Changelog

This page includes a partial list of changes with each version of REDCap, including new features, improvements, and bug fixes.

• Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered when uploading files for a File Upload field on a data entry form or survey page, in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a URL. This can be exploited by anyone who has a link to a survey with a File Upload field (i.e., does not require authentication). Bug exists in all REDCap versions for the past 10 years.

• Improvement/change: The user list table on the Project Home page now displays “EHR Access” in its own column in CDIS projects, separate from the user information. The table style was also slightly tweaked to enhance responsiveness, making the interface cleaner and more user-friendly across devices.

• Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).

• Change/improvement: All rich text editors now utilize the browser’s native spell check functionality by putting a red underline under a misspelled word. (Ticket #246649)

• Change: Text and phrases on certain MyCap-related pages were abstracted to allow for translation.

• Minor security fix: Removed outdated dependencies on the external libraries (jQuery, Bootstrap, Popper) in the “Launch from EHR” process for CDIS projects, specifically due to a vulnerability in Bootstrap 4. These libraries were previously locked to older versions to maintain compatibility with older browsers like IE11, required in specific Epic integration settings. This update eliminates potential security risks associated with the outdated libraries and improves overall maintainability. Note: The vulnerability is only exploitable if the Clinical Data Pull service is enabled in CDIS.

• Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the Data Import Tool page in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a CSV data file being uploaded for the Background Data Import process. This can only be exploited by an authenticated user. Bugs exists in REDCap 13.8.0 and higher.

• Major security fix: An SQL Injection vulnerability was found on the User Rights page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way when adding new User Roles. This can only be exploited by authenticated users. Bug exists in REDCap 10.3.3 and higher.

• Bug fix: If MyCap is disabled at the system level and then a user creates a project via a Project XML file, in which the Project XML is set to have MyCap enabled, the MyCap settings for the project would mistakenly get loaded into the new project.

• Bug fix: In extremely rare situations, the survey page might return the error message “An unknown error has caused the REDCap page to halt”, thus possibly preventing the survey response from being saved properly and ending the survey prematurely.

• Bug fix: Several missing LOINC codes were added to the CDIS mapping features.

• Bug fix: When a user enables Draft Preview Mode in a production project and then views a data entry form for an existing record, some checkboxes on the form might not display the correct value (i.e., checked/unchecked state), especially for checkboxes that exist only in Draft Mode (i.e., are not “live” yet).

• Bug fix: When using inline comments inside the “Action Tag/Field Annotation” text, specifically for the IF action tag, the logic might mistakenly not get parsed correctly, thus causing it not to behave as expected. (Ticket #246704)

• Bug fix: Fields might mistakenly fail to be embedded inside a Descriptive field if the Descriptive field already has some input elements contained inside it (in its pre-embedded state). (Ticket #246424)

• Bug fix: For logic-based PDF snapshots stored in the PDF Snapshot Archive in the File Repository, the record link for the snapshot in the snapshot table on the page would mistakenly not navigate the user to the record correctly.

• Bug fix: The “Read introduction to Data Resolution Workflow” link does not work from the “Resolution Metrics” tab of the Data Quality page due to a JavaScript error. (Ticket #246592)

• Bug fix: The Configuration Check page and main Control Center page might mistakenly note that something is wrong with the database structure, specifically the table “redcap_ehr_resource_imports”. This was merely a false positive, and it only occurs when running MySQL 8. (Ticket #246426)

• Bug fix: When a user is performing the “Re-evaluate ASI” action in the Online Designer, in which they select the “Test Run” option, the process might mistakenly run many more SQL queries than is intended, which might result in database server performance degradation while the process is running. (Ticket #246170)

• Bug fix: When importing clinical notes for Clinical Data Mart projects via CDIS, the system would fail to identify existing clinical notes, resulting in duplicate entries being stored in CDM projects. REDCap now properly detects and prevents duplicates.

• Bug fix: When using CDIS, the Patient resource would return a blank gender value if a blank gender is provided (i.e., exists in the EHR), instead of defaulting to ‘UNK’. This change ensures consistent handling of blank gender values, particularly in “Break the Glass” scenarios.

• Bug fix: When using Custom Event Labels in a longitudinal project, in very specific cases when field variables are prepended with a unique event name in the label, that field’s value might mistakenly not get displayed in the Custom Event Label in the table header on the Record Home Page. (Ticket #246409)

• Bug fix: When using REDCap’s Two-Factor Authentication feature with the Microsoft/Google Authenticator 2FA option enabled while also using an “X & Table-based” authentication method, the table of user attributes on the Browse Users page in the Control Center would mistakenly display the “Send instructions via email” option for Microsoft/Google Authenticator when an administrator is viewing a non-Table-based user when the “Enforce two-factor authentication ONLY for Table-based users?” 2FA setting is enabled. If 2FA is enabled only for Table-based users, then that option on the Browse Users page should not be displayed when viewing a non-Table-based user’s account. Additionally, the “Expiration time for 2-step login code” row should also be hidden in this case. (Ticket #246329)

• Bug fix: When using the “Break the Glass” feature for CDIS, the selection would mistakenly not be cleared after a successful “Break the Glass” action, leaving the “Submit” button enabled. The selection now clears as expected, and the button is properly disabled.

• Improvement: A new FHIR Statistics page has been added to the Control Center to allow admins to view counts and visualize the EHR data being imported into REDCap via CDIS. There are date-range controls to filter the data by a min/max date, and an export option also exists on the page for exporting the counts. Note: Due to issues with the stats collection not being accurate in previous versions, REDCap will unfortunately be starting with a blank slate stats-wise with this version. For more details, see the FHIR stats-related bug listed below.

• Improvement: When a REDCap administrator is in a project uploading a data dictionary that contains Dynamic SQL fields, the page now displays the following warning to provide more info and transparency when a SQL field is being added or modified: “Allowable warnings found in your Data Dictionary: An ‘sql’ field is being modified or added in this project. Please confirm that this is acceptable.” (Ticket #246357)

• Improvement: When using MyCap together with MLM, the MyCap language codes are now more flexible when adding a language on the MLM setup page. For example, if the language code is “en”, “en-US”, or “en-UK” on the MLM page, the MyCap mobile app will recognize any of those generally as “English”.

• Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered at the survey end-point in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a survey URL. This can be exploited by anyone and does not require authentication; however, this exploit is only successful when the outgoing email service being used allows invalid email addresses (e.g., those containing HTML tags or JavaScript) to be used in the recipient email address and returns a status of True that the email sent successfully. Thus, this bug does not occur if using SendGrid, MailGun, or Mandrill third-party email services. Bugs exists in all versions of REDCap.

• Major bug fix: When a record in a longitudinal project belongs to a Data Access Group, in which the record has data in only one event, if a user clicks the red X on the Record Home Page to “Delete all data on event” for the one event that contains data, it would mistakenly cause the record to no longer be assigned to the DAG. Additionally, the Logging page would not note the record being unassigned from the DAG. (Ticket #246056)

• Bug fix: If a multi-page survey has the “Save & Return Later” option enabled and has the “Allow respondents to return without needing a return code” option enabled, if data is entered on that instrument via data entry form (but not via survey) and then the survey is opened, the survey page might mistakenly open on a later page rather than on the first page, as expected. (Ticket #245967)

• Bug fix: If a survey has invitations that have been scheduled or sent, and that survey instrument is later deleted (i.e., the instrument, not the survey settings), those invitations would still appear in the Survey Invitation Log. (Ticket #246034)

• Bug fix: In a MyCap-enabled project that also uses MLM, the base language in MLM would be included in the list of languages in MyCap even if MyCap is not utilized in MLM.

• Bug fix: The “Break the Glass” feature for CDIS when pulling data from Epic into REDCap was no longer working due to changes on the Epic side. The issue has been fixed to allow CDIS users to be able to perform “Break the Glass” operations on multiple records again in the REDCap interface.

• Bug fix: The FHIR statistics collection process for CDIS (i.e., counting the number of values and types of data imported from the EHR via Clinical Data Mart and Clinical Data Pull) was mistakenly storing inaccurate counts for a long time. Much of the stats of data being imported from the EHR was not stored due to a bug. In response to this issue, the old stats data will have to be abandoned but will remain in the REDCap backend database in the table “redcap_ehr_import_counts” for legacy purposes, and that table will no longer be used by the application. As of this version, REDCap has two new database tables “redcap_ehr_resource_imports” and “redcap_ehr_resource_import_details” to collect accurate CDIS stats going forward. The new tables and stats page enhance monitoring, enable improved reporting, and ensure accurate categorization of imported resources in REDCap.

• Bug fix: When a PDF Snapshot is being triggered using a data import or if a PDF is being generated via the REDCap::getPDF() method in an External Module, it would mistakenly output the error message “PDF cannot be output because some content has already been output to buffer” onto the page if some of the webpage had already been rendered. (Ticket #246037)

• Bug fix: When a user is assigning another user to a data query via email for the Data Resolution Workflow, the recipient’s first and last name would mistakenly be used as the email sender’s Display Name in the email. (Ticket #245946)

• Bug fix: When saving API secrets/keys on various configuration-related Control Center pages, the values of the secrets/keys would mistakenly get logged in the “redcap_log_event” database table. These values are already being encrypted when added to the “redcap_config” table, and as such, they should not be stored in plain text in the internal REDCap logging either. Thus, going forward, any such values will be stored with the value “[REDACTED]” in the logging table rather than as their literal value. (Ticket #245886)

• Bug fix: When using the Survey Login feature in a project, if a survey participant leaves all survey login fields empty and they try to log in by submitting blank values, the survey login would mistakenly be successful, regardless of the number of login fields and the minimum number of fields above that are required for login. (Ticket #246295)

• Improvement: Allow for multiple IdPs for Shibboleth authentication - This allows multiple Shibboleth Login Options to be configured on the Security & Authentication page in the Control Center when using Shibboleth authentication. Previously, this was only possible when using Shibboleth+Table-based authentication. If no Login Option is defined, then authentication functions as normal for Shibboleth. However, if at least one Login Option is defined, then authentication functions much more like Shibboleth+Table-based authentication. Specifically, users will be presented with a login screen identical with the Shibboleth+Table screen except that there is no option for local REDCap login.

• Improvement: Public project dashboard links can now be turned into QR codes. If a public link is created for a project dashboard (including custom/short links), a button next to the public URL on the Edit Project Dashboard view will appear that (when clicked) will display the QR code representing the dashboard link. The QR code image can also be downloaded in SVG format or copied to the user’s clipboard.

• Change/improvement: The “View modules available in the REDCap Repo” button in the External Modules Module Manager in the Control Center now opens the REDCap Repo website in a new tab, whereas in previous versions it opened in the same tab. (Ticket #245904)

• Change/improvement: When using MyCap in a project, a new UI improvement has been made for making the ‘enable/disable for event’ buttons more noticeable on the MyCap Task setup page for longitudinal projects.

• Major bug fix: Reverted the cookie-related security improvement in REDCap 14.9.0 so that the SameSite attribute for cookies will now default to the value “Lax” again as it did in pre-14.9.0 versions of REDCap. The change of the cookie SameSite attribute in REDCap 14.9.0 broke authentication for some folks using specific configurations of OpenID Connect and Entra ID authentication. (Ticket #245768)

• Bug fix: In the “Modify the MyCap task settings” section in the Online Designer, some of the settings were mistakenly not translatable in a language INI file.

• Bug fix: On the CDP Mapping page for CDIS, any HTML existing inside the field label of fields being mapped would mistakenly not get stripped out, thus possibly causing readability issues and other issues on that page.

• Bug fix: The C# code generated by the API Playground had some errors. (Ticket #241561)

• Bug fix: The MyCap API call “getStudyImages” would mistakenly fail due to a PHP fatal error. Bug emerged in REDCap 14.9.0.

• Bug fix: The Randomization Dashboard display would appear to be missing a column in one of the table rows if the project has a single stratification factor with a level value of 0. (Ticket #245697)

• Bug fix: The link text for a Descriptive Popup was mistakenly case-sensitive when it should instead match text on the page in a case-insensitive manner. Bug emerged in REDCap 14.8.1.

• Bug fix: When an admin clicks the “Auto-fill form/survey” link on a form or survey, and specific number-validated fields (e.g., number_2dp_comma_decimal) have a min or max range validation, this would result in an out-of-range validation error on the page. (Ticket #226377b)

• Bug fix: When creating an instrument via an Instrument Zip file in the Online Designer for a MyCap Task, the file upload process would fail, and the error message popup would display blank text as a result.

• Bug fix: When modifying the label of a field in a matrix while in Draft Mode in production status, in which the field contains data for one or more records, a red warning saying “*Possible data loss if a matrix field’s label changes” should be displayed on the Project Modifications page; however, that warning was mistakenly not being displayed in that situation. Bug emerged in REDCap 14.5.0. (Ticket #245793)

• Bug fix: When trying to click the “Delete” or “View Summary” action for a Descriptive Popup when using PHP 7, the action might fail due to a PHP error, thus preventing the user from performing the actions. Bug emerged in REDCap 14.8.0.

• Bug fix: When using SendGrid as the outgoing email provider, if the system-level setting “Utilize the Display Name in all outgoing emails?” is turned off, the Reply-To Display Name might mistakenly still get added to outgoing emails. (Ticket #245904)

• Bug fix: When using the DAG Switcher in a project, and the current user clicks the Switch button to open the DAG Switcher dialog, the drop-down list of DAGs in the dialog would mistakenly not look completely like a drop-down element, thus potentially causing confusion. (Ticket #245627)

• Bug fix: When using the Local File Storage setting “Organize the stored files into subfolders by project”, if an internal REDCap process is copying a file inside a project, the file might mistakenly not get copied successfully. Bug emerged in REDCap 14.9.0.

• Bug fix: When using the NONEOFTHEABOVE action tag on a field that contains a Descriptive Popup, the popup text might mistakenly be repeated many times over inside the popup. (Ticket #245577)

• Bug fix: When using the Smart Variables [rand-time] and [rand-utc-time] while using Randomization, they would mistakenly always return a value in Y-M-D date format when being piped without “:value” appended to them. Instead, by default they should return a value formatted using the user’s desired date format as specified on their Profile page. Bug emerged in REDCap 14.7.0.

• Bug fix: When using the URL of a website (e.g., public survey link) as the Embed Media URL for a Descriptive field, the embedded website would mistakenly not display properly when viewing the survey page or data entry form on an iOS device. (Ticket #245700)

• Critical bug fix: Under specific circumstances when using PHP 8, data entry forms and survey pages might mistakenly always crash with a fatal PHP error, thus making data collection impossible. Bug emerged in REDCap 14.9.0 Standard. (Ticket #245574)

• New feature: Organize stored files into subfolders by project (for “Local” storage only)
  • This is an optional feature that allows files for a given project to be stored in a subdirectory named “pidXXXX”, in which XXXX is the PID of the project, rather than storing the files associated with that project in the main local storage directory on the web server. This feature can aid in the organization of files if IT/server admins are not happy with there being thousands or millions of files stored in the main storage directory.
  • Once enabled, this setting will be applied to new projects that are created after the fact. This setting will not apply to any existing projects that were created before this setting was enabled.
  • This feature can be enabled near the top of the File Upload Settings page in the Control Center. When upgrading, this setting will be disabled by default, although it will be enabled by default when performing a fresh install of REDCap.
  • This feature is only applicable for REDCap installations that are using “Local” file storage or “Google Cloud Storage (for Google App Engine hosting only)”.
  • When enabled, if REDCap is unable (due to a directory permissions issue, etc.) to create a project-level subfolder when a new project is created, it will instead default to storing all project files in the main Local File Storage directory (specified above) for that project.

• Improvement/change: Added 8 new MTB measures for use in MyCap-enabled projects: Spanish versions of Arranging Pictures, Arrows, FNAME Learning, FNAME Test, Number Match, Sequences, Shape-Color Sorting, Word Meaning Form 1.

• Improvement: The PDF Snapshot Archive page in the File Repository now contains a new button to allow users to download the PDF Archive’s file list as a CSV file. (Ticket #245337)

• Improvement: When a project is created from a Project XML file, additional info about the file (source system REDCap version and the XML file’s creation date) is displayed on the page, or a warning message is displayed if the XML file appears not to be a proper REDCap Project XML file. (Ticket #245469)

• Minor security improvement: The SameSite attribute for cookies utilized by REDCap now defaults to the value “Strict”, which provides more security by preventing cookie information leakage to first-party or same-site context. In previous versions, the default value for the SameSite attribute was “Lax”.

• Change: A cookie policy was added that specifies the details of how cookies are utilized by a person’s web browser when using REDCap. A link to the policy exists at the bottom of every webpage in REDCap.

• Change: When an admin clicks the “Compose confirmation email” button to send an email to the user via the Project Modifications Review page for Draft Mode, the logged event description (i.e., “Send email to user from admin”) now includes the recipient’s email address so that their email appears in the project logging to provide more context.

• Various changes for the External Module Framework, including 1) Relaxed tag vs. release zip comparison during security scans, 2) EM Logs table within the project context will now properly maintain PID context (this prevents it from navigating away to the Control Center when trying to use search parameters), 3) Added ‘Record’ and ‘UserName’ columns to the report table of EM logs, 4) Included the framework’s twig dependency when checking for composer conflicts, and 5) Misc. minor changes.

• Minor security fix: If REDCap Messenger is enabled, a malicious user could impersonate another user in the system specifically when uploading a file into a Messenger conversation by manipulating an HTTP request in a specially-crafted way. Note: This would not give the user being impersonated access to a Messenger conversation to which they do not have access to, but it would make it appear as if the other user uploaded the file to the conversation. This can only be exploited by authenticated users. Bugs exists in all versions of REDCap in the past 8 years.

• Medium security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into the record name of a record being imported via the Data Import Tool or API, after which the exploit could be activated in a specific place in the Online Designer. This can only be exploited by authenticated users. Bugs exists in all versions of REDCap in the past 8 years.

• Major bug fix: If a project has randomization enabled, in which the randomization field itself has branching logic, it is possible that the randomization field could mistakenly be hidden by branching logic even after the record has been randomized (in pre-14.7.0 versions, this could not happen), thus causing the randomization field’s value to be erased if the instrument is saved afterward. Bug emerged in REDCap 14.7.0 Standard. (Ticket #243375)

• Major bug fix: When attempting to perform a traditional installation of REDCap on a PHP 8 web server, the install page would crash with a fatal PHP error, thus preventing the admin from completing the installation process successfully. Bug emerged in REDCap 14.8.0 Standard. (Ticket #244721, #245265, #245371)

• Bug fix: A missing LOINC code was added to the CDIS mapping features.

• Bug fix: An outdated version of jQuery was mistakenly included in REDCap as part of a third-party library. That outdated version has been removed since it did not serve a functional role in the library. (Ticket #245523)

• Bug fix: If a Text field or Dropdown field is embedded on an instrument but is not using the “:icons” notation (e.g., {myfield:icons}), then if Missing Data Codes are being used in the project and the field’s current saved value is a MDC, there would be no way for a user to clear out the MDC and thus change the field’s value. In this situation, the M icon will now be displayed next to the field to allow users to unset the MDC value. (Ticket #245398)

• Bug fix: If a project contains surveys, the “Filter by user name” drop-down list on the Logging page would mistakenly not display the “[survey respondent]” option. That option will now be displayed if surveys are enabled in the project. Bug emerged in REDCap 14.8.1 Standard. (Ticket #245290)

• Bug fix: When a user attempts to resize the Choices textbox (for a multiple choice field) inside the Edit Field dialog in the Online Designer, the elements below the textbox would not move in response to the resizing, thus allowing the textbox to be stretched and mistakenly appear underneath the other elements. (Ticket #245180)

• Bug fix: When an admin clicks the “Auto-fill form/survey” link on a form or survey, and a DMY or MDY formatted date field has the literal value “today” as the min or max range validation, this would result in an out-of-range validation error on the page. (Ticket #226377)

• Bug fix: When downloading the Notification Log on the Alerts & Notifications page, the resulting CSV file’s filename would mistakenly end with “.csv.csv”. (Ticket #245440)

• Bug fix: When exporting data to SPSS, the SPSS Pathway Mapper batch file would mistakenly remove the BOM (byte order mark) from the SPSS file, leading to UTF-8 characters in the SPSS file getting mangled.

• Bug fix: When modifying a matrix of fields in the Online Designer, in which the variable names of some fields are changed, the fields would mistakenly not be saved correctly, and attributes of some fields in the matrix might get merged into other fields in the matrix. (Ticket #244773)

• Bug fix: When performing a data import that contains values for the Secondary Unique Field in the project, in which the SUF’s value happens to be a Missing Data Code and another record already has the same Missing Data Code saved for the SUF in the other record, the import process would stop with an error message saying the value of the field duplicates the value from another record. The SUF uniqueness check should not be performed when importing a Missing Data Code. (Ticket #245182)

• Bug fix: When the “Require a reason when making changes to existing records” feature is enabled in a project and a user goes to import data using the Data Import Tool, the user is given a warning message if a “reason” is not provided for all existing records being modified by the import, but it would mistakenly allow the import to take place without a reason provided, which should not be allowed. (Ticket #245514)

• Bug fix: When uploading a consent form file for a survey on the e-Consent Framework page, in which the file uploaded is not a PDF file, it would mistakenly add a placeholder in the consent file version table (but with a blank value for the PDF file), which would prevent users thereafter from uploading the correct file with the same consent form version number (because the version number is already used by the previous mistaken upload). (Ticket #245561)

• Bug fix: When using Twilio/Mosio telephony services in a project that is utilizing the setting to use a mappable multiple choice field for the Delivery Preference, if a new record is created via a data import or via the API, in which the mappable field value is set during the import process, the new record’s delivery preference would mistakenly be set to the project default delivery preference (or instead as “Email”) rather than to the correct delivery preference value for the record. (Ticket #245186)

• Bug fix: When viewing the field-view in the Online Designer, in which a date/datetime field is embedded and also has the CALCDATE action tag, the green “Field is embedded elsewhere on page” button would mistakenly be hidden for that field. (Ticket #245243)

• Bug fixes for Clinical Data Interoperability Services (CDIS): 1) Resolved incorrect display of mapped status for “Device - Implants” resources in the CDIS Mapping Helper, and 2) Fixed saving functionality for “Device - Implants” resources in the matching form for CDM projects.

• Improvement: When creating an alert in a longitudinal project, users can now select an email field from the current event where the alert is triggered to be used as the “Email To” setting for the alert. This allows for flexibility when using different email addresses on each event in the project. In previous versions, email fields in specific events only could be selected.

• Minor security improvement: The HTTP header “Referrer-Policy: strict-origin-when-cross-origin” was added to prevent the leakage of referrer information when navigating to external websites from REDCap.

• Change/improvement: Allow multiple PHP errors to be logged in the “redcap_error_log” database table for a single request (i.e., single log_view_id).

• Change: REDCap is now officially compatible with PHP 8.4. Note: It was noted in a previous release that REDCap 14.7.4 and higher was compatible with PHP 8.4, but that was incorrect. Only REDCap 14.8.3 and higher are compatible with PHP 8.4. Additionally, the current recommended PHP versions for REDCap are PHP 8.1, 8.2, 8.3, and 8.4. Note: REDCap is currently compatible with PHP version 7.3.0 and all later versions (including PHP 8.4.X).

• Minor security fix: A vulnerability was discovered in REDCap Messenger in which a malicious user could potentially exploit it by manipulating an HTTP request in a specially-crafted way that would potentially allow them to enumerate a list of all usernames in the whole system, including users' first and last name. This can only be exploited by authenticated users. Bugs exists in all versions of REDCap 7.4.0 and later.

• Bug fix: If a survey ends via a Stop Action and the Alternate Survey Completion Text has been left blank, it would display no text at all at the end of the survey when it should instead default to displaying the regular Survey Completion Text. (Ticket #245008)

• Bug fix: If users are using Firefox ESR (Extended Support Release) 115 as their browser, the Font Awesome icons (i.e., most of the icons used in REDCap) would mistakenly be invisible on all REDCap pages due to an incompatibility issue with Font Awesome 6.7.0 (that library was upgraded to 6.7.0 in the previous REDCap version). The Font Awesome library in REDCap has been upgraded to 6.7.1 to resolve this issue for users using Firefox ESR 115. Note: This should not affect users using the latest Firefox version in its default release channel, and this also does not affect users using other browsers. Bug emerged in the previous REDCap version.

• Bug fix: In very specific situations where a date/datetime field has the READONLY action tag, the calendar datepicker icon next to the field would mistakenly still be displayed, thus allowing users to inadvertently modify the field value using the datepicker widget. (Ticket #244986)

• Bug fix: The Data Search feature on the “Add/Edit Records” page might mistakenly keep saying “Searching…” even when nothing has been returned if certain keys on the keyboard are clicked, such as Enter, when typing the search term. (Ticket #54818b)

• Bug fix: The piping documentation mistakenly did not specify that piping essentially bypasses a user’s Data Viewing Rights, so even if a user has ‘No Access’ Data Viewing Rights for the instrument of a piped field, any user will be able to view the data of the piped field regardless of where the field is being piped. More information has now been added to the piping documentation to clarify this missing piece of information. (Ticket #244827)

• Bug fix: When MLM is active, the redirection of completed surveys via the survey termination option “Redirect to a URL” would not work as expected. (Ticket #244741)

• Bug fix: When uploading a file into a REDCap Messenger conversation while inside a REDCap project, the Upload File dialog would mistakenly be covered by the left-hand project menu.

• Major bug fix: The Multi-Language Management page in the Control Center would mistakenly fail to load due to a JavaScript error. Bug emerged in REDCap 14.8.0 (Standard).

• Minor security improvement: A couple different project pages might mistakenly allow knowledgeable malicious users to email any recipient as many times as they wish (i.e., spam any email address), although the email itself would still have to come “From” one of the user’s email addresses as listed in their REDCap user profile. Exploiting this feature is no longer possible.

• Change/improvement: When using the Data Resolution Workflow, the “assign user” drop-down list in the DRW dialog is now displayed as an auto-complete drop-down to help users more easily select a user from the list in projects that have a large number of users.

• Change: Performance improvements on the MLM setup page, which should load faster than in previous versions.

• Minor security fix: A security vulnerability was discovered in the Moment.js library that is utilized by REDCap. That library has been removed from the REDCap code to remediate this issue.

• Minor security fix: Due to a ReDoS (Regular expression Denial of Service) vulnerability discovered in the Vue third-party library that is bundled in REDCap, the Vue library utilized specifically on the CDP Mapping page has been upgraded to a newer version that does not contain the vulnerability.

• Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in REDCap Messenger and in the Data Quality module in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way. These can only be exploited by authenticated users. Bugs exists in all versions of REDCap 7.4.0 and later.

• Major security fix: An SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. This can only be exploited by authenticated users. Bugs exists in all versions of REDCap 13.0.0 and later.

• Bug fix: If a Descriptive Popup’s link text is an exact match for the choice label in a checkbox field, the choice label text would mistakenly be shifted to the left, in which the checkbox itself might not be visible. (Ticket #244425)

• Bug fix: If a Descriptive Popup’s link text matches a choice label in a drop-down field, the popup’s content would mistakenly be inserted into the choice label. Descriptive Popups should not work for drop-down field choices due to general HTML limitations. (Ticket #244425)

• Bug fix: If a Descriptive Popup’s link text matches a choice label in a radio field, the popup’s content (when displayed) might mistakenly be indented and not fit well inside the popup. (Ticket #244425)

• Bug fix: If one or more fields are piped into the survey instructions of a survey, in which the fields being piped are located on the first page of the survey, the real-time piping action might not occur when entering data into those fields on the first survey page unless those same fields happen to be piped elsewhere on the page.

• Bug fix: If the MyCap External Module had previously been enabled at the system level, and a user enables Draft Preview Mode in a production project, the Record Status Dashboard might mistakenly fail to load due to a fatal PHP error for PHP 8. (Ticket #244458)

• Bug fix: In a multi-arm project that utilizes the Survey Queue or certain [survey-X] Smart Variables, in which individual records will exist on multiple arms at the same time, if a record exists in one arm and then a participant uses the Survey Queue to navigate to a survey in another arm where the record does not yet exist, the participant would mistakenly be redirected to the survey page that asks them to enter a survey access code. And if using a [survey-X] Smart Variable that refers to a survey on another arm, it would mistakenly return a blank value.

• Bug fix: In the External Modules Framework, the method $module->getFirstEventId() would mistakenly not return the true first Event ID as listed on the My Events page in longitudinal projects.

• Bug fix: Several missing LOINC codes were added to the CDIS mapping features.

• Bug fix: The API Playground page might load unusually slowly for older projects or busy projects (i.e., with lots of logged events).

• Bug fix: When a matrix of fields contains no choices, the Online Designer field-view page, data entry form, and survey page containing that matrix might mistakenly crash due to a fatal PHP error when using PHP 8. (Ticket #244669)

• Bug fix: When exporting a report in “labels” format for a report that is sorted by a multiple choice field that has integers for every choice value, the resulting exported data would mistakenly not be sorted according to the choice labels but would often revert to being sorted by the record ID field instead. (Ticket #244525)

• Bug fix: When using Multi-Language Management and translating field labels, in certain cases some text in the field label might not align horizontally with other text that should be displayed on the same line.

• Bug fix: When using a CDIS service, the Date of Death value of a patient was mistakenly displayed in Zulu (UTC) time instead of the expected local formatted time. The date is now converted to local time and formatted to YYYY-MM-DD HH:MM format for consistency.

