>\n");
-        echo (xl('Signature') . ":________________________________<br />");
-        echo (xl('Date') . ": " . date('Y-m-d'));
+        echo (xlt('Signature') . ":________________________________<br />");
+        echo (xlt('Date') . ": " . text(date('Y-m-d')));
         echo ("</div>\n");
         echo ("</div>\n");
     }
diff --git a/interface/billing/sl_eob_process.php b/interface/billing/sl_eob_process.php
@@ -841,7 +841,7 @@ class: $class,
     <?php echo xlt('Amount'); ?>&nbsp;
       </td>
       <td class="dehead" align="right">
-    <?php echo xl('Balance'); ?>&nbsp;
+    <?php echo xlt('Balance'); ?>&nbsp;
       </td>
      </tr>
 
diff --git a/interface/clickmap/template/general_new.html b/interface/clickmap/template/general_new.html
@@ -26,13 +26,13 @@
         {if !$reportMode}
             <div class="col-12">
                 <div class="btn-group">
-                    <button class="btn btn-primary btn-save" id="btn_save">{xl t="Save"}</button>
-                    <button class="btn btn-secondary btn-delete" id="btn_clear">{xl t="Clear"}</button>
-                    <button class="btn btn-secondary btn-cancel" onclick="top.restoreSession(); location.href='javascript:parent.closeTab(window.name, false)'">{xl t="Cancel"}</button>
+                    <button class="btn btn-primary btn-save" id="btn_save">{xlt t="Save"}</button>
+                    <button class="btn btn-secondary btn-delete" id="btn_clear">{xlt t="Clear"}</button>
+                    <button class="btn btn-secondary btn-cancel" onclick="top.restoreSession(); location.href='javascript:parent.closeTab(window.name, false)'">{xlt t="Cancel"}</button>
                 </div>
                 <p>
-                    {xl t="Click a spot on the graphic to add a new annotation, click it again to remove it"} <br/>
-                    {xl t="The 'Clear' button will remove all annotations."}
+                    {xlt t="Click a spot on the graphic to add a new annotation, click it again to remove it"} <br/>
+                    {xlt t="The 'Clear' button will remove all annotations."}
                 </p>
             </div>
         {/if}
diff --git a/interface/forms/ros/templates/ros/general_new.html b/interface/forms/ros/templates/ros/general_new.html
@@ -10,7 +10,7 @@
 <html>
 <head>
 
-<title>{xl t='Review Of Systems'|text}</title>
+<title>{xlt t='Review Of Systems'}</title>
 
 {headerTemplate}
 
diff --git a/interface/modules/zend_modules/module/Application/src/Application/Controller/IndexController.php b/interface/modules/zend_modules/module/Application/src/Application/Controller/IndexController.php
@@ -50,7 +50,7 @@ public function ajaxZxlAction()
     {
         $request  = $this->getRequest();
         $message  = $request->getPost()->msg;
-        $array    = ['msg' => $this->listenerObject->z_xl($message)];
+        $array    = ['msg' => $this->listenerObject->z_xlt($message)];
         $return   = new JsonModel($array);
         return $return;
     }
diff --git a/interface/modules/zend_modules/module/Application/src/Application/Listener/Listener.php b/interface/modules/zend_modules/module/Application/src/Application/Listener/Listener.php
@@ -51,16 +51,6 @@ public function detach(EventManagerInterface $events, $priority = 1)
         }
     }
 
