Changelog

This page includes a partial list of changes with each version of REDCap, including new features, improvements, and bug fixes.

Version 14.9.1 (released December 06, 2024)

Bug Fixes

  • Critical bug fix: Under specific circumstances when using PHP 8, data entry forms and survey pages might mistakenly always crash with a fatal PHP error, thus making data collection impossible. Bug emerged in REDCap 14.9.0 Standard. (Ticket #245574)

Version 14.9.0 (released December 05, 2024)

New Features

  • New feature: Organize stored files into subfolders by project (for “Local” storage only)
    • This is an optional feature that allows files for a given project to be stored in a subdirectory named “pidXXXX”, in which XXXX is the PID of the project, rather than storing the files associated with that project in the main local storage directory on the web server. This feature can aid in the organization of files if IT/server admins are not happy with there being thousands or millions of files stored in the main storage directory.
    • Once enabled, this setting will be applied to new projects that are created after the fact. This setting will not apply to any existing projects that were created before this setting was enabled.
    • This feature can be enabled near the top of the File Upload Settings page in the Control Center. When upgrading, this setting will be disabled by default, although it will be enabled by default when performing a fresh install of REDCap.
    • This feature is only applicable for REDCap installations that are using “Local” file storage or “Google Cloud Storage (for Google App Engine hosting only)”.
    • When enabled, if REDCap is unable (due to a directory permissions issue, etc.) to create a project-level subfolder when a new project is created, it will instead default to storing all project files in the main Local File Storage directory (specified above) for that project.

Changes/Improvements

  • Improvement/change: Added 8 new MTB measures for use in MyCap-enabled projects: Spanish versions of Arranging Pictures, Arrows, FNAME Learning, FNAME Test, Number Match, Sequences, Shape-Color Sorting, Word Meaning Form 1.

  • Improvement: The PDF Snapshot Archive page in the File Repository now contains a new button to allow users to download the PDF Archive’s file list as a CSV file. (Ticket #245337)

  • Improvement: When a project is created from a Project XML file, additional info about the file (source system REDCap version and the XML file’s creation date) is displayed on the page, or a warning message is displayed if the XML file appears not to be a proper REDCap Project XML file. (Ticket #245469)

  • Minor security improvement: The SameSite attribute for cookies utilized by REDCap now defaults to the value “Strict”, which provides more security by preventing cookie information leakage to first-party or same-site context. In previous versions, the default value for the SameSite attribute was “Lax”.

  • Change: A cookie policy was added that specifies the details of how cookies are utilized by a person’s web browser when using REDCap. A link to the policy exists at the bottom of every webpage in REDCap.

  • Change: When an admin clicks the “Compose confirmation email” button to send an email to the user via the Project Modifications Review page for Draft Mode, the logged event description (i.e., “Send email to user from admin”) now includes the recipient’s email address so that their email appears in the project logging to provide more context.

  • Various changes for the External Module Framework, including 1) Relaxed tag vs. release zip comparison during security scans, 2) EM Logs table within the project context will now properly maintain PID context (this prevents it from navigating away to the Control Center when trying to use search parameters), 3) Added ‘Record’ and ‘UserName’ columns to the report table of EM logs, 4) Included the framework’s twig dependency when checking for composer conflicts, and 5) Misc. minor changes.

Bug Fixes

  • Minor security fix: If REDCap Messenger is enabled, a malicious user could impersonate another user in the system specifically when uploading a file into a Messenger conversation by manipulating an HTTP request in a specially-crafted way. Note: This would not give the user being impersonated access to a Messenger conversation to which they do not have access to, but it would make it appear as if the other user uploaded the file to the conversation. This can only be exploited by authenticated users. Bugs exists in all versions of REDCap in the past 8 years.

  • Medium security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into the record name of a record being imported via the Data Import Tool or API, after which the exploit could be activated in a specific place in the Online Designer. This can only be exploited by authenticated users. Bugs exists in all versions of REDCap in the past 8 years.

  • Major bug fix: If a project has randomization enabled, in which the randomization field itself has branching logic, it is possible that the randomization field could mistakenly be hidden by branching logic even after the record has been randomized (in pre-14.7.0 versions, this could not happen), thus causing the randomization field’s value to be erased if the instrument is saved afterward. Bug emerged in REDCap 14.7.0 Standard. (Ticket #243375)

  • Major bug fix: When attempting to perform a traditional installation of REDCap on a PHP 8 web server, the install page would crash with a fatal PHP error, thus preventing the admin from completing the installation process successfully. Bug emerged in REDCap 14.8.0 Standard. (Ticket #244721, #245265, #245371)

  • Bug fix: A missing LOINC code was added to the CDIS mapping features.

  • Bug fix: An outdated version of jQuery was mistakenly included in REDCap as part of a third-party library. That outdated version has been removed since it did not serve a functional role in the library. (Ticket #245523)

  • Bug fix: If a Text field or Dropdown field is embedded on an instrument but is not using the “:icons” notation (e.g., {myfield:icons}), then if Missing Data Codes are being used in the project and the field’s current saved value is a MDC, there would be no way for a user to clear out the MDC and thus change the field’s value. In this situation, the M icon will now be displayed next to the field to allow users to unset the MDC value. (Ticket #245398)

  • Bug fix: If a project contains surveys, the “Filter by user name” drop-down list on the Logging page would mistakenly not display the “[survey respondent]” option. That option will now be displayed if surveys are enabled in the project. Bug emerged in REDCap 14.8.1 Standard. (Ticket #245290)

  • Bug fix: When a user attempts to resize the Choices textbox (for a multiple choice field) inside the Edit Field dialog in the Online Designer, the elements below the textbox would not move in response to the resizing, thus allowing the textbox to be stretched and mistakenly appear underneath the other elements. (Ticket #245180)

  • Bug fix: When an admin clicks the “Auto-fill form/survey” link on a form or survey, and a DMY or MDY formatted date field has the literal value “today” as the min or max range validation, this would result in an out-of-range validation error on the page. (Ticket #226377)

  • Bug fix: When downloading the Notification Log on the Alerts & Notifications page, the resulting CSV file’s filename would mistakenly end with “.csv.csv”. (Ticket #245440)

  • Bug fix: When exporting data to SPSS, the SPSS Pathway Mapper batch file would mistakenly remove the BOM (byte order mark) from the SPSS file, leading to UTF-8 characters in the SPSS file getting mangled.

  • Bug fix: When modifying a matrix of fields in the Online Designer, in which the variable names of some fields are changed, the fields would mistakenly not be saved correctly, and attributes of some fields in the matrix might get merged into other fields in the matrix. (Ticket #244773)

  • Bug fix: When performing a data import that contains values for the Secondary Unique Field in the project, in which the SUF’s value happens to be a Missing Data Code and another record already has the same Missing Data Code saved for the SUF in the other record, the import process would stop with an error message saying the value of the field duplicates the value from another record. The SUF uniqueness check should not be performed when importing a Missing Data Code. (Ticket #245182)

  • Bug fix: When the “Require a reason when making changes to existing records” feature is enabled in a project and a user goes to import data using the Data Import Tool, the user is given a warning message if a “reason” is not provided for all existing records being modified by the import, but it would mistakenly allow the import to take place without a reason provided, which should not be allowed. (Ticket #245514)

  • Bug fix: When uploading a consent form file for a survey on the e-Consent Framework page, in which the file uploaded is not a PDF file, it would mistakenly add a placeholder in the consent file version table (but with a blank value for the PDF file), which would prevent users thereafter from uploading the correct file with the same consent form version number (because the version number is already used by the previous mistaken upload). (Ticket #245561)

  • Bug fix: When using Twilio/Mosio telephony services in a project that is utilizing the setting to use a mappable multiple choice field for the Delivery Preference, if a new record is created via a data import or via the API, in which the mappable field value is set during the import process, the new record’s delivery preference would mistakenly be set to the project default delivery preference (or instead as “Email”) rather than to the correct delivery preference value for the record. (Ticket #245186)

  • Bug fix: When viewing the field-view in the Online Designer, in which a date/datetime field is embedded and also has the CALCDATE action tag, the green “Field is embedded elsewhere on page” button would mistakenly be hidden for that field. (Ticket #245243)

  • Bug fixes for Clinical Data Interoperability Services (CDIS): 1) Resolved incorrect display of mapped status for “Device - Implants” resources in the CDIS Mapping Helper, and 2) Fixed saving functionality for “Device - Implants” resources in the matching form for CDM projects.

Version 14.8.3 (released November 26, 2024)

Changes/Improvements

  • Improvement: When creating an alert in a longitudinal project, users can now select an email field from the current event where the alert is triggered to be used as the “Email To” setting for the alert. This allows for flexibility when using different email addresses on each event in the project. In previous versions, email fields in specific events only could be selected.

  • Minor security improvement: The HTTP header “Referrer-Policy: strict-origin-when-cross-origin” was added to prevent the leakage of referrer information when navigating to external websites from REDCap.

  • Change/improvement: Allow multiple PHP errors to be logged in the “redcap_error_log” database table for a single request (i.e., single log_view_id).

  • Change: REDCap is now officially compatible with PHP 8.4. Note: It was noted in a previous release that REDCap 14.7.4 and higher was compatible with PHP 8.4, but that was incorrect. Only REDCap 14.8.3 and higher are compatible with PHP 8.4. Additionally, the current recommended PHP versions for REDCap are PHP 8.1, 8.2, 8.3, and 8.4. Note: REDCap is currently compatible with PHP version 7.3.0 and all later versions (including PHP 8.4.X).