• New feature: Descriptive Popups

  • This feature represents the integration of Mark McEver’s “Inline Descriptive Popup” External Module. Note: Upgrading to this version will not disable the “Inline Descriptive Popup” EM nor will it migrate any settings from the EM if the EM is being used in a project.
  • Summary: Descriptive popups are custom popups of text that become visible after hovering over a specific word or phrase on a data entry form or survey. They have two main components: 1) the link text, which should match a word or phrase used on a form or survey, and 2) the custom text for the popup content. Users may set a descriptive popup to work on all instruments/surveys (default) or on specific ones. Descriptive popups are a great way to convey extra information on a form or survey without the text taking up space on the page. Users may configure their descriptive popups to be activated only on specific instruments. By default, they are enabled on all instruments. Additionally, if the popups are enabled to work on a survey, especially a multi-page survey, users can specify specific page numbers on which the popups will be activated.
  • When copying a project or exporting a project via a Project XML file, there is now an option to copy/export the descriptive popup settings, respectively.
  • Web accessibility: Descriptive popups are WCAG compliant, thus they will work with screen readers.
  • MLM: Both the link text and popup content text of descriptive popups can be translated using Multi-Language Management.

• New feature: Draft Preview Mode

  • Draft Preview Mode allows users to preview their data entry forms with their current drafted changes as if they were live. This allows users to fully test the changes they have made in Draft Mode, including all branching logic, calculations, action tags, and embedded fields, before submitting their drafted changes for approval.
  • Additionally, Draft Preview Mode will simulate live data entry on data entry forms, thus allowing users to enter ephemeral data that is stored only in their session; however, no data will actually be saved to the project. Once a user leaves Draft Preview Mode, all ephemeral data that has been entered will vanish.
  • Limitations: While in Draft Preview Mode, the following limitations exist: No new records can be created. No data can be changed or stored in the project (all data changes are transient and are bound to the user’s login session). Only changes to already existing forms can be previewed. Delete operations (deleting whole records or deleting data for forms/events) are disabled. Several more limitations exist and are delineated in the Online Designer before enabling Draft Preview Mode.
  • Note: Draft Preview Mode only operates on data entry pages, the Record Status Dashboard, and the Record Home Page. It does not impact any other pages, and it currently does not work on survey pages.

• Improvement: REDCap now supports the “address” HTML tag so that it may be utilized in user input (e.g., field labels, survey instructions). (Ticket #244390)

• Change: In a MyCap-enabled project, REDCap now prevents the user from accessing the “View participant QR code” and “Invite Template” popups until the first MyCap app version has been published for the project.

• Change: In a MyCap-enabled project, the “Messages” feature is now disabled in the MyCap participants list for participants that have not yet joined the project using the MyCap mobile app (i.e., their install date is blank).

• Change: The “Learn Advanced Design Features” link on the left-hand project menu is now only displayed to users with Project Setup & Design privileges. (Ticket #244150)

• Bug fix: If the Survey Base URL is being used together with Clickjacking Prevention in the REDCap installation, “Custom Surveys for Project Status Transitions” survey pages would initially load in a user’s browser, but after clicking a submit button on the survey, the page would be blocked and would not load any more pages. Note: This was supposedly fixed in REDCap 14.5.16 (LTS) and 14.6.10 (Standard), but it was only partially fixed. (Ticket #240644b)

• Bug fix: If using the AWS CloudFormation deployment of REDCap, the REDCap upgrade process might mistakenly fail or have issues due to the “upgrade-aws-eb.sh” file inside the REDCap source code not being up-to-date with the same file stored in the GitHub repo for REDCap’s AWS CloudFormation (https://github.com/vanderbilt-redcap/redcap-aws-cloudformation/). The file inside REDCap has now been updated to match the GitHub file.

• Bug fix: In a MyCap-enabled project, REDCap was mistakenly listing DAG-specific announcements in a participant’s message thread even if they are not in the DAG.

• Bug fix: In a MyCap-enabled project, fields with the action tag MC-PARTICIPANT-CODE would mistakenly not get updated with the participant code value for records created via the API.

• Bug fix: The System Statistics might mistakenly fail to load due to a fatal PHP error in PHP 8. In PHP 7, the Randomization project count on the System Statistics page would instead be a blank value instead of a number. Bug emerged in REDCap 14.7.4.

• Bug fix: When downloading a PDF containing saved data, in which the PDF contains data for repeating instruments and/or repeating events, the repeating instances might be mistakenly displayed out of order in the PDF (with the instances of different repeating instruments being ordered by instance number instead of being ordered by instrument then instance number). Additionally, some of the repeating instruments might be duplicated as empty forms (as if they have no data) on certain pages in the PDF. (Ticket #244080)

• Bug fix: When using field embedding on a Descriptive field that has an “Embed media” URL that is set to be displayed “Inline”, the resulting “View media” button and/or field label would mistakenly not appear where the field is supposed to be embedded on a survey page or data entry form. (Ticket #243847)

• Bug fix: When using the “Erase all data” option on the Other Functionality page or when moving a project to production while erasing all records, any PDF Snapshots that are stored in the “PDF Snapshot Archive” in the File Repository would mistakenly not be deleted during this process. (Ticket #244073)

• Bug fix: When using the [stats-table] Smart Variable with one or more unique event names appended to it (in order to limit the table data to specific events), the resulting stats table would mistakenly always display counts from all events for the given field instead of the specified events. (Ticket #244162)

• Major bug fix: In several places in a project where survey links are generated, such as using the Smart Variable [survey-link] or the EM developer method REDCap::surveyLink(), those might return a blank value instead of a real URL. Additionally, if a survey has the “Allow participants to download a PDF of their responses at end of survey?” option set to “Yes” on the Survey Settings page, participants would get a 404 error in their browser when clicking the PDF Download button after completing the survey, thus preventing them from downloading the survey. Bug emerged in the previous version. (Ticket #244103, 244176)

• Security improvement: When using REDCap’s Two-Factor Authentication, the OTP (One Time Password) encryption secret, which is stored for a user in the back-end database and is used to generate their QR code for 2FA, has been increased to 160 bits to meet certain security standards. Note: This change will not affect existing users' ability to continue using their already-established Microsoft/Google Authenticator mobile app for 2FA in REDCap.

• Change: Updated REDCap’s session handler functions to be compatible with the upcoming PHP 8.4 release. Thus, the only REDCap versions that are compatible with PHP 8.4 are REDCap 14.7.4 and higher.

• Change/improvement: The dates displayed in the “Other useful info” box on the main Control Center page are now listed in the date format dictated by the user’s profile date format preference.

• Change: On the Survey Invitation Log and Notification Log, a new warning has been added to the page when a project is in Analysis/Cleanup project status to denote that any already-scheduled survey invitations or alerts will not be sent while in Analysis/Cleanup status, despite the fact that the user may see scheduled invitations/alerts on those pages.

• Change: The “Online Designer” video on the Training Videos page was updated, and a new video “Randomization” was added.

• Change: When using Multi-Language Management in a MyCap-enabled project, the MLM setup page will now display a warning to users when adding an MLM language when the country code isn’t supported in the MyCap mobile app.

• Minor security fix: A security vulnerability was discovered in the Twig library that is utilized by the External Module Framework. Twig has been upgraded to version 3.11.2 in the REDCap code to remediate this issue.

• Minor security fix: Due to a ReDoS (Regular expression Denial of Service) vulnerability discovered in the Vue third-party library that is bundled in REDCap, the Vue library has been upgraded to a newer version that does not contain the vulnerability.

• Bug fix: A PHP fatal error might occur when enabling a PROMIS battery measure for MyCap.

• Bug fix: A duplicate language key for MyCap existed in the English.ini file. (Ticket #243930)

• Bug fix: In certain cases, when creating a new project using a Project XML file that contains Custom Record Status Dashboards, the “Select instruments/events” attribute might not get set correctly during the import, thus causing that dashboard not to display any instruments when viewing it. (Ticket #243909)

• Bug fix: In some rare cases when upgrading from a REDCap version lower than 14.3.1, the upgrade page might mistakenly fail to load completely. Bug emerged in REDCap 14.3.1 Standard. Note: This was supposedly fixed in the previous release, but mistakenly it was not.

• Bug fix: The Smart Variable [mycap-participant-code] might display a blank value when being utilized on an instrument with a different event or page where the event ID is set in the URL (if different from the event ID stored in redcap_survey_participants database table).

• Bug fix: When certain record-based [survey-X] Smart Variables are utilized on a survey or data entry form (e.g., CALCTEXT([survey-access-code])), in which the record has not been created yet, duplicate rows might mistakenly be added for the resulting record in the Participant List.

• Bug fix: When clicking the “Download all” button when viewing the PDF Snapshot Archive in the File Repository, any PDF snapshots created using a logic-based snapshot trigger would mistakenly not be included in the downloaded zip file. (Ticket #243743)

• Bug fix: When enabling MyCap on a project that has existing records, the MyCap participant code would mistakenly not get populated for fields with the action tag @MC-PARTICIPANT-CODE.

• Bug fix: When importing data using the Data Import Tool or API, it would mistakenly not be possible to import Missing Data Codes for a Slider field. (Ticket #243896)

• Bug fix: When uploading user role assignments via CSV on the User Rights page, if the username in the CSV file has trailing spaces, those spaces might mistakenly not get removed when saving the user role assignments in the project. (Ticket #243138b)

• Change/improvement: Better error reporting during CSV file import into MLM.

• Change/improvement: Minor changes have been made to how the syntax files for R and SPSS are generated in order to improve the coding of labels in the syntax files. (Ticket #225047)

• Change: New clarifying text was added to the instructional text displayed above the “Consent Form (Rich Text)” option in the “Add Consent Form” dialog on the e-Consent Framework page in order to indicate that images added via the rich text editor there will not be rendered in PDF exports or in stored PDF snapshots that include that consent form text.

• Various changes for the External Module Framework, including the following: 1) The External Modules Framework error handling behavior has changed significantly. Every module error detected is now logged in the database instead of emailed. When errors occur, one email is sent per module per hour asking admins to check the “Recent Errors” page in Control Center for more details. And 2) Misc. security scan improvements.

• Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into the value of a Text field or Notes field by authenticated users on a data entry form or by survey participants on a survey. It can only be exploited by entering text containing the HTML “embed” tag when dynamic piping is happening on the current page via JavaScript. Bug emerged in REDCap 14.5.0.

• Bug fix: If a user assigned to a Data Access Group is viewing the Notification Log for “Alerts & Notifications”, in which one or more alerts have been set as a recurring alert, the page would mistakenly display future notifications for records not in the user’s DAG. (Ticket #243195)

• Bug fix: If a user is importing data via the API or Data Import Tool, in which the user is not assigned to a DAG and the data import file contains the “redcap_data_access_group” field, if the import file contains multiple records and the “Overwrite data with blank values?” setting is set to “Yes”, then any records that are currently assigned to a DAG but have a blank value for the “redcap_data_access_group” field in the import file would get correctly unassigned from their current DAG, but the Record List Cache would mistakenly not get updated to reflect this DAG unassignment. This means that until the Record List Cache is reset, the record might appear to be in a DAG even though it is technically not assigned to a DAG anymore. (Ticket #242983)

• Bug fix: If an alert has been created with the “When to send the alert” setting as “Send the alert X [units] after the day (beginning at midnight) that the alert was triggered”, then downloading the alerts as a CSV file and then re-uploading them would result in an error for this particular setting. (Ticket #237215)

• Bug fix: In rare cases, a fatal PHP error might occur on a survey when using PHP 8. (Ticket #243300)

• Bug fix: In some cases, the Background Data Import process might mistakenly fail to finalize itself even after all records appear to have been successfully imported. (Ticket #243425)

• Bug fix: In some rare cases when upgrading from a REDCap version lower than 14.3.1, the upgrade page might mistakenly fail to load completely. Bug emerged in REDCap 14.3.1 Standard.

• Bug fix: The “Download form display logic setup” drop-down option in the Online Designer form-view would mistakenly not be visible because it would be obscured by the table immediately below it. (Ticket #243052)

• Bug fix: The API method “Export a List of Files/Folders from the File Repository” would mistakenly require API Import privileges. It should only require API Export privileges and File Repository privileges in the project. (Ticket #243161)

• Bug fix: The Email Users page would mistakenly list users that do not have the “Display user on ‘Email Users’ page?” checkbox checked for them on the Browse Users page in the Control Center. (Ticket #234149)

• Bug fix: When downloading a PDF of a survey instrument or when REDCap is storing a PDF Snapshot of a survey instrument, certain HTML tags that exist in the survey instruction text might mistakenly get stripped out before being properly processed into line breaks, etc. for the PDF. Bug emerged in REDCap 14.5.0. (Ticket #243240)

• Bug fix: When uploading user-DAG assignments via CSV on the Data Access Groups page, if the username in the CSV file has trailing spaces, those spaces might mistakenly not get removed when saving the user-DAG mappings in the project, which could cause the DAG page’s table not to display all DAG users in the “Users in group” column. (Ticket #243138)

• Bug fix: When using Multi-Language Management, if a field has the @LANGUAGE-SET action tag, the language-switching functionality will not work for it if the field is embedded. (Ticket #243593)

• Improvement: Users may now pipe the field label of a given field (instead of its data value) by appending “:field-label” to the variable name inside the square brackets. (Ticket #229991)

• Change/improvement: Added a new “Learn Advanced Design Features” link on the project left-hand menu that, when clicked, opens a panel displaying buttons to learn about Smart Variables, Piping, Action Tags, Embedding, and Special Functions.

• Change/improvement: The API Token Request Email that is sent to an administrator when a user requests a token (if this behavior is enabled at the system level) now contains the project PID number and a link to the project. (Ticket #242747)

• Change: The “Video Tutorials” link on the project left-hand menu now takes the user to the Training Video page rather than displaying a list of specific video links below it.

• Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a Text field or Notes field whose value is being piped on the same page of a survey or data entry form. This vulnerability can be exploited by authenticated users and also by survey participants entering data. Bug emerged in REDCap 14.5.0.

• Bug fix: Adding a new field via the Online Designer would result in a JavaScript error in the user’s browser console.

• Bug fix: If an email contains a piped File Upload field variable using the “:inline” piping option (e.g., [my_file:inline]), for certain email servers and certain email configurations in REDCap (e.g., SMTP), the file would mistakenly not get attached to the email as a regular attachment if the file is not an image file. (Ticket #242935b)

• Bug fix: If an email contains a piped File Upload field variable using the “:link” piping option (e.g., [my_file:link]), clicking the download link in the email would mistakenly display the error message “NOTICE: This file is no longer available for download” rather than downloading the file. (Ticket #242935)

• Bug fix: If upgrading from a REDCap version lower than 13.10.0, the upgrade page might mistakenly fail to load completely. Bug emerged in REDCap 14.6.11 Standard.

• Bug fix: In certain situations, one of the Clinical Data Pull (CDP) cron jobs for CDIS might crash unexpectedly.

• Bug fix: Modifying the value of a drop-down field, specifically one that has autocomplete enabled, would mistakenly not trigger the “Save your changes?” dialog or the “Reason for change” dialog (if enabled) in the project. (Ticket #242610)

• Bug fix: Some of the CDP performance improvements released in the previous release (14.7.1) were mistakenly not optimized in certain situations, thus causing the CDP cron job to cause some SQL queries to run slow and slow down the cron job.

• Bug fix: When data is exported from the Database Query Tool while “query context” was used in the query, this context was not properly evaluated and the page crashed during the export.

• Bug fix: When exporting data via the Export Records API method with parameter type=eav, if any duplicate values somehow exist in the backend data table for a single field, those duplicates would mistakenly be output in the resulting data that is returned from the API. (Ticket #242493)

• Bug fix: When importing data into a longitudinal project (whether via API, Data Import Tool, Mobile App, or data in a Project XML file), in which data for a repeating event or repeating instrument is being imported when the first instrument in the project is not designated for the event of data being imported, in certain situations the form status field for the first instrument might mistakenly receive a “0” (Incomplete) value during the import, even when that field is not included in the data being imported. This inadvertently creates data values that are automatically orphaned and never accessible in the user interface except in reports and data exports. (Ticket #242590)

• Bug fix: When the e-Consent Framework is enabled for a survey, the “Save & Mark Survey as Complete” button would mistakenly be displayed when viewing the instrument as a data entry form. Clicking this save button would mark the survey as complete and log it as if an e-Consent certification took place, when in fact it did not because the certification was essentially bypassed. e-Consent surveys should only ever be completed on the survey page itself and not on a data entry form. Going forward, the “Save & Mark Survey as Complete” button will no longer be displayed on the data entry form for any survey instrument that has the e-Consent Framework enabled. (Ticket #242860)

• Bug fix: When uploading a file for a File Upload field, in which the file exceeds the system-level maximum file size setting for File Upload fields, the file would mistakenly remain on the server for 30 days until it was then permanently deleted. Going forward, the file will never be initially stored in the system if it exceeds the file size limit.

• Bug fix: When using the “Go to field” functionality in the Online Designer (Ctrl-G or Cmd-G) and searching for a field by typing in part of the variable name or field label, a JavaScript error would be thrown in the browser console if the current instrument does not have any fields. (Ticket #242884)

• Improvement: Better error handling in PHP for External Modules. Additionally, a new Control Center menu item named “Recent Errors” now appears on the left-hand menu in the “Dashboards & Activity” section.

• Improvement: In MyCap-enabled projects, a new “Form completion status” setting has been added in the Online Designer that controls how a MyCap task’s form completion status value is set when a task is submitted by a participant from the MyCap mobile app to the REDCap server.

  • In previous versions, the MyCap task’s form completion status would always be set to Incomplete. But now, it can be set to Incomplete, Unverified, or Complete so that the form status value is set to that specified status value any time that a participant completes a MyCap task. This setting can be modified at any point during data collection in a MyCap project.
  • Note: Existing projects will maintain their existing default status setting of Incomplete, but that setting can be changed after the fact if desired. In contrast, all newly created projects will default to a status setting of Complete. However, if a new project is created using a Project Template that has MyCap enabled, the new project will adopt the MyCap form status setting of the Project Template. If you wish to change the default MyCap form status setting for all Project Templates that have MyCap enabled, run the following SQL (this is optional). This will ensure that all new projects, including those created via Project Templates will have this new setting set to Complete by default. Optional SQL: UPDATE redcap_projects p, redcap_projects_templates t SET p.task_complete_status = ‘2’ WHERE p.mycap_enabled AND p.project_id = t.project_id;

• Improvement: MLM languages now have a “Notes” field that can hold general notes regarding each MLM language on the MLM setup page (inside the Add/Edit Language dialog). These notes have no impact on MLM performance.

• Improvements: New CDIS-related resource monitor which helps manage resource-intensive processes more effectively. This does not have a user interface but just helps improve performance in the background. Additionally, the number of queued records for Clinical Data Pull (CDP) being fetched from the EHR system during a single cron job batch has been increased to allow for more records to be processed in a given period of time.

• Various changes and improvements for the External Module Framework, including the following:

  • Added isMlmActive() method and getCurrentLanguage() method to javascript external module objects
  • Renamed the bundled “Configuration Example” external module to “Module Development Examples”
  • Added the $module->getSelectedCheckboxes() method
  • Added a Twig development exercise to the external module documentation
  • Prevented an error when “Export list with design rights users” is selected for modules not enabled on any projects
  • Misc. security scan improvements

• Change/improvement: In MyCap-enabled projects, several MyCap settings (Baseline Date Settings, Custom Event Label Settings, and new Form Completion Status setting) in the Online Designer have now been aggregated in a new"Additional Settings" dialog on that page.

• Change: The instructional text for the “Automatic Triggering Option” on the Randomization page has been modified for improved clarity.

• Major bug fix: In some extremely rare cases, it might be possible that the same return code could be generated for two different participants taking the same public survey. In certain situations, this could possibly allow one participant to inadvertently view the responses of another participant. (Ticket #241815)

• Bug fix: If a record is deleted when the data privacy/GDPR feature “Delete a record’s logging activity when deleting the record?” is enabled in a project, the email log associated with that record would mistakenly not get deleted along with the regular logging information. Note: This fix will not retroactively remove the email logging of already-deleted records in projects with this feature enabled, but it will prevent this issue from occurring in the future. (Ticket #242184)

• Bug fix: If data exists for a field used in branching logic or in a calculation in a longitudinal project, in which the data is orphaned from a previously-repeating instrument or event (i.e., it is no longer repeating but had data collected for it back when it was repeating), then some of the orphaned data might mistakenly be used on a survey/form for cross-event branching logic and calculations, thus causing the branching/calc not to behave as expected.

• Bug fix: In specific instances when a field in the Online Designer is edited and then moved via drag-n-drop, the field might end up located in the wrong position on the instrument afterward.

• Bug fix: In very specific situations after submitting the first page of a multi-page survey, the Required Field dialog might mistakenly be displayed saying that a field that is not present on the first page (but is present on the second page) has a missing value. (Ticket #236511)

• Bug fix: Minor text error in the Smart Variable documentation.

• Bug fix: Multi-instrument PDF Snapshots were likely to be malformed in larger/complex projects when MLM was enabled. (Ticket #242031)

• Bug fix: The Custom Event Label might cause significant performance issues to arise on the Record Home Page for certain projects.

• Bug fix: The cron job responsible for fetching data from the EHR system via CDIS might be unable to retrieve a valid FHIR access token under specific conditions, causing the fetch process to fail. Additionally, the EHR ID might mistakenly not get logged in the FHIR Logs database table during CDIS processes.

• Bug fix: Typo in randomization setup instructions. (Ticket #242219)

• Bug fix: When a REDCap administrator is viewing an allocation/sequence on the randomization dashboard for a single-strata randomization model, in which the current strata value being viewed has a raw value of “0”, an incorrect error message might be displayed. (Ticket #242219)

• Bug fix: When a given REDCap page does not contain any “h” HTML tags, a JavaScript error would be thrown in the browser console.

• Bug fix: When a project is utilizing the Survey Queue together with the Survey Login feature, in which a survey participant has already logged in to a survey but then later reopens that same survey during the same “session”, the icon/link to the Survey Queue would mistakenly not appear at the top-right of the first page of that survey as it should, even when some surveys exist in the participant’s survey queue. (Ticket #242182)

• Bug fix: When a repeating instrument is enabled as a survey, and a participant navigates to that survey with “&new” appended to the URL to denote that a new repeating instance should be created from that response, branching logic and/or calculations on the survey page would mistakenly not work as expected if the fields used in the branching/calculations exist on a different instrument. Bug emerged in REDCap 14.5.14 LTS and 14.6.8 Standard Release.

• Bug fix: When certain video types (e.g., MP4) are added to the Embed Media URL of a Descriptive field, the video might not be playable for certain mobile browsers, such as Mobile Safari on iOS, if the project has MLM enabled on the current form/survey. (Ticket #241505b)

• Bug fix: When creating a new project via a Project XML file, in which the project contains one or more logic-based PDF Snapshot triggers, it might cause the project not to be fully created and thus not accessible to the user afterward.

• Bug fix: When exporting a Project XML file containing data for a longitudinal project that has repeating instruments, the resulting XML might be malformed in the file, thus causing some of the repeating instrument data not to get transferred to a new project created from the XML file.

• Bug fix: When moving an entire matrix of fields in the Online Designer to the top of another instrument, an error would result, thus preventing the matrix from being moved successfully.

• Bug fix: When moving an entire matrix of fields in the Online Designer, especially when moving them to another instrument, some fields in the matrix may not get moved successfully and/or the fields in the instrument might be messed up in various ways in the backend database, thus causing things not to display correctly for the instrument. (Ticket #236128, #241606)

• Bug fix: When uploading an Instrument Zip file or when copying an instrument in the Online Designer, if a field in the instrument has branching logic that contains an inline comment with and odd number of single quotes and/or double quotes, it would prevent the instrument from being uploaded or copied, respectively. (Ticket #241955)

• Bug fix: When using Multi-Language Management, floating matrix headers were not aligned properly on surveys for right-to-left languages. (Ticket #222689b)

• Bug fix: When using Twilio or Mosio telephony features in a project, in which an Automated Survey Invitation is set to be triggered and sent using the “participant’s preference” for the ASI invitation type, if the mappable invitation preference field is being utilized in the project, then if a user sets the value for the invitation preference field on a form/survey, in which the ASI gets triggered and one or more calculated fields from other forms/events get subsequently triggered from the form/survey save, then the ASI will be sent/scheduled using the project’s default value for delivery preference rather than using the participant’s already-set delivery preference (from the invitation preference field). (Ticket #242434)

• Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with certain newer area codes, specifically 235, 324, 329, 353, 436, 624, 645, 686, 728, and 861.

• Bug fix: When using the Automatic Triggering Option for Randomization in a project, a record might mistakenly be automatically randomized on a survey (assuming the logic evaluates as true) when the Automatic Triggering Option is set to only trigger for users with the Randomize permission (i.e., not for survey respondents). (Ticket #242300)

• Bug fix: When using the Automatic Triggering Option for Randomization in a project, in which data is being saved on a form or survey for an already-randomized record, the automatic triggering might mistakenly attempt to randomize the record again, thus resulting in a fatal PHP error. (Ticket #242300)

• Bug fix: When using the Automatic Triggering Option for Randomization in a project, the data value saved for the randomization field itself might mistakenly not get explicitly recorded in the project Logging. However, the randomization event itself does get correctly logged. (Ticket #242300)

• New features: Randomization enhancements
  • Note: Thanks to Luke Stevens (Murdoch Children’s Research Institute) for his contribution in building these new randomization features.
  • A) Multiple randomizations in a project - Users may now define more than one randomization model in a single project. Each randomization model has its own settings (e.g., strata, randomization field, allocation table), and is completely independent of the other models.
  • B) Blinded randomization support - Users may now create a randomization model that is blinded/concealed as a means of concealing the allocation (randomization value) from users to be able to have a truly blinded randomized clinical trial, for example. Users may still choose to create an “open” randomization model (as they always could) by choosing a single-select multiple choice field (e.g., drop-down or radio) to be the randomization field. Alternatively, users may now choose any text field [that does not have field validation] to represent the “randomization number”. The randomization number can be uploaded as part of the allocation table, and when a record is then randomized, the field is given the randomization number as its value.
  • C) New Smart Variables
  • • [rand-number] - The randomization number assigned to the record. For randomization in a text field (blinded allocation), this is equivalent to piping the randomization field. For randomization in a categorical field (open allocation), this will be the randomization number associated with the randomization group allocation, if one has been uploaded (this is optional). Use :n to refer to a specific randomization where a project has more than one (default=1).
  • • [rand-time] - The server date and time at which a record was randomized. In a piping context, such as in a field label, survey invitation, or inside the @default action tag, the format of the date and time will be displayed based on the current user’s date/time display preferences. If you wish to have it return the raw value, which will instead be in ‘YYYY-MM-DD HH:MM:SS’ format and would be more appropriate for conditional logic or calculated fields, simply append :value. Use :n to refer to a specific randomization where a project has more than one (default=1).
  • • [rand-utc-time] - The UTC date and time at which a record was randomized. In a piping context, such as in a field label, survey invitation, or inside the @default action tag, the format of the date and time will be displayed based on the current user’s date/time display preferences. If you wish to have it return the raw value, which will instead be in ‘YYYY-MM-DD HH:MM:SS’ format and would be more appropriate for conditional logic or calculated fields, simply append :value. Use :n to refer to a specific randomization where a project has more than one (default=1).
  • D) New “Randomize Record” API method - This method allows an API user to randomize a record using the API. The API parameters required are content=“record”, action=“randomize”, record=Record name of record to randomize, and randomization_id=The unique id of the randomization (viewable on the Randomization page for users with Design permissions or on the API Playground page), which corresponds to a specific target field and event. This API method returns the value for the target randomization field (plus optionally the alternative target value), or an error message on failure (such as if the record does not exist or if stratification information is missing).
  • E) New developer methods
  • • REDCap::getNextRandomizationAllocation() - Returns the integer allocation id if an unallocated entry is found, or string ‘0’ if no entry is available (allocation table is exhausted). Returns false on error, e.g. if incorrect stratification information provided.
  • • REDCap::updateRandomizationTableEntry() - Updates the target (randomization field or number), alternate target (randomization group or number), or “is_used_by” (e.g., the record to which this allocation/sequence belongs) details for a specified allocation table entry. For example, this method can be utilized to effectively perform the randomization action itself.
  • F) New External Module Hook “redcap_module_randomize_record” - Allows custom actions to be performed prior to the randomization of a record - e.g., to override the default randomization allocation. This hook enables implementation of custom randomization allocation routines, e.g. dynamic randomization via minimization. It is expected that only one external module implementing this hook will be enabled in a single project. A warning will be generated if multiple external modules return results from this hook. Location of Execution: The function is executed immediately prior to lookup and assignment of the next available entry in the randomization allocation table. This lookup and allocation is skipped if all redcap_randomize_record hooks return false.
  • G) Real-Time Trigger Logic - Randomization can be automated to occur in real time when an instrument is saved and a specified logic expression becomes True, in which all required stratification information must be present. At the bottom of the randomization setup page for a given randomization model, the following options are displayed.
  • • Manual only (default) - A user with “Randomize” user permissions must click the “Randomize” button on the data entry form where the randomization field is located.
  • • Trigger logic, for users with Randomize permissions only - When the Save button on a specified data entry form is clicked, if the logic expression provided evaluates to True and the current user has “Randomize” user permissions, the record will automatically be randomized (i.e., without clicking a “Randomize” button).
  • • Trigger logic, for all users (including survey respondents) - When the Save button on a specified data entry form or survey page is clicked, if the logic expression provided evaluates to True (despite the user’s permissions if on a data entry form), the record will automatically be randomized.
  • H) New options for REDCap administrators [only] to perform the actions below, which are meant to be used in rare/unexpected situations. These can be found when viewing the allocation table under the Dashboard section of a randomization model. Note: Whenever an administrator uses one of the actions, they must provide a “reason” as text, which gets added to the project Logging.
  • • Manually randomize a record - Provide a value for a randomization group or number to manually set the randomization value for a specified record.
  • • Remove the randomization for a record (un-randomize it) - If a record has already been randomized, remove that record’s randomization allocation so that it will no longer appear randomized and so that another record might possibly get assigned that allocation.
  • • Edit an allocation/sequence - Modify the randomization group and/or randomization number value for an unallocated sequence. This is essentially the equivalent of modifying an existing allocation table.
  • • Make an allocation/sequence unavailable - Remove an allocation/sequence so that it will not be used in a future randomization. This is essentially the equivalent of removing a row from an existing allocation table.
  • I) Project XML & Copy Project - Randomization model settings have now been added as an optional component to copy when doing a “Copy Project” action or when exporting->creating a project via a Project XML file.