-  /**
-   * Language converter
-   * @param string $str
-   * @return string
-   */
-    public static function z_xl($str)
-    {
-        return xl($str);
-    }
-
   /**
    * Language converter
    * @param string $str
@@ -80,5 +70,4 @@ public static function z_xla($str)
     {
         return xla($str);
     }
-
 }
diff --git a/interface/modules/zend_modules/module/Carecoordination/src/Carecoordination/Model/EncounterccdadispatchTable.php b/interface/modules/zend_modules/module/Carecoordination/src/Carecoordination/Model/EncounterccdadispatchTable.php
@@ -4336,7 +4336,7 @@ public function getPlanOfCare($pid, $encounter)
                 <code_text>" . xmlEscape($row['codetext']) . "</code_text>
                 <date>" . xmlEscape($row['date']) . "</date>
                 <date_formatted>" . xmlEscape(str_replace("-", '', $row['date'])) . "</date_formatted>
-                <assessment>" . xmlEscape(xl('Encounter')) . "</assessment>
+                <assessment>" . xlx('Encounter') . "</assessment>
              </concern>";
             }
             // Goal (SNOMED CT or LOINC)
diff --git a/interface/modules/zend_modules/module/Multipledb/src/Multipledb/Controller/MultipledbController.php b/interface/modules/zend_modules/module/Multipledb/src/Multipledb/Controller/MultipledbController.php
@@ -56,7 +56,7 @@ public function indexAction()
         $this->getCssFiles();
         $this->layout()->setVariable('jsFiles', $this->jsFiles);
         $this->layout()->setVariable('cssFiles', $this->cssFiles);
-        $this->layout()->setVariable("title", $this->listenerObject->z_xl("Multiple DataBase"));
+        $this->layout()->setVariable("title", $this->listenerObject->z_xlt("Multiple DataBase"));
         $this->checkAcl();
 
         return new ViewModel([
@@ -74,7 +74,7 @@ public function editAction()
         $this->getCssFiles();
         $this->layout()->setVariable('jsFiles', $this->jsFiles);
         $this->layout()->setVariable('cssFiles', $this->cssFiles);
-        $this->layout()->setVariable("title", $this->listenerObject->z_xl("Multiple DataBase"));
+        $this->layout()->setVariable("title", $this->listenerObject->z_xlt("Multiple DataBase"));
         $this->checkAcl('write');
 
         return new ViewModel([
@@ -130,7 +130,7 @@ public function generatesafekeyAction()
         $this->getCssFiles();
         $this->layout()->setVariable('jsFiles', $this->jsFiles);
         $this->layout()->setVariable('cssFiles', $this->cssFiles);
-        $this->layout()->setVariable("title", $this->listenerObject->z_xl("Multiple DataBase"));
+        $this->layout()->setVariable("title", $this->listenerObject->z_xlt("Multiple DataBase"));
         $this->checkAcl('write');
 
         return new ViewModel([
diff --git a/interface/modules/zend_modules/module/Patientvalidation/src/Patientvalidation/Controller/PatientvalidationController.php b/interface/modules/zend_modules/module/Patientvalidation/src/Patientvalidation/Controller/PatientvalidationController.php
@@ -79,7 +79,7 @@ public function indexAction()
         $this->getCssFiles();
         $this->layout()->setVariable('jsFiles', $this->jsFiles);
         $this->layout()->setVariable('cssFiles', $this->cssFiles);
-        $this->layout()->setVariable("title", $this->listenerObject->z_xl("Patient validation"));
+        $this->layout()->setVariable("title", $this->listenerObject->z_xlt("Patient validation"));
         $this->layout()->setVariable("translate", $this->translate);
 
          $relatedPatients =  $this->getAllRealatedPatients();
diff --git a/library/FeeSheetHtml.class.php b/library/FeeSheetHtml.class.php
@@ -372,7 +372,7 @@ function jsLineItemValidation(f) {
         } // end if male patient
         if ($this->patient_age < 10 || $this->patient_age > 65) {
             $s .= "
-   if (!confirm(" . xlj('Warning: Contraception for a patient under 10 or over 65.') . "))
+    if (!confirm(" . xlj('Warning: Contraception for a patient under 10 or over 65.') . "))
     return false;
 ";
         } // end if improper age
diff --git a/library/htmlspecialchars.inc.php b/library/htmlspecialchars.inc.php
@@ -257,8 +257,11 @@ function xla($key)
     return attr(hsc_private_xl_or_warn($key));
 }
 