Bug Fixes

  • Minor security fix: A vulnerability was discovered in REDCap Messenger in which a malicious user could potentially exploit it by manipulating an HTTP request in a specially-crafted way that would potentially allow them to enumerate a list of all usernames in the whole system, including users' first and last name. This can only be exploited by authenticated users. Bugs exists in all versions of REDCap 7.4.0 and later.

  • Bug fix: If a survey ends via a Stop Action and the Alternate Survey Completion Text has been left blank, it would display no text at all at the end of the survey when it should instead default to displaying the regular Survey Completion Text. (Ticket #245008)

  • Bug fix: If users are using Firefox ESR (Extended Support Release) 115 as their browser, the Font Awesome icons (i.e., most of the icons used in REDCap) would mistakenly be invisible on all REDCap pages due to an incompatibility issue with Font Awesome 6.7.0 (that library was upgraded to 6.7.0 in the previous REDCap version). The Font Awesome library in REDCap has been upgraded to 6.7.1 to resolve this issue for users using Firefox ESR 115. Note: This should not affect users using the latest Firefox version in its default release channel, and this also does not affect users using other browsers. Bug emerged in the previous REDCap version.

  • Bug fix: In very specific situations where a date/datetime field has the READONLY action tag, the calendar datepicker icon next to the field would mistakenly still be displayed, thus allowing users to inadvertently modify the field value using the datepicker widget. (Ticket #244986)

  • Bug fix: The Data Search feature on the “Add/Edit Records” page might mistakenly keep saying “Searching…” even when nothing has been returned if certain keys on the keyboard are clicked, such as Enter, when typing the search term. (Ticket #54818b)

  • Bug fix: The piping documentation mistakenly did not specify that piping essentially bypasses a user’s Data Viewing Rights, so even if a user has ‘No Access’ Data Viewing Rights for the instrument of a piped field, any user will be able to view the data of the piped field regardless of where the field is being piped. More information has now been added to the piping documentation to clarify this missing piece of information. (Ticket #244827)

  • Bug fix: When MLM is active, the redirection of completed surveys via the survey termination option “Redirect to a URL” would not work as expected. (Ticket #244741)

  • Bug fix: When uploading a file into a REDCap Messenger conversation while inside a REDCap project, the Upload File dialog would mistakenly be covered by the left-hand project menu.

Version 14.8.2 (released November 20, 2024)

Bug Fixes

  • Major bug fix: The Multi-Language Management page in the Control Center would mistakenly fail to load due to a JavaScript error. Bug emerged in REDCap 14.8.0 (Standard).

Version 14.8.1 (released November 20, 2024)

Changes/Improvements

  • Minor security improvement: A couple different project pages might mistakenly allow knowledgeable malicious users to email any recipient as many times as they wish (i.e., spam any email address), although the email itself would still have to come “From” one of the user’s email addresses as listed in their REDCap user profile. Exploiting this feature is no longer possible.

  • Change/improvement: When using the Data Resolution Workflow, the “assign user” drop-down list in the DRW dialog is now displayed as an auto-complete drop-down to help users more easily select a user from the list in projects that have a large number of users.

  • Change: Performance improvements on the MLM setup page, which should load faster than in previous versions.

Bug Fixes

  • Minor security fix: A security vulnerability was discovered in the Moment.js library that is utilized by REDCap. That library has been removed from the REDCap code to remediate this issue.

  • Minor security fix: Due to a ReDoS (Regular expression Denial of Service) vulnerability discovered in the Vue third-party library that is bundled in REDCap, the Vue library utilized specifically on the CDP Mapping page has been upgraded to a newer version that does not contain the vulnerability.

  • Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in REDCap Messenger and in the Data Quality module in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way. These can only be exploited by authenticated users. Bugs exists in all versions of REDCap 7.4.0 and later.

  • Major security fix: An SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. This can only be exploited by authenticated users. Bugs exists in all versions of REDCap 13.0.0 and later.

  • Bug fix: If a Descriptive Popup’s link text is an exact match for the choice label in a checkbox field, the choice label text would mistakenly be shifted to the left, in which the checkbox itself might not be visible. (Ticket #244425)

  • Bug fix: If a Descriptive Popup’s link text matches a choice label in a drop-down field, the popup’s content would mistakenly be inserted into the choice label. Descriptive Popups should not work for drop-down field choices due to general HTML limitations. (Ticket #244425)

  • Bug fix: If a Descriptive Popup’s link text matches a choice label in a radio field, the popup’s content (when displayed) might mistakenly be indented and not fit well inside the popup. (Ticket #244425)

  • Bug fix: If one or more fields are piped into the survey instructions of a survey, in which the fields being piped are located on the first page of the survey, the real-time piping action might not occur when entering data into those fields on the first survey page unless those same fields happen to be piped elsewhere on the page.

  • Bug fix: If the MyCap External Module had previously been enabled at the system level, and a user enables Draft Preview Mode in a production project, the Record Status Dashboard might mistakenly fail to load due to a fatal PHP error for PHP 8. (Ticket #244458)

  • Bug fix: In a multi-arm project that utilizes the Survey Queue or certain [survey-X] Smart Variables, in which individual records will exist on multiple arms at the same time, if a record exists in one arm and then a participant uses the Survey Queue to navigate to a survey in another arm where the record does not yet exist, the participant would mistakenly be redirected to the survey page that asks them to enter a survey access code. And if using a [survey-X] Smart Variable that refers to a survey on another arm, it would mistakenly return a blank value.

  • Bug fix: In the External Modules Framework, the method $module->getFirstEventId() would mistakenly not return the true first Event ID as listed on the My Events page in longitudinal projects.

  • Bug fix: Several missing LOINC codes were added to the CDIS mapping features.

  • Bug fix: The API Playground page might load unusually slowly for older projects or busy projects (i.e., with lots of logged events).

  • Bug fix: When a matrix of fields contains no choices, the Online Designer field-view page, data entry form, and survey page containing that matrix might mistakenly crash due to a fatal PHP error when using PHP 8. (Ticket #244669)

  • Bug fix: When exporting a report in “labels” format for a report that is sorted by a multiple choice field that has integers for every choice value, the resulting exported data would mistakenly not be sorted according to the choice labels but would often revert to being sorted by the record ID field instead. (Ticket #244525)

  • Bug fix: When using Multi-Language Management and translating field labels, in certain cases some text in the field label might not align horizontally with other text that should be displayed on the same line.

  • Bug fix: When using a CDIS service, the Date of Death value of a patient was mistakenly displayed in Zulu (UTC) time instead of the expected local formatted time. The date is now converted to local time and formatted to YYYY-MM-DD HH:MM format for consistency.

Version 14.8.0 (released November 14, 2024)

New Features

  • New feature: Descriptive Popups

    • This feature represents the integration of Mark McEver’s “Inline Descriptive Popup” External Module. Note: Upgrading to this version will not disable the “Inline Descriptive Popup” EM nor will it migrate any settings from the EM if the EM is being used in a project.
    • Summary: Descriptive popups are custom popups of text that become visible after hovering over a specific word or phrase on a data entry form or survey. They have two main components: 1) the link text, which should match a word or phrase used on a form or survey, and 2) the custom text for the popup content. Users may set a descriptive popup to work on all instruments/surveys (default) or on specific ones. Descriptive popups are a great way to convey extra information on a form or survey without the text taking up space on the page. Users may configure their descriptive popups to be activated only on specific instruments. By default, they are enabled on all instruments. Additionally, if the popups are enabled to work on a survey, especially a multi-page survey, users can specify specific page numbers on which the popups will be activated.
    • When copying a project or exporting a project via a Project XML file, there is now an option to copy/export the descriptive popup settings, respectively.
    • Web accessibility: Descriptive popups are WCAG compliant, thus they will work with screen readers.
    • MLM: Both the link text and popup content text of descriptive popups can be translated using Multi-Language Management.
  • New feature: Draft Preview Mode

    • Draft Preview Mode allows users to preview their data entry forms with their current drafted changes as if they were live. This allows users to fully test the changes they have made in Draft Mode, including all branching logic, calculations, action tags, and embedded fields, before submitting their drafted changes for approval.
    • Additionally, Draft Preview Mode will simulate live data entry on data entry forms, thus allowing users to enter ephemeral data that is stored only in their session; however, no data will actually be saved to the project. Once a user leaves Draft Preview Mode, all ephemeral data that has been entered will vanish.
    • Limitations: While in Draft Preview Mode, the following limitations exist: No new records can be created. No data can be changed or stored in the project (all data changes are transient and are bound to the user’s login session). Only changes to already existing forms can be previewed. Delete operations (deleting whole records or deleting data for forms/events) are disabled. Several more limitations exist and are delineated in the Online Designer before enabling Draft Preview Mode.
    • Note: Draft Preview Mode only operates on data entry pages, the Record Status Dashboard, and the Record Home Page. It does not impact any other pages, and it currently does not work on survey pages.

Changes/Improvements

  • Improvement: REDCap now supports the “address” HTML tag so that it may be utilized in user input (e.g., field labels, survey instructions). (Ticket #244390)

  • Change: In a MyCap-enabled project, REDCap now prevents the user from accessing the “View participant QR code” and “Invite Template” popups until the first MyCap app version has been published for the project.

  • Change: In a MyCap-enabled project, the “Messages” feature is now disabled in the MyCap participants list for participants that have not yet joined the project using the MyCap mobile app (i.e., their install date is blank).