• Improvement: In a MyCap-enabled project that is using Multi-Language Management, users can now more easily populate the MyCap Language ID and Language display name by clicking the MLM language ID from the allowed languages list on the MLM setup page for the MyCap mobile app (via the Add/Edit Language popup). These were merely displayed in previous versions, but now they are clickable, which makes them easier to add to the MLM setup page.

• Improvement: In a MyCap-enabled project, the “View Task Details” popup in the Online Designer now includes detailed scheduling information per event for longitudinal projects.

• Improvement: New MLM action tag LANGUAGE-MENU-STATIC - When this action tag is present on any field of an instrument enabled as a survey, and Multi-Language Management is active with at least two active languages, the language selection menu will remain visible at all times (i.e., it will not collapse after a language button has been clicked). (Ticket #241790)

• Improvement: New piping option “:hideunderscore” - If a field value or Smart Variable value is blank/null (i.e., does not exist), then by default the blank value will be piped as six underscore characters (literally ______) as a placeholder to visually indicate that no value exists. However, if this behavior is not desired, users may append :hideunderscore to the variable name inside the square brackets (e.g., [first_name:hideunderscore], [race:value:hideunderscore]), and this will cause value to be piped as-is, that is, as a blank/null/invisible value. Note: The :hideunderscore notation may be appended to both field variables and Smart Variables.

• Change: On the MyCap Configuration Check page in the Control Center, the PID has been added for each project displayed in the project drop-down list on that page.

• Change: The newer-style “disabled” buttons in the Online Designer (added in REDCap 14.6.11) have been slightly modified from an encircled X to an encircled dash since it is thought that an X might imply a “delete” action rather than a “disabled” state. Additionally, the event-level ASI “Modify” buttons that are displayed in longitudinal projects when clicking the “Automated Invitations” button next to each survey in the Online Designer were updated with the new icons that were added elsewhere in the previous version.

• Change: Two new videos were updated: “Field Types” and “Online Designer”.

• Change: Various minor bug fixes and enhancements for Multi-Language Management (mostly related to export and change tracking with regard to MyCap items).

• Major bug fix: If a project has one or more [non-e-Consent] PDF Snapshots enabled to be triggered by the completion of a specific survey, in which that same survey has had the e-Consent Framework enabled in the past but is currently disabled for the survey, in certain situations the active PDF Snapshots would mistakenly not get triggered and saved when the survey is completed by a participant. Bug emerged in REDCap 14.5.11 LTS and 14.6.5 Standard. (Ticket #241710)

• Bug fix: When a participant has completed an e-Consent survey, in which a consent form has been defined on the e-Consent Framework page for that survey, and then a PDF of that response is later downloaded or a PDF Snapshot of that response is later saved, the resulting PDF would mistakenly not always contain the consent form that the participant saw when they completed the survey, but (especially when MLM is not being used) they would see a newer version of the consent form, assuming a newer version of the consent form has been added to that survey. (Ticket #241501)

• Bug fix: When certain video types (e.g., MP4) are added to the Embed Media URL of a Descriptive field, the video might not be playable for certain mobile browsers, such as Mobile Safari on iOS. (Ticket #241505)

• Bug fix: When exporting a Project XML file that contains e-Consent Framework settings, if the project is longitudinal and the e-Consent settings have a “Last name field” or “Date of birth field” defined, the e-Consent settings might not get successfully imported into the new project created using the Project XML file. Bug emerged in REDCap 14.5.0.

• Improvement: A new PDF download button has been added to the instrument-view of the Online Designer to allow users to download all instruments as a single PDF.

• Improvement: REDCap now supports the “progress” and “meter” HTML tags so that they may be utilized in user input (e.g., field labels, survey instructions).

• Improvement: Slight aesthetic changes have been made to the buttons displayed in the instrument-view of the Online Designer. Additionally, the “e-Consent and PDF Snapshot” button has been separated into two separate buttons under Survey Options and Form Options, respectively.

• Improvement: The improved “Field Navigator” on the Online Designer now always floats on the right-hand side of the page and also has links to allow users to jump to specific Section Headers on the page.

• Improvement: When the Google reCAPTCHA feature is enabled, administrators may now set the default state of that feature (as either initially enabled or disabled) in newly created projects. This can be set in the Google reCAPTCHA section of the Modules/Services Configuration page in the Control Center. By default, this new setting is set to “Disabled by default for new projects”. (Ticket #237045)

• Change: For predefined ResearchKit active tasks in MyCap-enabled longitudinal projects, the “Active Task Settings” section on the task setup page has been moved to the task-level instead of the event-level (as seen in previous versions). Thus, there will be only one “active task setting” per task available even if multiple events are enabled on the task setup.

• Change: Question Numbering on surveys is now set to “Custom numbered” by default when enabling an instrument as a survey.

• Change: The “Preview instrument” button on the field-view page of the Online Designer has now been removed due to seldom use and also because in recent years it no longer provides a reliable presentation of the instrument for moderately-complex projects. (Ticket #241293)

• Major security fix: If a malicious user is logged in and has access to at least one report in one project, they could potentially manipulate the URL of specific REDCap end-points in order to view the results of any report for any project, even when they do not have access to that report or project.

• Major bug fix: Some of the AJAX end-points used by the Email Users page in the Control Center would mistakenly allow non-administrators to access them (if a user knows how), which could allow normal users to possibly view the list of all users (usernames, names, and emails) in the system.

• Bug fix: An issue would occur for Clinical Data Pull (CDP) projects in which entries in the redcap_ddp_records database table were incorrectly marked with a “future date count” > 0 if no temporal fields were mapped but date fields were present in the project. This would cause affected records not to be queued for automatic fetching in the background.

• Bug fix: For some server configurations, the MyCap logo displayed on the Multi-Language Management setup page might either not be displayed or might cause the whole page not to be displayed in MyCap-enabled projects. (Ticket #241449)

• Bug fix: In very rare situations, when a person receives a file via Send-It, they would not be able to download it because it may appear to have already expired prematurely.

• Bug fix: The question-mark popover in Step 2A option 3 when adding/editing an alert on the Alerts & Notifications page would mistakenly display escaped HTML in the popover rather than interpreting the HTML tags.

• Bug fix: When a radio or drop-down field has numeric-only choice codes, in which the field has a blank/null value and is used in the concat_ws() function, the field would mistakenly be represented as “NaN” (in JavaScript) and as “NAN” (in PHP) in the result of concat_ws(). (Ticket #241098)

• Bug fix: When a survey has the e-Consent Framework enabled and also has “Save & Return Later” enabled with the “Allow respondents to return without needing a return code” option checked, the survey would mistakenly display a Return Code when the participant clicks the “Save & Return Later” button, and it would also ask for a Return Code when loading the survey page after having not completed it. Bug emerged in REDCap 14.5.15 and 14.6.9. (Ticket #241142)

• Bug fix: When clicking a value displayed in the results of a Data Quality rule, which opens the data entry form in a new tab, it would mistakenly not put the focus on the field if the field is a Notes field type. (Ticket #241058)

• Bug fix: When deleting a user account when viewing an individual account on the Browse Users page in the Control Center, the User Search text box on the page would mistakenly no longer be functional for searching unless the page is reloaded. (Ticket #241142)

• Bug fix: When the first field on a given instrument has a section header above it, and then in the Online Designer a user attempts to add a field between the section header and the field immediately below it, if the project is in draft mode while in production, the newly added might get added but would end up in a weird limbo state so that the field might not be visible afterward. (Ticket #241530)

• Bug fix: When using MLM for translating survey invitations, specifically those sent via SMS, it could cause a fatal PHP error for the cron job when using PHP 8. (Ticket #92266b)

• Bug fix: When using Multi-Language Management, the wrong message was shown on the Misc tab for the base language on the MLM setup page.

• Bug fix: When using the READONLY action tag on the Secondary Unique Field on a survey that has the SUF prefilled via URL variables, the field would mistakenly be editable and not read-only. Note: This occurs only on the SUF when viewed specifically in survey mode, and only when prefilling is being performed. Also, this was supposedly fixed in REDCap 14.5.8 LTS and 14.6.2 Standard, but it was apparently only fixed in specific use cases. (Ticket #237623b)

• Improvement: Accessibility improvements have been made to all Control Center pages and other non-project pages (e.g., My Projects, REDCap Home Page) with specific regard to improving the color contrast of text on the page.

• Improvement: More documentation has been added for Shibboleth authentication on the Security & Authentication page to set up the auto-import feature for a user’s first name, last name, and/or email address.

• Major bug fix: If the REDCap installation has opted in to the feature of adding an auto-incremented Primary Key to every database table, an SQL query would prevent all draft mode changes from being committed while in production. Thus the user is not able to make any production changes. (Ticket #240564)

• Bug fix: For certain PHP versions, a JavaScript error might occur on the Project Setup page when enabling the Mosio feature.

• Bug fix: For projects in draft mode using the e-Consent Framework that have had a field modified or deleted on an e-Consent survey, the notice displayed to the user prior to submitting their drafted changes for approval (which mentions that the user should probably change the e-Consent version number) is no longer applicable in v14.5.0+ because the version number is no longer necessarily connected to the survey or its fields anymore in v14.5.0+ but instead is connected only to the consent form displayed on the survey. Given this, it no longer makes sense to display this notice to the user. Thus, the notice will no longer appear to users in this specific situation. (Ticket #240518)

• Bug fix: If the Survey Base URL is being used together with Clickjacking Prevention in the REDCap installation, it would prevent any of the “Custom Surveys for Project Status Transitions” survey pages from loading in a user’s browser. (Ticket #240644)

• Bug fix: The style/CSS of certain elements on the “Help & FAQ” page were not correct.

• Bug fix: The text of some dialogs that appear on PROMIS surveys were mistakenly not available to be translated via Multi-Language Management. (Ticket #239286)

• Improvement: For MyCap projects that are longitudinal with multiple arms, users may now designate a Baseline Date Field for every arm on the baseline date setup popup in the Online Designer.

• Improvement: When using Shibboleth authentication for REDCap, admins may now enable a new setting on the Security & Authentication page to allow REDCap to automatically import a user’s first name, last name, and/or email address the first time they log in or every time they log in to REDCap. Note: This may require some configuration changes on the Shibboleth side so that these user attributes appear as new $_SERVER variables.

• Major bug fix: When importing data (via Data Import Tool, API, Mobile App, etc.) into a project that contains Data Access Groups, an erroneous message might be returned stating that the records being imported cannot be modified because they do not belong to the user’s DAG, in which it names existing records in the project (not the records being imported). This would prevent the data import process from starting, and if using the Background Data Import, that process might mistakenly fail midway through the import, thus needing to be re-imported. Bug emerged in the previous version. (Ticket #240514)

• Bug fix: Further fixes for a possible upgrade error with regard to foreign keys on specific tables that occur for some installations under specific circumstances.

• Bug fix: If a survey has the e-Consent Framework enabled and also has “Save & Return Later” enabled with “Allow respondents to return and modify completed responses”, this combination could cause major issues with regard to the state of the data of a participant’s informed consent if they are allowed to modify their own completed e-Consent response. In this specific situation going forward, the “Allow respondents to return and modify completed responses” setting will be automatically disabled and thus will prevent participants from modifying their completed e-Consent response. Additionally, the “Allow respondents to return and modify completed responses” setting will be disabled on the Survey Settings page if the current survey has the e-Consent Framework enabled, and it will display a note beneath the setting to inform users why it is disabled. (Ticket #240265)

• Bug fix: The page number that is displayed near the top right of multi-page surveys would mistakenly not be fully right-aligned on the page when using a non-fixed width setting for the survey page.

• Bug fix: When exporting data to SPSS, any field labels longer than 256 bytes would result as an error when loaded into SPSS.

• Bug fix: When using Shibboleth authentication for REDCap, and a survey participant opens a survey page that contains an inline PDF, the PDF might mistakenly not be displayed but would display a login page inside an iframe. (Ticket #240240)

• Bug fix: When using the Data Resolution Workflow along with Data Access Groups in a project, if a user attempts to assign a data query to a user, in some situations the drop-down list of assignable users would mistakenly list users that are not currently eligible to be assigned to the data query because they are not currently assigned to the record’s DAG. It should only list users that are currently in the record’s DAG (or users not in any DAG) if the record itself is assigned to a DAG. This bug was supposedly fixed in REDCap 13.10.2 but mistakenly was not. (Ticket #213770b)

• Various changes and fixes for the External Modules Framework, including: 1) Added a warning about External Module composer dependency conflicts above the Control Center module management list, 2) Fixed an error with the “external_modules” framework development dir’s out of date detection, 3) Updated Twig from v3.11.0 to v3.11.1, and 4) Misc. security scan updates.

• Change/improvement: Better support for handling various authentication methods in a CDIS context (e.g., logging into REDCap via “Launch from EHR” context for CDP).

• Major bug fix: Resolved an issue in the CDIS module that caused errors and disrupted normal operations in environments running PHP versions lower than 8.0. This bug affected: CDP auto-adjudication process, Mapping helper usage, and Data Mart operations. The fix ensures proper handling of user data, allowing CDIS to function smoothly across different PHP versions. Bug emerged in the previous release. (Ticket #240182)

• Bug fix: Fix possible upgrade error with regard to foreign keys on specific tables that occurs for some installations under specific circumstances.

• Bug fix: When a repeating instrument is enabled as a survey, and a participant navigates to that survey with “&new” appended to the URL to denote that a new repeating instance should be created from that response, the survey page would mistakenly get pre-filled with existing data if instance 1 of the instrument contains data and was created via a data entry form. When “&new” is appended to a survey URL, the survey should never get pre-filled with any saved data. (Ticket #239909)

• Bug fix: When executing a custom data quality rule on a multi-arm project, in which the rule’s logic implies that only records in certain arms should be returned in the results, the results might mistakenly return false positives of data from arms in which the records do not actually exist. (Ticket #237137)

• Bug fix: When exporting the Logging page as a CSV file, some logged events (e.g., “Invalid SMS response”) might mistakenly say “Record 101” rather than just “101” in the record column of the CSV file. This is inconsistent with how the record name is displayed in that column for other logged events. (Ticket #239394)

• Bug fix: When reports or data exports are sorted by a multiple choice field that has only integers as its choice codes, the data for that field would mistakenly be sorted as a text string rather than appropriately sorted as a number.

• Bug fix: When upgrading from a REDCap version lower than 14.6.2 to version 14.6.2 or higher, the upgrade page would mistakenly note that REDCap must first be taken offline for X minutes prior to upgrading. However, this is not true but a mistake. REDCap does not need to be taken offline during this specific situation.

• Bug fix: When using Shibboleth authentication, in which the “URL for Shibboleth SP Session Initiator” is defined, the user might not get redirected back to their current page after performing a successful login.

• Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with certain newer area codes, including 787 and 939. This bug was supposedly fixed in REDCap 14.0.33 LTS and 14.4.1 Standard Release, but mistakenly it was not. (Ticket #234300b)

• Bug fix: When using surveys with enhanced radios/checkboxes together with LH orientation and an RTL language for Multi-Language Management, the standard radios/checkboxes would mistakenly be visible, and the order of the enhanced radios was not following proper RTL alignment.

• Bug fix: When viewing a survey page with date or datetime fields, in which the “Size of survey text” setting is “Large” or “Very large”, the values inside the date/datetime fields might appear truncated/cut off on the page. Note: This does not affect the actual value from being saved. (Ticket #239174)

• Medium security fix: A Blind SQL Injection vulnerability was found on certain Clinical Data Mart (CDM) related pages, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. The user must have “Access to all projects and data with maximum user privileges” administrator privileges in order to exploit this. This bug affects all known REDCap versions.

• Medium security fix: A Blind SQL Injection vulnerability was found on several Control Center pages, in which a malicious user who has co-opted a REDCap admin account could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. The user must have “Modify system configuration pages” administrator privileges in order to exploit this. This bug affects all known REDCap versions.

• Medium security fix: A Blind SQL Injection vulnerability was found on the Edit Project Settings page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. The user must have “Access to all projects and data with maximum user privileges” administrator privileges in order to exploit this. This bug affects all known REDCap versions.

• Medium security fix: A Blind SQL Injection vulnerability was found on the Online Designer page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. The user must be logged in to REDCap in order to exploit this. This bug affects all known REDCap versions.

• Medium security fix: A Blind SQL Injection vulnerability was found on the Send-It upload page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. The user must be logged in to REDCap in order to exploit this. This bug affects all known REDCap versions.

• Major security fix: A Cross-Site Request Forgery (CSRF) Bypass vulnerability was found in which a malicious user could potentially exploit it by manipulating an HTTP request to any URL in the system by tricking an authenticated user to click a specially-crafted link that could bypass the CSRF check and submit information (including changing REDCap system configuration values) on behalf of the user or admin. This vulnerability exists in REDCap 13.4.0 and higher.

• Major security fix: A Local File Inclusion (LFI) vulnerability was discovered in which a malicious user could potentially exploit it by setting the path of the hook function file on the General Configuration page to a value containing specific characters in order to bypass the check that ensures that the file path points to a PHP file. The user must have “Modify system configuration pages” administrator privileges in order to exploit this. This bug affects all known REDCap versions.

• Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way that can be exploited on the following pages: Alerts & Notifications, Stats & Charts, and the main REDCap Home Page. This vulnerability can only be exploited by authenticated users. Bug exists in all REDCap versions.

• Critical security fix: A Remote Code Execution vulnerability was found in which a malicious user who is logged in could potentially exploit it by manipulating an HTTP request to a specific External Module Framework endpoint. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists in REDCap 11.0.0 and higher.

• Critical security fix: A Remote Code Execution vulnerability was found in which a malicious user who is logged in could potentially exploit it by manipulating an HTTP request to the Data Import Tool page while uploading a specially-crafted CDISC ODM XML file. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists in REDCap 6.12.0 and higher.

• Improvement: Enhancement to the information provided for the existing EHR access status and auto-login indicators in the CDIS panel of REDCap projects.

  • EHR Access Status: Detailed information about the user’s current EHR access is now available when clicking on the EHR access indicator within the CDIS panel. Additionally, this information is also displayed on the Project Home page of CDIS projects.
  • Auto-login Indicator: Clicking on the auto-login indicator in the CDIS panel now provides users with additional details about how the auto-login feature works, including the process of mapping REDCap and EHR accounts during the “Launch from EHR” process.

• Improvement: The field validation type is now displayed below each Text field in the Online Designer (similar to how action tags are displayed for each field).

• Major bug fix: In rare cases where radio field choices are being piped on a form or survey, the page might mistakenly never fully load due to a JavaScript error.

• Bug fix: Mapped fields in projects marked as both CDP and CDM were not displaying correctly in the CDIS Mapping Helper tool.

• Bug fix: Some text inside red boxes throughout REDCap would mistakenly appear in a much lighter red color than intended.

• Bug fix: When reactivating all deactivated alerts on the Alerts & Notifications page, the page would mistakenly be blank, which could be confusing. Bug emerged in the previous version. (Ticket #239346)

• Bug fix: When users are deleting multiple fields in the Online Designer, in some rare cases a race condition might occur that scrambles the field order and results in fields being suddenly in the wrong location.

• Bug fix: When using the MyCap “App Design” page, a JavaScript error would occur when clicking the “Publish” button. This issue prevents a success message box from appearing on the page.

• Improvement: On the External Modules page in the Control Center, a new warning will be displayed when REDCap detects potentially incompatible Composer packages (i.e., third-party libraries) used inside the code of individual External Modules that may cause REDCap to crash unexpectedly. This warning will provide a list of which EMs might not be compatible with other EMs installed in the system, and provides information that can be given to the EM’s creator to resolve these potential compatibility issues.

• Improvement: When exporting the Project XML file for a project that has alerts, there is now a new checkbox “Leave Alerts enabled (unless disabled)” on the Other Functionality page below the “Alerts & Notifications” checkbox. Going forward, all alerts in the Project XML file will be disabled by default unless the user checks the new checkbox to keep them enabled. In previous versions, alerts in the Project XML file would import into the new project as is (i.e., if enabled, it would stay enabled, and if disabled, it would stay disabled). This new option gives users more control over the default state of alerts in the newly created project. (Ticket #238810)

• Change: When deleting a data quality rule when the Data Resolution Workflow feature is enabled in a project, the rule deletion dialog will now display a red warning to the user to inform them that deleting the rule will also delete any data queries (open or closed) that are currently associated with that data quality rule. (Ticket #219303)

• Major bug fix: When the e-Consent Framework has been set up but then later disabled for a given survey, a PDF Snapshot would mistakenly still get saved to the File Repository and/or specified File Upload field whenever a participant completes the survey. (Ticket #239030)

• Bug fix: MyCap participants would mistakenly not receive any push notifications upon a user (e.g., study coordinator) sending them an announcement via the MyCap messaging interface in the project.

• Bug fix: Radio fields with the action tags READONLY and DEFAULT or SETVALUE would mistakenly not pipe correctly on the page.

• Bug fix: Some unwanted text would mistakenly be displayed at the bottom of the Edit Project Settings page. (Ticket #238981)

• Bug fix: When opening the “Edit Branching Logic” dialog via the Quick Modify Fields popup on the Online Designer, the branching logic text box in the dialog would mistakenly retain the previous value entered by the user while on that same current page. The text box’s value should be cleared out each time the dialog is opened. (Ticket #238833)

• Bug fix: When performing a data import on the Data Import Tool page, in some rare situations, the import process might mistakenly fail due to a fatal PHP error when using PHP 8. (Ticket #238912)

• Bug fix: When using “OpenID Connect” or “OpenID Connect & Table-based” authentication, and a user logs out of REDCap and then later logs back in again, the login process might mistakenly fail silently when re-logging again. (Ticket #237124)

• Bug fix: When using Multi-Language Management in a project with MyCap enabled, the language ISO codes displayed for MyCap in the “Add New Language” dialog on the MLM setup page were incorrect for many of the languages listed. Those ISO codes have been corrected.

• Bug fix: When viewing a report that has report logic that includes checkbox fields that reference Missing Data Codes (e.g., [my_checkbox(NA)] = “1”), the report might mistakenly not return items/data that should be returned, specifically when displaying data for repeating instruments.

• Change/improvements: The following web accessibility improvements were added to the REDCap Home Page: 1) Fixed headings so that it starts with h1 tag, 2) Moved navigation section outside of main section, 3) Added “skip to main content” link (press the Tab key to reveal the link), and 4) Fixed headings within Messenger (i.e. proper h tag level for Notifications and Conversations in Messenger) on Home page.

• Various changes and improvements to the External Module Framework, including 1) Added built-in Twig support via module framework version 16, and 2) Expanded $module->getChoiceLabels() to support true/false & yes/no fields.

• Bug fix: Alerts with conditional logic containing datediff() with “today” or “now” as a parameter might mistakenly get triggered multiple times by the cron job, thus resulting in duplicate alerts being sent. This behavior appears to be sporadic and occurs very seldom for most installations. (Ticket #237341)

• Bug fix: Horizontally-aligned enhanced radios/checkboxes on surveys that do not have a question number column would mistakenly not be spaced out consistently between each choice on a given horizontal line. Note: This fix is slightly different from a similar one from last week, which did not get completely fixed.

• Bug fix: If a user has received a confirmation link via email for registering a new email address with their REDCap account, and then the REDCap server is upgraded to a new REDCap version after the email is received, the link in the email would mistakenly redirect to the wrong place in the new version, thus preventing the user from being able to complete the email registration process. (Ticket #238619)

• Bug fix: If an auto-incremented primary key (i.e., “pk_id”) has been added to all tables that do not have one (via the instructions at the bottom of the Control Center page), then the Copy Report functionality would mistakenly fail on the “My Reports & Exports” page. Bug emerged in REDCap 14.6.2 (Standard).

• Bug fix: In certain specific situations, logged events related to clicking Project Bookmarks might mistakenly be displayed on the Logging page when filtering by a specific record in the project. (Ticket #238547)

• Bug fix: In some cases when inline PDFs are attached to Descriptive fields, and a user downloads the PDF of the instrument, if the iMagick PHP extension is installed on the web server, the first page of the inline PDF might mistakenly get truncated in the resulting REDCap-generated PDF of the instrument.

• Bug fix: In some cases when inline PDFs are used as consent forms in the e-Consent Framework, and a user downloads the PDF of the instrument, if the iMagick PHP extension is installed on the web server, there would mistakenly be a blank page following the inline PDFs in the resulting REDCap-generated PDF of the instrument. (Ticket #237921)

• Bug fix: Several missing LOINC codes were added to the CDIS mapping features. Additionally, several Clinical Notes types were missing and not mappable, specifically pathology study, diagnostic imaging study, and laboratory report.

• Bug fix: The CSV file download option for the Choices Editor inside the Edit Field dialog for multiple choice fields in the Online Designer would mistakenly not do anything. (Ticket #238818)

• Bug fix: When a Data Entry Trigger is triggered on a data entry form for a record in a Data Access Group, the unique DAG name would mistakenly not get sent in the request to the Data Entry Trigger URL. Note: This issue does not occur on survey pages, and it also does not occur on data entry forms when a record is being assigned to a DAG while also being created there on the form. (Ticket #238727)

• Bug fix: When comparing two records in the Data Comparison Tool, the coded values of multiple choice fields would be mistakenly wrapped in escaped HTML italic tags, which would cause the tags to be visible (rather than interpreted) on the page. Bug emerged in REDCap 14.0.14 LTS and 14.2.1 Standard. (Ticket #238437)

• Bug fix: When copying a project via the “Copy the Project” page for a project that contains a repeating survey with a repeating Automated Survey Invitation, the ASI’s recurrence settings (e.g., “How many times to send it”) would mistakenly not get copied into the new project. Bug emerged in REDCap 12.5.0. (Ticket #238218)

• Bug fix: When downloading a PDF of “All forms/surveys with saved data” or “All forms/surveys with saved data (compact)” when some instruments contain embedded fields, some of the embedded fields might mistakenly not get converted into data values or underscores (if they have no value) in the resulting PDF. (Ticket #238683)

• Bug fix: When modifying a PDF Snapshot, some of the snapshot settings (specifically the checkbox options) might mistakenly not get saved successfully after being changed, and no error would be displayed to notify the user that their desired settings were not saved. This issue only affects web servers running PHP 7.3 or 7.4. (Ticket #236067)

• Bug fix: When participants are taking a survey that contains fields with the @HIDDEN-SURVEY action tag, in which the participant is using a non-standard web browser, the fields might mistakenly be displayed instead of hidden on the survey page. (Ticket #238129)

• Bug fix: When selecting instruments for the scope of a PDF Snapshot, the “Update” and “Cancel” buttons may disappear when scrolling downward when many instruments exist in the box, thus possibly causing confusion with regard to how to save one’s selected instruments. To fix this, the buttons now float at the top of the box regardless of scrolling. (Ticket #238698)

• Bug fix: When the Confirmation Email option has been enabled, specifically with the “Include PDF of completed survey as attachment” checkbox checked, for a survey that has the e-Consent Framework enabled, the PDF attached to the email received by the participant would mistakenly contain the record name of the participant’s record in the filename of the PDF. The record name should not be included in the PDF filename for PDFs received by participants. (Ticket #223899)

• Bug fix: When the Top Usage Report page displays a row that is a “Project” type, the project link displayed in that row would mistakenly be an invalid URL if the project title ends with text enclosed in parentheses. (Ticket #238523)

• Bug fix: When using Clinical Data Pull for CDIS, in the “launch from EHR” context of a CDIS project, events were not logged properly when a patient was added to a project. This improper logging prevented the record list cache in REDCap from rebuilding correctly, leading to issues when saving records in projects with auto-incrementing record IDs. (Ticket #234550)

• Bug fix: When using certain screen readers, such as JAWS, the individual options of drop-down fields might mistakenly not be able to be read by the screen reader. (Ticket #237629)

• Improvement: Slight change in the Database Query Tool’s “show more” link’s behavior to improve performance after being clicked on a page with large column values.

• Change: After completing a survey, the “Close survey” button is now displayed below the Survey Completion Text so that it is no longer the first thing that participants see on the page.

• Change: Background Data Imports would automatically be halted if they took more than 24 hours to complete. This limit has been increased to 48 hours to allow some very large imports more time to import all their data.

• Bug fix: Deleting fields via the Online Designer for projects with several hundred fields might cause the page to hang for unacceptable amounts of time.

• Bug fix: HTML “abbr” tags were mistakenly disallowed as an allowed tag that users can use in field labels, survey instructions, and other user input. Bug emerged in REDCap 14.5.4 Standard and 14.5.5 LTS.

• Bug fix: Horizontally-aligned enhanced radios/checkboxes on surveys that do not have a question number column would mistakenly not be spaced out properly with some space between each horizontal choice.