-/*
- * Translate via xl() and then escape via js_escape for use with javascript literals
+/**
+ * Translate via xl() and then escape via js_escape() for use with JavaScript literals.
+ *
+ * @param string $key The string to translate and escape.
+ * @return string The translated string escaped for JavaScript.
  */
 function xlj($key)
 {
@@ -275,4 +278,3 @@ function xlx($key)
 {
     return xmlEscape(hsc_private_xl_or_warn($key));
 }
-
diff --git a/library/smarty/plugins/function.xl.php b/library/smarty/plugins/function.xl.php
diff --git a/non-standard-translation-functions.md b/non-standard-translation-functions.md
@@ -13,9 +13,8 @@ Adapter class for OpenEMR language conversion within the Zend module system.
 
 | Line | Function | Wraps |
 |------|----------|-------|
-| 59 | `z_xl($str)` | `xl()` |
-| 69 | `z_xlt($str)` | `xlt()` |
-| 79 | `z_xla($str)` | `xla()` |
+| 59 | `z_xlt($str)` | `xlt()` |
+| 69 | `z_xla($str)` | `xla()` |
 
 ## interface/modules/zend_modules/module/Application/src/Application/Helper/TranslatorViewHelper.php
 
diff --git a/src/Billing/SLEOB.php b/src/Billing/SLEOB.php
@@ -258,7 +258,7 @@ public static function arGetPayerID($patient_id, $date_of_service, $payer_type)
 
     // Make this invoice re-billable, new style.
     //
-    public static function arSetupSecondary($patient_id, $encounter_id, $debug, $crossover = 0)
+    public static function arSetupSecondary($patient_id, $encounter_id, $debug, $crossover = 0): void
     {
         if ($crossover == 1) {
             //if claim forwarded setting a new status
@@ -290,7 +290,5 @@ public static function arSetupSecondary($patient_id, $encounter_id, $debug, $cro
                 BillingUtilities::updateClaim(true, $patient_id, $encounter_id, -1, -1, $status, 0, '', '', '', $crossover);
             }
         }
-
-        return xl("Encounter ") . $encounter_id . xl(" is ready for re-billing.");
     }
 }
diff --git a/src/Common/Acl/AclExtended.php b/src/Common/Acl/AclExtended.php
@@ -595,18 +595,18 @@ public static function aclListingsXml($err)
                 //                         Translate return value
                 //                         Translate description
                 $message .= "\t<acl>\n" .
-                    "\t\t<value>" . $value . "</value>\n" .
-                    "\t\t<title>" . xl_gacl_group($value) . "</title>\n" .
-                    "\t\t<returnid>" . $ret  . "</returnid>\n" .
-                    "\t\t<returntitle>" . xl($ret)  . "</returntitle>\n" .
-                    "\t\t<note>" . xl($note)  . "</note>\n" .
+                    "\t\t<value>" . xmlEscape($value) . "</value>\n" .
+                    "\t\t<title>" . xmlEscape(xl_gacl_group($value)) . "</title>\n" .
+                    "\t\t<returnid>" . xmlEscape($ret)  . "</returnid>\n" .
+                    "\t\t<returntitle>" . xlx($ret)  . "</returntitle>\n" .
+                    "\t\t<note>" . xlx($note)  . "</note>\n" .
                     "\t</acl>\n";
             }
         }
 
         if (isset($err)) {
             foreach ($err as $value) {
-                $message .= "\t<error>" . $value . "</error>\n";
+                $message .= "\t<error>" . xmlEscape($value) . "</error>\n";
             }
         }
 
@@ -650,7 +650,7 @@ public static function acoListingsXml($group, $return_value, $err)
 
                         // Modified 6-2009 by BM - Translate gacl aco section name
                         $message .= "\t\t<section>\n" .
-                            "\t\t\t<name>" . xl($aco_section_title) . "</name>\n";
+                            "\t\t\t<name>" . xlx($aco_section_title) . "</name>\n";
                     }
 