  • Change: The “Learn Advanced Design Features” link on the left-hand project menu is now only displayed to users with Project Setup & Design privileges. (Ticket #244150)

Bug Fixes

  • Bug fix: If the Survey Base URL is being used together with Clickjacking Prevention in the REDCap installation, “Custom Surveys for Project Status Transitions” survey pages would initially load in a user’s browser, but after clicking a submit button on the survey, the page would be blocked and would not load any more pages. Note: This was supposedly fixed in REDCap 14.5.16 (LTS) and 14.6.10 (Standard), but it was only partially fixed. (Ticket #240644b)

  • Bug fix: If using the AWS CloudFormation deployment of REDCap, the REDCap upgrade process might mistakenly fail or have issues due to the “upgrade-aws-eb.sh” file inside the REDCap source code not being up-to-date with the same file stored in the GitHub repo for REDCap’s AWS CloudFormation (https://github.com/vanderbilt-redcap/redcap-aws-cloudformation/). The file inside REDCap has now been updated to match the GitHub file.

  • Bug fix: In a MyCap-enabled project, REDCap was mistakenly listing DAG-specific announcements in a participant’s message thread even if they are not in the DAG.

  • Bug fix: In a MyCap-enabled project, fields with the action tag MC-PARTICIPANT-CODE would mistakenly not get updated with the participant code value for records created via the API.

  • Bug fix: The System Statistics might mistakenly fail to load due to a fatal PHP error in PHP 8. In PHP 7, the Randomization project count on the System Statistics page would instead be a blank value instead of a number. Bug emerged in REDCap 14.7.4.

  • Bug fix: When downloading a PDF containing saved data, in which the PDF contains data for repeating instruments and/or repeating events, the repeating instances might be mistakenly displayed out of order in the PDF (with the instances of different repeating instruments being ordered by instance number instead of being ordered by instrument then instance number). Additionally, some of the repeating instruments might be duplicated as empty forms (as if they have no data) on certain pages in the PDF. (Ticket #244080)

  • Bug fix: When using field embedding on a Descriptive field that has an “Embed media” URL that is set to be displayed “Inline”, the resulting “View media” button and/or field label would mistakenly not appear where the field is supposed to be embedded on a survey page or data entry form. (Ticket #243847)

  • Bug fix: When using the “Erase all data” option on the Other Functionality page or when moving a project to production while erasing all records, any PDF Snapshots that are stored in the “PDF Snapshot Archive” in the File Repository would mistakenly not be deleted during this process. (Ticket #244073)

  • Bug fix: When using the [stats-table] Smart Variable with one or more unique event names appended to it (in order to limit the table data to specific events), the resulting stats table would mistakenly always display counts from all events for the given field instead of the specified events. (Ticket #244162)

Version 14.7.5 (released November 12, 2024)

Bug Fixes

  • Major bug fix: In several places in a project where survey links are generated, such as using the Smart Variable [survey-link] or the EM developer method REDCap::surveyLink(), those might return a blank value instead of a real URL. Additionally, if a survey has the “Allow participants to download a PDF of their responses at end of survey?” option set to “Yes” on the Survey Settings page, participants would get a 404 error in their browser when clicking the PDF Download button after completing the survey, thus preventing them from downloading the survey. Bug emerged in the previous version. (Ticket #244103, 244176)

Version 14.7.4 (released November 07, 2024)

Changes/Improvements

  • Security improvement: When using REDCap’s Two-Factor Authentication, the OTP (One Time Password) encryption secret, which is stored for a user in the back-end database and is used to generate their QR code for 2FA, has been increased to 160 bits to meet certain security standards. Note: This change will not affect existing users' ability to continue using their already-established Microsoft/Google Authenticator mobile app for 2FA in REDCap.

  • Change: Updated REDCap’s session handler functions to be compatible with the upcoming PHP 8.4 release. Thus, the only REDCap versions that are compatible with PHP 8.4 are REDCap 14.7.4 and higher.

  • Change/improvement: The dates displayed in the “Other useful info” box on the main Control Center page are now listed in the date format dictated by the user’s profile date format preference.

  • Change: On the Survey Invitation Log and Notification Log, a new warning has been added to the page when a project is in Analysis/Cleanup project status to denote that any already-scheduled survey invitations or alerts will not be sent while in Analysis/Cleanup status, despite the fact that the user may see scheduled invitations/alerts on those pages.

  • Change: The “Online Designer” video on the Training Videos page was updated, and a new video “Randomization” was added.

  • Change: When using Multi-Language Management in a MyCap-enabled project, the MLM setup page will now display a warning to users when adding an MLM language when the country code isn’t supported in the MyCap mobile app.

Bug Fixes

  • Minor security fix: A security vulnerability was discovered in the Twig library that is utilized by the External Module Framework. Twig has been upgraded to version 3.11.2 in the REDCap code to remediate this issue.

  • Minor security fix: Due to a ReDoS (Regular expression Denial of Service) vulnerability discovered in the Vue third-party library that is bundled in REDCap, the Vue library has been upgraded to a newer version that does not contain the vulnerability.

  • Bug fix: A PHP fatal error might occur when enabling a PROMIS battery measure for MyCap.

  • Bug fix: A duplicate language key for MyCap existed in the English.ini file. (Ticket #243930)

  • Bug fix: In certain cases, when creating a new project using a Project XML file that contains Custom Record Status Dashboards, the “Select instruments/events” attribute might not get set correctly during the import, thus causing that dashboard not to display any instruments when viewing it. (Ticket #243909)

  • Bug fix: In some rare cases when upgrading from a REDCap version lower than 14.3.1, the upgrade page might mistakenly fail to load completely. Bug emerged in REDCap 14.3.1 Standard. Note: This was supposedly fixed in the previous release, but mistakenly it was not.

  • Bug fix: The Smart Variable [mycap-participant-code] might display a blank value when being utilized on an instrument with a different event or page where the event ID is set in the URL (if different from the event ID stored in redcap_survey_participants database table).

  • Bug fix: When certain record-based [survey-X] Smart Variables are utilized on a survey or data entry form (e.g., CALCTEXT([survey-access-code])), in which the record has not been created yet, duplicate rows might mistakenly be added for the resulting record in the Participant List.

  • Bug fix: When clicking the “Download all” button when viewing the PDF Snapshot Archive in the File Repository, any PDF snapshots created using a logic-based snapshot trigger would mistakenly not be included in the downloaded zip file. (Ticket #243743)

  • Bug fix: When enabling MyCap on a project that has existing records, the MyCap participant code would mistakenly not get populated for fields with the action tag @MC-PARTICIPANT-CODE.

  • Bug fix: When importing data using the Data Import Tool or API, it would mistakenly not be possible to import Missing Data Codes for a Slider field. (Ticket #243896)

  • Bug fix: When uploading user role assignments via CSV on the User Rights page, if the username in the CSV file has trailing spaces, those spaces might mistakenly not get removed when saving the user role assignments in the project. (Ticket #243138b)

Version 14.7.3 (released October 31, 2024)

Changes/Improvements

  • Change/improvement: Better error reporting during CSV file import into MLM.

  • Change/improvement: Minor changes have been made to how the syntax files for R and SPSS are generated in order to improve the coding of labels in the syntax files. (Ticket #225047)

  • Change: New clarifying text was added to the instructional text displayed above the “Consent Form (Rich Text)” option in the “Add Consent Form” dialog on the e-Consent Framework page in order to indicate that images added via the rich text editor there will not be rendered in PDF exports or in stored PDF snapshots that include that consent form text.

  • Various changes for the External Module Framework, including the following: 1) The External Modules Framework error handling behavior has changed significantly. Every module error detected is now logged in the database instead of emailed. When errors occur, one email is sent per module per hour asking admins to check the “Recent Errors” page in Control Center for more details. And 2) Misc. security scan improvements.

Bug Fixes

  • Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into the value of a Text field or Notes field by authenticated users on a data entry form or by survey participants on a survey. It can only be exploited by entering text containing the HTML “embed” tag when dynamic piping is happening on the current page via JavaScript. Bug emerged in REDCap 14.5.0.

  • Bug fix: If a user assigned to a Data Access Group is viewing the Notification Log for “Alerts & Notifications”, in which one or more alerts have been set as a recurring alert, the page would mistakenly display future notifications for records not in the user’s DAG. (Ticket #243195)

  • Bug fix: If a user is importing data via the API or Data Import Tool, in which the user is not assigned to a DAG and the data import file contains the “redcap_data_access_group” field, if the import file contains multiple records and the “Overwrite data with blank values?” setting is set to “Yes”, then any records that are currently assigned to a DAG but have a blank value for the “redcap_data_access_group” field in the import file would get correctly unassigned from their current DAG, but the Record List Cache would mistakenly not get updated to reflect this DAG unassignment. This means that until the Record List Cache is reset, the record might appear to be in a DAG even though it is technically not assigned to a DAG anymore. (Ticket #242983)

  • Bug fix: If an alert has been created with the “When to send the alert” setting as “Send the alert X [units] after the day (beginning at midnight) that the alert was triggered”, then downloading the alerts as a CSV file and then re-uploading them would result in an error for this particular setting. (Ticket #237215)

  • Bug fix: In rare cases, a fatal PHP error might occur on a survey when using PHP 8. (Ticket #243300)

  • Bug fix: In some cases, the Background Data Import process might mistakenly fail to finalize itself even after all records appear to have been successfully imported. (Ticket #243425)

  • Bug fix: In some rare cases when upgrading from a REDCap version lower than 14.3.1, the upgrade page might mistakenly fail to load completely. Bug emerged in REDCap 14.3.1 Standard.