• Bug fix: If a Notes field has both the RICHTEXT and READONLY action tag at the same time, the “Source code” button in the toolbar of the rich text editor would still be clickable and could be used to modify the field’s value, which should not be allowed in this situation. (Ticket #237348b)

• Bug fix: If editing a matrix of fields, in which one of the fields has its variable name changed, that field’s branching logic would mistakenly be erased when saving the changes to the matrix. (Ticket #236685)

• Bug fix: Some CDIS-related text on the Edit Project Settings page was mistakenly not translatable via language INI files. (Ticket #238036)

• Bug fix: Some EM Framework related language text that stems from translated INI language files might mistakenly not appear as translated on the page in certain places. (Ticket #238038)

• Bug fix: The Upgrade page’s link to the REDCap ChangeLog on the REDCap Community website was outdated. (Ticket #237664)

• Bug fix: When attempting to upload the Survey Queue via a CSV file when using certain browsers, such as Firefox, the upload process might mistakenly fail with an unknown error. (Ticket #233684)

• Bug fix: When executing Data Quality rules in certain browsers and operating systems (e.g., Firefox on Linux), the “export

  • view” links to export and view the DQ results might mistakenly not be visible on the page.

• Bug fix: When using Multi-Language Management while the Secondary Unique Field is enabled, the duplicate value message might not be translated via MLM when the secondary unique check is triggered by pre-filling a field from a URL parameter. (Ticket #237182)

• Bug fix: When using the EHR Launch for Clinical Data Pull in CDIS, there could be possible compatibility issues, resulting in an HTTP 401 error, when using certain external authentication methods. (Ticket #237765)

• Various changes to the External Module Framework, including: 1) Added the $module->getDataClassical() method, 2) Updated the $module->createProject() function to select the smallest data & log tables for new projects, and 3) External Module “every page” hooks no longer execute by default on authenticated pages when users are not logged in. Modules can allow them to execute in this case going forward by setting enable-every-page-hooks-on-system-pages to true in config.json.

• New feature: Clinical Data Pull Dashboard - New admin-only page that appears on the left-hand menu in CDP projects. Key features:
  • Queueing and Fetching: The dashboard outlines the cron job processes for queueing records based on specific criteria and fetching queued data for caching and further review.
  • Manual Queueing: Users have the ability to manually mark non-queueable records as QUEUED, forcing their data to be fetched during the next data fetching cycle.
  • Cached Data Page: A dedicated “Cached” page allows users to view and decrypt detailed information for each record and field, including timestamps, to ensure data accuracy and timeliness.
  • Administrator Access: A link to the Dashboard is available exclusively for administrators in the “Clinical Data Interoperability Services” or “Clinical Data Pull” panels.

• Improvement/change: Optimization for the Background Data Import process for importing records faster for very large projects (e.g., >100K records). (Ticket #237549)

• Improvement: If MySQL/MariaDB clustering or replication is implemented on your REDCap database server, in which it might be required that every database table has an auto-incremented Primary Key, the Configuration Check (at the bottom of the page) will auto-generate and display all the SQL needed to add auto-incrementing Primary Keys to all REDCap database tables that currently do not have them. (Ticket #236440)

• Improvement: On the Security & Authentication page, administrators using “OpenID Connect” or “OpenID Connect & Table-based” authentication can now optionally set a custom logout URL to direct users to after logging out of the application. (Ticket #143391)

• Bug fix: A missing LOINC code was added to the CDIS mapping features.

• Bug fix: For certain MySQL/MariaDB configurations, the upgrade SQL script might mistakenly fail when upgrading from pre-14.1.1 to any post-14.1.1 version. The upgrade script has been updated for more compatibility to prevent this issue going forward.

• Bug fix: HTML “input” tags were mistakenly disallowed as an allowed tag that users can use in field labels, survey instructions, and other user input. Bug emerged in REDCap 14.5.4 Standard and 14.5.5 LTS. (Ticket #237448)

• Bug fix: If a Notes field has both the @richtext and @readonly action tag at the same time, the field would mistakenly not be displayed as a rich text editor but as a regular textarea field, which would contain visible HTML tags inside it if the field already has a value. (Ticket #237348)

• Bug fix: In the Online Designer, when editing a CALCTEXT field whose calculation contains references to fields with “:value” appended - e.g., [field:value], normal users might never be able to successfully edit the field to change its CALCTEXT syntax. Note: Administrators are able to modify the field though. This issue was caused by the [field:value] syntax, which is not necessary since fields should be referenced simply as [field] in logic and calculations. Going forward, using the [field:value] notation, which is technically not incorrect, will no longer cause the Edit Field popup to hang when saving a field in the Online Designer. (Ticket #236945)

• Bug fix: Some PHP 8 specific errors might occur on the MLM setup page in projects that do not have MyCap enabled.

• Bug fix: When deleting an entire record via the Bulk Record Delete feature in a project where the “Require a reason when making changes to existing records” setting is enabled, an error would always be returned saying “Reason for change was not provided” instead of deleting the record. That should not occur except when doing a partial delete of records. (Ticket #237499)

• Bug fix: When using LDAP authentication with PHP 8, an LDAP user that logs in with an incorrect password might mistakenly result in a fatal PHP error during the login process. (Ticket #237359)

• Bug fix: When using both MyCap and Multi-Language Management in a project, the MLM setup page (inside the “MyCap help” popup and “add/edit language” popup) was mistakenly not displaying the list of available language codes currently supported by the MyCap mobile app.

• Bug fix: When using both MyCap and Multi-Language Management in a project, the MLM setup page would mistakenly display a “MyCap” tab under the User Interface section. That tab was not meant to be added since it cannot be used yet.

• Bug fix: When using the EHR Launch for Clinical Data Pull in CDIS, there could be possible compatibility issues when using Internet Explorer as the default browser in the EHR.

• Bug fix: When using the EHR Launch for Clinical Data Pull in CDIS, there could be possible compatibility issues when using certain external authentication methods.

• Bug fix: When using the READONLY action tag on the Secondary Unique Field on a survey that has the SUF prefilled via URL variables, the field would mistakenly be editable and not read-only. Note: This occurs only on the SUF when viewed specifically in survey mode, and only when prefilling is being performed. (Ticket #237623)

• Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a specific API parameter’s value that is used in a specific API method. This vulnerability can be exploited only by users with a valid API token. Bug exists in all REDCap versions.

• Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into any user input that is then output on a page in REDCap (e.g., field labels, survey instructions, data displayed on a report). This vulnerability can be exploited by authenticated users and also by survey participants entering data. Bug exists in all REDCap versions.

• Major bug fix: If Multi-Language Management is enabled on a project, the datepicker for date/datetime fields would mistakenly appear in right-to-left mode all the time. Bug emerged in 14.5.4 Standard and 14.5.5 LTS.

• Bug fix: In some situations, the record name and “upcoming calendar events” button that appears above the table on the Record Home Page might mistakenly appear too narrow on the page. (Ticket #236702)

• Bug fix: In very specific situations, a user exporting the data for a report might mistakenly fail with a PHP error when using PHP 8. (Ticket #236555)

• Bug fix: When a user is performing a “partial delete” of instrument data on the Bulk Record Delete page, in which randomization is enabled in the project and the record being partially deleted has already been randomized, if the randomization field or strata fields exist on the instrument being deleted, those values would mistakenly get deleted. Once a record has been randomized, it should not be possible to delete values for the randomization field and strata fields. In this situation going forward, the instrument data will not be deleted for the selected records on the Bulk Record Delete page.

• Bug fix: When upgrading from a version of REDCap below 14.5.0, in some specific situations the upgrade might fail due to an SQL error. (Ticket #236740)

• Bug fix: When using Clinical Data Pull for CDIS, the auto-adjudication interface would be incorrectly displayed on the record dashboard after disabling CDP in the project or at the system level.

• Bug fix: When using MyCap together with Multi-Language Management, the “Notification Settings” tab was mistakenly not appearing in the correct location on the MyCap setup page.

• Bug fix: When using MyCap together with Multi-Language Management, the “version” attribute and list of languages in the MyCap config JSON (that is consumed by the MyCap mobile app) was mistakenly not getting updated automatically whenever a user clicks on the “Save” button on the MLM setup page.

• New feature: Bulk Record Delete
  • Users may use the Bulk Record Delete page to delete multiple records from the project or alternatively to delete data for multiple instruments across multiple records. To perform either of those two actions, a user must have “Delete Records” privileges, and for the partial delete option, a user must additionally have “View & Edit” instrument-level privileges for the instrument that they select.
  • The Bulk Record Delete page can be accessed from two different locations in a project: 1) On the Other Functionality page, and 2) On the Record Status Dashboard via the new Multi-Record Actions dropdown.
  • If the project has the GDPR-related feature “Delete a record’s logging activity when deleting the record?” enabled in the project, the user will be prompted with a checkbox to additionally delete the record’s logged events on the Logging page when deleting entire records.
  • If the “Require reason for change” option is enabled in the project, users will be prompted to enter a reason that will get logged when performing a partial delete of one or more instruments.
  • The Bulk Record Delete feature can be disabled for the whole system on the Modules/Services Configuration page in the Control Center, if desired. By default, this feature will be enabled.
  • Note: If a user is performing a partial delete, the instrument’s data cannot be deleted in the following situations: 1) If the form is locked, 2) If no users are allowed to modify survey responses (via the system-level setting) and the data of the selected instrument(s) is a survey response, 3) If the user does not have form-level rights to modify survey responses for the selected instrument(s) and the data of the selected instrument(s) is a completed survey response, or 4) If the selected instrument(s) is a completed e-Consent response and e-Consent responses are not allowed to be edited per the survey’s e-Consent settings.

• Major bug fix: When using the Multi-language Management feature in the MyCap mobile app, some important task settings information might mistakenly not get pulled from the REDCap server into the MyCap app on the mobile device, thus resulting in text from the fallback language being used in the mobile app instead of the desired MLM language.

• Bug fix: On the Configuration Check page, the External Service Check for Google reCAPTCHA API services might mistakenly return a false positive saying that the service can’t be reached when it actually can.

• Bug fix: The Quick-Modify Fields feature would not allow users to copy branching logic when it was just added (or would allow users to copy it when it was just removed).

• Bug fix: When using Form Display Logic, in which the “Hide forms that are disabled” checkbox is checked but no conditions are defined in the Form Display Logic setup dialog, the Record Home Page would mistakenly not display any instruments in the table for any records. (Ticket #236229)

• Bug fix: When using Multi-Language Management, the “Save & Return Later” page might mistakenly not display the desired language for the participant. (Ticket #236220)

• Bug fix: When using a rich text consent form with the e-Consent Framework, the consent form text might all be mistakenly bolded when being viewed on the survey page. (Ticket #236369)

• Improvement: Multi-Language Management can now be utilized by MyCap. Users will see a new “MyCap” tab on the MLM setup page, which will allow them to translate their custom MyCap elements that will appear to participants in the MyCap Mobile App. Participants will be given the choice to use any of the project’s MLM languages after opening and viewing the MyCap Mobile App.

• Improvement: REDCap now supports the “s” HTML tag for strikethrough (note: the “strike” HTML tag was already supported).

• Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).

• Improvement: The “strikethrough” styling button has been added to the toolbar in the rich text editor in all the places where the editor is used.

• Improvement: When using MyCap in a project, users can now customize the notification time (default 8:00AM) for MyCap notifications to participants using the MyCap mobile app.

• Change/improvement: If a custom primary key field has been added to any given REDCap database table that does not have an auto-incrementing field that serves as the primary key, the “database structure is incorrect” warning in the Control Center will no longer recommend that this extra field (and its key) be deleted. This should help institutions where their local IT support is recommending or forcing them to add primary keys to all REDCap database tables (for various reasons).

• Major bug fix: When editing a user’s privileges on the User Rights page, it would not be possible to grant a user access to the File Repository, despite checking the checkbox for it. Additionally, if any user previously had File Repository privileges and then another privilege was modified for the user on the User Rights page (excluding CSV imports and API imports), it would mistakenly remove their File Repository privileges. Bug emerged in REDCap 14.5.2.

• Bug fix: A JavaScript error might occur on some MyCap pages if using a non-English language for the project.

• Bug fix: A duplicated language string in English.ini might cause an incorrect phrase to be displayed on the upgrade page. (Ticket #235989)

• Bug fix: If the REDCap Base URL contains a port number, logging out of REDCap might mistakenly send the user to an incorrect URL that does not contain the port, thus resulting in an error. (Ticket #236221)

• Bug fix: The user interface for the date/time picker for date-validated and datetime-validated fields was mistakenly not translatable via Multi-Language Management. (Ticket #236211)

• Bug fix: When uploading an attachment file in the Edit Alerts dialog on the Alerts & Notifications page, the error message might not always be correct in all cases.

• Improvement: More user experience improvements for the Online Designer, including a new dismissible popup that alerts the user about the new “drag-n-drop” behavior for moving fields in the Online Designer. Additionally, users can now limit the deactivation/reactivation to certain action tags in the Quick Modify Field(s) popup. In previous versions, users could only deactivate/reactivate all action tags for the selected fields, but now users may provide specific actions tags that will be deactivated/reactivated.

• Change/improvement: The internal service check on the Configuration Check page that checks the main REDCap survey end-point now works even when the REDCap system is set as “Offline”.

• Change: REDCap has been verified to be fully compatible with PHP 8.3.

• Bug fix: If a project is in Production status and currently in Draft Mode, and then a user moves the project to Analysis/Cleanup status, the Online Designer would mistakenly still be accessible when it should instead display the message “Note: This page can only be accessed when the project is in Development or Production status”. (Ticket #235798)

• Bug fix: If a user manipulates some of the URL parameters on the Calendar page so that the parameter’s value is in scientific notation format instead of an integer, it would cause the page to crash with a fatal PHP error.

• Bug fix: Rapid Retrieval caching on Windows servers might mistakenly cause cache files to be invalidated/deleted prematurely, thus negating the positive benefits of the Rapid Retrieval feature. This has been fixed, in which it appears to have affected only Windows web servers. (Ticket #235297)

• Bug fix: When a PDF Snapshot trigger has been defined, in which the snapshot’s scope includes an instrument that has the e-Consent Framework enabled and the snapshot is set to be stored in the File Repository, if a user has marked that e-Consent instrument’s Form Status as “Complete” on a data entry form without having completed the instrument as an e-Consent survey, the “PDF utilized e-Consent Framework” icon would mistakenly be displayed for the snapshot in the PDF Snapshot Archive table in the File Repository. That icon should only appear when the snapshot contains a completed e-Consent response that was completed as a survey. Note: This will not fix the issue retroactively for already-stored snapshots, but it will prevent the issue going forward. Bug emerged in REDCap 14.5.0.

• Bug fix: When a participant is taking a survey as an SMS conversation using Twilio/Mosio, in which branching logic is used on some fields, in very specific situations those fields might mistakenly get skipped when they should not be skipped. (Ticket #235586)

• Bug fix: When upgrading from a version of REDCap below 14.5.0, in some specific situations the upgrade might fail due to an SQL error. (Ticket #235758)

• Bug fix: When using “OpenID Connect” or “OpenID Connect & Table-based” authentication, the user might not get correctly logged out of REDCap for some configurations. (Ticket #235539)

• Bug fix: When using the Field Bank in the Online Designer to search for fields, it might mistakenly show answer choices that say “Login to see the value.” for specific items. (Ticket #228217b)

• Change/improvement: Small change in JavaScript to improve loading speed and calculation speed on data entry forms and survey pages. (Ticket #235138)

• Change/improvement: Small change in JavaScript to improve loading speed slightly on data entry forms and survey pages in specific situations. (Ticket #235136)

• Change/improvement: When a user moves a project to production and they opt to delete all records during the process, this is now specifically denoted on the Logging page, which will now list the logged event as “Move project to Production status (delete all records)”.

• Major bug fix: If upgrading from REDCap 14.5.0 or 14.5.1, the upgrade script for upgrading to 14.5.0 or 14.5.1 from an earlier version would have not properly converted the “Save a PDF of completed survey response to a File Upload field” survey setting into its equivalent PDF Snapshot format for 14.5.X if the survey had neither the e-Consent Framework enabled nor the PDF Auto-Archiver enabled. This incorrect conversion would mistakenly cause a PDF Snapshot of the entire record (i.e., snapshot scope=“all instruments”) to be stored to the File Upload field rather than a PDF Snapshot of only the current survey/event/instance (i.e., snapshot scope=“single survey response”). Upgrading to 14.5.2 and higher will fix this issue so that surveys in those specific situations will only save the current survey response to the File Upload field, as it did in pre-14.5.0 versions.

• Major bug fix: When Data Access Groups are utilized in a project, especially when the DAG Switcher is being actively used, it is possible in specific scenarios that a user assigned to a DAG might mistakenly be able to see logged events on the Logging page for records in another DAG. For example, this could happen if a user created/modified a record for one DAG, and then switched to another DAG, a user in the second DAG would mistakenly be able to view logged events for the record in the first DAG merely due to the fact that the first user created/modified that record. (Ticket #235432)

• Bug fix: In some cases when inline PDFs are attached to Descriptive fields, and a user downloads the PDF of the instrument, if the iMagick PHP extension is installed on the web server, there would mistakenly be a blank page following the inline PDFs in the resulting REDCap-generated PDF of the instrument. Bug emerged in REDCap 14.5.0 Standard. (Ticket #222014b)

• Bug fix: Messages in REDCap Messenger that contain HTML hyperlinks might mistakenly get mangled and not display as a hyperlink correctly in a Messenger conversation.

• Bug fix: The BioPortal Ontology Service recently began returning data in a slightly unexpected format from its web service, thus causing all BioPortal fields on surveys and data entry forms not to work any longer. (Ticket #235501)

• Bug fix: When deleting a file from the File Repository via the API, it would mistakenly require that the user have “Delete Record” privileges, which are not required for this API method. (Ticket #235363)

• Bug fix: When upgrading from a version of REDCap below 14.5.0, in some specific situations the upgrade might fail due to an SQL error. (Ticket #235260)

• Bug fix: When users attempt to view the “General Notifications” or “System Notifications” threads in REDCap Messenger, those threads would mistakenly not open for normal users but would only open for REDCap administrators. Bug emerged in REDCap 14.0.33 LTS and 14.4.1 Standard.

• Bug fix: When using Custom Mappings for fields in CDIS projects, the Custom Mappings might mistakenly not get prioritized and thus might get overridden by the default mappings in REDCap.

• Various updates and fixes for the External Module Framework, including 1) Fixed a bug preventing $module->getChoiceLabel() from correctly matching integer values, 2) Displayed a warning when a development copy of the External Module Framework is installed & out of date, and 3) Misc. security scan improvements.

• Improvement: In the “Move Field” dialog in the Online Designer, the user may now choose “Insert at top of this form” or (if the field is part of a matrix) “Insert at the top of the matrix group” from the field drop-down.

• Change: Added 2 new data tables and 3 new log_event tables to help long-term performance going forward.

• Major bug fix: Some specific external authentication methods, such as Shibboleth and possibly AAF, might no longer work and might result in a fatal PHP error. Bug emerged in the previous version. (Ticket #235223, #235211)

• Bug fix: During the check to ensure that all non-versioned files are accounted for, in some specific situations the process might mistakenly fail with a fatal PHP error when using PHP 8. (Ticket #234877)

• Bug fix: The table displayed in the PDF Snapshot Re-Trigger dialog on data entry forms would mistakenly be missing a column header. (Ticket #235190)

• Bug fix: When using Entra ID (formerly Azure AD), OpenID Connect, or the “X & Table-based” version of either of those for authentication in REDCap, a user’s original location (their URL before logging in) would mistakenly not be preserved after having authenticated, and in some cases the logout process might not function 100% correctly, thus redirecting the user to a URL ending with “?logout=1” or sometimes a more generic URL of the REDCap installation, rather than the exact URL when they logged out. (Ticket #217736, #234817)

• New features: Enhanced e-Consent Framework and PDF Snapshot Functionality
  • Overview - A new page named “Settings for e-Consent & PDF Snapshots” (linked from the Online Designer) serves as the new location where users can enable and set up the e-Consent Framework for a given survey and also set up triggers for storing PDF Snapshots. In previous versions, the e-Consent Framework and PDF Snapshot settings all existed on the Survey Settings page as several disparate options, but now they have been consolidated on this new page as two separate tabs. While these two exist as separate features, there is some overlap of functionality since the e-Consent Framework does ultimately store a copy of the PDF Snapshot for the e-Consent response. In addition to moving these features to the new page, both have been given enhancements, which are detailed below. View a 5-minute overview video of the new features: https://redcap.link/econsent2vid
  • Overall Benefits of the New Features - Streamlined Consent Process: Simplify and enhance the electronic consent process for both researchers and participants. Improved Data Integrity: Ensure secure and organized storage of consent forms and survey responses. Enhanced Compliance: Meet regulatory standards such as ICH and FDA requirements with robust version control and audit trails.

• Improved PDF Snapshot Functionality: Audit Trails: Improved, detailed audit trails for consent form completions and PDF snapshot generations.

• Improved PDF Snapshot Functionality: Automatic Saving: Save PDF copies of survey responses (i.e., snapshots) to the project’s File Repository or to specified File Upload fields. In previous versions, this would have been set up using separate features on the Survey Settings page, but now they can be set up as specific settings of a PDF Snapshot trigger.

• Improved PDF Snapshot Functionality: Custom Logic-based Triggers: Create custom triggers for generating PDF snapshots based on specific conditions using conditional logic. Whenever data is being saved for a record (on a survey, form, API, data import, etc.), if the logic of the snapshot trigger evaluates as True, then a PDF snapshot will be saved to whatever location is specified. Note: Logic-based triggers can only be triggered once per record, whereas survey-completion-based triggers (including e-Consent surveys) will store a new snapshot every time the survey is completed (because surveys may possibly be completed multiple times if certain Survey Settings are defined).

• Improved PDF Snapshot Functionality: File Naming Customization: Customize the file names of PDF snapshots using static text or piping, appended with date-time stamps.

• Improved PDF Snapshot Functionality: Note: Non-e-Consent PDF Snapshot triggers will always store the PDF in the default MLM language, but an e-Consent PDF Snapshot trigger will always store the snapshot in the participant’s chosen language.

• Improved PDF Snapshot Functionality: Snapshot Re-triggering: Perform re-triggering of PDF Snapshots while on a data entry form. If the user has “View & Edit” Data View privileges on the current instrument, they will see a “Trigger Snapshots'' link in the button box at the top-left of the page. This will allow them to trigger or re-trigger any given PDF snapshot (although “survey completion” snapshot triggers specifically require that the survey be completed first). Additionally, for logic-based triggers, the logic does not have to currently be True in order to trigger/re-trigger it.

• Improved PDF Snapshot Functionality: Snapshot Scope: The “scope” of the snapshot must be defined when creating a new snapshot trigger. The scope refers to the data content inside the PDF, i.e., which instruments are included in the snapshot (a single instrument, multiple instruments, or all instruments/events). Note: The PDF snapshot created by completing an e-Consent survey will only ever include just that single survey response. But for non-e-Consent snapshots, users may define the scope of the snapshot.

• Improved PDF Snapshot Functionality: Support for Multi-Form Consents: Combine multiple forms and/or signatures into a single PDF snapshot. Define a PDF snapshot that contains multiple instruments in order to potentially capture multiple signatures, and then store the snapshot in the File Repository or a File Upload field.

• Improved PDF Snapshot Functionality: Vault Storage Integration: If using the system-level feature “e-Consent Framework: PDF External Storage Settings (for all projects)”, all PDF snapshots generated via completed e-Consent surveys will automatically be stored on the external server (i.e., “The Vault”). This feature existed in previous versions and continues to function in the same way. Noted new feature: If a multi-instrument PDF snapshot is being stored in the File Repository, in which it contains at least one completed e-Consent survey response, that snapshot will automatically be stored in the Vault. However, a project-level setting named “Store non-e-Consent governed PDF Snapshots on the External Storage server if the snapshot contains a completed e-Consent response” exists on the “Edit Project Settings” page that is set to Yes/Enabled by default, in which it can be disabled if the REDCap administrator wants only e-Consent governed PDF snapshots to be stored in the Vault and thus not store multi-instrument snapshots that happen to contain an e-Consent response in the Vault.

• Improvement/bug fix: A new project-level setting “Hide closed/verified data queries from Data Quality results” has been added that can be used with the Data Resolution Workflow. This setting defaults to an Enabled/Checked value, and it can be changed in the DRW/Field Comment Log section of the Additional Customizations dialog on the Project Setup page. If users prefer for closed and/or verified data queries in the DRW to always be visible in results on the Data Quality page, they can uncheck this new setting in the project. NOTE: Beginning in 14.3.13 through (and including) 14.4.1, a mistake was introduced regarding a change in the behavior of closed/verified data queries, in which they were no longer automatically hidden from Data Quality results (whereas in previous versions they were always hidden). That change was a mistake and thus was a bug, which is now fixed here by reverting the default behavior back to its pre-14.3.13 behavior and also by the addition of this new setting that allows users to have both behaviors (i.e., to either hide or show closed/verified data queries from Data Quality results). The default behavior of this setting is the same as the behavior prior to REDCap 14.3.13.

• Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).

• Improvements to the Online Designer General user interface improvement that utilizes newer icons. New “Go to field” feature (invoked via Ctrl-G or Cmd-G) allows users to search for a variable by name and then navigate directly to its location in the Online Designer, even if the field is on a different instrument than the current one. Improved and expanded “Quick modify field(s)” popup will appear when users Ctrl-click (or Cmd-click) one or more fields or check the new checkboxes located on the far right of each field. Additions to this popup include the ability to edit the following for multiple fields: branching logic, action tags/field annotation, custom alignment, required status, identifier status, and multiple choice options (including the ability to copy choices - with new choice of location for copied fields, import choices from an existing field, convert a field to a different multiple choice field, and also append new choices using a full-blown choice editor). NOTE: When updating actions tags for one or more fields via the “Quick modify field(s)” popup, there is a new action tag named @DEACTIVATED-ACTION-TAGS that is only used in the Online Designer for the purpose of deactivating (and thus possibly reactivating) action tags. The difference between deactivating action tags and removing action tags from fields is that deactivating them leaves the action tags in a state/format so that they can be easily reactivated later, whereas removing action tags would make it very difficult to restore the action tags of many fields having many different action tags. For example, if a field has the @HIDDEN action tag and is then deactivated, its field annotation will then appear as the following: @DEACTIVATED-ACTION-TAGS @.OFF.HIDDEN, and if reactivated, it will go back to @HIDDEN again. The “Quick modify field(s)” popup also includes an additional, large selector popup to allow users to select many fields on the current instrument that match certain criteria by clicking one or more icons (e.g., clicking the slider icon and then clicking the “add new selections” button will automatically select all slider fields on the page to use for the “Quick modify field(s)” popup). This makes it easy to select many fields on the page very quickly when they all match a certain criteria (i.e., field type, field validation). Change: The drag-field feature to “drag-n-drop” a field to a new location on the instrument now operates differently. Inside of clicking and holding anywhere on a field, the user must now click and hold specifically on the Move icon for the given field in order to ready the field for being moved.

• Change/improvement: The Configuration Check page now checks to ensure that the MySQL-specific setting “Generated Invisible Primary Key” (GIPK) is disabled. GIPK was introduced in MySQL 8.0.30. If enabled on the MySQL server, a warning will appear on the page telling the admin how to disable it since GIPK is not compatible with REDCap.

• Change: In a MyCap-enabled project, if users switch from classic mode (i.e., non-longitudinal) to longitudinal data collection mode or from longitudinal to classic (via the setting at the top of the Project Setup page), the MyCap task settings and Active task formats will no longer be erased in the project when changing that setting. In previous versions, all MyCap task settings and Active task formats would be completely erased in the project when moving to/from longitudinal mode.

• Enhanced e-Consent Framework: Audit Trails: Improved, detailed audit trails for consent form completions and PDF snapshot generations.

• Enhanced e-Consent Framework: Change/improvement: When a user views a completed/signed e-Consent response on a data entry form, in which a consent form was used on the survey, near the top of the page will be displayed the version of the consent form that was used. Also, the consent form itself (i.e., the inline PDF or rich text) displayed on the page will always be the consent form under which the participant originally consented. For example, if a participant consented using consent form v2.0, then even though a new consent form (v3.0) has been added to the project at some point afterward, the data entry form for that participant’s response will always display consent form v2.0 so that the user will always see the survey response and its consent form exactly as the participant originally viewed it.

• Enhanced e-Consent Framework: Change/improvement: When reviewing draft mode changes, if a consent form’s anchor Descriptive field is deleted or moved to another instrument, it now gets listed as a critical issue in the list of drafted changes.

• Enhanced e-Consent Framework: Change/improvement: When using MLM together with the e-Consent Framework, downloading an instrument PDF of a completed e-Consent survey response (or if the e-Consent survey response is included in a generated PDF that contains non-e-Consent instruments), the e-Consent survey response itself in the PDF will always be rendered in the language in which the participant originally consented.

• Enhanced e-Consent Framework: Custom Headers and Footers: Add custom headers and footers to PDF snapshots created via the e-Consent Framework, including the use of text fields, smart variables, and piping.

• Enhanced e-Consent Framework: Custom Notes: An optional custom notes field can be utilized for each e-Consent survey for bookkeeping purposes. The custom notes are neither displayed on the survey nor anywhere else in the application.

• Enhanced e-Consent Framework: Customizable Consent Forms with Version Control: Design consent forms and manage new versions of consent forms while maintaining historical versions for audit purposes. During the setup process for consent forms, their location can be set in relation to a single Descriptive field on the survey. A consent form can exist as an inline PDF or as rich text. A consent form can be associated with a specific MLM language and/or a Data Access Group if the project users wish to have the consent form be used for a specific language (chosen by the participant) and/or DAG (to which the record has been assigned). This allows for language-specific consent forms and DAG-specific consent forms, if needed.

• Enhanced e-Consent Framework: File Naming Customization: Customize the file names of PDF snapshots for e-Consent responses using static text or piping, appended with date-time stamps.