                     $aco_id = $gacl->get_object_id($key, $value2, 'ACO');
@@ -659,9 +659,9 @@ public static function acoListingsXml($group, $return_value, $err)
                     $message .= "\t\t\t<aco>\n";
 
                     // Modified 6-2009 by BM - Translate gacl aco name
-                    $message .= "\t\t\t\t<title>" . xl($aco_title) . "</title>\n";
+                    $message .= "\t\t\t\t<title>" . xlx($aco_title) . "</title>\n";
 
-                    $message .= "\t\t\t\t<id>" . $aco_id . "</id>\n";
+                    $message .= "\t\t\t\t<id>" . xmlEscape($aco_id) . "</id>\n";
                     $message .= "\t\t\t</aco>\n";
                 }
             }
@@ -679,7 +679,7 @@ public static function acoListingsXml($group, $return_value, $err)
 
             // Modified 6-2009 by BM - Translate gacl aco section name
             $message .= "\t\t<section>\n" .
-                "\t\t\t<name>" . xl($aco_section_title) . "</name>\n";
+                "\t\t\t<name>" . xlx($aco_section_title) . "</name>\n";
 
             foreach ($active_aco_objects[$key] as $value2) {
                 $aco_id = $gacl->get_object_id($key, $value2, 'ACO');
@@ -688,9 +688,9 @@ public static function acoListingsXml($group, $return_value, $err)
                 $message .= "\t\t\t<aco>\n";
 
                 // Modified 6-2009 by BM - Translate gacl aco name
-                $message .= "\t\t\t\t<title>" . xl($aco_title) . "</title>\n";
+                $message .= "\t\t\t\t<title>" . xlx($aco_title) . "</title>\n";
 
-                $message .= "\t\t\t\t<id>" . $aco_id . "</id>\n";
+                $message .= "\t\t\t\t<id>" . xmlEscape($aco_id) . "</id>\n";
                 $message .= "\t\t\t</aco>\n";
             }
 
@@ -700,7 +700,7 @@ public static function acoListingsXml($group, $return_value, $err)
         $message .= "\t</active>\n";
         if (isset($err)) {
             foreach ($err as $value) {
-                $message .= "\t<error>" . $value . "</error>\n";
+                $message .= "\t<error>" . xmlEscape($value) . "</error>\n";
             }
         }
 
@@ -727,8 +727,8 @@ public static function returnValuesXml($err)
                 if (!in_array($ret, $returns)) {
                     // Modified 6-2009 by BM - Translate return value
                     $message .= "\t<return>\n";
-                    $message .= "\t\t<returnid>" . $ret  . "</returnid>\n";
-                    $message .= "\t\t<returntitle>" . xl($ret)  . "</returntitle>\n";
+                    $message .= "\t\t<returnid>" . xmlEscape($ret)  . "</returnid>\n";
+                    $message .= "\t\t<returntitle>" . xlx($ret)  . "</returntitle>\n";
                     $message .= "\t</return>\n";
 
                     array_push($returns, $ret);
@@ -738,7 +738,7 @@ public static function returnValuesXml($err)
 
         if (isset($err)) {
             foreach ($err as $value) {
-                $message .= "\t<error>" . $value . "</error>\n";
+                $message .= "\t<error>" . xmlEscape($value) . "</error>\n";
             }
         }
 
diff --git a/templates/documents/general_upload.html b/templates/documents/general_upload.html
@@ -48,7 +48,7 @@ <h3>{if !empty($error)}{$error|text|nl2br}{/if}</h3>
             </div>
             {/if}
             <div>
-                <input type="submit" class="btn btn-primary" value="{xl t='Upload'|attr}" />
+                <input type="submit" class="btn btn-primary" value="{xla t='Upload'}" />
             </div>
         </div>
         <input type="hidden" name="patient_id" value="{$patient_id|attr}" />