  • Bug fix: The “Download form display logic setup” drop-down option in the Online Designer form-view would mistakenly not be visible because it would be obscured by the table immediately below it. (Ticket #243052)

  • Bug fix: The API method “Export a List of Files/Folders from the File Repository” would mistakenly require API Import privileges. It should only require API Export privileges and File Repository privileges in the project. (Ticket #243161)

  • Bug fix: The Email Users page would mistakenly list users that do not have the “Display user on ‘Email Users’ page?” checkbox checked for them on the Browse Users page in the Control Center. (Ticket #234149)

  • Bug fix: When downloading a PDF of a survey instrument or when REDCap is storing a PDF Snapshot of a survey instrument, certain HTML tags that exist in the survey instruction text might mistakenly get stripped out before being properly processed into line breaks, etc. for the PDF. Bug emerged in REDCap 14.5.0. (Ticket #243240)

  • Bug fix: When uploading user-DAG assignments via CSV on the Data Access Groups page, if the username in the CSV file has trailing spaces, those spaces might mistakenly not get removed when saving the user-DAG mappings in the project, which could cause the DAG page’s table not to display all DAG users in the “Users in group” column. (Ticket #243138)

  • Bug fix: When using Multi-Language Management, if a field has the @LANGUAGE-SET action tag, the language-switching functionality will not work for it if the field is embedded. (Ticket #243593)

Version 14.7.2 (released October 24, 2024)

Changes/Improvements

  • Improvement: Users may now pipe the field label of a given field (instead of its data value) by appending “:field-label” to the variable name inside the square brackets. (Ticket #229991)

  • Change/improvement: Added a new “Learn Advanced Design Features” link on the project left-hand menu that, when clicked, opens a panel displaying buttons to learn about Smart Variables, Piping, Action Tags, Embedding, and Special Functions.

  • Change/improvement: The API Token Request Email that is sent to an administrator when a user requests a token (if this behavior is enabled at the system level) now contains the project PID number and a link to the project. (Ticket #242747)

  • Change: The “Video Tutorials” link on the project left-hand menu now takes the user to the Training Video page rather than displaying a list of specific video links below it.

Bug Fixes

  • Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a Text field or Notes field whose value is being piped on the same page of a survey or data entry form. This vulnerability can be exploited by authenticated users and also by survey participants entering data. Bug emerged in REDCap 14.5.0.

  • Bug fix: Adding a new field via the Online Designer would result in a JavaScript error in the user’s browser console.

  • Bug fix: If an email contains a piped File Upload field variable using the “:inline” piping option (e.g., [my_file:inline]), for certain email servers and certain email configurations in REDCap (e.g., SMTP), the file would mistakenly not get attached to the email as a regular attachment if the file is not an image file. (Ticket #242935b)

  • Bug fix: If an email contains a piped File Upload field variable using the “:link” piping option (e.g., [my_file:link]), clicking the download link in the email would mistakenly display the error message “NOTICE: This file is no longer available for download” rather than downloading the file. (Ticket #242935)

  • Bug fix: If upgrading from a REDCap version lower than 13.10.0, the upgrade page might mistakenly fail to load completely. Bug emerged in REDCap 14.6.11 Standard.

  • Bug fix: In certain situations, one of the Clinical Data Pull (CDP) cron jobs for CDIS might crash unexpectedly.

  • Bug fix: Modifying the value of a drop-down field, specifically one that has autocomplete enabled, would mistakenly not trigger the “Save your changes?” dialog or the “Reason for change” dialog (if enabled) in the project. (Ticket #242610)

  • Bug fix: Some of the CDP performance improvements released in the previous release (14.7.1) were mistakenly not optimized in certain situations, thus causing the CDP cron job to cause some SQL queries to run slow and slow down the cron job.

  • Bug fix: When data is exported from the Database Query Tool while “query context” was used in the query, this context was not properly evaluated and the page crashed during the export.

  • Bug fix: When exporting data via the Export Records API method with parameter type=eav, if any duplicate values somehow exist in the backend data table for a single field, those duplicates would mistakenly be output in the resulting data that is returned from the API. (Ticket #242493)

  • Bug fix: When importing data into a longitudinal project (whether via API, Data Import Tool, Mobile App, or data in a Project XML file), in which data for a repeating event or repeating instrument is being imported when the first instrument in the project is not designated for the event of data being imported, in certain situations the form status field for the first instrument might mistakenly receive a “0” (Incomplete) value during the import, even when that field is not included in the data being imported. This inadvertently creates data values that are automatically orphaned and never accessible in the user interface except in reports and data exports. (Ticket #242590)

  • Bug fix: When the e-Consent Framework is enabled for a survey, the “Save & Mark Survey as Complete” button would mistakenly be displayed when viewing the instrument as a data entry form. Clicking this save button would mark the survey as complete and log it as if an e-Consent certification took place, when in fact it did not because the certification was essentially bypassed. e-Consent surveys should only ever be completed on the survey page itself and not on a data entry form. Going forward, the “Save & Mark Survey as Complete” button will no longer be displayed on the data entry form for any survey instrument that has the e-Consent Framework enabled. (Ticket #242860)

  • Bug fix: When uploading a file for a File Upload field, in which the file exceeds the system-level maximum file size setting for File Upload fields, the file would mistakenly remain on the server for 30 days until it was then permanently deleted. Going forward, the file will never be initially stored in the system if it exceeds the file size limit.

  • Bug fix: When using the “Go to field” functionality in the Online Designer (Ctrl-G or Cmd-G) and searching for a field by typing in part of the variable name or field label, a JavaScript error would be thrown in the browser console if the current instrument does not have any fields. (Ticket #242884)

Version 14.7.1 (released October 17, 2024)

Changes/Improvements

  • Improvement: Better error handling in PHP for External Modules. Additionally, a new Control Center menu item named “Recent Errors” now appears on the left-hand menu in the “Dashboards & Activity” section.

  • Improvement: In MyCap-enabled projects, a new “Form completion status” setting has been added in the Online Designer that controls how a MyCap task’s form completion status value is set when a task is submitted by a participant from the MyCap mobile app to the REDCap server.

    • In previous versions, the MyCap task’s form completion status would always be set to Incomplete. But now, it can be set to Incomplete, Unverified, or Complete so that the form status value is set to that specified status value any time that a participant completes a MyCap task. This setting can be modified at any point during data collection in a MyCap project.
    • Note: Existing projects will maintain their existing default status setting of Incomplete, but that setting can be changed after the fact if desired. In contrast, all newly created projects will default to a status setting of Complete. However, if a new project is created using a Project Template that has MyCap enabled, the new project will adopt the MyCap form status setting of the Project Template. If you wish to change the default MyCap form status setting for all Project Templates that have MyCap enabled, run the following SQL (this is optional). This will ensure that all new projects, including those created via Project Templates will have this new setting set to Complete by default. Optional SQL: UPDATE redcap_projects p, redcap_projects_templates t SET p.task_complete_status = ‘2’ WHERE p.mycap_enabled AND p.project_id = t.project_id;
  • Improvement: MLM languages now have a “Notes” field that can hold general notes regarding each MLM language on the MLM setup page (inside the Add/Edit Language dialog). These notes have no impact on MLM performance.

  • Improvements: New CDIS-related resource monitor which helps manage resource-intensive processes more effectively. This does not have a user interface but just helps improve performance in the background. Additionally, the number of queued records for Clinical Data Pull (CDP) being fetched from the EHR system during a single cron job batch has been increased to allow for more records to be processed in a given period of time.

  • Various changes and improvements for the External Module Framework, including the following:

    • Added isMlmActive() method and getCurrentLanguage() method to javascript external module objects
    • Renamed the bundled “Configuration Example” external module to “Module Development Examples”
    • Added the $module->getSelectedCheckboxes() method
    • Added a Twig development exercise to the external module documentation
    • Prevented an error when “Export list with design rights users” is selected for modules not enabled on any projects
    • Misc. security scan improvements
  • Change/improvement: In MyCap-enabled projects, several MyCap settings (Baseline Date Settings, Custom Event Label Settings, and new Form Completion Status setting) in the Online Designer have now been aggregated in a new"Additional Settings" dialog on that page.

  • Change: The instructional text for the “Automatic Triggering Option” on the Randomization page has been modified for improved clarity.

Bug Fixes

  • Major bug fix: In some extremely rare cases, it might be possible that the same return code could be generated for two different participants taking the same public survey. In certain situations, this could possibly allow one participant to inadvertently view the responses of another participant. (Ticket #241815)

  • Bug fix: If a record is deleted when the data privacy/GDPR feature “Delete a record’s logging activity when deleting the record?” is enabled in a project, the email log associated with that record would mistakenly not get deleted along with the regular logging information. Note: This fix will not retroactively remove the email logging of already-deleted records in projects with this feature enabled, but it will prevent this issue from occurring in the future. (Ticket #242184)

  • Bug fix: If data exists for a field used in branching logic or in a calculation in a longitudinal project, in which the data is orphaned from a previously-repeating instrument or event (i.e., it is no longer repeating but had data collected for it back when it was repeating), then some of the orphaned data might mistakenly be used on a survey/form for cross-event branching logic and calculations, thus causing the branching/calc not to behave as expected.