• Bug fix: If conditional logic, branching logic, or calculations are being evaluated by server-side processes when submitting a survey page (e.g., alerts, ASIs), in which the logic/calc contains one or more [aggregate-X] Smart Variables, the logic/calc might mistakenly not get evaluated correctly and thus might behave unexpectedly. (Ticket #233984)

• Bug fix: In a MyCap-enabled project that is in production status, if a user rejects their current drafted changes, any forms added while in draft mode would appropriately be deleted from the drafted changes; however any MyCap tasks created for those drafted forms would mistakenly remain in the backend database, which could then cause issues later.

• Bug fix: In a MyCap-enabled project, MyCap Task schedules would mistakenly not copy over when using the Project XML of a classic/non-longitudinal project to create a new project.

• Bug fix: In a MyCap-enabled project, the “Days Offset” value of an event would not automatically populate on the Task Setup page for longitudinal projects.

• Bug fix: The “MyCap participants that have joined a project” count on the System Statistics page mistakenly included participants from practice projects.

• Bug fix: The MyCap Participant Management page mistakenly displays all participants when there are no records in the user’s DAG. (Ticket #233473)

• Bug fix: The email sent to the survey participant after clicking the “Save & Return Later” button on a survey might mistakenly appear to be missing the main survey link back to the survey if the survey has no survey title defined (i.e., the title was left blank). (Ticket #234831)

• Bug fix: Various user interface elements, such as Bootstrap-style drop-down lists and certain buttons/links, might mistakenly appear with a larger or smaller font than intended. Bug emerged in the previous version.

• Bug fix: When enabling a new instrument for MyCap, the task status defaults to “Not Active”.

• Bug fix: When exporting the results of a Data Quality rule in a project that does not have any Data Access Groups, the resulting CSV file might mistakenly not contain any results but would be empty. Bug emerged in REDCap 14.3.13 (Standard).

• Bug fix: When exporting the results of a Data Quality rule that returns more than 10,000 discrepancies, the resulting CSV file would mistakenly only include 10,000 results instead of all the results. (Ticket #229449b)

• Bug fix: When fields in a calculated field are being added together using plus signs (e.g., [field1] [field2]), as opposed to using the “sum” function, the field values might mistakenly get concatenated/joined together as text instead of being added together mathematically. Bug emerged in REDCap 14.0.32 LTS and 14.4.0 Standard Release. (Ticket #234858)

• Bug fix: When performing piping in a repeating instance context, the wrong repeating instance might mistakenly be assumed in certain situations when no data is saved yet. (Ticket #234557)

• Bug fix: When using an “X & Table-based” authentication, and a Table-based user clicks the “Reset password” button on their Profile page, it might mistakenly not actually trigger the password reset process. (Ticket #234884)

• Bug fix: When viewing the “View Task Details (all)” dialog in the Online Designer for MyCap-enabled projects, “Invalid Format” would mistakenly be displayed for MyCap tasks created from PROMIS measures.

• New action tag @CONSENT-VERSION: This action tag represents the version of the consent form being used by the e-Consent Framework for the current e-Consent survey context (i.e., current record, event, survey, data access group, MLM language, etc.). NOTE: This action tag only adds a new value to the field when its field value is blank and only when the instrument is being completed in an e-Consent survey context. Also, this action tag can only be used if the e-Consent Framework has been enabled for a survey and only if one or more consent forms have been defined for that survey.

• Change/improvement: Stats for Mobile Toolbox (MTB) tasks and MyCap tasks created from PROMIS measures were added to the System Statistics page in the Control Center.

• Medium security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into the contents of a file that is uploaded via the API and then downloaded via the API using various file import/export API methods. This vulnerability can be exploited only by users that possess a REDCap API token. Bug exists in all REDCap versions.

• Medium security fixes: Several access control vulnerabilities were discovered in REDCap Messenger in which a malicious user could potentially exploit them by sending specially crafted HTTP requests that would allow them to perform the following actions: read and export any conversation in the system, add a message to any conversation, add themselves as a conversation leader on any conversation, upload a file to any conversation, and export a list of all users of a conversation. Bug exists in REDCap 7.4.0 and later.

• Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into any user input that is then output on a page in REDCap (e.g., field labels, survey instructions, data displayed on a report). This vulnerability can be exploited by authenticated users and also by survey participants entering data. Bug exists in all REDCap versions.

• Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into the record name when creating a new Calendar event on the Calendar page, specifically in the Calendar popup. This vulnerability can be exploited by authenticated users only. Bug exists in all REDCap versions.

• Bug fix: A fatal PHP 8 error might occur in a specific situation when a participant is taking an adaptive or auto-scoring instrument (i.e., a PROMIS assessment) from the REDCap Shared Library. (Ticket #234346)

• Bug fix: Some PHP errors might mistakenly occur when using Azure Blob Storage when performing certain tasks. (Ticket #234248)

• Bug fix: When a field is embedded in a checkbox or radio field’s choice label while that checkbox/radio field is also piped somewhere on the current page, the value of the embedded field might mistakenly not get saved correctly when a user modifies it and saves the page. (Ticket #233917b)

• Bug fix: When a participant is attempting to enter data for a biomedical ontology field while on a survey page, the ontology field would not function correctly and would not fetch any values from the BioPortal web service. This issue occurs on survey pages only. Bug emerged in the previous version.

• Bug fix: When taking a survey, malicious survey participants could possibly alter the “start time” of their response by carefully manipulating hidden elements on the first page of a survey. Note: This does not affect the security of the survey but might affect data quality.

• Bug fix: When using Clinical Data Pull for CDIS, a JavaScript error might occur when adding a patient to a project in the “Launch from EHR” process, thus preventing the patient from being added. (Ticket #234249)

• Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with certain newer area codes, including 787 and 939. (Ticket #234300)

• Bug fix: When viewing a public report that contains the record ID field, if the Secondary Unique Field has been defined in the project and has also been tagged as an identifier field, then the public report would mistakenly not display and would output an error message even if the setting “Display the value of the Secondary Unique Field next to each record name displayed?” is disabled. (Ticket #234403)

• New feature: Background Data Import option for the API - Similar to using the Background Data Import on the Data Import Tool page, users may now utilize the feature when making a call to the Import Records API method. They can simply pass the API parameter “backgroundProcess” with a value of 1 (for Yes) or 0 (for No, which is the default) to invoke this option. The API will return a “success” message with “true” or “false” regarding if the data was successfully accepted. Note: This option works with any data format: CSV, JSON, or XML.

• Improvement: “Survey Notifications” and “Survey Confirmation Emails” were added as new filter options to the “Type” drop-down filter on the Email Logging page. Note: This change is not retroactive, meaning that any survey notification emails or confirmation emails that were sent prior to the upgrade to REDCap 14.4.0 will not show up when filtering by these new options but will instead only show up when Type is set to “all types”.

• Improvement: The Email Logging page now has its own separate user privilege. Previously, only users with “User Rights” privileges could access the Email Logging page. Now, users must explicitly be given “Email Logging” privileges in order to access the Email Logging page. Note: During the upgrade to REDCap 14.4.0 or higher, any users with “User Rights” privileges will automatically be given “Email Logging” privileges in order to keep continuity with their current access to the Email Logging page.

• Improvement: When using Multi-Language Management, the Twilio/Mosio text messaging text (“To begin the survey, visit [link]” and voice call text (“To begin the phone survey, call [phone]” are now available for translation on the MLM setup page. (Ticket #233030)

• Change/improvement: The Data Access Group page in a project might be very slow to load in certain circumstances where many records exist in the project. (Ticket #233650)

• Change/improvement: The email that administrators receive when a user submits an API token request now contains the user’s email address in the email body. Previously, the email body only contained the username and first/last name of the requestor. (Ticket #233507)

• Change: The button text was changed from “Cancel import” to “Halt import” for greater clarity for Background Data Imports that are still processing on the Data Import Tool page.

• Bug fix: A rare issue might occur when non-checkbox fields from a repeating instrument or repeating event are referenced inside branching logic or calculated fields. (Ticket #233509)

• Bug fix: Embedded fields might mistakenly get hidden when also piped on the same form under very specific circumstances. (Ticket #233917)

• Bug fix: Fixed a bug preventing the External Module “View Logs” page from working on Google App Engine.

• Bug fix: Fixed several PHP 8 related errors. (Ticket #233266)

• Bug fix: If the Send-It feature has been disabled at the system level, the “Share” dialog for files stored in the File Repository would mistakenly still display an option to share the file using Send-It. (Ticket #233493)

• Bug fix: In some very specific situations, a @CALCTEXT action tag that contains a plus sign (” “) character might produce an unexpected result. (Ticket #233189)

• Bug fix: In specific scenarios when viewing MDY or DMY formatted date fields on a report, the date values might mistakenly appear mangled on the page. (Ticket #211780)

• Bug fix: Resolved an issue with the link to the Mapping Helper in the CDIS panel menu. (Ticket #226611)Bug fix: When using Multi-Language Management, a text string shown in partial survey completion emails when there is no survey title was mistakenly not available for translation. (Ticket #233149)

• Bug fix: The month and year drop-downs inside the datetime pickers for the “start time” and “end time” filters on the Logging page would not work and would mistakenly not change the start/end times after a new option was selected for those drop-downs. (Ticket #233815)

• Bug fix: Under certain circumstances where quote characters are next to equal signs, CALCTEXT expressions might not be parsed correctly and thus might produce a JavaScript error. (Ticket #233927)

• Bug fix: When a user has “read-only” data viewing access to an instrument that contains a biomedical ontology field, the ontology field would appear to be editable on the page, despite the fact that the user is not able to submit the page or modify the field’s saved value. (Ticket #233940)

• Bug fix: When clicking the “Add new template” button on the Project Template page in the Control Center, the popup might time out and never be displayed if tens of thousands of projects exist in the system. To prevent this, an auto-complete drop-down will replace the regular drop-down when more than 5000 projects exist. (Ticket #233451)

• Bug fix: When creating a new alert on the Alerts & Notifications page, in which the Twilio, Mosio, and Sendgrid services for alerts have been disabled at the system level, the “Email to send email-failure errors” setting would mistakenly not be displayed after clicking the “Show more options” link in the “Create new alert” dialog. (Ticket #233629)

• Bug fix: When exporting the Participant List via CSV on the Participant List page, some columns might mistakenly have the wrong header labels in the CSV file. (Ticket #233958)

• Bug fix: When modifying fields in the Online Designer, in which a field is embedded in the field label or notes of another field, the green box saying “Field is embedded elsewhere on page” might mistakenly not appear immediately after the field has been modified. (Ticket #233598)

• Bug fix: When the HTML tags “iframe” or “embed” are added to any user input that is then output on a page in REDCap (e.g., field labels, survey instructions), any text or tags that occur after the iframe/embed tags would mistakenly be removed along with the iframe/embed tags themselves, thus truncating the text. Note: iframe/embed tags are not allowed and are always removed for security purposes.

• Bug fix: When using Multi-Language Management, the MLM setup page would fail to load in projects that have not yet set up any languages. Bug emerged in the previous release. (Ticket #233304)

• Bug fix: When using Twilio, in which one or more Twilio voice call options are enabled in the project, the voice call options would mistakenly not be displayed in any drop-downs listing all the enabled delivery preferences. Bug emerged in REDCap 13.4.0. (Ticket #233599)

• Bug fix: When viewing the “Stats & Charts” page for a report in a longitudinal project, in which a user clicks the link for the “Missing” column for a given field after having selected the Live Filter of an event that contains data for a repeating instrument (although not for the field in question), the “missing values” list of records that is returned after clicking the “Missing” link might mistakenly display extra values that are not applicable. (Ticket #232841)

• Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a specific API parameter’s value that is used in several file-related and survey-related API methods. This vulnerability can be exploited only by users with a valid API token. Bug exists in all REDCap versions.

• Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into any user input that is then output on a page in REDCap (e.g., field labels, survey instructions, data displayed on a report). This vulnerability can be exploited by authenticated users and also by survey participants entering data. Bug exists in all REDCap versions.

• Bug fix: AJAX requests in External Modules were mistakenly not working on pages that lack REDCap page headers. (Ticket #232369)

• Bug fix: Embedding required fields into matrix groups hidden by branching logic would cause the page to crash, preventing it from being saved. (Ticket #232140)

• Bug fix: For some servers, the new Top Usage Report page in the Control Center would mistakenly not display any results. Bug introduced in the previous version.

• Bug fix: If a date, time, or datetime validated field was embedded inside the choice label of a radio or checkbox field, the width of the date/time/datetime field would mistakenly be too wide. (Ticket #232271)

• Bug fix: If alerts have been set up with an Alert Type of “SMS” or “Voice Call”, the log entry on the Logging page for each alert sent would mistakenly be missing the recipients' phone numbers.

• Bug fix: If the Survey Base URL setting has been defined on the General Configuration page in the Control Center, any images that are uploaded using the rich text editor to a field label, survey instructions, etc. might not be viewable when viewing them on the survey page. (Ticket #231843)

• Bug fix: The “Administrator?” column in the “View User List by Criteria” table on the Browse Users page in the Control Center was mistakenly never updated when granular Admin Privileges were introduced to REDCap. That column currently only denotes if the user has “Access to all projects and data” privileges when it should instead display a checkmark if the user has at least one of the seven possible admin rights. (Ticket #232602)

• Bug fix: The MyCap API call “getStudyFile” was not returning any file contents for the requested file.

• Bug fix: Too many unnecessary database queries would mistakenly be executed during the Background Data Import process.

• Bug fix: When a calculated field is using a datetime field inside a datediff() function while also using “today” as a parameter (as opposed to using “now”), it might result in an incorrect calculated result on the page (although the server-side calculation process would typically correct this). (Ticket #231434)

• Bug fix: When executing a custom Data Quality rule in a longitudinal project, in which the rule’s logic references a field with a blank/null value (e.g., [field]=""), the rule would mistakenly not return results from events that contain no data. (Ticket #231374)

• Bug fix: When exporting data via the Export Records API method in EAV format, in which the “fields” parameter is not provided, the API would mistakenly not return data for all project fields in the output of the API request but might instead only return the record ID field and (if the API parameter DataAccessGroups=false) the GROUPID field. (Ticket #232249)

• Bug fix: When importing data for a repeating instrument, in which one of the fields on the repeating instrument is the Secondary Unique Field, in certain situations REDCap might mistakenly return an error and prevent the import process from occurring. (Ticket #229881)

• Bug fix: When importing data via the Background Data Import process in a MyCap enabled project, it might mistakenly create duplicate entries for the same record in the MyCap Participant List. (Ticket #229177)

• Bug fix: When using Multi-Language Management, “Download PDF” buttons for each language on the MLM setup page were mistakenly disabled when the project is in production mode. (Ticket #232952)

• Bug fix: When using Multi-Language Management, the survey queue page, when called directly, would mistakenly not take the language preference field into account. (Ticket #233093)

• Bug fix: When using WebDAV for file storage in REDCap, the Configuration Check page might mistakenly not display the WebDAV path on the page in one of the checks but would instead just display two double quotes where the path should be displayed.

• Bug fix: When using right-to-left languages in Multi-Language Management, the email content for translated ASIs or Alerts would mistakenly not appear in the user’s/participant’s email client as right-to-left. (Ticket #232158)

• Bug fix: When using the Clinical Data Mart feature for CDIS, users not having Data Mart privileges might mistakenly be able to access a Data Mart page. (Ticket #232792)

• Bug fix: When using the datetime picker on datetime fields, in which the field already has a value, clicking on the time sliders in the datetime picker would mistakenly cause the picker to close immediately. Bug emerged in the previous version. (Ticket #232350)

• Improvement: Ability to import clinical notes via CDIS - Users may now import clinical note documents for patients using Clinical Data Pull or Clinical Data Mart. Note: If using Epic, the institution will be required to upgrade to v4 of the REDCap app in the Epic “Show Room” (formerly known as “App Orchard”).

• Improvement: For users that are not assigned to a Data Access Group, the Data Quality page will now display a DAG drop-down filter (next to the record drop-down filter) to allow them to apply any Data Quality rule only to records assigned to the selected DAG.

• Improvement: IP exceptions for the Rate Limiter - On the General Configuration page in the Control Center, you may now set IP address or IP range exceptions for the Rate Limiter (if enabled) so that specific IP addresses will not be banned. This will be useful if performing security scans on your server, in which you can add the IP address of the scanning tool so that it does not get banned while performing scans. (Ticket #119954)

• Improvement: In the Online Designer when Ctrl-clicking multiple checkbox or radio fields to display the “Modify multiple fields” options, a new option to “Convert to matrix group” will appear, thus allowing users to merge the selected fields into a matrix. When merging fields into a matrix, the confirmation dialog will note that only the choices for the first field selected will be preserved (in case the selected fields have different choices). Additionally, the action will remove all field notes from the fields and will also remove all section headers (except for the first field’s section header, if it exists). (Ticket #230591)

• Improvement: In the Online Designer when editing a matrix of fields, a new button will appear at the bottom left of the “Edit Matrix of Fields” dialog that says “Save & split matrix into separate fields”. When clicked, it will convert the matrix into separate fields. (Ticket #230591)

• Improvement: New “Top Usage Report” page in the Control Center - This page displays the most active projects, users, pages, specific URLs, External Modules, cron jobs, etc. within a given period of time. It can be used to quickly identify where server resources are being spent under periods of high load.

• Change: When using the Data Resolution Workflow in a project, it has always been the case that the results of data quality rules would automatically “exclude” fields that have a data query with “closed” status. Many users have complained about this behavior and have stated that the discrepancies should still be displayed in the data quality rule results regardless of the field’s data query status. From now on, such fields will no longer be automatically “excluded” simply because they have a data query with “closed” status.

• Medium security fix: Numerous REDCap endpoints that are called via AJAX on certain pages that are oriented around project design were mistakenly not enforcing the Project Design & Setup rights requirement. This could allow someone with access to the project that does not have Design rights to access information they should not, and in the worst cases, make specific design changes to the project (e.g., copy or delete a field) when they do not have the rights to do so. Note: In order to exploit this, the user would have to have access to the project and would have to know the specific endpoints/URLs to call (and also must know some specific parameters to use). Additionally, this only affects endpoints that require Project Design & Setup rights. Bug exists in all versions of REDCap.

• Bug fix: If a user is creating a new project and selects the option to “Upload a REDCap project XML file”, then chooses a file, but then selects another option (i.e., Empty project, Use a template), the Project XML file might mistakenly still be used to create the project, and in some cases might result in a fatal PHP error. (Ticket #232084)

• Bug fix: In REDCap generated PDFs that contain data for repeating instruments and/or repeating events, the repeating instance number was mistakenly not displayed in the PDF’s right header above the page number. The absence of the instance number added ambiguity and made the specific instances not easily discernible from each other in the PDF.

• Bug fix: It might be possible for users/participants to bypass the @FORCE-MINMAX action tag’s requirement and enter an out-of-range value for a datetime field if they tab out of the field while the datetime picker is still visible. (Ticket #231611)

• Bug fix: When attempting to delete one or more scheduled survey invitations via the right-hand checkbox in the Survey Invitation Log table by clicking the “Delete all selected” button, the invitations would fail to be deleted if the record does not exist yet (i.e., participant was added to the Participant List manually, but the participant has not yet taken the survey). (Ticket #231754)

• Bug fix: When executing Data Quality rules that return more than 10,000 discrepancies, in which one or more discrepancies have been previously “excluded” by a user, the total number of discrepancies displayed on the page would mistakenly be listed as 10000 minus the number of exclusions (which is incorrect) rather than the total discrepancies minus the number of exclusions. (Ticket #229449)

• Bug fix: When using a large font-size for text in the rich text editor, the text might mistakenly overlap with other text or action buttons in some places. (Ticket #231737)

• Various bug fixes and under-the-hood changes for CDIS.

• Improvement: “Phone (France)” was added as a new field validation. After upgrading, an administrator will need to enable it on the Field Validation Types page in the Control Center.

• Improvement: A new system-level setting “Total maximum cron instances” was added, which allows one to control the maximum number of concurrent cron processes for the REDCap cron job. The setting defaults to the value “20”. Increasing this value will allow more cron processes to be spawned concurrently, which may be useful if you are using system-intensive External Modules such as API Sync or Flight Tracker. It is generally advised to leave this setting at its default value unless the cron job is either causing server performance issues (because too many jobs are running simultaneously) or if certain cron jobs aren’t running often enough to get everything done that they need to get done.

• Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a specific API parameter’s value that is used in the API File Import, File Export, and File Delete methods. This vulnerability can be exploited only by users with a valid API token. Bug exists in all REDCap versions.

• Minor security fix: An authenticated user could make a simple request to a very specific REDCap end-point, in which it would reset the REDCap Base URL and thus make the application temporarily unusable to users accessing REDCap in a web browser.

• Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into any user input that is then output on a page in REDCap (e.g., field labels, survey instructions, data displayed on a report). This vulnerability can be exploited by authenticated users and also by survey participants entering data. Bug exists in all REDCap versions.

• Bug fix: In the previous version, it was mistakenly thought that the variable name “calculate” needed to be added to the reserved variable name list, but that turned out not to be true. Because of some new underlying code fixes, that variable name is still allowed. (Ticket #231128b)

• Bug fix: Long choice labels for fields used in Smart Charts, specifically bar charts, might mistakenly appear as too wide on the chart and thus might overlap with other text, making it hard to read.

• Bug fix: The survey queue was mistakenly not translated in MLM-enabled projects when it was displayed on the survey page itself (as opposed to when specifically viewing the survey queue page after completing the survey).

• Bug fix: When exporting an instrument PDF, the word “Confidential” would fail to be displayed in the PDF’s left header by default (this excludes participant-facing PDFs, which should not display this text).

• Bug fix: When making a call to the Export Logging API method for a longitudinal project, the event name would mistakenly be omitted in the API response. (Ticket #210938)

• Improvement: Administrators will now see an icon/link in the User Actions popup when clicking a username on a project’s User Rights page, in which the icon/link will take the admin to view the user’s account on the Browse Users page in the Control Center. (Ticket #230772)

• Improvement: In a MyCap-enabled project, all MyCap tasks can now be manually set as Active or Not Active at any time on the MyCap settings page in the Online Designer. Setting a MyCap task as “not active” will prevent the task from appearing in the MyCap mobile app for participants. Note: The previous release enabled this feature specifically for MyCap active tasks, while this change makes this feature available to all MyCap tasks (not just active tasks).

• Change/improvement: The accuracy of the External Service Checks on the Configuration Check page was improved and are now able to better exclude false positive results.

• Minor security fix: The Clinical Data Pull (CDP) feature in CDIS contained a vulnerability in which a malicious user could potentially re-use a URL utilized during the “launch from EHR” process when accessing the CDP “patient portal” page, in which it might potentially allow them to access unauthorized PHI. This vulnerability is only accessible if CDP is enabled on the REDCap server.

• Major bug fix: When exporting data via the Export Records API method in EAV format with rawOrLabel=“label”, the value of “False” would mistakenly be returned as most of the multiple choice field values. Bug emerged in the previous release. (Ticket #230389)

• Bug fix: A missing LOINC code was added to the CDIS mapping features.

• Bug fix: If the Custom Account Expiration Email setting (found at the bottom of the User Settings page in the Control Center) is not used (no custom text is defined), in which REDCap uses the default Account Expiration Email text instead, the resulting email sent out to users might mistakenly contain some braces/curly brackets in certain places.

• Bug fix: In a MyCap-enabled project, some minor issues could occur via the “Create/Edit MyCap Task” and “Fix warnings” popups when the project is in production and enters draft mode.

• Bug fix: The variable name “calculate” has been added to the reserved variable name list because it could cause various unexpected issues on forms/surveys if a field has that variable name. (Ticket #231128)

• Bug fix: When a report has advanced filter logic that contains inline comments, and a user selects a Live Filter on the report page, it might cause the report page to crash with a fatal error, thus not displaying the report.

• Bug fix: When comparing two revisions/snapshots on the Project Revision History page, in which more than two columns in a given row of the comparison table display the “Preview Change” link, clicking the “Preview Change” link would only work for the left-most column that contains the link and not for any other columns. (Ticket #230991)

• Bug fix: When importing some instruments from the REDCap Shared Library that contain calc fields, line breaks existing in a calculation might mistakenly get converted to HTML “BR” tags when being imported into a project, thus causing the calculated field to throw an error when viewing it on a form/survey.

• Bug fix: When viewing the API documentation or the Documentation for Plugins, Hooks, & External Modules, the main part of the page and its content would mistakenly appear invisible if the browser window is at a specific width range. (Ticket #231012)

• Various updates and fixes for the External Module Framework, including the following: 1) Fixed a bug preventing module system file settings from being saved, 2) Added support for the [data-table] smart variable in SQL fields when using $module->getChoiceLabel(), 3) Improved rendering for module README files in Markdown format, 4) Expanded module AJAX APIs to support public dashboards & reports, and 4) Misc. security scan improvements.

• Improvement: In a MyCap-enabled project, active tasks can now be set as Active or Not Active at any time on the MyCap settings page in the Online Designer. Setting an active task as “not active” will prevent the task from appearing in the MyCap mobile app for participants. Note: This is not for all MyCap tasks but only for MyCap active tasks.

• Improvement: In the Online Designer when viewing the fields of a specific instrument, a yellow star is now displayed to the right of the variable name for identifier fields to denote to users which fields are identifiers.

• Improvement: When clicking on a user’s username in the user table on the User Rights page, in which the user is assigned to a user role, a “Remove from project” button was added inside the “User actions” popup that allows the user to be removed from a project directly without having to un-assign them from the role first.

• Change: The text in the help dialog for the option “Rename records?” on the Data Import Tool has been changed slightly for improved clarity and to reduce confusion. (Ticket #228096b)

• Major bug fix: Alerts with conditional logic containing datediff() with “today” or “now” as a parameter might mistakenly not get triggered by the cron job, thus causing some alerts not to get sent when they should. Bug emerged in REDCap 14.2.0 Standard. Note: This does not affect any LTS versions. (Ticket #229617)

• Major bug fix: The API Delete Users method was mistakenly not checking if a user had API Import/Update privileges in the project in addition to User Rights privileges in order to successfully make a call to the API method. This bug was supposedly fixed in REDCap 13.7.28/14.0.5 LTS and 14.0.4 Standard, but mistakenly it was not. (Ticket #230626)

• Major bug fix: When the system-level setting “Allow normal users to create new projects?” is set to “No”, normal (non-admin) users would mistakenly get the error “You do not have Create Project privileges!” when submitting the Create New Project page. In that situation, all users should be able to view and submit that page (unless they are not allowed to create projects via the user-level setting). Bug emerged two releases ago. (Ticket #230244)

• Bug fix: A fatal PHP error might occur for PHP 8 when loading the Form Display Logic setup dialog. (Ticket #230223)

• Bug fix: If REDCap surveys are embedded via an iframe on external web pages, in some situations the survey page might go completely blank when the page loads. (Ticket #229885)

• Bug fix: The Export Survey Link API method would mistakenly return a survey link when provided with an instrument and event in which the instrument is not designated for that particular event. In that case, the API should instead return an error. (Ticket #230491)

• Bug fix: The variable name “field_label” has been added to the reserved variable name list because it could cause some instruments to become no longer accessible in the Online Designer if a field has “field_label” as its variable name. (Ticket #230669)

• Bug fix: When MLM is active, piping would mistakenly not work on (first) survey pages when in “start over” mode.

• Bug fix: When a user simply clicks a field in the Online Designer, it would mistakenly call the “field reorder” script even though no fields were actually being reordered on the page. This would sometimes cause the whole table to be reloaded and also could cause annoying issues such as multiple fields getting deselected when attempting to use the “Modify multiple fields” feature.

• Bug fix: When exporting data via the Export Records API method in EAV format and providing the API parameter exportDataAccessGroups=true, the DAG designations would mistakenly not get output from the API request. (Ticket #230389)

• Bug fix: When using Multi-Language Management, the mouseover tooltips for date/datetime/time validated fields would mistakenly fail to be updated with translations on MLM-enabled surveys and data entry forms. (Ticket #230546)

• Bug fix: When using an iOS device to enter data for a date/datetime/time validated field that has an accompanying datetimepicker calendar widget, the field would mistakenly lose focus with each character entered into the Text field, thus causing the user/participant to have to keep putting focus back on the field for each character needing to be entered. Bug emerged in REDCap 14.0.19 LTS and 14.3.2 Standard. (Ticket #230017)

• Bug fix: When using the rich text editor, REDCap’s default font (i.e., Open Sans) was mistakenly not listed in the font-family list in the editor’s toolbar. (Ticket #230315)

• Bug fix: When viewing an individual email on the Email Logging page, in which the email contains a “mailto” link in the email body, the “mailto” link would mistakenly get mangled when displaying the email inside the dialog on the page. (Ticket #230319)

• Bug fix: When viewing the Record Status Dashboard or a report, if the Rapid Retrieval feature is working on the page to provide a cached version of the page, and if the RR’s cache was stored when REDCap was on a previous version, in which that previous REDCap version has been removed from the web server, some images (e.g., form status icons) might not display correctly on the page and other links might lead to a 404 “does not exist” error. (Ticket #230224)

• Change: The text for the option “Rename records?” on the Data Import Tool has been changed slightly for improved clarity and to reduce confusion. (Ticket #228096)

• Major bug fix: When the system-level setting “Allow normal users to create new projects?” is set to “No”, normal (non-admin) users would mistakenly get the error “You do not have Create Project privileges!” when navigating to the Create New Project page. In that situation, all users should be able to view that page. Bug emerged in the previous release. (Ticket #230090)

• Bug fix: When exporting then importing a Project XML file, the two sub-options for the Secondary Unique Field (i.e., “Display the value…” and “Display the field label…") would mistakenly not get transferred to the new project but would resort to their default values. (Ticket #229880)

• Improvement: Mobile Toolbox measures have been added for use in the MyCap mobile app. The Mobile Toolbox (MTB) is a research platform that includes a library of cognitive and other tests that can be administered remotely on a smartphone. The MTB’s measures include smartphone versions of assessments from the NIH Toolbox, the International Cognitive Ability Resource, and the Patient Reported Outcomes Measurement Information System. A list of all available MTB tasks in REDCap can be viewed via the “Import Active Task” button in the Online Designer for any MyCap-enabled project.