Original file line number	Diff line number	Diff line change
`@@ -416,7 +416,7 @@ public function note_action_process($patient_id)`
`416`	`416`	`$temp_url = $GLOBALS['OE_SITE_DIR'] . '/documents/' . $from_pathname . '/' . $from_filename;`
`417`	`417`	`}`
`418`	`418`	`if (!file_exists($temp_url)) {`
`419`		`- echo xl('The requested document is not present at the expected location on the filesystem or there are not sufficient permissions to access it.') . ' ' . $temp_url;`
	`419`	`+ echo xlt('The requested document is not present at the expected location on the filesystem or there are not sufficient permissions to access it.') . ' ' . text($temp_url);`
`420`	`420`	`}`
`421`	`421`	`$url = $temp_url;`
`422`	`422`	`$pdetails = getPatientData($patient_id);`
Original file line number	Diff line number	Diff line change
`@@ -649,7 +649,7 @@ function multiprintcss_preheader()`
`649`	`649`	`echo ("}\n");`
`650`	`650`	`echo ("</style>\n");`
`651`	`651`
`652`		`- echo ("<title>" . xl('Prescription') . "</title>\n");`
	`652`	`+ echo ("<title>" . xlt('Prescription') . "</title>\n");`
`653`	`653`	`echo ("</head>\n");`
`654`	`654`	`echo ("<body>\n");`
`655`	`655`	`}`
`@@ -706,8 +706,8 @@ function multiprint_footer(&$pdf)`
`706`	`706`	`function multiprintcss_footer()`
`707`	`707`	`{`
`708`	`708`	`echo ("<div class='signdiv'>\n");`
`709`		`- echo (xl('Signature') . ":________________________________<br />");`
`710`		`- echo (xl('Date') . ": " . date('Y-m-d'));`
	`709`	`+ echo (xlt('Signature') . ":________________________________<br />");`
	`710`	`+ echo (xlt('Date') . ": " . text(date('Y-m-d')));`
`711`	`711`	`echo ("</div>\n");`
`712`	`712`	`echo ("</div>\n");`
`713`	`713`	`}`
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ public function ajaxZxlAction()`
`50`	`50`	`{`
`51`	`51`	`$request = $this->getRequest();`
`52`	`52`	`$message = $request->getPost()->msg;`
`53`		`- $array = ['msg' => $this->listenerObject->z_xl($message)];`
	`53`	`+ $array = ['msg' => $this->listenerObject->z_xlt($message)];`
`54`	`54`	`$return = new JsonModel($array);`
`55`	`55`	`return $return;`
`56`	`56`	`}`
Original file line number	Diff line number	Diff line change
`@@ -51,16 +51,6 @@ public function detach(EventManagerInterface $events, $priority = 1)`
`51`	`51`	`}`
`52`	`52`	`}`
`53`	`53`
`54`		`- /**`
`55`		`- * Language converter`
`56`		`- * @param string $str`
`57`		`- * @return string`
`58`		`- */`
`59`		`- public static function z_xl($str)`
`60`		`- {`
`61`		`- return xl($str);`
`62`		`- }`
`63`		`-`
`64`	`54`	`/**`
`65`	`55`	`* Language converter`
`66`	`56`	`* @param string $str`
`@@ -80,5 +70,4 @@ public static function z_xla($str)`
`80`	`70`	`{`
`81`	`71`	`return xla($str);`
`82`	`72`	`}`
`83`		`-`
`84`	`73`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4336,7 +4336,7 @@ public function getPlanOfCare($pid, $encounter)`
`4336`	`4336`	`<code_text>" . xmlEscape($row['codetext']) . "</code_text>`
`4337`	`4337`	`<date>" . xmlEscape($row['date']) . "</date>`
`4338`	`4338`	`<date_formatted>" . xmlEscape(str_replace("-", '', $row['date'])) . "</date_formatted>`
`4339`		`- <assessment>" . xmlEscape(xl('Encounter')) . "</assessment>`
	`4339`	`+ <assessment>" . xlx('Encounter') . "</assessment>`
`4340`	`4340`	`</concern>";`
`4341`	`4341`	`}`
`4342`	`4342`	`// Goal (SNOMED CT or LOINC)`