  • Bug fix: In specific instances when a field in the Online Designer is edited and then moved via drag-n-drop, the field might end up located in the wrong position on the instrument afterward.

  • Bug fix: In very specific situations after submitting the first page of a multi-page survey, the Required Field dialog might mistakenly be displayed saying that a field that is not present on the first page (but is present on the second page) has a missing value. (Ticket #236511)

  • Bug fix: Minor text error in the Smart Variable documentation.

  • Bug fix: Multi-instrument PDF Snapshots were likely to be malformed in larger/complex projects when MLM was enabled. (Ticket #242031)

  • Bug fix: The Custom Event Label might cause significant performance issues to arise on the Record Home Page for certain projects.

  • Bug fix: The cron job responsible for fetching data from the EHR system via CDIS might be unable to retrieve a valid FHIR access token under specific conditions, causing the fetch process to fail. Additionally, the EHR ID might mistakenly not get logged in the FHIR Logs database table during CDIS processes.

  • Bug fix: Typo in randomization setup instructions. (Ticket #242219)

  • Bug fix: When a REDCap administrator is viewing an allocation/sequence on the randomization dashboard for a single-strata randomization model, in which the current strata value being viewed has a raw value of “0”, an incorrect error message might be displayed. (Ticket #242219)

  • Bug fix: When a given REDCap page does not contain any “h” HTML tags, a JavaScript error would be thrown in the browser console.

  • Bug fix: When a project is utilizing the Survey Queue together with the Survey Login feature, in which a survey participant has already logged in to a survey but then later reopens that same survey during the same “session”, the icon/link to the Survey Queue would mistakenly not appear at the top-right of the first page of that survey as it should, even when some surveys exist in the participant’s survey queue. (Ticket #242182)

  • Bug fix: When a repeating instrument is enabled as a survey, and a participant navigates to that survey with “&new” appended to the URL to denote that a new repeating instance should be created from that response, branching logic and/or calculations on the survey page would mistakenly not work as expected if the fields used in the branching/calculations exist on a different instrument. Bug emerged in REDCap 14.5.14 LTS and 14.6.8 Standard Release.

  • Bug fix: When certain video types (e.g., MP4) are added to the Embed Media URL of a Descriptive field, the video might not be playable for certain mobile browsers, such as Mobile Safari on iOS, if the project has MLM enabled on the current form/survey. (Ticket #241505b)

  • Bug fix: When creating a new project via a Project XML file, in which the project contains one or more logic-based PDF Snapshot triggers, it might cause the project not to be fully created and thus not accessible to the user afterward.

  • Bug fix: When exporting a Project XML file containing data for a longitudinal project that has repeating instruments, the resulting XML might be malformed in the file, thus causing some of the repeating instrument data not to get transferred to a new project created from the XML file.

  • Bug fix: When moving an entire matrix of fields in the Online Designer to the top of another instrument, an error would result, thus preventing the matrix from being moved successfully.

  • Bug fix: When moving an entire matrix of fields in the Online Designer, especially when moving them to another instrument, some fields in the matrix may not get moved successfully and/or the fields in the instrument might be messed up in various ways in the backend database, thus causing things not to display correctly for the instrument. (Ticket #236128, #241606)

  • Bug fix: When uploading an Instrument Zip file or when copying an instrument in the Online Designer, if a field in the instrument has branching logic that contains an inline comment with and odd number of single quotes and/or double quotes, it would prevent the instrument from being uploaded or copied, respectively. (Ticket #241955)

  • Bug fix: When using Multi-Language Management, floating matrix headers were not aligned properly on surveys for right-to-left languages. (Ticket #222689b)

  • Bug fix: When using Twilio or Mosio telephony features in a project, in which an Automated Survey Invitation is set to be triggered and sent using the “participant’s preference” for the ASI invitation type, if the mappable invitation preference field is being utilized in the project, then if a user sets the value for the invitation preference field on a form/survey, in which the ASI gets triggered and one or more calculated fields from other forms/events get subsequently triggered from the form/survey save, then the ASI will be sent/scheduled using the project’s default value for delivery preference rather than using the participant’s already-set delivery preference (from the invitation preference field). (Ticket #242434)

  • Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with certain newer area codes, specifically 235, 324, 329, 353, 436, 624, 645, 686, 728, and 861.

  • Bug fix: When using the Automatic Triggering Option for Randomization in a project, a record might mistakenly be automatically randomized on a survey (assuming the logic evaluates as true) when the Automatic Triggering Option is set to only trigger for users with the Randomize permission (i.e., not for survey respondents). (Ticket #242300)

  • Bug fix: When using the Automatic Triggering Option for Randomization in a project, in which data is being saved on a form or survey for an already-randomized record, the automatic triggering might mistakenly attempt to randomize the record again, thus resulting in a fatal PHP error. (Ticket #242300)

  • Bug fix: When using the Automatic Triggering Option for Randomization in a project, the data value saved for the randomization field itself might mistakenly not get explicitly recorded in the project Logging. However, the randomization event itself does get correctly logged. (Ticket #242300)

Version 14.7.0 (released October 09, 2024)

New Features

  • New features: Randomization enhancements
    • Note: Thanks to Luke Stevens (Murdoch Children’s Research Institute) for his contribution in building these new randomization features.
    • A) Multiple randomizations in a project - Users may now define more than one randomization model in a single project. Each randomization model has its own settings (e.g., strata, randomization field, allocation table), and is completely independent of the other models.
    • B) Blinded randomization support - Users may now create a randomization model that is blinded/concealed as a means of concealing the allocation (randomization value) from users to be able to have a truly blinded randomized clinical trial, for example. Users may still choose to create an “open” randomization model (as they always could) by choosing a single-select multiple choice field (e.g., drop-down or radio) to be the randomization field. Alternatively, users may now choose any text field [that does not have field validation] to represent the “randomization number”. The randomization number can be uploaded as part of the allocation table, and when a record is then randomized, the field is given the randomization number as its value.
    • C) New Smart Variables
      • [rand-number] - The randomization number assigned to the record. For randomization in a text field (blinded allocation), this is equivalent to piping the randomization field. For randomization in a categorical field (open allocation), this will be the randomization number associated with the randomization group allocation, if one has been uploaded (this is optional). Use :n to refer to a specific randomization where a project has more than one (default=1).
      • [rand-time] - The server date and time at which a record was randomized. In a piping context, such as in a field label, survey invitation, or inside the @default action tag, the format of the date and time will be displayed based on the current user’s date/time display preferences. If you wish to have it return the raw value, which will instead be in ‘YYYY-MM-DD HH:MM:SS’ format and would be more appropriate for conditional logic or calculated fields, simply append :value. Use :n to refer to a specific randomization where a project has more than one (default=1).
      • [rand-utc-time] - The UTC date and time at which a record was randomized. In a piping context, such as in a field label, survey invitation, or inside the @default action tag, the format of the date and time will be displayed based on the current user’s date/time display preferences. If you wish to have it return the raw value, which will instead be in ‘YYYY-MM-DD HH:MM:SS’ format and would be more appropriate for conditional logic or calculated fields, simply append :value. Use :n to refer to a specific randomization where a project has more than one (default=1).
    • D) New “Randomize Record” API method - This method allows an API user to randomize a record using the API. The API parameters required are content=“record”, action=“randomize”, record=Record name of record to randomize, and randomization_id=The unique id of the randomization (viewable on the Randomization page for users with Design permissions or on the API Playground page), which corresponds to a specific target field and event. This API method returns the value for the target randomization field (plus optionally the alternative target value), or an error message on failure (such as if the record does not exist or if stratification information is missing).
    • E) New developer methods
      • REDCap::getNextRandomizationAllocation() - Returns the integer allocation id if an unallocated entry is found, or string ‘0’ if no entry is available (allocation table is exhausted). Returns false on error, e.g. if incorrect stratification information provided.
      • REDCap::updateRandomizationTableEntry() - Updates the target (randomization field or number), alternate target (randomization group or number), or “is_used_by” (e.g., the record to which this allocation/sequence belongs) details for a specified allocation table entry. For example, this method can be utilized to effectively perform the randomization action itself.
    • F) New External Module Hook “redcap_module_randomize_record” - Allows custom actions to be performed prior to the randomization of a record - e.g., to override the default randomization allocation. This hook enables implementation of custom randomization allocation routines, e.g. dynamic randomization via minimization. It is expected that only one external module implementing this hook will be enabled in a single project. A warning will be generated if multiple external modules return results from this hook. Location of Execution: The function is executed immediately prior to lookup and assignment of the next available entry in the randomization allocation table. This lookup and allocation is skipped if all redcap_randomize_record hooks return false.
    • G) Real-Time Trigger Logic - Randomization can be automated to occur in real time when an instrument is saved and a specified logic expression becomes True, in which all required stratification information must be present. At the bottom of the randomization setup page for a given randomization model, the following options are displayed.
      • Manual only (default) - A user with “Randomize” user permissions must click the “Randomize” button on the data entry form where the randomization field is located.
      • Trigger logic, for users with Randomize permissions only - When the Save button on a specified data entry form is clicked, if the logic expression provided evaluates to True and the current user has “Randomize” user permissions, the record will automatically be randomized (i.e., without clicking a “Randomize” button).
      • Trigger logic, for all users (including survey respondents) - When the Save button on a specified data entry form or survey page is clicked, if the logic expression provided evaluates to True (despite the user’s permissions if on a data entry form), the record will automatically be randomized.
    • H) New options for REDCap administrators [only] to perform the actions below, which are meant to be used in rare/unexpected situations. These can be found when viewing the allocation table under the Dashboard section of a randomization model. Note: Whenever an administrator uses one of the actions, they must provide a “reason” as text, which gets added to the project Logging.
      • Manually randomize a record - Provide a value for a randomization group or number to manually set the randomization value for a specified record.
      • Remove the randomization for a record (un-randomize it) - If a record has already been randomized, remove that record’s randomization allocation so that it will no longer appear randomized and so that another record might possibly get assigned that allocation.
      • Edit an allocation/sequence - Modify the randomization group and/or randomization number value for an unallocated sequence. This is essentially the equivalent of modifying an existing allocation table.
      • Make an allocation/sequence unavailable - Remove an allocation/sequence so that it will not be used in a future randomization. This is essentially the equivalent of removing a row from an existing allocation table.
    • I) Project XML & Copy Project - Randomization model settings have now been added as an optional component to copy when doing a “Copy Project” action or when exporting->creating a project via a Project XML file.