• Improvement: New “Download SQL” button was added to the REDCap install page to make it easier to fetch the generated install SQL as a file rather than obtaining it from the webpage via copy-and-pasting. (Ticket #229260)

• Improvement: The Codebook page now has checkboxes that can be toggled by the user to remember the collapsed state of the tables on the page on a per-project basis for the user. (Ticket #229673)

• Change: Small changes to the redcap_log_view_requests database table to improve general application performance.

• Major bug fix: When viewing the User Rights page and the survey page when using certain PHP versions, the page might mistakenly crash with a fatal PHP error. (Ticket #229976)

• Bug fix: Certain queries on the project Logging page might mistakenly take too long to run for certain projects, thus making the page unnecessarily slow. (Ticket #229219)

• Bug fix: If using Multi-Language Management and reCAPTCHA is enabled for the public survey, the reCAPTCHA page might mistakenly throw a JavaScript error when MLM is active.

• Bug fix: Problematic code was causing the cron job to crash in certain unknown situations. (Ticket #229536)

• Bug fix: When downloading an instrument PDF when the field label or section header text of a field is very long, in some cases the text in the PDF might mistakenly run over and obscure the PDF’s footer text. (Ticket #205997)

• Bug fix: When the system-level setting “Allow normal users to create new projects?” is set to “No”, and a user does not have the user-level option “Allow this user to request that projects be created for them…” checked on the Browse Users page, if the user knows how to navigate to the Create New Project page (even though the links to that page have been removed in the user interface), it would mistakenly display that page and would allow them to submit a request to create a project. Note: The project would not get created unless the admin mistakenly approved it while not realizing that this user should not be able to request new projects be created. (Ticket #229702)

• Bug fix: When users are not allowed to create or copy projects on their own, and they submit a “Copy Project” request to an administrator, in which the “Warning about miscellaneous attachments” dialog is displayed to the user on the Copy Project page, when the admin goes to approve the request, that dialog would mistakenly be displayed again (it should only be displayed initially to the user, not the admin) and thus would block the admin from successfully approving the request. (Ticket #228954)

• Bug fix: When viewing the Stats & Charts page for Report B in a longitudinal project, in which one or more events are selected for Report B, the Stats & Charts page would mistakenly not filter the data on the page to those selected events but would instead display data from all events. (Ticket #228030)

• Change: The video “Full Project Build” was added as a new video on the project left-hand menu and on the Training Videos page.

• Major bug fix: In specific situations when using Multi-Language Management in a project when the web server is running PHP 8.0 or higher, every project page would crash with a fatal PHP error. (Ticket #229529)

• Bug fix: Fixed several different SQL queries used in various places in the REDCap code that were silently failing in specific cases.

• Bug fix: When exporting a project’s data to Stata, multiple choice fields would mistakenly have a “label values” entry in the Stata syntax file even when not all choice codings are integers. The “label values” entries should only be added to the Stata syntax file when a multiple choice field has an integer code for every choice. (Ticket #229277b)

• Major bug fix: When the “href” attribute of any hyperlink has a value of “#” for any label or other user input, the entire label text would mistakenly be completely removed (i.e., would be blank) when output on the page. (Ticket #229451)

• Bug fix: When importing the Survey Queue settings via CSV file, an error might mistakenly be returned if certain things, such as condition_surveycomplete_form_name, do not have a value, even when not needed. (Ticket #229186)

• Improvement: The Database Query Tool in the Control Center now has the ability to utilize “Smart Variables Context”, which can be enabled on the page via checkbox option on the DQT menu so that administrators may provide the literal values of certain Smart Variables that can be piped into the query from text boxes on the page. Also, a link or button to navigate directly to the Database Query Tool has been added to several project pages, such data entry forms, survey pages, the Edit Field dialog in the Online Designer, etc. to allow admins to open the DQT directly with the current context values (e.g., project-id, record-name, event-id) already pre-filled on the page. This will make it much, much easier to execute queries on a specific project and/or record with less copy-and-pasting. Note: This feature will not be displayed if the DQT has not been enabled yet.

• Improvement: The rich text editor used throughout REDCap now has a new drop-down option in the editor’s toolbar for setting the “font family” and “font size” of any text in the editor.

• Improvement: When using MyCap in a longitudinal project, users can now decide on the event display format (ID, Label, or None) for titles of MyCap tasks displayed in the Upcoming Tasks section.

• Change/improvement: A few more pages were added to the “Navigate to page” widget to allow users to go to specific pages via PID and keyboard shortcuts.

• Change: The video “A Brief Overview of REDCap” was replaced with a new video.

• Various changes/improvements to the External Module Framework, including 1) Allow external module ajax requests to work on dashboards & reports, 2) Added an instance parameter to the resetSurveyAndGetCodes() method, 3) Improve performance of the disabled modules dialog, and 4) Misc. security scan script improvements.

• Medium security fix/protection: All usages of the PHP function iconv() have been replaced in the REDCap code due to a vulnerability (CVE-2024-2961) discovered in Glibc (GNU C Library). Note: This is not a vulnerability in REDCap but in a PHP library. This vulnerability can be remediated at the web server level via configuration settings, but this security fix/protection seeks to protect all REDCap installations in the event that their IT support is not able to remediate this vulnerability at the server level. (Ticket #229281)

• Medium security fix: A Base Tag Hijacking vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML in a specially crafted way into labels and other user input that is then output onto the webpage. The user must be authenticated into REDCap in order to exploit this, with one exception: a malicious survey participant could inject the HTML into a Text or Notes field whose value is then viewed on a report. Bug exists in all versions of REDCap. (Ticket #229158)

• Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript/HTML in a specially crafted way into the “href” attribute of hyperlinks placed inside labels and other user input that is then output onto the webpage. The user must be authenticated into REDCap in order to exploit this, with one exception: a malicious survey participant could inject the JavaScript/HTML into a Text or Notes field whose value is then viewed on a report (i.e., it would appear as a hyperlink in the report that would have to be clicked by the user to be exploited). Bug exists in all versions of REDCap. (Ticket #228857)

• Bug fix: A query used on the Data Access Groups page was incompatible with certain versions of MySQL that have ONLY_FULL_GROUP_BY set in the SQL Mode, thus causing the query to fail for some installations. The query has been replaced with an equivalent query that is compatible with all supported versions and configurations of MariaDB/MySQL. (Ticket #228974)

• Bug fix: Certain options on the instrument view of the Online Designer, such as Form Display Logic settings and survey-related settings, would mistakenly not function on the page for MyCap enabled projects. (Ticket #228963)

• Bug fix: In certain situations when exporting a report, the survey completion timestamps would mistakenly be date shifted in the resulting export file if the “shift all dates” checkbox is checked while the “shift all survey completion timestamps” is not checked. (Ticket #228879)

• Bug fix: Survey pages might mistakenly display text inside P tags in labels as different font sizes in different situations. (Ticket #228686)

• Bug fix: The Smart Variables [event-number] and [event-id] would mistakenly not return a numerical value but a string, causing special functions that expect numeric values to fail to produce the correct result (e.g., mod()). (Ticket #228953)

• Bug fix: When accessing a project that is enabled as a Project Template, if the current user is an administrator that is currently impersonating another user in the project, the “Project is used as a template” box would mistakenly be displayed on the Project Home Page. That should only be displayed when the user is an admin with “Modify system configuration pages” rights and while not impersonating a non-admin user. (Ticket #229370)

• Bug fix: When an instrument contains an inline PDF attached to a Descriptive field, and the instrument is then downloaded as a PDF, the first page of the generated PDF might mistakenly have text that runs off the bottom of the page if the inline PDF is displayed (via iMagick conversion to an image) on the first page of the generated PDF. (Ticket #228282)

• Bug fix: When copying a project, the survey setting “Display page numbers at top of survey page” would mistakenly not get copied to the new project. (Ticket #229243)

• Bug fix: When exporting a project’s data to Stata, multiple choice fields would mistakenly have a “label define” entry in the Stata syntax file even when not all choice codings are integers. The “label define” entries should only be added to the Stata syntax file when a multiple choice field has an integer code for every choice. (Ticket #229277)

• Bug fix: When regular users (non-admins) import data dictionaries containing Dynamic SQL fields, in certain cases REDCap might refuse to import the file, mistakenly stating that the query has changed when in fact it has not. (Ticket #229148)

• Bug fix: When renaming a record on the Record Home Page, in which the new record name is the same as the old record name but with leading zeros (or vice versa), if both the old and new record names are integers, REDCap would not rename the record and would mistakenly take the user to another page to create a new record under the new record name provided, which is confusing.

• Bug fix: When using Google Cloud Storage for file storage in the system, uploading/downloading a file via Send-It for a File Upload field might mistakenly not work successfully. Additionally, file downloads might also fail when using GCS when downloading files attached to data queries in the Data Resolution Workflow dialog. (Ticket #226875c)

• Bug fix: When using Multi-Language Management and applying or canceling draft mode changes in projects where MLM is active, there would always be a message/warning that MLM settings/translations have been modified even when this is not actually the case. (Ticket #228877)

• Bug fix: When using Twilio or Mosio for a survey that is taken as an SMS Conversation, if the survey is a repeating instrument, branching logic might not work successfully for fields that have branching logic referencing fields on the same instrument. (Ticket #227028)

• Bug fix: When using the search capability for the Biomedical Ontology feature for a Text field on a form/survey, if the user’s search returned the message “[No results were returned]”, and the user then clicked on that message, it would mistakenly display a bunch of HTML below the field when instead it should not display anything below the field. (Ticket #229124)

• Bug fix: When utilizing Microsoft Azure Blob Storage for file storage in REDCap, some operations (specifically the “delete file” action) might mistakenly fail for specific server configurations because the CURL options for VERIFY_HOST and VERIFY_PEER were mistakenly not being set to FALSE in the API request to Azure.

• Improvement: New built-in PDF Viewer

  • This built-in PDF viewer remediates an old gap of functionality in which iOS and Android devices are not able to display more than the first page of an inline PDF. So whenever REDCap is displaying an inline PDF (e.g., for a Descriptive field, when using the INLINE action tag on a File Upload field, or on the e-Consent certification page), if the current device is iOS or Android or if it lacks a native PDF viewer, then REDCap’s built-in PDF Viewer will be utilized automatically. For all other devices, the device’s native PDF viewer will be used.
  • Notable change: Previous versions of REDCap would not attempt to display an inline PDF on the certification page of an e-Consent survey, in which it would say “This browser does not support inline PDFs. Please open the PDF in a new tab.”. But now, it will actually display the inline PDF for all devices on the e-Consent certification page, whether using the device’s native PDF viewer or if using REDCap’s PDF viewer.

• Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).

• Improvement: Videos hosted by the VidYard video service (vidyard.com) can now be utilized for the “Embed media” option on Descriptive Text fields. Thus, VidYard URLs (e.g., https://share.vidyard.com/watch/XYZXYZ) are now fully compatible, similar to how YouTube and Vimeo URLs have always been.

• Improvement: When moving one or more fields in the Online Designer, a new option will appear in the field selection drop-down to allow the user to move a field to an empty instrument (i.e., an instrument with no defined fields). In previous versions, fields could only be moved to an instrument containing at least one field (not counting the Form Status field).

• Change: All hard-coded references to “redcap.vanderbilt.edu” have been changed to “redcap.vumc.org” to reflect the recent change of the Vanderbilt REDCap server’s domain name. Note: The old URL will continue to work and automatically redirect to the new URL until April 2025.

• Change: New MLM tip added at the bottom of the “Forms/Surveys” tab on the MLM setup page. The tip reads as follows: “Tip: Choose your “ASI Language Source” wisely - If ASIs have been translated in your MLM setup, it is typically recommended that you utilize the “Language preference field” option for determining the translation to be used for an ASI survey invitation. Choosing “User’s or survey respondent’s active language” as the ASI Language Source can have unexpected results. For example, if a participant’s survey response triggers the ASI, the ASI’s invitation text will be output in the correct language since it uses what the participant has chosen previously. However, if the ASI is triggered by an action of the project user, such as a data import or saving a data entry form, the ASI’s text will be in the language of the project user, which may not be the language that the participant prefers.”

• Change: When copying a project via the Other Functionality page, a new note appears below the copy project option that says “NOTE: The new project will not contain the project’s logging history (audit trail), but if you wish to obtain it, you may freely download it any time at the top of the Logging page.”. This will help users understand upfront that the logging does not get copied during this process. (Ticket #228253)

• Various fixes and changes to the External Module Framework, including the following: 1) Made it possible to download a list of users that have Project Design rights for all projects where a given module is enabled (appears as a new button in the View Usage dialog in the Control Center), 2) Queued all External Module AJAX requests to prevent them from getting canceled by REDCap’s duplicate query protection, and 3) Miscellaneous security scan improvements.

• Bug fix: After editing the Survey Queue settings in the Online Designer, the SQ button might mistakenly display multiple green check mark icons. (Ticket #228741)

• Bug fix: Data Quality rules A and B will now return checkbox fields in the list of discrepancies if none of the checkbox options have been checked for a given checkbox field. This reverts a change made in REDCap 13.7.10 LTS and 13.9.0 Standard (via Ticket #212048), which is now considered to have been a mistake. This has been changed because the previous behavior was considered to be inconsistent with regard to how checkboxes, especially required checkboxes, are treated on survey pages and data entry forms. For example, if a checkbox field is required and no checkboxes are checked, the Required Field alert is displayed to the user, which implies that a checkbox field with no checked checkboxes is considered to be a field with a missing value. Thus, to provide more consistency with how checkboxes are treated throughout REDCap, this fix has been applied to correct this issue. (Ticket #217798)

• Bug fix: If some surveys are set as inactive in a project, then the Copy Project page might mistakenly have the “Survey Queue and Automated Survey Invitation settings” option unchecked and disabled. (Ticket #228742)

• Bug fix: In certain situations on a data entry form, the Custom Event Label might not display correctly and/or might get overwritten by the Custom Record Label (or vice versa). Bug emerged in REDCap 14.2.2. (Ticket #228503)

• Bug fix: When a Text or Notes field containing HTML tags in its value is being piped to another place on the same page/instrument, the HTML tags would mistakenly not be interpreted but instead would be escaped in its final piped form. This issue would only occur when the field has a SETVALUE or DEFAULT action tag. Bug emerged in 13.7.27 LTS and 14.0.3 Standard. (Ticket #228818)

• Bug fix: When completing a survey, a JavaScript error might occur during certain parts of the survey that might cause other important processes to be blocked on the page. (Ticket #228785)

• Bug fix: When using the Field Bank in the Online Designer to search for fields, it might mistakenly show answer choices that say “Login to see the value.” for specific items. (Ticket #228217)

• Change: When editing a MyCap task’s settings in the Online Designer, if a task is scheduled one time then the “allow retroactive” option will now not be available.

• Improvement/change: When uploading static attachment files to an alert on the Alerts & Notifications page, the maximum allowed attachment size has been increased from 10 MB to 20 MB. Please note that sending attachments larger than 10 MB might cause the email to be rejected by certain email providers.

• Major bug fix: If a project is deleted by a user, when that project is eventually deleted from the database 30 days later, if the project’s data is stored in the redcap_data2, redcap_data3, or redcap_data4 database table, the data might mistakenly not get removed from those data tables when the project as a whole is deleted. This could leave orphaned data in those data tables. Note: During the upgrade process, REDCap will automatically delete any orphaned data still present in the redcap_data2, redcap_data3, and redcap_data4 database tables. Bug emerged in REDCap 14.0.0.

• Major bug fix: When the e-signature functionality has been enabled on an instrument, the e-signature checkbox at the bottom of the data entry form would mistakenly be displayed and would be clickable even when the whole record is locked. If the whole record is locked, the e-signature checkbox should remain disabled. Additionally, it might be possible in certain situations (e.g., simultaneous users locking and editing a record) for a user to lock, unlock, or e-sign an instrument while the whole record is locked. Server-side checks have now been added to prevent that. (Ticket #225320)

• Bug fix: When accessing an instrument in the Online Designer right after creating a new project from scratch (i.e., when only the Record ID field exists), some instructional text at the top would mistakenly be too wide and might be partially covered up by other things on the page. (Ticket #228129)

• Bug fix: When editing some previously-saved content using the rich text editor (i.e., editing the body of an alert, ASI, project dashboard, or field label), in which an inline image was uploaded and saved by a user while on an earlier REDCap version, the inline image in the rich text editor would mistakenly appear as a broken image inside the editor if that older REDCap version’s directory has been removed from the REDCap web server. (Ticket #228239)

• Bug fix: When exporting a query as a CSV file on the Database Query Tool page, the first line of the CSV file would mistakenly contain a line of HTML. Bug emerged in REDCap 14.3.0.

• Bug fix: When importing a data dictionary, it would be possible to import fields that have a variable name ending with an underscore character. This should not be allowed, and thus it now displays an error message when attempting to do so. (Ticket #227821)

• Bug fix: When importing the Survey Queue settings via CSV file, an error might mistakenly be returned if certain things, such as condition_surveycomplete_form_name, do not have a value, even when not needed. (Ticket #227928)

• Bug fix: When moving one or more fields in the Online Designer, in which the user chooses to create a new instrument and then move the field to the newly created instrument (via the last drop-down option in the “Move field to another location” dialog), the process would place the Form Status field on the new instrument so that it would mistakenly be located above the new fields rather than below them. Bug emerged in the previous version.

• Bug fix: When opening REDCap Messenger while in a project, and then attempting to create a new conversation, the project’s left-hand menu would mistakenly cover over the “Create new conversation” dialog. Bug emerged in REDCap 14.0.16 LTS and 14.2.2 Standard. (Ticket #228033)

• Bug fix: When performing an initial install of REDCap on certain versions of MySQL, the install SQL script might mistakenly fail during the creation of the MyCap project template. (Ticket #228041)

• Bug fix: When the “Auto-suspend users after period of inactivity” setting is enabled, users who recently had their account created but had not logged in yet would mistakenly get auto-suspended. (Ticket #224747)

• Bug fix: When the PDF Auto-Archiver is enabled for a survey, the IP address of the participant would mistakenly be stored in the PDF Survey Archive table in the File Repository. It was intended that the participant’s IP address should only be stored when completing a survey with the e-Consent Framework enabled.

• Bug fix: When using Clinical Data Mart for CDIS, revisions were failing to be imported using the Data Mart import feature.

• Bug fix: When using MyCap in a project and a MyCap task exists, if a user switches the project from classic to longitudinal (or vice-versa) then task schedules might remain orphaned.

• Bug fix: When using the Mapping Helper for CDIS, the status mapping for different types of Condition resources was inaccurately handled.

• Improvement: When moving one or more fields in the Online Designer, a new option will appear at the end of the field selection drop-down to allow the user to auto-create an instrument while moving the field(s) to that new instrument. Note: The new instrument will be named “New Instrument” by default, although the user can always rename it after the fact. (Ticket #227034)

• Various updates and fixes to the External Module Framework, including 1) Added validation button and use of Logic Editor for JSON settings, and 2) Miscellaneous security scan script improvements.

• Bug fix: Automated Survey Invitations were mistakenly not getting triggered when set up with a survey completion condition together with conditional logic in which the “OR” option is selected. (Ticket #227693)

• Bug fix: The datetimepicker calendar widget used for datetime fields would mistakenly inject numbers at the end of the field value when typing a datetime value that has a time beginning with “23:”. The Datetimepicker library has been updated to a newer version, which resolves this issue. (Ticket #227636)

• Bug fix: The two new hooks “redcap_module_project_save_after” and “redcap_project_delete_after” that were added in the previous version were mistakenly added as traditional hooks when instead they should have only been added as EM-only hooks that can only be utilized by External Modules. This has been corrected.

• Bug fix: When a participant is completing an e-Consent survey on a mobile device, and thus it is unable to display the inline PDF of their response at the end of the survey, although they are able to view the PDF by clicking the button on the page to view it in another tab, the “Working…” popup would mistakenly appear for 20 seconds before disappearing. Instead, it should only appear very briefly before revealing the page.

• Bug fix: When using Google Cloud Storage for file storage in the system, uploading/downloading a file via Send-It for a File Upload field might mistakenly not work successfully. Additionally, file downloads might also fail when using GCS when downloading files attached to data queries in the Data Resolution Workflow dialog. (Ticket #226875b)

• Bug fix: When using Multi-Language Management, a piping issue would occur when viewing survey pages for participant-specific survey links only. (Ticket #227555)

• Bug fix: When using MyCap, there is some missing text that is utilized for displaying notes inside the repeating instruments popup (for longitudinal projects).

• Bug fix: When using the piping parameter “:inline” when piping a File Upload field, in which a unique event name (or event-based Smart Variable) is not prepended to the field but [first-instance] or [last-instance] is appended to the field (e.g., [my_upload_field:inline][last-instance]), the piping would fail to work correctly.

• Bug fix: When viewing a report in a longitudinal project or a project containing repeating instruments/events, it now displays the text “(‘records’ = total available data across all events and/or instances)” near the top of the report. In previous versions, it did not display any clarifying text for non-longitudinal projects that had repeating instruments, which caused confusion for users regarding the meaning of the word “records” in “Total number of records queried”.

• New hook: redcap_project_delete_after - Allows custom actions to be performed after a delete action has been initiated. This allows for close control of the delete operation on a project.

• New hook: redcap_project_save_after - Allows custom actions to be performed after a project has been saved from a newly created, copied, or modified project. This allows for close control of the create, copy, and modify operations on a project.

• Improvement: MyCap now supports repeating instrument functionality for longitudinal projects. In previous versions, repeating instruments were only supported for class/non-longitudinal projects.

• Minor security fix: The TinyMCE library embedded in REDCap was upgraded to its latest version (7.0.0) due to a XSS (Cross-site Scripting) vulnerability in the library’s previous version.

• Major bug fix: Users with API Import/Update privileges could successfully call the API method “Import User-DAG Assignments” without having Data Access Groups privileges in the project. Data Access Groups privileges should always be required when creating/renaming/deleting DAGs and when importing/exporting user-DAG assignments.

• Bug fix: If the E-signature feature is disabled system-wide via the Modules/Services Configuration page in the Control Center, the user rights option “Locking/Unlocking with E-signature authority” would mistakenly still appear when adding/editing a role or user. Additionally, if the E-signature feature is enabled system-wide but is not available for a specific user to use (e.g., if using Entra ID authentication but not using Two-Factor Authentication with the E-signature 2FA PIN option enabled), the user rights option “Locking/Unlocking with E-signature authority” would mistakenly still appear for that specific user. (Ticket #227220)

• Bug fix: The order of the alerts as displayed in the “Re-evaluate Alerts” dialog mistakenly does not match the order of the alerts on the Alerts & Notifications page. (Ticket #227234)

• Bug fix: Users with API Export privileges could successfully call the API method “Export DAGs” without having Data Access Groups privileges in the project.

• Bug fix: Users with API Export privileges could successfully call the API method “Export Repeating Instruments and Events” without having Project Design/Setup privileges in the project.

• Bug fix: Users with API Export privileges could successfully call the API method “Export User-DAG Assignments” without having Data Access Groups privileges in the project. Data Access Groups privileges should always be required when creating/renaming/deleting DAGs and when importing/exporting user-DAG assignments.

• Bug fix: Users with API Export privileges could successfully call the API methods “Export Users”, “Export User Roles”, and “Export User-Role Assignments” without having User Rights privileges in the project.

• Bug fix: Users with API Import/Update privileges could successfully call the API method “Import Project Settings” without having Project Design/Setup privileges in the project.

• Bug fix: Users with API Import/Update privileges could successfully call the API method “Import Repeating Instruments and Events” without having Project Design/Setup privileges in the project. It was instead checking for User Rights privileges instead of Project Design/Setup privileges.

• Bug fix: Users with API Import/Update privileges could successfully call the API methods “Import DAGs” and “Delete DAGs” without having Data Access Groups privileges in the project.

• Bug fix: When a survey participant submits the first page of a survey and gets the “Some fields are required” prompt because some required fields were left empty, the “start time” of the response would mistakenly not get stored in the backend database, thus preventing REDCap from displaying the start time or duration of the survey at any time afterward, including via Smart Variables (e.g., [survey-time-started], [survey-duration]). Note: This only occurs when required fields are left empty on the first page of the survey, not on subsequent pages. While this fix will prevent the issue from occurring in the future, it will unfortunately not be able to retroactively fix the issue for already-affected responses that are missing their start time and duration values. (Ticket #226240)

• Bug fix: When using CDP, encounter diagnosis mappings and potentially other kinds of conditions in CDP projects were not being applied correctly, causing data not to be imported correctly from the EHR. (Ticket #227307)

• Bug fix: When using Google Cloud Storage for file storage in the system, uploading/downloading a file via Send-It for a File Upload field might mistakenly not work successfully. Additionally, file downloads might also fail when using GCS when downloading files attached to data queries in the Data Resolution Workflow dialog. (Ticket #226875)

• Bug fix: When using Multi-Language Management and adding a system language to a project where the language set on the Control Center’s General Configuration page differs from the language set in a project (via Edit Project Settings page), the “The original values of some translated items have changed” message would mistakenly be shown. (Ticket #227077)

• Bug fix: When using Multi-Language Management, some MLM AJAX calls might mistakenly not work when using Shibboleth authentication. (Ticket #225282)

• Bug fix: When using MyCap and viewing the Online Designer, the “Enable” MyCap buttons for PROMIS battery instruments are now disabled since these are not yet supported in the MyCap mobile app.

• Bug fix: When using the randomization feature, while a radio strata field exists on the same instrument as the randomization field, after the record is randomized on the data entry form, the strata field’s “reset” link (for resetting its value) would mistakenly still appear on the page until the page is refreshed or returned to later. The “reset” link should be immediately hidden after randomization has occurred. (Ticket #226998)

• New action tags: @MC-PARTICIPANT-JOINDATE-UTC and @MC-PARTICIPANT-TIMEZONE - These action tags will capture the MyCap participant’s timezone and also the install date/time (in UTC time) of the MyCap participant whenever the participant joins a project via the MyCap mobile app. NOTE: This is used only for the MyCap mobile app. The fields' values are not generated when viewing the data entry form but only when the MyCap app is making a call to REDCap when the participant joins the project. Additionally, while these action tags can be added to a new field in already-existing MyCap projects, a field with this action tag will be auto-added to any projects where MyCap is enabled in the project after the fact and for any new projects created using the MyCap project template.

• New feature: Custom Query Folders - For improved organization, Custom Queries on the Database Query Tool page can now be organized into folders. Additionally, custom queries can be exported and imported using a CSV file.

• Improvement: API examples in C Sharp (C#) code were added to the API Playground.

• Improvement: In the Online Designer, the variable name for each field on the page is clickable, and when clicked, will copy the variable name to the user’s clipboard.

• Improvement: In the Online Designer, when a user attempts to click into the variable name field in the Edit Field popup while the project is in production, the dialog that notes that the variable name is not editable when in production will now also display the variable name as clickable in the dialog’s text, and when clicked, will copy the variable name to the user’s clipboard.

• Improvement: In the Online Designer, when a user clicks on the green button “Field is embedded elsewhere on this page” on an embedded field in the table, the page will scroll up to where the field is embedded and flash a red border around the container field. This will make it easier for users to find where a field is embedded.

• Improvement: When viewing a user on the Browse Users page in the Control Center, it now lists a new row “Number of users of which user is a sponsor” in the table. It will list how many sponsees the user has and also a link to open a dialog that will list the username and first/last name of all their sponsees. (Ticket #225819)

• Bug fix: If a project has a repeating Automated Survey Invitation, and then later the survey instrument is set to be no longer repeating (via the Project Setup page settings), the ASI would continue to function as if the survey was still a repeating instrument.

• Bug fix: In specific situations when downloading an instrument PDF in a longitudinal project, the process would mistakenly crash when using PHP 8. (Ticket #226047)

• Bug fix: Multi-language Management mistakenly failed to translate a number of survey exit pages (survey offline, response limit reached), and the language selector would be inaccessible. (Ticket #226237)

• Bug fix: The “characters/words remaining” message mistakenly was not translated on data entry and survey pages when using Multi-language Management. (Ticket #226676)

• Bug fix: When a confirmation email is defined for a survey on the Survey Settings page, and then later the user selects “No” to disable the confirmation email on that page, it would mistakenly not disable the confirmation email setting after clicking the Save Changes button. Note: This would only be noticeable if the user returned to the page afterward. (Ticket #226697)

• Bug fix: When a regular user (non-admin) is uploading a CSV data file via the Background Data Import, the upload process might mistakenly fail due to a PHP error if the user is not assigned to a Data Access Group. (Ticket #226639)

• Bug fix: When an inline image is used in the body of an alert, the image might mistakenly not be displayed (i.e., a broken image icon would appear) when a user views an already-sent alert message in the Notification Log. (Ticket #226089)

• Bug fix: When taking a survey using a mobile device, in certain situations the Submit button might be partially obscured by the browser window and thus might not be clickable. (Ticket #226895)

• Bug fix: When the datediff() function is used in a calculated field, in which it contains “today” or “now” as one of the two parameters and the other parameter is a DMY or MDY formatted date/datetime field from another event and also exists on a repeating event or repeating instrument, a calculation error message might appear on the survey page or data entry form, thus preventing the page from working correctly. (Ticket #226037)

• Bug fix: When using CDIS, a query in the code was structured incorrectly so that it might mistakenly not return recently modified records in certain use cases, thus affecting CDIS' ability to import data from the EHR effectively.

• Bug fix: When using CDIS, some mapping for Adverse Events were not being pulled, such as causality.

• Bug fix: When using CDP or DDP Custom, the “database” icon would mistakenly not be displayed next to a mapped field on the data entry form for right-aligned Notes fields. (Ticket #226554)

• Bug fix: When using CDP or DDP Custom, the Record Status Dashboard page might mistakenly attempt to automatically pull data from the EHR for records on the page when viewing that page as an administrator that is not a user in the project. Instead, it will now only do this for project users.

• Bug fix: When using the Data Resolution Workflow while a project is in Analysis/Cleanup status with data as Read-only/Locked, users might still be able to submit a data entry form after navigating to the form in a specific way from the Resolve Issues page. Users should not be able to submit a data entry form while in Analysis/Cleanup status with data as Read-only/Locked. (Ticket #226735)

• Bug fix: When using the Stats & Charts page in a longitudinal project, in which some data had been collected on specific instruments and then later those instruments were undesignated for certain events, thus orphaning some of the data, the charts displayed on the page would mistakenly include the orphaned data for the undesignated instruments when they should be excluding that data. (Ticket #30382)

• Bug fix: When utilizing the project-by-project Unicode Transformation process, which is done using a cron job via Step 2 on the Unicode Transformation page, the data in the Data Resolution Workflow related table might mistakenly not get transformed (i.e., the comments for data queries in DRW).

• Improvement: The Custom Event Label, if being used in a longitudinal project, will now display at the top of the data entry form in the yellow event bar. In previous versions, it only appeared above each event column on the Record Home Page. Now it appears in both places.

• Improvement: Users may now use “now” or “today” (wrapped in quotes) instead of a field variable in the special functions day(), month(), and year() in order to capture a specific date component of today’s date.

• Change: The Configuration Check page will no longer display a warning if any REDCap database tables have “compressed” row_format. REDCap now allows both “compressed” and “dynamic” as the row_format. (Ticket #224878)

• Bug fix: A fatal error might occur when calling REDCap::saveData() when providing “array” data in an incorrect format to the method while running PHP 8. (Ticket #225896)

• Bug fix: If a participant attempts to load a survey using a non-public survey link after the participant’s record has been deleted in the project, they would be mistakenly redirected to the REDCap login page, which is confusing. Instead, an appropriate error message is now displayed to let them know the survey is no longer active or that they are no longer a participant. (Ticket #225427)

• Bug fix: If matrix field labels contain tags, the downloaded PDF of the instrument might mistakenly display the field labels overlapping each other.

• Bug fix: It is possible to perform data imports in which the record name contains a line break or carriage return character. Those characters should not be allowed in record names. (Ticket #224506)

• Bug fix: Modifying the value of a Notes field that has the @RICHTEXT action tag would mistakenly not cause the “Save your changes” prompt to be displayed if a user attempts to leave the page afterward. (Ticket #225367)

• Bug fix: The API Playground’s example R code for the API Export File method was not correct and has been fixed. (Ticket #101454b)

• Bug fix: The API method “Export a File from the File Repository” would mistakenly output an incorrect MIME type for a file being exported. (Ticket #225517)

• Bug fix: The query cache efficiency check on the Configuration Check page might mistakenly display a false positive saying that the MySQL query cache is not efficient when actually it is. (Ticket #225731)

• Bug fix: The special function concat_ws() would mistakenly include fields with blank values in its output. It is expected that blank values should not be included. For example, if we have @CALCTEXT(” and “, [dob1], [dob2], [dob3), it would mistakenly output “2024-03-01 and and 2024-03-01” when field “dob2” is empty/blank, whereas it should instead output “2024-03-01 and 2024-03-01”.

• Bug fix: When CDIS is enabled, specifically Clinical Data Mart, with one or more EHRs defined on the CDIS page in the Control Center, the My Projects page might mistakenly crash in certain situations when using PHP 8. (Ticket #225890)

• Bug fix: When a project’s first instrument is a repeating instrument, and a user is performing a data import of new (not existing) repeating instances for another repeating instrument in the project, new empty instances would mistakenly get created for the first instrument when new instances should only get added for the desired repeating instrument. (Ticket #224932)

• Bug fix: When calling the “Import Users” API method and providing the data payload in CSV format, the “forms_export” privileges provided in the CSV might mistakenly not get parsed correctly, which might cause the API script to return an error, specifically when using PHP 8, or it would mistakenly set the user’s data export rights to “No Access” across the board for all instruments.

• Bug fix: When creating an alert in a longitudinal project, the “Email To” option would display an event-ambiguous email field (i.e., “Any Event”) that could be chosen. However, in many situations, this might cause the alert not to be sent (or it is attempted to be sent with a blank sender address). To prevent this issue, the “Any Event” field options are now no longer displayed as choices for the “Email To” field for alerts. (Ticket #224839)

• Bug fix: When exporting data to R, any backslashes in the R syntax file would mistakenly not get escaped. Now all backslashes are replaced with a double backslash in the resulting R code. (Ticket #225046)

• Bug fix: When using Double Data Entry as DDE person 1 or 2, records that are locked at the record level would not appear to be locked and might mistakenly allow a user to modify a locked record. (Ticket #225431)

• Bug fix: When using MLM, importing UI translations would mistakenly not be possible in projects with subscribed languages, even when UI overrides are explicitly allowed.

• Bug fix: When using a mobile device and attempting to open Messenger, the Messenger panel might mistakenly be obscured and not viewable in certain contexts.

• Bug fix: When using the Clinical Data Pull in CDIS, specifically when launching the CDP window in an EHR context, an undefined JavaScript function might produce a JavaScript error, thus causing certain things not to function correctly on the page.

• Bug fix: When using the Clinical Data Pull in CDIS, the “address-district” demographics field was mistakenly missing, and thus EHR data could not be pulled for it.

• Bug fix: When viewing scheduled alerts on the Notification Log page for alerts that are recurring, the scheduled send time might mistakenly appear to be incorrect in the Notification Log if the alerts are set to recur every X minutes/hours/days, in which X is a number with a decimal (i.e., not an integer). Note: This does not appear to prevent the alert from being sent at the appropriate time, but this is simply a display issue in the Notification Log. (Ticket #225860)

• Bug fix: When viewing the Stats & Charts page in a longitudinal project, the page might mistakenly crash in very specific scenarios when running PHP 8. (Ticket #225493)

• Bugfix: When MLM is active, matrix headers mistakenly were shown over each line of a matrix field when output as an instrument PDF. (Ticket #225203)

• Bug fix/change: The “Azure AD” authentication is now referred to as “Microsoft Entra ID (formerly Azure AD)” in the REDCap user interface due to the fact that Microsoft renamed the product to “Microsoft Entra ID” at the end of 2023.

• Major security fix: A Stored Cross-site Scripting (XSS) vulnerability was discovered in the File Repository in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the folder name of a folder created in the File Repository. The user must be logged in to REDCap and also must have File Repository privileges in the project in order to exploit this. Bug emerged in REDCap 13.1.0.

• Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into a field’s data value when viewed on the Data Comparison Tool page. The user must be authenticated into REDCap in order to exploit this in a project. Bug exists in all REDCap versions for the past 10 years.

• Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into specific translated labels when using Multi-Language Management. The user must be authenticated into REDCap in order to exploit this in a project. Bug exists in all REDCap versions beginning with v12.0.0.

• Bug fix: A fatal PHP error might occur for PHP 8 when viewing the Record Home Page or Record Status Dashboard for a record on an arm that has no events. (Ticket #225089)

• Bug fix: If a user assigned to a Data Access Group is importing records via the Background Data Import, those records would mistakenly not get assigned to the user’s DAG. In addition, if record auto-numbering has been selected for the import, it would also not prepend the record names with the DAG ID number and a dash. (Ticket #224833)

• Bug fix: If using certain versions of MariaDB, the “YOUR REDCAP DATABASE STRUCTURE IS INCORRECT!” error message might display as a false positive in the Control Center, even when nothing is wrong with the database table structure.

• Bug fix: The Copy Project page would mistakenly have the wrong label for the “Copy Project Dashboards” checkbox. Bug emerged in the previous version.

• Bug fix: When Double Data Entry is enabled, and the current user is either DDE person #1 or #2, in which Form Display Logic has been defined in the project, the Form Display Logic might mistakenly not work correctly when viewing the Record Home Page. (Ticket #225125)

• Bug fix: When entering text for an alert message when adding/editing an alert on the Alerts & Notifications page, in which the field list menu would appear after entering the “[” character, clicking a field in the field list would mistakenly not inject that variable name into the alert message. (Ticket #224895)

• Bug fix: When using “OpenID Connect & Table-based” authentication, clicking the “Logout” link in REDCap might mistakenly result in a logout error in the Identity Provide/SSO service. Bug emerged in REDCap 13.10.4. (Ticket #224757)

• Bug fix: When using the Data Resolution Workflow, a fatal PHP error for PHP 8 in certain situations when data is being saved in certain contexts, such as data imports, when some data values have been “Verified”. (Ticket #225198)

• Bug fix: When using the repeatable settings in the External Modules configuration dialog, removing a single repeating setting instance would mistakenly remove all repeating instances in the dialog. Bug emerged in REDCap 13.11.0. (Ticket #225171)

• New feature: Account Expiration Email Templates - At the bottom of the User Settings page in the Control Center, administrators may optionally customize the email text of the account expiration emails that are sent to users prior to the users' impending expiration. Two text editors exist on the page, in which admins may define text for users with sponsors and also for users without sponsors. If no custom text is provided, stock text will be utilized in the outgoing emails to users. (Ticket #58767)

• New feature: Project Dashboard Folders - Project Dashboards in a project can now be organized into folders. If a user has Project Setup & Design privileges, they will see an “Organize” link on the left-hand project menu above the Project Dashboards panel. They will be able to create folders and then assign their Project Dashboards to a folder, after which the Project Dashboards will be displayed in collapsible groups on the left-hand menu. (Ticket #137183)

• Improvement: If using CDIS, new data fields “Legal Sex” and “Sex for Clinical Use” can now be mapped for Clinical Data Pull projects and also will be included in Clinical Data Mart projects. Note: Currently, only Epic is providing data for these fields, but other EHR systems will likely add them too in the near future.

• Improvement: New “Test Run” option when re-evaluating Alerts and Automated Survey Invitations - When performing the “Re-evaluate” feature for Alerts and ASIs, a new toggle that says “Enable Test Run?” can be clicked in the dialog, which will perform a test run (dry run) to simulate what would have happened (e.g., schedule or send alerts/invitations) but without actually doing anything. This will allow users to feel more confident if they actually need to perform a real re-evaluation of Alerts or ASIs so that they know beforehand how many records will be affected during the re-evaluation. In addition, users may download a CSV file of all affected record names afterward, whether using the test run option or not.

• Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).

• Improvement: The Project Home Page now contains an icon in the Current Users table to allow users to download the current user list as a CSV file.

• Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the Data Quality page in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into parameters in certain AJAX requests.

• Bug fix: If the @SETVALUE action tag exists on a field on an e-Consent survey, it would mistakenly allow the field’s value to be overridden even when the e-Consent setting “Allow e-Consent responses to be edited by users” is not checked. (Ticket #225008)

• Bug fix: If using CDIS, the Clinical Data Pull mapping tool might mistakenly throw a JavaScript error. Additionally, Descriptive fields were mistakenly being excluded from the CDP mapping tool.

• Bug fix: The EHR launch process in CDIS might mistakenly fail in specific situations where Azure AD is the authentication method in REDCap.

• Bug fix: The Rapid Retrieval caching system might mistakenly fail with a fatal PHP error in some specific instances. (Ticket #224840)

• Bug fix: The developer method REDCap::getUserRights() would mistakenly not return instrument-level Data Export Rights information. (Ticket #224887)

• Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).

• Change/improvement: All logged events concerning Alerts & Notifications will now additionally display the alert’s Unique Alert ID in order to make it easier to discern alerts from each other if alerts are reordered or moved after being created (i.e., if their alert number changes over time). (Ticket #222857)

• Change: The “Email Alerts” converter that migrates alerts from the Email Alerts external module to alerts in “Alerts & Notifications” has been officially removed. This feature was technically removed four years ago, but there still existed an Easter Egg in the redcap_config database table that would allow it to be used during emergency situations.

• Several bug fixes for the External Module Framework.

• Bug fix: If any text used in an outgoing SMS text message contains an HTML hyperlink, in which the link’s text is virtually the same as the link’s URL, it would mistakenly display the URL in parentheses after the link text in the resulting SMS message. It should only do this when the link text is different from the URL. (Ticket #109648)

• Bug fix: If the Custom Event Label is used in a longitudinal project and contains any HTML tags, all the tags would mistakenly get stripped out when exporting the project’s Project XML file. (Ticket #224571)

• Bug fix: In places that display a drop-down list of records for the “Test logic with a record” feature, most notably in the branching logic dialog, Survey Queue setup dialog, and ASI setup dialog, the dialog might mistakenly never load if the project contains many thousands of records. For now on, it will display a normal drop-down list if the project contains 1000 records or fewer, and if the project contains more than 1000 records, it will instead automatically revert to displaying an auto-suggest text box to allow the user to manually enter the record name (rather than attempting to display an extremely long drop-down). (Ticket #224531)

• Bug fix: In some cases when inline PDFs are attached to Descriptive fields, and a user downloads the PDF of the instrument, if the iMagick PHP extension is installed on the web server, there would mistakenly be a blank page following the inline PDFs in the resulting REDCap-generated PDF of the instrument. (Ticket #222014)

• Bug fix: When an Automated Survey Invitation with conditional logic is being evaluated when a record’s data is being saved, in which the conditional logic references a field in a repeating instrument or repeating event where the field does not have an X-instance Smart Variable appended or an instance number appended to itself, the logic might not get evaluated as expected.

• Bug fix: When the “Auto-suspend users after period of inactivity” setting is enabled, users who recently had their account created but had not logged in yet would mistakenly get auto-suspended. Bug emerged in the previous version. (Ticket #224266)

• Bug fix: When using the datediff() function in which the Daylight Saving Time barrier is crossed when calculating the result of two datetime values, in specific cases the result might mistakenly be one hour off if using units of “h”, “m”, or “s” for the function. (Ticket #223682)

• Improvement: Administrators are now able to view survey pages even when the system or a project is in “offline” status. Note: The admin must have logged into REDCap (i.e., they have a session cookie) before the system/project was taken offline in order to access a survey page. (Ticket #223524)

• Improvement: Enhanced settings for importing email addresses from EHRs via Clinical Data Interoperability Services (CDIS) - Previous versions of REDCap had a CDIS feature to allow or disallow projects from importing the email addresses of patients from the EHR, in which it was either completely disallowed or an admin could enable the feature on an individual project via the Edit Project Settings page. The new features provide more options so that it can be 1) disabled for all projects, 2) enabled for all projects, or 3) allow individual projects to decide (via the admin-only setting on the Edit Project Settings page). (Ticket #223068)

• Improvement: When using CDIS in a project, a new status indicator for FHIR access tokens will appear underneath each user in the Current Users table on the Project Home page. This feature helps team members and admins quickly see who needs to update their access token, essential for CDIS background fetch processes.

• Various updates to the External Module Framework, including adding the “redcap_module_api_before” hook and miscellaneous security scan improvements.

• Bug fix: In some rare cases, the “collation_connection” setting for the REDCap database connection might mistakenly be taking effect, which could thus lead to possible encoding issues when pulling information from or storing information in the REDCap database.

• Bug fix: It might be possible for users or participants to manipulate an HTTP request in a specially-crafted way in order to upload files of any file type into a Signature field on a data entry form or survey. Note: This does not pose a security issue of any kind, and if certain file extensions are defined in the “Restricted file types for uploaded files” list in the Control Center, then those file types will be blocked immediately and not saved in the system.

• Bug fix: On certain pages/dialogs, the calendar datepicker popup might mistakenly fail to be displayed when expected (e.g., when editing an alert). Bug was supposedly fixed in the previous version but still persists in some places throughout the application. (Ticket #223627)

• Bug fix: The simultaneous user prevention check on data entry forms would mistakenly prevent multiple users from accessing and editing different repeating instances of the same record-event-instrument in a project.

• Bug fix: When importing Form Display Logic via a CSV file, the checkboxes for the FDL’s optional settings would mistakenly all become unchecked after the import. (Ticket #223666)

• Bug fix: When the “Auto-suspend users after period of inactivity” setting is enabled, users who have not been added to any projects might mistakenly not get auto-suspended. (Ticket #223659)

• Bug fix: When the Rapid Retrieval caching feature is using file-based storage and is utilizing the alternate storage location (instead of using REDCap temp for storage), it might store some of the RR files in the REDCap temp directory by mistake. (Ticket #223738)

• Bug fix: When uploading a CSV file to add or rename Data Access Groups on the DAG page in a project, in which the user provides a unique group name in the CSV file for a DAG that does not yet exist, the error message provided would be confusing as to what the problem is. In this situation, a more detailed error message is provided to inform the user that the unique group name is only used for renaming DAGs and should be left blank when creating new DAGs. (Ticket #223526)

• Bug fix: When using Google Cloud Storage for file storage in the system, uploading a file on the main Send-It page might mistakenly not work successfully. (Ticket #221098b)

• Bug fix: When utilizing the project-by-project Unicode Transformation process, which is done using a cron job via Step 2 on the Unicode Transformation page, if processing individual projects that do not have any surveys enabled, it would mistakenly execute several unnecessary, long-running SQL queries on each project lacking surveys, which would make the overall process take much longer to fully complete than it should.

• Minor security fix: Cross-site Request Forgery (CSRF) protection was mistakenly not applied to the user action of deleting arms on the Define My Events page.

• Minor security fix: If a logged-in user has specific knowledge of the REDCap system, they might be able to manipulate the parameters of a specific AJAX endpoint in order to send custom crafted emails impersonating any email sender (i.e., they can set the email’s From address to anything they wish).

• Medium security fix: A Broken Access Control vulnerability was discovered in which a logged-in user who is not a REDCap administrator could create Custom Application Links and have those open on the left-hand menu for any and all projects in the system. Only admins should be able to create, modify, and delete Custom Application Links in the Control Center. This could be used to trick users into navigating to potentially malicious websites.

• Medium security fix: Lower-level REDCap administrators (e.g., with “Manage user accounts” rights) could potentially escalate their own admin privileges by utilizing information from certain tables in the database via the Database Query Tool page. Going forward, only administrators with ‘Admin Rights’ privileges, ‘Modify system configuration pages’ privileges, or ‘Access to all projects and data with maximum privileges’ privileges are allowed to access the Database Query Tool.

• Medium security fix: There is a possibility in very specific situations that a malicious user might be able to reactivate another user’s session and take it over after the other user has logged out of REDCap. This would require obtaining the other user’s session ID.

• Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered in the Database Query Tool in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into saved queries on the page. The user must be an admin and must be authenticated into REDCap in order to exploit this. Bug emerged in REDCap 12.3.0.

• Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the “Importing instrument from the REDCap Shared Library” page in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into input elements on the page. The user must be authenticated into REDCap in order to exploit this. Bug exists in all REDCap versions for the past 10 years.

• Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the Alerts & Notifications page in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into parameters in certain AJAX requests. The user must be authenticated into REDCap in order to exploit this. Bug emerged in REDCap 9.0.0.

• Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the confirmation page displayed for users who have put in specific requests to the REDCap administrator (e.g., requested a project be moved to production) in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into the URL. The user must be authenticated into REDCap in order to exploit this. Bug exists in all REDCap versions for the past 10 years.

• Major bug fix: On certain pages/dialogs, the calendar datepicker popup might mistakenly fail to be displayed when expected (e.g., when composing survey invitations). Bug emerged in the previous version. (Ticket #223277)

• Bug fix: A fatal error would occur when using Azure AD authentication. Bug emerged in REDCap 14.1.2. (Ticket #223173)

• Bug fix: For Step 2 when editing an alert and setting “Send it how many times?” to “Multiple times on a recurring basis”, the number interval of the recurrence could mistakenly only be 4 characters long at the maximum. (Ticket #223020)

• Bug fix: If the first instrument in a project is taken as a public survey, it can end up with two different (but equally valid) return codes, assuming the survey has “Save & Return Later” enabled. However, it could be confusing for users to see two different return codes and think something is wrong. For consistency, the return code on the data entry form will now match the return code displayed to the participant on the survey page. (Ticket #208079)

• Bug fix: In some situations, it might be possible for a user or admin to duplicate the process of moving a project to production status, which would inadvertently cause the project to end up in Analysis/Cleanup status instead. (Ticket #222935)

• Bug fix: In very specific situations when using branching logic on a multi-page survey that is a repeating instrument/survey, some survey pages might get mistakenly skipped if the repeating instance number is greater than “1” when all fields on the page have branching logic that references field values on the current repeating instance. (Ticket #223126)

• Bug fix: Since Microsoft will soon be deprecating their Azure Storage PHP client libraries that are currently used by REDCap, the Azure Storage library has now been replaced in REDCap with new custom-built methods for making calls directly to the Azure Blob Storage REST API. (Ticket #216356)

• Bug fix: The Rapid Retrieval caching feature might mistakenly cause some API calls to hang and eventually time out. (Ticket #223083)

• Bug fix: When a REDCap administrator has limited data export privileges in a project and then calls the Export Report API method, REDCap would mistakenly remove many of the fields in the resulting data set, which should not happen to administrators. (Ticket #223259)

• Bug fix: When using Multi-Language Management, certain types of fields (yesno, truefalse, matrix field choices) would fail to be properly piped when the fields do not exist on the same form. (Ticket #222446)

• Bug fix: When using the @if action tag on a survey question, in which the participant is returning to the survey via their “Save & Return Later” return code, the @if logic might mistakenly not get evaluated correctly on the page to which they return, thus possibly utilizing the wrong action tags for the field. Note: This does not occur for subsequent pages in the survey after returning to the survey but only to the initial page loaded upon their return. (Ticket #223291)

• Various updates and fixes for the External Modules Framework, including 1) Fixed a module setting race condition when using a “Read Replica” database server, and 2) Displayed logged parameters on the View Logs page for External Modules.

• Bug fix: If a file in the Recycle Bin in the File Repository is permanently deleted by a REDCap admin, the file would be marked as having been permanently deleted but would mistakenly still exist in the file storage system. (Ticket #222787)

• Bug fix: If an administrator is not a user in a project but clicks the “Create API token now” button on the project’s API page, the token would not be created (as expected) but it would mistakenly log the event “Create API token for self” as if it was created. (Ticket #222977)

• Bug fix: The simultaneous user prevention check on data entry forms would mistakenly prevent multiple users from accessing and editing different repeating instances of the same record-event-instrument in a project.

• Bug fix: When Rapid Retrieval is disabled, REDCap might still be creating *.rr cache files in the temp folder. (Ticket #223076)

• Bug fix: When downloading an Instrument Zip file or various CSV files, the process might crash due to a fatal PHP error if the user has Space or Tab as their preferred “Delimiter for CSV file downloads” (as defined on their Profile page). (Ticket #222524)

• Bug fix: When the calendar datepicker popup is displayed near the rich text editor, in some situations part of the calendar might mistakenly get covered up by the editor’s toolbar. (Ticket #223011)

• Bug fix: When upgrading from a version prior to REDCap 14.0.1, an SQL error might occur during the REDCap upgrade with regard to an “alter table” statement for the database table “redcap_outgoing_email_sms_log”.

• Bug fix: When using CDIS, a project’s Edit Project Settings page might be missing a Save button if the REDCap server lacks configurations for at least one FHIR system. (Ticket #222919)

• Bug fix: When using CDIS, an issue might occur if REDCap is using Azure AD OAuth2 & Table-based authentication method, particularly during an EHR launch for Clinical Data Pull.

• Bug fix: When using Clinical Data Pull for CDIS, the CDP cron job might mistakenly miss some records when fetching EHR data in the background.

• Bug fix: When using Multi-Language Management, floating matrix headers were not aligned properly on surveys for right-to-left languages. (Ticket #222689)

• Bug fix: When using Multi-Language Management, the Forms/Surveys tab on the MLM setup page might fail to load due to a JavaScript error.

• Bug fix: When using multiple EHR systems with Clinical Data Pull for CDIS, the incorrect FHIR base URL was being used for data retrieval during the background fetch process of CDP projects. This error not only hindered the data fetch process when fetching EHR data, but it also led to the internal FHIR token manager inadvertently deleting valid access tokens for users.

• Bug fix: When using the text “month”, “day”, or “year” followed by an opening parenthesis inside quotes in a @CALCTEXT equation, the calculation would not get parsed correctly, thus resulting in a calculation error on the survey page or data entry form. (Ticket #222973)

• Bug fix: When viewing the “Stats & Charts” page for any report that has one or more Live Filters selected on the page, and then the user selects an instrument and/or record in the Display Options box near the top of the page, all Live Filter selections would mistakenly get reset back to a blank value. (Ticket #222699)

• Change: The “Copy Project” page now contains more informational text when copying a project containing surveys. The new text explains that when copying all records, the survey completion time for any survey responses will not be copied with the normal project data because the completion times are considered to be equivalent to project logging, which never gets copied during this process. (Ticket #222256)

• Various changes and fixes for the External Modules Framework, including fixing a bug that was preventing link editing in rich text module settings caused by a conflict between Bootstrap dialogs and TinyMCE.

• Major bug fix: When a user views a report and modifies the “report_id” parameter in the URL while on the report’s “Stats & Charts” page or when editing the report, in which the report_id is changed to the report_id of a report in another project to which the user does not have access, the user would mistakenly be able to view the report name and the number of results returned from that report from the other project. Note: No identifying data or record names from the other project are able to be accessed using these methods; only the report name and the total count of results returned from the report can be extracted.

• Bug fix: If a project is being moved back to Production status from Analysis/Cleanup status, the process of moving it back to Production would mistakenly not clear out the “inactive_time” timestamp in the backend database for the project. This issue has no impact on the application. (Ticket #222175)

• Bug fix: If a user was given “Edit Access” rights to a specific report, but they have been given “Add/Edit/Organize Reports” user privileges for the project, if they append “&addedit=1” to the URL when viewing the report, it might appear that they can edit the report. However, clicking the “Save Report” button on the page would actually do nothing and would forever say “Working”. So while they aren’t able to bypass any report access privileges, it could be confusing because it appears as though maybe they could. (Ticket #222150)

• Bug fix: When erasing all data in a project or deleting all records when moving a project to production, the process might mistakenly not delete the ‘Survey Login Success’ and ‘Survey Login Failure’ logged events in the project if the Survey Login feature is being utilized. (Ticket #222429)

• Bug fix: When erasing all data in a project or deleting all records when moving a project to production, the process might take a disproportionately large amount of time to complete (or it might get stuck) if the project contains a large amount of data points (i.e., several million or more rows). The process now deletes data from the redcap_dataX table in smaller batches rather than attempting to delete all rows with a single query.

• Bug fix: When saving the Survey Login settings in the Online Designer, the confirmation dialog would mistakenly not be displayed due to a JavaScript error.

• Bug fix: When upgrading to REDCap 14.1.1 from any earlier version, an SQL error might occur in some rare cases when performing the REDCap upgrade process due to a foreign key constraint in the redcap_ehr_user_map database table. (Ticket #222084)

• Bug fix: When using Clinical Data Mart in CDIS, the CDM data fetching process might fail when using specific versions of MySQL/MariaDB, specifically MySQL versions prior to 8.0 and MariaDB versions prior to 10.2.1. (Ticket #219308)

• Bug fix: When using Clinical Data Mart in CDIS, there were issues in the list of mappable items within CDM projects, in which the following condition types were not mappable as generic entries: encounter-diagnosis-list, problem-genomics-list, problem-medical-history-list, and problem-reason-for-visit-list.

• Bug fix: When using Clinical Data Pull in CDIS, an out-of-memory error could occur when handling large volumes of data being pulled from the EHR.

• Bug fix: When using Clinical Data Pull in CDIS, some CDP projects with the auto-adjudication feature enabled might display the adjudication count as a negative number. (Ticket #134564)

• Bug fix: When using Multi-Language Management, instruments with matrix fields would fail to load due to a JavaScript error. This bug was introduced in the previous version. (Ticket #222211)

• Bug fix: When viewing the Record Status Dashboard when Data Access Groups exist in a project, in certain situations the RSD page might load a bit slowly due to an excessive amount of SQL queries being run. This was fixed in the previous version, but it only covered specific situations. (Ticket #221998b)

• Improvement: If a user has a sponsor, their sponsor’s username, name, and email will be listed at the top of their Profile page. (Ticket #138684)

• Major security fix: An SQL Injection vulnerability was found on a Calendar-related page, some MyCap-related pages, the Define My Events page, the Online Designer, the Record Home Page, and other places, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit these, the user must be logged in as a REDCap user. Bugs exist in all REDCap versions for the past 10 years.

• Major security fix: Several Reflected XSS (Cross-site Scripting) and Stored XSS vulnerabilities were discovered in which a malicious user could potentially exploit them by inserting custom JavaScript in a specially crafted way into specific URLs or POST parameters in several places, including the Data Quality page, Custom Application Links, Report Folders, and other places. The user must be authenticated into REDCap in order to exploit these in a project. Bugs exist in all REDCap versions for the past 10 years.

• Major bug fix: The Clinical Data Mart in CDIS might mistakenly not work at all and thus might not allow users to pull any data from the EHR. Bug emerged in REDCap 14.1.0 Standard.

• Bug fix: An error might occur during the “refresh token” process in CDIS. If an HTTP error occurred while refreshing the token, it was not correctly caught and handled.

• Bug fix: During the cache file creation process for Rapid Retrieval, concurrent write attempts could lead to PHP errors and potentially high CPU usage in some specific cases. (Ticket #221459)

• Bug fix: If a record contains multiple consecutive spaces in its record name, some things might not display correctly on certain pages when viewing the record, such as the floating table of repeating instances when clicking on the “stack” status icon for a repeating instrument on the Record Home Page or Record Status Dashboard.