Changes/Improvements

  • Improvement: In a MyCap-enabled project that is using Multi-Language Management, users can now more easily populate the MyCap Language ID and Language display name by clicking the MLM language ID from the allowed languages list on the MLM setup page for the MyCap mobile app (via the Add/Edit Language popup). These were merely displayed in previous versions, but now they are clickable, which makes them easier to add to the MLM setup page.

  • Improvement: In a MyCap-enabled project, the “View Task Details” popup in the Online Designer now includes detailed scheduling information per event for longitudinal projects.

  • Improvement: New MLM action tag LANGUAGE-MENU-STATIC - When this action tag is present on any field of an instrument enabled as a survey, and Multi-Language Management is active with at least two active languages, the language selection menu will remain visible at all times (i.e., it will not collapse after a language button has been clicked). (Ticket #241790)

  • Improvement: New piping option “:hideunderscore” - If a field value or Smart Variable value is blank/null (i.e., does not exist), then by default the blank value will be piped as six underscore characters (literally ______) as a placeholder to visually indicate that no value exists. However, if this behavior is not desired, users may append :hideunderscore to the variable name inside the square brackets (e.g., [first_name:hideunderscore], [race:value:hideunderscore]), and this will cause value to be piped as-is, that is, as a blank/null/invisible value. Note: The :hideunderscore notation may be appended to both field variables and Smart Variables.

  • Change: On the MyCap Configuration Check page in the Control Center, the PID has been added for each project displayed in the project drop-down list on that page.

  • Change: The newer-style “disabled” buttons in the Online Designer (added in REDCap 14.6.11) have been slightly modified from an encircled X to an encircled dash since it is thought that an X might imply a “delete” action rather than a “disabled” state. Additionally, the event-level ASI “Modify” buttons that are displayed in longitudinal projects when clicking the “Automated Invitations” button next to each survey in the Online Designer were updated with the new icons that were added elsewhere in the previous version.

  • Change: Two new videos were updated: “Field Types” and “Online Designer”.

  • Change: Various minor bug fixes and enhancements for Multi-Language Management (mostly related to export and change tracking with regard to MyCap items).

Bug Fixes

  • Major bug fix: If a project has one or more [non-e-Consent] PDF Snapshots enabled to be triggered by the completion of a specific survey, in which that same survey has had the e-Consent Framework enabled in the past but is currently disabled for the survey, in certain situations the active PDF Snapshots would mistakenly not get triggered and saved when the survey is completed by a participant. Bug emerged in REDCap 14.5.11 LTS and 14.6.5 Standard. (Ticket #241710)

  • Bug fix: When a participant has completed an e-Consent survey, in which a consent form has been defined on the e-Consent Framework page for that survey, and then a PDF of that response is later downloaded or a PDF Snapshot of that response is later saved, the resulting PDF would mistakenly not always contain the consent form that the participant saw when they completed the survey, but (especially when MLM is not being used) they would see a newer version of the consent form, assuming a newer version of the consent form has been added to that survey. (Ticket #241501)

  • Bug fix: When certain video types (e.g., MP4) are added to the Embed Media URL of a Descriptive field, the video might not be playable for certain mobile browsers, such as Mobile Safari on iOS. (Ticket #241505)

  • Bug fix: When exporting a Project XML file that contains e-Consent Framework settings, if the project is longitudinal and the e-Consent settings have a “Last name field” or “Date of birth field” defined, the e-Consent settings might not get successfully imported into the new project created using the Project XML file. Bug emerged in REDCap 14.5.0.

Version 14.6.11 (released October 03, 2024)

Changes/Improvements

  • Improvement: A new PDF download button has been added to the instrument-view of the Online Designer to allow users to download all instruments as a single PDF.

  • Improvement: REDCap now supports the “progress” and “meter” HTML tags so that they may be utilized in user input (e.g., field labels, survey instructions).

  • Improvement: Slight aesthetic changes have been made to the buttons displayed in the instrument-view of the Online Designer. Additionally, the “e-Consent and PDF Snapshot” button has been separated into two separate buttons under Survey Options and Form Options, respectively.

  • Improvement: The improved “Field Navigator” on the Online Designer now always floats on the right-hand side of the page and also has links to allow users to jump to specific Section Headers on the page.

  • Improvement: When the Google reCAPTCHA feature is enabled, administrators may now set the default state of that feature (as either initially enabled or disabled) in newly created projects. This can be set in the Google reCAPTCHA section of the Modules/Services Configuration page in the Control Center. By default, this new setting is set to “Disabled by default for new projects”. (Ticket #237045)

  • Change: For predefined ResearchKit active tasks in MyCap-enabled longitudinal projects, the “Active Task Settings” section on the task setup page has been moved to the task-level instead of the event-level (as seen in previous versions). Thus, there will be only one “active task setting” per task available even if multiple events are enabled on the task setup.

  • Change: Question Numbering on surveys is now set to “Custom numbered” by default when enabling an instrument as a survey.

  • Change: The “Preview instrument” button on the field-view page of the Online Designer has now been removed due to seldom use and also because in recent years it no longer provides a reliable presentation of the instrument for moderately-complex projects. (Ticket #241293)

Bug Fixes

  • Major security fix: If a malicious user is logged in and has access to at least one report in one project, they could potentially manipulate the URL of specific REDCap end-points in order to view the results of any report for any project, even when they do not have access to that report or project.

  • Major bug fix: Some of the AJAX end-points used by the Email Users page in the Control Center would mistakenly allow non-administrators to access them (if a user knows how), which could allow normal users to possibly view the list of all users (usernames, names, and emails) in the system.

  • Bug fix: An issue would occur for Clinical Data Pull (CDP) projects in which entries in the redcap_ddp_records database table were incorrectly marked with a “future date count” > 0 if no temporal fields were mapped but date fields were present in the project. This would cause affected records not to be queued for automatic fetching in the background.

  • Bug fix: For some server configurations, the MyCap logo displayed on the Multi-Language Management setup page might either not be displayed or might cause the whole page not to be displayed in MyCap-enabled projects. (Ticket #241449)

  • Bug fix: In very rare situations, when a person receives a file via Send-It, they would not be able to download it because it may appear to have already expired prematurely.

  • Bug fix: The question-mark popover in Step 2A option 3 when adding/editing an alert on the Alerts & Notifications page would mistakenly display escaped HTML in the popover rather than interpreting the HTML tags.

  • Bug fix: When a radio or drop-down field has numeric-only choice codes, in which the field has a blank/null value and is used in the concat_ws() function, the field would mistakenly be represented as “NaN” (in JavaScript) and as “NAN” (in PHP) in the result of concat_ws(). (Ticket #241098)

  • Bug fix: When a survey has the e-Consent Framework enabled and also has “Save & Return Later” enabled with the “Allow respondents to return without needing a return code” option checked, the survey would mistakenly display a Return Code when the participant clicks the “Save & Return Later” button, and it would also ask for a Return Code when loading the survey page after having not completed it. Bug emerged in REDCap 14.5.15 and 14.6.9. (Ticket #241142)

  • Bug fix: When clicking a value displayed in the results of a Data Quality rule, which opens the data entry form in a new tab, it would mistakenly not put the focus on the field if the field is a Notes field type. (Ticket #241058)

  • Bug fix: When deleting a user account when viewing an individual account on the Browse Users page in the Control Center, the User Search text box on the page would mistakenly no longer be functional for searching unless the page is reloaded. (Ticket #241142)

  • Bug fix: When the first field on a given instrument has a section header above it, and then in the Online Designer a user attempts to add a field between the section header and the field immediately below it, if the project is in draft mode while in production, the newly added might get added but would end up in a weird limbo state so that the field might not be visible afterward. (Ticket #241530)

  • Bug fix: When using MLM for translating survey invitations, specifically those sent via SMS, it could cause a fatal PHP error for the cron job when using PHP 8. (Ticket #92266b)

  • Bug fix: When using Multi-Language Management, the wrong message was shown on the Misc tab for the base language on the MLM setup page.

  • Bug fix: When using the READONLY action tag on the Secondary Unique Field on a survey that has the SUF prefilled via URL variables, the field would mistakenly be editable and not read-only. Note: This occurs only on the SUF when viewed specifically in survey mode, and only when prefilling is being performed. Also, this was supposedly fixed in REDCap 14.5.8 LTS and 14.6.2 Standard, but it was apparently only fixed in specific use cases. (Ticket #237623b)

Version 14.6.10 (released September 26, 2024)

Changes/Improvements

  • Improvement: Accessibility improvements have been made to all Control Center pages and other non-project pages (e.g., My Projects, REDCap Home Page) with specific regard to improving the color contrast of text on the page.