• Bug fix: In certain situations when using Clinical Data Pull for CDIS, the process might stop with a fatal PHP error for some PHP version.

• Bug fix: The “Create new API token for user” dialog might mistakenly display the option “External Modules API”, which is not a published feature yet. (Ticket #221904)

• Bug fix: The upgrade process might unexpectedly stop due to an SQL error in the upgrade SQL script when upgrading to or higher than REDCap 14.0.1 in some cases.

• Bug fix: Usernames with apostrophes could not be added to a project or assigned to a user role through the user interface on the User Rights page. (Ticket #221933)

• Bug fix: When using Clinical Data Mart in CDIS, the CDM auto-fetch feature was not properly scheduling a fetch process.

• Bug fix: When using Clinical Data Pull in CDIS, conditions or medications were not shown in the CDP adjudication dialog unless a specific status was specified.

• Bug fix: When using Multi-Language Management, in which the highlighting feature for untranslated items is enabled, some items would mistakenly be highlighted on the page that should not be highlighted. (Ticket #221418)

• Bug fix: When using Multi-Language Management, the MLM setup page might not sort the choices of multiple choice fields in the correct order as seen in the Codebook and Online Designer. (Ticket #221888)

• Bug fix: When using the Background Data Import process, in which an error occurs, if a user goes to download the CSV file containing the list of errors for the import batch, the first letter of the error message in a given row might be missing.

• Bug fix: When using the Survey Queue, in which survey participants are added initially via the Participant List, if neither the Designated Email field nor the Participant Identifier is used in the project, and the Survey Response Status is “Anonymous*”, the Survey Queue’s “Get link to my survey queue” popup would mistakenly display the participant’s email address, thus breaking the participant’s anonymity in the project. Going forward, it will no longer display the participant’s email address in that popup in this situation. (Ticket #221804)

• Bug fix: When viewing the Record Status Dashboard when Data Access Groups exist in a project, in certain situations the RSD page might load a bit slowly due to an excessive amount of SQL queries being run. (Ticket #221998)

• Various CDIS-related bug fixes, especially related to EHR user mapping when using multiple EHR systems

• New Multi-EHR functionality for Clinical Data Interoperability Services (CDIS)- Multiple electronic health record systems (EHRs) can now be defined on the CDIS page in the Control Center, whereas in previous versions only one could be defined. This will allow users to pull clinical data from many different EHR systems, if they desire. After a REDCap administrator has defined one or more EHR systems on the CDIS page, any given REDCap project can utilize a specific EHR connection. Note: A project can only be connected to one single EHR. The first EHR connection will serve as the default, and thus whenever CDP or Data Mart is enabled in a project, it will initially point to the default connection, but this can be changed after the fact to point to one of the other EHR connections that are defined in the Control Center. As previously, all users attempting to pull data from any EHR connection will need to have signed in through the EHR (either using the Standalone Launch or CDPs EHR Launch) in order to obtain a FHIR access token for that specific EHR. Thus the user must still have a valid account for each EHR from which they are attempting to pull data.

• Improvement: Performance improvement when using iMagick (i.e., rendering PDF attachments for Descriptive fields as images embedded inside REDCap-generated PDFs) by using a new internal image cache. Whenever a PDF attachment for a Descriptive field is rendered as an image via iMagick, the image of each PDF page will be cached and stored separately so that the next time the PDF attachment is being rendered inside a PDF, it will use the cached image(s) rather than perform a real-time conversion of the PDF to images every time, which can be time consuming. Note: The image cache of the PDF attachment will be stored and used for up to 30 days, after which it will be automatically deleted from the system.

• Improvement: New Read Only user privilege for the User Rights page- Users and roles can now be given Read Only access to the User Rights page, which will allow users to view the page but not be able to take any actions on the page. Note: If a user is in a Data Access Group while viewing the page, it is still the case that they can only view users from their own DAG on the page.

• Change/improvement: A notice was added on the Database Query Tool page so that when exactly 500 rows are returned from a query that does not contain a “limit” clause, it notes that more rows might exist that are not being displayed on the page. This is because “limit 0,500” is always appended to any query that lacks a “limit” clause. This will reduce confusion for admins who might assume that they are viewing the full results of a query when they might not be.

• Bug fix: If using file-based storage for Rapid Retrieval, in which an alternative storage directory has been defined, in certain cases many of the cached files in the alternative directory would mistakenly not get deleted after the 5-day expiration time.

• Bug fix: The REDCap::evaluateLogic() developer method’s documentation mistakenly did not include information about the current_context_instrument parameter, which is required for the correct evaluation of logic that contains certain Smart Variables. This parameter should be provided to the method if the logic is being evaluated within the context of a specific instrument (e.g., while on a survey page or data entry form). This parameter has been added to the method’s documentation. (Ticket #220861)

• Bug fix: When enabling Twilio in a project, it is possible in certain cases to enter the same Twilio phone number (if it is a U.S. number) for more than one project. This could be done by entering the phone number in one project with the U.S. country code, and then entering it in another project without the U.S. country code. (Ticket #221468)

• Bug fix: When importing alerts via a CSV file, if the file contains some mangled characters due to incorrect encoding, the file might fail to upload and would mistakenly not produce any error message.

• Bug fix: When using CDIS in certain contexts where data is being pulled for specific research studies, the FHIR ID of a research study might not be found.

• Bug fix: When using CDIS, issues might occur when fetching “conditions” data having a status other than “active”. Additionally, new FHIR resources were inadvertently excluded from mapping in CDP projects. This includes the following mappable resources: encounter, coverage, procedure, device, and all conditions (including their status).

• Bug fix: When using the functions day(), month(), or year(), more than once inside a calculation, it might not parse the calc correctly, thus possibly returning incorrect results. (Ticket #221544)

• Change/improvement: When using the eConsent Framework on a survey, the certification page now says “Working…” until the inline PDF finally loads on the page. This will reduce confusion for participants in case the PDF takes an abnormal time to load. (Ticket #221228)

• Medium security fix: The AWS SDK PHP third-party library contained a medium security vulnerability that would mistakenly allow an attacker to possibly perform URI path traversal. The library was updated to the latest version.

• Major bug fix: The API Delete Users method was mistakenly not checking if a user had User Rights privileges in the project in addition to API Import/Update privileges in order to successfully make a call to the API method.

• Bug fix: Direct links to the FAQ in certain places throughout REDCap were not working. They would merely take the user to the top of the Help & FAQ page instead of to a specific item. Bug emerged in REDCap 13.4.0. (Ticket #221329)

• Bug fix: If Form Display Logic or Survey Queue Logic references a specific repeating instance of a field, specifically instance “1”, “first-instance”, or “last-instance”, when the field exists on a repeating event that currently contains no data for a given record, the logic might mistakenly not evaluate correctly. (Ticket #221229)

• Bug fix: In specific situations where multiple File Upload fields are piped onto a page in a specific way, it may cause a JavaScript error that prevents the instrument from loading. (Ticket #221225)

• Bug fix: When using Multi-language Management, the “Initialize a new language from available system languages” option was mistakenly checked (while also disabled) even when no system languages are available, leading to a JavaScript error when “Continue” is clicked. (Ticket #221273)

• Improvement: If a project dashboard has been set as “public”, a link icon will appear next to the project dashboard title on the left-hand project menu. If a user clicks the link icon, the public project dashboard will open in a new tab.

• Improvement: If a report has been set as “public”, a link icon will appear next to the report title on the left-hand project menu. If a user clicks the link icon, the public report will open in a new tab.

• Improvement: The Unicode Transformation process (found via the Configuration Check page if your installation was installed prior to REDCap 8.5.0) now contains a Step 2 Alternative method, which utilizes a project-by-project Unicode Transformation process using a cron job. Previous versions required that SQL be run over all projects at the same time (which might take quite a while) while REDCap was offline. If your REDCap installation was installed roughly 8 years ago or if it contains more than 1000 projects, it is recommended that you use Step 2 Alternative to minimize server downtime during the Unicode Transformation process. After performing Step 1, Step 2 Alternative will provide some SQL to enable the cron job. Once initiated, you may refresh the page to view its project-by-project progress until all steps appear green on the page after it has finished. Note: Step 1 will still need to be run in real time while REDCap is offline. Thus downtime is unavoidable for Step 1. But the benefit of Step 2 Alternative is that it allows one to complete the remaining steps of the Unicode Transformation process without any downtime.

• Improvement: When in a project context when the Read Replica feature is enabled, the Read Replica’s utilization will now be maximized by referencing the last time a “write event” occurred in the project’s Logging (such as data being saved or the project being modified in some way) when being compared with the replica’s lag time (rather than merely using a static maximum lag time of 3 seconds as the cutoff). This means that, for example, if a project has not had any logged “write events” in the past 5 minutes, the replica will be used on specific pages in that project so long as the replica’s lag time (i.e., behind the primary database) is less than 5 minutes. Whereas in previous versions, the replica would only be utilized if the replica’s lag time was 3 seconds or less. This increases the utilization of the replica, thus improving overall system performance.

• Change: Some help text was added to the Form Display Logic and Survey Queue instructions to inform users that their conditional logic will be evaluated at the record level and not within the context of an event or a repeating instance, which means that it is not possible to use relative instance or relative event Smart Variables - i.e., those with the name ‘current’, ‘next’, or ‘previous’, such as [next-instance] or [previous-event-name].

• Change: The length of time in which the record list cache will be automatically reset has been increased from 1 week to 2 weeks. This was done because the record list cache has seen years of stability and can now be trusted to be accurate for longer periods of time. This change will reduce how often the cache will need to be rebuilt for an active project, which should improve overall system performance.

• Major bug fix: When checkbox field values are being imported during a data import (via the API or Data Import Tool), in which some calculated fields in the project reference the checkbox field in their calculations, the calc fields might mistakenly not get updated during the import process. (Ticket #221111)

• Bug fix: A warning might mistakenly be encountered during the extraction of an identifier from a FHIR request within a CDIS project. The adjustment involves ensuring that the returned identifier is a single value rather than an array.

• Bug fix: If fields are embedded into the field label of a File Upload field or Signature field, the “Upload file”/“Add signature” dialog would mistakenly display the embedded fields as editable, whereas it should instead display them as read-only since their values cannot be modified there inside the dialog. (Ticket #221137)

• Bug fix: In rare cases, a database query run on the Participant List page might cause the page to load very slowly or even time out. (Ticket #211469)

• Bug fix: In some cases when exporting the Project XML file for a project, the process might mistakenly crash with a fatal PHP error when using PHP 8. (Ticket #221097)

• Bug fix: In the Online Designer, when a field has a section header immediately above it, and the field is then moved to be directly above that section header, the field would mistakenly revert back to its original position.

• Bug fix: The “Insert a dynamic variable” feature on the Email Users page in the Control Center would mistakenly never work, in which the variables would not get successfully replaced in the email body when sending the emails.

• Bug fix: Using the function isblankormissingcode() in branching logic would not always return the correct result if the field used in the function is numeric. (Ticket #218984)

• Bug fix: When calling the Rename Record API method, the API request would mistakenly get logged as “Switch DAG (API)” when it should instead be logged as “Update record (API)”.

• Bug fix: When entering data on a data entry form or survey while using a mobile device, in which a text field on the page has field validation and the user has entered a value that will throw a field validation error, if they click the “Add signature” link or “Upload file” link for a signature or file upload field, respectively, while their cursor is still in the text field, then they would get stuck in an infinite loop of popups and not be able to continue data entry on the page. (Ticket #219569)

• Bug fix: When performing an API Export Records call with type=eav, in some rare cases the record ID field might mistakenly have duplicate rows for some records in the exported data. (Ticket #220860)

• Bug fix: When piping a field on the same instrument on which it is located, the piping might mistakenly not work in a repeating instrument or repeating event context. (Ticket #220610)

• Bug fix: When renaming a record in a multi-arm longitudinal project, in which the new record name already exists in another arm but in another case (e.g., renaming a record to “aa3” in arm 1 when there is already a record “AA3” in arm 2), issues can occur when trying to access the record in either arm in the user interface afterward. When this occurs going forward, the new record name will be forced to be the same case as the existing record in the other arm. (Ticket #217809)

• Bug fix: When uploading a data import file via the Background Data Import, in which the process somehow gets stuck during the initialization phase, the upload would mistakenly appear with a “queued” status. Going forward, if any imports are stuck in the initialization phase for more than one hour, they will be automatically cancelled by the system. (Ticket #220714)

• Bug fix: When uploading a data import file via the Background Data Import, in which the process somehow gets stuck processing for a long period of time, the upload would mistakenly appear with a “processing” status forever. Going forward, if any imports are stuck in the processing phase for more than one day, they will be automatically cancelled by the system.

• Bug fix: When using Google Cloud Storage for file storage in the system, and the “Organize the stored files by REDCap project ID?” setting is enabled, uploading a file on the main Send-It page (i.e., via the tab from the My Projects page) might cause a fatal PHP error when using PHP 8. (Ticket #221098)

• Various bug fixes and improvements to the External Module Framework: Added the isModulePage() and isREDCapPage() module methods (courtesy of Andrew Poppe) Added the dashboard-list module setting type (courtesy of Andrew Poppe) Added the visibility-filter option for the dashboard-list and form-list module setting types (courtesy of Andrew Poppe) Removed survey-list module setting type in favor of form-list with a visibility-filter option Misc. security scan script improvements

• Improvement: If the Read Replica feature is enabled, all API export methods will now utilize the Read Replica, whereas in previous versions the only API methods that utilized the Read Replica were the Export Records, Export Report, and Export Logging methods.

• Improvement: The Rapid Retrieval caching feature is now utilized for data exports and also for the API methods Export Records and Export Report, whereas in previous versions Rapid Retrieval was only utilized on report pages and the record status dashboard page.

• Change: The PID number for a project is now displayed on the My Projects page for all user types, whereas in previous versions it was only displayed for admins (users with some kind of Control Center access). (Ticket #220689)

• Improvement/change: For projects with the “Delete a record’s logging activity when deleting the record?” setting enabled on the Edit Project Settings page, a request to the API Delete Record method may now include the parameter delete_logging=0 if the user wants to prevent the record’s logging activity from being deleted when the record is deleted. If the setting is enabled in the project, then the default value will be ‘1’ for delete_logging (to maintain the existing behavior in previous versions), and if the project-level setting is not enabled, the default value will be ‘0’. If the project-level setting has been enabled, this API parameter must be provided with a value of ‘0’ in order to prevent the record’s logging activity from being deleted when the record is deleted (Ticket #96300)

• Various fixes and changes to the External Module Framework, including the following: 1) The getProjectsWithModuleEnabled() method begins included modules enabled via the “Enable module on all projects by default” setting as of framework version 15, and 2) Fixed copy/paste/cut issue in rich text editor.

• Major bug fix: When exporting a report (including using the API Report Export method) in CSV, XML, or JSON format, in which the report does NOT have “order by” fields, the resulting exported data might mistakenly contain duplicate rows, some of which might appear empty while others have the expected data for the given record/event. (Ticket #219392b)

• Bug fix: In a MyCap-enabled project, the MyCap participant install dates and baseline dates would mistakenly get carried over into copied projects and projects created via Project XML upload.

• Bug fix: In specific cases, the @richtext action tag might cause the Notes field’s rich text editor to be read-only when it should be editable on the page.

• Bug fix: On the Codebook page, collapsing of some tables on the page would not work in certain browsers.

• Bug fix: Some example R code in the API Playground was syntactically incorrect and would cause errors if it was run in R as is. Bug emerged in 13.7.24 LTS and 14.0.0 Standard Release. (Ticket #219535b)

• Bug fix: The EHR patient portal for CDIS might mistakenly fail to accurately display whether a patient was already associated with a given project. Bug emerged in REDCap 14.0.0.

• Bug fix: The Scheduling page would mistakenly never display the record drop-down list. Bug was originally fixed in version 13.8.3 but then reappeared again in 14.0.0. (Ticket #210446b)

• Bug fix: When clicking the increase/decrease font-size button at the top of survey pages, the speaker icons used for text-to-speech functionality would mistakenly not change size.

• Bug fix: When importing data (via API or Data Import Tool), in which the record name of the record being imported already exists in the project but has a different case (e.g., “101A” vs “101a”), it might cause extra logged events to be added during the data import process, even when no data is being modified. This issue does not seem to affect existing data in any negative way. (Ticket #219755)

• Bug fix: When importing data via the Data Import Tool’s background data import, if the CSV file contains any File Upload fields, even if they are empty columns, it would mistakenly display an error saying that some variable names in the file were invalid, which is confusing. File Upload fields will now be ignored for this field pre-check since ultimately they are ignored during the data import process since files cannot be uploaded using this method. (Ticket #218575)

• Bug fix: When sending invitations through the Participant List via the Compose Survey Invitations dialog, in some rare cases the action of scheduling/sending the invitations might result in a fatal PHP error for PHP 8. (Ticket #220549)

• Bug fix: When upgrading REDCap more than once in a single day, the “redcap_history_version” database table would mistakenly only list the last upgrade of the day. (Ticket #220627)

• Bug fix: When using CDIS, a patient’s preferred language might not be correctly extracted from a patient’s FHIR payload. (Ticket #219743)

• Bug fix: When using CDP (Clinical Data Pull), data was mistakenly not being automatically fetched from the EHR and imported into a given CDP project as part of the CPD cron job. The issue was observed specifically in scenarios where certain records lacked a specified Medical Record Number (MRN).

• Bug fix: When using Shibboleth authentication, the REDCap redirect URL was mistakenly not URL-encoded in the Shibboleth handler address, which might cause the user not to get redirected back to the correct place after returning from a successful Shibboleth login. (Ticket #220564)

• Improvement: For Descriptive Text fields on the Codebook page, the attachment’s filename and its display format are now listed on the page if it has an attachment, and the media URL and its display format are now listed on the page if it has a media URL. (Ticket #220204)

• Improvement: Improved user interface elements on the Codebook page. A new instrument table lists instrument names and also event designations, if longitudinal. The instrument and event tables are now collapsible. Additionally, the tables denote if an instrument is a repeating instrument or is designated to a repeating event, and the event table denotes if an event is a repeating event. All tables on the page are now collapsed by default. (Ticket #220221)

• Major bug fix: When exporting a report (including using the API Report Export method) in CSV, XML, or JSON format, in which the report is ordered by a field other than the record name and the total size of the exported data is fairly large (containing several hundred or thousand records), the resulting exported data might mistakenly be missing many rows of data. Bug emerged in the previous version. (Ticket #220275)

• Bug fix: If a proxy is specified on the General Configuration page in the Control Center, the username-password authentication for HTTP requests made during CDIS remote calls to the EHR system might not always work successfully under certain conditions. (Ticket #219039c)

• Bug fix: If a survey does not have survey instruction text, and the participant navigates back to page 1 after being on page 2 of the survey, the page would mistakenly display the “View survey instructions” link under the survey title.

• Bug fix: In some situations when copying a project, in which the records are also copied, the new project would appear not to have any records until the administrator clicked the “Clear all record and page caches” button on the Other Functionality page.

• Bug fix: Referencing a field from another instrument or another event inside the function month(), day(), or year() for a calculated field would mistakenly cause a calculation error to occur on the page. (Ticket #220405)

• Bug fix: The EHR Launch in CDIS might mistakenly fail due to a fatal PHP namespace error.

• Bug fix: The administrator’s browser time that is displayed at the bottom of the main Control Center page was not formatted correctly. (Ticket #219917)

• Bug fix: The query cache efficiency check on the Configuration Check page might mistakenly display a false positive saying that the MySQL query cache is not efficient when actually it is. (Ticket #220049)

• Bug fix: When a project has been deleted, some orphaned rows for that project might still exist in certain database tables. (Ticket #220047)

• Bug fix: When clicking the “Download metadata only (XML)” button on the Project Setup->Other Functionality page, it mistakenly would not log the file download. It now logs the download event as “Download REDCap project XML file (metadata only)” on the Logging page. (Ticket #220203)

• Bug fix: When using Azure AD authentication with Endpoint V2, the setting “AD attribute to use for REDCap username” was mistakenly not using all of the options listed in the drop-down but would only use the “userPrincipalName” option, if selected. Now all options can be used in Endpoint V2. (Ticket #134789b)

• Bug fix: When using the Survey Login feature in a longitudinal project, in which a field referenced on the survey login page exists on a different event as the survey currently being taken, the logged event’s description of the successful/failed login on the Logging page would mistakenly have the wrong event for the context of the survey login. (Ticket #220174)

• New action tag: @SHOWCHOICE- When applied to a multiple-choice field, this action tag will hide all choices except for the ones listed in its argument. This action tag is useful if you wish to only show a subset of choices depending on some logic (e.g., depending on data access groups) via the IF action tag. The format must follow the pattern @SHOWCHOICE='??', in which the coded values should be inside single or double quotes for the choice(s) you wish to show. If more than one choice needs to be shown, then provide all the coded values separated by commas. For example, to show the choice ‘Monday (1)’, you would have @SHOWCHOICE=‘1’, but if you wanted to additionally show ‘Tuesday (2)’, you would have @SHOWCHOICE=‘1,2’. NOTE: The @SHOWCHOICE action tag supports piping into its argument - e.g., @SHOWCHOICE=[my_checkbox:checked:value].

• New feature: Additional redcap_data tables To help improve long-term server performance over time through horizontal scaling, REDCap now makes use of 3 new redcap_data tables named redcap_data2, redcap_data3, and redcap_data4. As new projects are created, they will be assigned to one of the four data tables, which will be the single place where that projects data is stored. Utilizing more data tables will allow REDCap to maintain its speed and remain performant over time. The addition of these new tables is a completely automatic and transparent change that users will likely never realize or need to know about. However, administrators should be aware of it, especially in regard to the creation of Dynamic SQL fields (see below), which will be affected by this change. Note: No existing projects will be impacted by this change in v14.0.0; thus, it will only affect new projects created after upgrading to v14.0.0. Also, a projects data table can always be obtained on the Edit Project Settings page after selecting a project, in which the table name will be listed at the top of that page. New [data-table] Smart Variable- Since a projects data can be stored in any of the 4 data tables, writing queries for Dynamic SQL fields can be tricky. On the Add/Edit Field dialog on the Online Designer, it will note the current projects data table after selecting Dynamic SQL Field in the dialog. However, instead of using the literal data table name in their SQL query, admins may instead use [data-table], which will be replaced with the current tables data table name. If you wish to obtain the data table name for another project, append a colon and the PID of the other project - e.g., [data-table:7345], in which the PID of the other project is 7345. It is advised that going forward, administrators should utilize the [data-table] Smart Variable for Dynamic SQL fields rather than using the literal data table name. New developer method REDCap::getDataTable($pid)- New REDCap class method for plugins/modules/hooks that will return the redcap_dataX database table name for a specified project by providing its project_id. If $project_id is null or not provided, it will return “redcap_data” by default. It is recommended that if any External Module developers have any EMs that reference the redcap_data explicitly in their EM code, they should replace it similar to how it is done in the code below: \(data_table = method_exists('\REDCap', 'getDataTable') ? \REDCap::getDataTable(\)project_id) : “redcap_data”; $sql = “select * from $data_table where project_id = $project_id”; New Move Project Data page This page allows REDCap administrators to move the data stored in a given REDCap project to another redcap_dataX table in the database in order to [hopefully] improve the general performance of the project. The performance improvement will depend greatly on the size and structure of the project and will also depend on many things in the overall system, such as the current size of the redcap_data table and the power of the database server. Note: The data transfer process on this page will perform multiple checks to ensure that all data gets moved successfully, and if anything goes wrong, it will automatically roll back all changes. How to find this page - The Edit Project Settings page in the Control Center contains a link to the Move Project Data page.

• New feature: Read Replica Server To help offset server load if the REDCap system has been experiencing routine slowness, REDCap can connect to a read-only, secondary database server that uses MySQL/MariaDB replication to stay in sync with REDCap’s primary database server. The Read Replica server will be utilized only for read-only operations in the following places in REDCap: viewing reports, exporting data (including API exports), viewing record status dashboards, viewing and exporting the project logging page (including API logging exports), using the data search tool, viewing the scheduling page, executing data quality rules, viewing project dashboards, and viewing the Control Center’s System Statistics and User Activity Log pages. The effort of enabling the Read Replica functionality is very minimal once a replica server has been created and is successfully replicating from the REDCap primary database server. Most of the work will be simply setting up the replica server. Instructions for setting up the Read Replica can be found near the top of the General Configuration page in the Control Center. NOTE: The Read Replica is only recommended for use if you have been experiencing performance issues with your REDCap server, such as a routine or off-and-on slowness. Before enabling the Read Replica feature, it is advised that you explore other ways to improve database performance first, such as adding more RAM and CPUs to your database server to see if that provides some improvement. If those things do not help, then using the Read Replica might be a good option.

• New page-level caching feature: Rapid Retrieval REDCap now implements an automatic, transparent form of page-level caching (known as Rapid Retrieval) to help speed up certain pages that are known to be slow. Currently, Rapid Retrieval operates only on reports and on the Record Status Dashboard page. When a cache is being utilized, a note will appear at the top of the page that says Page speed was boosted using Rapid Retrieval. The Rapid Retrieval cache can be cleared for an entire project by an administrator using the Clear the Record List Cache button on the Project Setup->Other Functionality page, in which the button text now says Clear all record & page caches. On the Modules/Services Configuration page in the Control Center, the Rapid Retrieval functionality can be disabled for the whole system, if desired. It has two options: File-based storage (default, recommended) and Database storage. If set to ‘File-based storage’, the Rapid Retrieval feature will store all cached files in REDCap’s ‘temp’ folder by default. If set to ‘Database storage’, they will be stored in the redcap_cache database table. When using File-based storage, there is an additional setting named Alternative directory to store cached files that is completely optional, in which you may set an alternate location on your web server for storing the cached files, whether for security or performance related reasons. Suggestion: The File-based storage method is recommended in most cases, such as on very active servers, because the Database storage method can tend to cause the database to be too busy, in which it may bog down the server and/or cause the MySQL binary log to grow too rapidly. You may try both options to see if one performs better overall. There is no harm in changing this setting at any time while the system is running. Additional notes: When using File-based storage, the cached files are completely encrypted (at rest) on the web server, and the files are quickly removed by a cron job once they have been invalidated and can no longer be utilized. This form of active pruning keeps the cached files from taking up too much space on the web server.

• Improvement: The @HIDECHOICE action tag now supports piping into its argument - e.g., @HIDECHOICE=[my_checkbox:checked:value].

• Improvement: The bottom of the main Control Center page now displays the current time of the users browser and the current time of the REDCap server (with its timezone).

• Change: When downloading the Survey Queue settings via CSV file, the CSV filename now contains the project title and timestamp of the download.

• Change: When viewing the “View or Edit Schedule” tab on the Scheduling page when more than 10K drop-down options would be displayed in the already-scheduled drop-down list of records, in which the drop-down will display at all, the text on the page has been modified for better clarity since it was confusing regarding how to view an already-scheduled record in this situation.

• Major bug fix: When exporting a report (including using the API Report Export method) in CSV, XML, or JSON format, in which the report is ordered by a field other than the record name and the total size of the exported data is fairly large (containing several hundred or thousand records), the resulting exported data might mistakenly contain duplicate rows, some of which might appear empty while others have the expected data for the given record/event. (Ticket #219392)

• Bug fix: For certain REDCap installations, the events on the Define My Events page would not be ordered correctly. (Ticket #219188)

• Bug fix: Form Display Logic might mistakenly not be evaluated correctly on the Record Home Page when a record has not been created yet but is in the process of being created. (Ticket #219883)

• Bug fix: If a proxy is specified on the General Configuration page in the Control Center, it was mistakenly not using username-password authentication for HTTP requests made during CDIS remote calls to the EHR system. (Ticket #219039b)

• Bug fix: In some rare cases when using nested IF action tags for a field in which spaces or line breaks appear in specific places in the IF’s logic, the IF action tag might mistakenly not evaluate correctly.

• Bug fix: Issues related to copy, paste, and cut in the TinyMCE 6 rich text editor. (Ticket #219212, #219274, #218550, #219286)

• Bug fix: Some example R code in the API Playground was syntactically incorrect and would cause errors if it was run in R as is. (Ticket #219535)

• Bug fix: The “Upcoming Scheduled Survey Invitations” popup on the Record Home Page might not display all the upcoming invitations scheduled in the next 7 days but might mistakenly omit some. (Ticket #218769)

• Bug fix: When a datediff() function has a literal date value (e.g., “22-07-2023”) for the first or second parameter in the function, in which the date value is in DMY or MDY date format, the datediff might mistakenly not perform the calculation correctly in some instances - most specifically server-side processes, such as auto-calculations, data imports, and Data Quality rule H. (Ticket #219662)

• Bug fix: When downloading the Survey Queue settings via CSV file, the download action was mistakenly not being logged.

• Bug fix: When opening certain dialog popups throughout the application, in which the dialog contains a lot of text, the page might mistakenly auto-scroll downward unexpectedly, thus causing the user to have to scroll back up in order to read the dialog contents.

• Bug fix: When uploading the Survey Queue settings via CSV file, the upload action was mistakenly being logged multiple times.

• Bug fix: When using the RICHTEXT action tag for a field on a data entry form that is disabled/readonly (due to limited user rights or when viewing a survey response that is not in edit mode), the field’s rich text editor would mistakenly not appear disabled/readonly and would allow users to type and modify its content, even though the page is not able to be submitted. (Ticket #219212b)

• Several fixes and improvements for the External Modules Framework, including 1) Added the report-list and survey-list EM setting types, and 2) Resolved a queryLogs() bug when referencing username in WHERE clauses (Ticket #217622).