  • Improvement: More documentation has been added for Shibboleth authentication on the Security & Authentication page to set up the auto-import feature for a user’s first name, last name, and/or email address.

Bug Fixes

  • Major bug fix: If the REDCap installation has opted in to the feature of adding an auto-incremented Primary Key to every database table, an SQL query would prevent all draft mode changes from being committed while in production. Thus the user is not able to make any production changes. (Ticket #240564)

  • Bug fix: For certain PHP versions, a JavaScript error might occur on the Project Setup page when enabling the Mosio feature.

  • Bug fix: For projects in draft mode using the e-Consent Framework that have had a field modified or deleted on an e-Consent survey, the notice displayed to the user prior to submitting their drafted changes for approval (which mentions that the user should probably change the e-Consent version number) is no longer applicable in v14.5.0+ because the version number is no longer necessarily connected to the survey or its fields anymore in v14.5.0+ but instead is connected only to the consent form displayed on the survey. Given this, it no longer makes sense to display this notice to the user. Thus, the notice will no longer appear to users in this specific situation. (Ticket #240518)

  • Bug fix: If the Survey Base URL is being used together with Clickjacking Prevention in the REDCap installation, it would prevent any of the “Custom Surveys for Project Status Transitions” survey pages from loading in a user’s browser. (Ticket #240644)

  • Bug fix: The style/CSS of certain elements on the “Help & FAQ” page were not correct.

  • Bug fix: The text of some dialogs that appear on PROMIS surveys were mistakenly not available to be translated via Multi-Language Management. (Ticket #239286)

Version 14.6.9 (released September 20, 2024)

Changes/Improvements

  • Improvement: For MyCap projects that are longitudinal with multiple arms, users may now designate a Baseline Date Field for every arm on the baseline date setup popup in the Online Designer.

  • Improvement: When using Shibboleth authentication for REDCap, admins may now enable a new setting on the Security & Authentication page to allow REDCap to automatically import a user’s first name, last name, and/or email address the first time they log in or every time they log in to REDCap. Note: This may require some configuration changes on the Shibboleth side so that these user attributes appear as new $_SERVER variables.

Bug Fixes

  • Major bug fix: When importing data (via Data Import Tool, API, Mobile App, etc.) into a project that contains Data Access Groups, an erroneous message might be returned stating that the records being imported cannot be modified because they do not belong to the user’s DAG, in which it names existing records in the project (not the records being imported). This would prevent the data import process from starting, and if using the Background Data Import, that process might mistakenly fail midway through the import, thus needing to be re-imported. Bug emerged in the previous version. (Ticket #240514)

  • Bug fix: Further fixes for a possible upgrade error with regard to foreign keys on specific tables that occur for some installations under specific circumstances.

  • Bug fix: If a survey has the e-Consent Framework enabled and also has “Save & Return Later” enabled with “Allow respondents to return and modify completed responses”, this combination could cause major issues with regard to the state of the data of a participant’s informed consent if they are allowed to modify their own completed e-Consent response. In this specific situation going forward, the “Allow respondents to return and modify completed responses” setting will be automatically disabled and thus will prevent participants from modifying their completed e-Consent response. Additionally, the “Allow respondents to return and modify completed responses” setting will be disabled on the Survey Settings page if the current survey has the e-Consent Framework enabled, and it will display a note beneath the setting to inform users why it is disabled. (Ticket #240265)

  • Bug fix: The page number that is displayed near the top right of multi-page surveys would mistakenly not be fully right-aligned on the page when using a non-fixed width setting for the survey page.

  • Bug fix: When exporting data to SPSS, any field labels longer than 256 bytes would result as an error when loaded into SPSS.

  • Bug fix: When using Shibboleth authentication for REDCap, and a survey participant opens a survey page that contains an inline PDF, the PDF might mistakenly not be displayed but would display a login page inside an iframe. (Ticket #240240)

  • Bug fix: When using the Data Resolution Workflow along with Data Access Groups in a project, if a user attempts to assign a data query to a user, in some situations the drop-down list of assignable users would mistakenly list users that are not currently eligible to be assigned to the data query because they are not currently assigned to the record’s DAG. It should only list users that are currently in the record’s DAG (or users not in any DAG) if the record itself is assigned to a DAG. This bug was supposedly fixed in REDCap 13.10.2 but mistakenly was not. (Ticket #213770b)

Version 14.6.8 (released September 18, 2024)

Changes/Improvements

  • Various changes and fixes for the External Modules Framework, including: 1) Added a warning about External Module composer dependency conflicts above the Control Center module management list, 2) Fixed an error with the “external_modules” framework development dir’s out of date detection, 3) Updated Twig from v3.11.0 to v3.11.1, and 4) Misc. security scan updates.

  • Change/improvement: Better support for handling various authentication methods in a CDIS context (e.g., logging into REDCap via “Launch from EHR” context for CDP).

Bug Fixes

  • Major bug fix: Resolved an issue in the CDIS module that caused errors and disrupted normal operations in environments running PHP versions lower than 8.0. This bug affected: CDP auto-adjudication process, Mapping helper usage, and Data Mart operations. The fix ensures proper handling of user data, allowing CDIS to function smoothly across different PHP versions. Bug emerged in the previous release. (Ticket #240182)

  • Bug fix: Fix possible upgrade error with regard to foreign keys on specific tables that occurs for some installations under specific circumstances.

  • Bug fix: When a repeating instrument is enabled as a survey, and a participant navigates to that survey with “&new” appended to the URL to denote that a new repeating instance should be created from that response, the survey page would mistakenly get pre-filled with existing data if instance 1 of the instrument contains data and was created via a data entry form. When “&new” is appended to a survey URL, the survey should never get pre-filled with any saved data. (Ticket #239909)

  • Bug fix: When executing a custom data quality rule on a multi-arm project, in which the rule’s logic implies that only records in certain arms should be returned in the results, the results might mistakenly return false positives of data from arms in which the records do not actually exist. (Ticket #237137)

  • Bug fix: When exporting the Logging page as a CSV file, some logged events (e.g., “Invalid SMS response”) might mistakenly say “Record 101” rather than just “101” in the record column of the CSV file. This is inconsistent with how the record name is displayed in that column for other logged events. (Ticket #239394)

  • Bug fix: When reports or data exports are sorted by a multiple choice field that has only integers as its choice codes, the data for that field would mistakenly be sorted as a text string rather than appropriately sorted as a number.

  • Bug fix: When upgrading from a REDCap version lower than 14.6.2 to version 14.6.2 or higher, the upgrade page would mistakenly note that REDCap must first be taken offline for X minutes prior to upgrading. However, this is not true but a mistake. REDCap does not need to be taken offline during this specific situation.

  • Bug fix: When using Shibboleth authentication, in which the “URL for Shibboleth SP Session Initiator” is defined, the user might not get redirected back to their current page after performing a successful login.

  • Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with certain newer area codes, including 787 and 939. This bug was supposedly fixed in REDCap 14.0.33 LTS and 14.4.1 Standard Release, but mistakenly it was not. (Ticket #234300b)

  • Bug fix: When using surveys with enhanced radios/checkboxes together with LH orientation and an RTL language for Multi-Language Management, the standard radios/checkboxes would mistakenly be visible, and the order of the enhanced radios was not following proper RTL alignment.

  • Bug fix: When viewing a survey page with date or datetime fields, in which the “Size of survey text” setting is “Large” or “Very large”, the values inside the date/datetime fields might appear truncated/cut off on the page. Note: This does not affect the actual value from being saved. (Ticket #239174)

Version 14.6.7 (released September 17, 2024)

Bug Fixes

  • Medium security fix: A Blind SQL Injection vulnerability was found on certain Clinical Data Mart (CDM) related pages, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. The user must have “Access to all projects and data with maximum user privileges” administrator privileges in order to exploit this. This bug affects all known REDCap versions.

  • Medium security fix: A Blind SQL Injection vulnerability was found on several Control Center pages, in which a malicious user who has co-opted a REDCap admin account could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. The user must have “Modify system configuration pages” administrator privileges in order to exploit this. This bug affects all known REDCap versions.

  • Medium security fix: A Blind SQL Injection vulnerability was found on the Edit Project Settings page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. The user must have “Access to all projects and data with maximum user privileges” administrator privileges in order to exploit this. This bug affects all known REDCap versions.

  • Medium security fix: A Blind SQL Injection vulnerability was found on the Online Designer page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. The user must be logged in to REDCap in order to exploit this. This bug affects all known REDCap versions.

  • Medium security fix: A Blind SQL Injection vulnerability was found on the Send-It upload page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. The user must be logged in to REDCap in order to exploit this. This bug affects all known REDCap versions.

  • Major security fix: A Cross-Site Request Forgery (CSRF) Bypass vulnerability was found in which a malicious user could potentially exploit it by manipulating an HTTP request to any URL in the system by tricking an authenticated user to click a specially-crafted link that could bypass the CSRF check and submit information (including changing REDCap system configuration values) on behalf of the user or admin. This vulnerability exists in REDCap 13.4.0 and higher.

  • Major security fix: A Local File Inclusion (LFI) vulnerability was discovered in which a malicious user could potentially exploit it by setting the path of the hook function file on the General Configuration page to a value containing specific characters in order to bypass the check that ensures that the file path points to a PHP file. The user must have “Modify system configuration pages” administrator privileges in order to exploit this. This bug affects all known REDCap versions.

  • Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way that can be exploited on the following pages: Alerts & Notifications, Stats & Charts, and the main REDCap Home Page. This vulnerability can only be exploited by authenticated users. Bug exists in all REDCap versions.

  • Critical security fix: A Remote Code Execution vulnerability was found in which a malicious user who is logged in could potentially exploit it by manipulating an HTTP request to a specific External Module Framework endpoint. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists in REDCap 11.0.0 and higher.

  • Critical security fix: A Remote Code Execution vulnerability was found in which a malicious user who is logged in could potentially exploit it by manipulating an HTTP request to the Data Import Tool page while uploading a specially-crafted CDISC ODM XML file. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists in REDCap 6.12.0 and higher.

Version 14.6.6 (released September 15, 2024)

Changes/Improvements

  • Improvement: Enhancement to the information provided for the existing EHR access status and auto-login indicators in the CDIS panel of REDCap projects.

    • EHR Access Status: Detailed information about the user’s current EHR access is now available when clicking on the EHR access indicator within the CDIS panel. Additionally, this information is also displayed on the Project Home page of CDIS projects.
    • Auto-login Indicator: Clicking on the auto-login indicator in the CDIS panel now provides users with additional details about how the auto-login feature works, including the process of mapping REDCap and EHR accounts during the “Launch from EHR” process.
  • Improvement: The field validation type is now displayed below each Text field in the Online Designer (similar to how action tags are displayed for each field).

Bug Fixes

  • Major bug fix: In rare cases where radio field choices are being piped on a form or survey, the page might mistakenly never fully load due to a JavaScript error.

  • Bug fix: Mapped fields in projects marked as both CDP and CDM were not displaying correctly in the CDIS Mapping Helper tool.

  • Bug fix: Some text inside red boxes throughout REDCap would mistakenly appear in a much lighter red color than intended.

  • Bug fix: When reactivating all deactivated alerts on the Alerts & Notifications page, the page would mistakenly be blank, which could be confusing. Bug emerged in the previous version. (Ticket #239346)

  • Bug fix: When users are deleting multiple fields in the Online Designer, in some rare cases a race condition might occur that scrambles the field order and results in fields being suddenly in the wrong location.

  • Bug fix: When using the MyCap “App Design” page, a JavaScript error would occur when clicking the “Publish” button. This issue prevents a success message box from appearing on the page.

Version 14.6.5 (released September 05, 2024)

Changes/Improvements

  • Improvement: On the External Modules page in the Control Center, a new warning will be displayed when REDCap detects potentially incompatible Composer packages (i.e., third-party libraries) used inside the code of individual External Modules that may cause REDCap to crash unexpectedly. This warning will provide a list of which EMs might not be compatible with other EMs installed in the system, and provides information that can be given to the EM’s creator to resolve these potential compatibility issues.

  • Improvement: When exporting the Project XML file for a project that has alerts, there is now a new checkbox “Leave Alerts enabled (unless disabled)” on the Other Functionality page below the “Alerts & Notifications” checkbox. Going forward, all alerts in the Project XML file will be disabled by default unless the user checks the new checkbox to keep them enabled. In previous versions, alerts in the Project XML file would import into the new project as is (i.e., if enabled, it would stay enabled, and if disabled, it would stay disabled). This new option gives users more control over the default state of alerts in the newly created project. (Ticket #238810)

  • Change: When deleting a data quality rule when the Data Resolution Workflow feature is enabled in a project, the rule deletion dialog will now display a red warning to the user to inform them that deleting the rule will also delete any data queries (open or closed) that are currently associated with that data quality rule. (Ticket #219303)

Bug Fixes

  • Major bug fix: When the e-Consent Framework has been set up but then later disabled for a given survey, a PDF Snapshot would mistakenly still get saved to the File Repository and/or specified File Upload field whenever a participant completes the survey. (Ticket #239030)

  • Bug fix: MyCap participants would mistakenly not receive any push notifications upon a user (e.g., study coordinator) sending them an announcement via the MyCap messaging interface in the project.

  • Bug fix: Radio fields with the action tags READONLY and DEFAULT or SETVALUE would mistakenly not pipe correctly on the page.

  • Bug fix: Some unwanted text would mistakenly be displayed at the bottom of the Edit Project Settings page. (Ticket #238981)

  • Bug fix: When opening the “Edit Branching Logic” dialog via the Quick Modify Fields popup on the Online Designer, the branching logic text box in the dialog would mistakenly retain the previous value entered by the user while on that same current page. The text box’s value should be cleared out each time the dialog is opened. (Ticket #238833)

  • Bug fix: When performing a data import on the Data Import Tool page, in some rare situations, the import process might mistakenly fail due to a fatal PHP error when using PHP 8. (Ticket #238912)

  • Bug fix: When using “OpenID Connect” or “OpenID Connect & Table-based” authentication, and a user logs out of REDCap and then later logs back in again, the login process might mistakenly fail silently when re-logging again. (Ticket #237124)

  • Bug fix: When using Multi-Language Management in a project with MyCap enabled, the language ISO codes displayed for MyCap in the “Add New Language” dialog on the MLM setup page were incorrect for many of the languages listed. Those ISO codes have been corrected.

  • Bug fix: When viewing a report that has report logic that includes checkbox fields that reference Missing Data Codes (e.g., [my_checkbox(NA)] = “1”), the report might mistakenly not return items/data that should be returned, specifically when displaying data for repeating instruments.

Version 14.6.4 (released August 29, 2024)

Changes/Improvements

  • Change/improvements: The following web accessibility improvements were added to the REDCap Home Page: 1) Fixed headings so that it starts with h1 tag, 2) Moved navigation section outside of main section, 3) Added “skip to main content” link (press the Tab key to reveal the link), and 4) Fixed headings within Messenger (i.e. proper h tag level for Notifications and Conversations in Messenger) on Home page.

  • Various changes and improvements to the External Module Framework, including 1) Added built-in Twig support via module framework version 16, and 2) Expanded $module->getChoiceLabels() to support true/false & yes/no fields.

Bug Fixes

  • Bug fix: Alerts with conditional logic containing datediff() with “today” or “now” as a parameter might mistakenly get triggered multiple times by the cron job, thus resulting in duplicate alerts being sent. This behavior appears to be sporadic and occurs very seldom for most installations. (Ticket #237341)

  • Bug fix: Horizontally-aligned enhanced radios/checkboxes on surveys that do not have a question number column would mistakenly not be spaced out consistently between each choice on a given horizontal line. Note: This fix is slightly different from a similar one from last week, which did not get completely fixed.

  • Bug fix: If a user has received a confirmation link via email for registering a new email address with their REDCap account, and then the REDCap server is upgraded to a new REDCap version after the email is received, the link in the email would mistakenly redirect to the wrong place in the new version, thus preventing the user from being able to complete the email registration process. (Ticket #238619)

  • Bug fix: If an auto-incremented primary key (i.e., “pk_id”) has been added to all tables that do not have one (via the instructions at the bottom of the Control Center page), then the Copy Report functionality would mistakenly fail on the “My Reports & Exports” page. Bug emerged in REDCap 14.6.2 (Standard).

  • Bug fix: In certain specific situations, logged events related to clicking Project Bookmarks might mistakenly be displayed on the Logging page when filtering by a specific record in the project. (Ticket #238547)

  • Bug fix: In some cases when inline PDFs are attached to Descriptive fields, and a user downloads the PDF of the instrument, if the iMagick PHP extension is installed on the web server, the first page of the inline PDF might mistakenly get truncated in the resulting REDCap-generated PDF of the instrument.

  • Bug fix: In some cases when inline PDFs are used as consent forms in the e-Consent Framework, and a user downloads the PDF of the instrument, if the iMagick PHP extension is installed on the web server, there would mistakenly be a blank page following the inline PDFs in the resulting REDCap-generated PDF of the instrument. (Ticket #237921)

  • Bug fix: Several missing LOINC codes were added to the CDIS mapping features. Additionally, several Clinical Notes types were missing and not mappable, specifically pathology study, diagnostic imaging study, and laboratory report.

  • Bug fix: The CSV file download option for the Choices Editor inside the Edit Field dialog for multiple choice fields in the Online Designer would mistakenly not do anything. (Ticket #238818)

  • Bug fix: When a Data Entry Trigger is triggered on a data entry form for a record in a Data Access Group, the unique DAG name would mistakenly not get sent in the request to the Data Entry Trigger URL. Note: This issue does not occur on survey pages, and it also does not occur on data entry forms when a record is being assigned to a DAG while also being created there on the form. (Ticket #238727)

  • Bug fix: When comparing two records in the Data Comparison Tool, the coded values of multiple choice fields would be mistakenly wrapped in escaped HTML italic tags, which would cause the tags to be visible (rather than interpreted) on the page. Bug emerged in REDCap 14.0.14 LTS and 14.2.1 Standard. (Ticket #238437)

  • Bug fix: When copying a project via the “Copy the Project” page for a project that contains a repeating survey with a repeating Automated Survey Invitation, the ASI’s recurrence settings (e.g., “How many times to send it”) would mistakenly not get copied into the new project. Bug emerged in REDCap 12.5.0. (Ticket #238218)

  • Bug fix: When downloading a PDF of “All forms/surveys with saved data” or “All forms/surveys with saved data (compact)” when some instruments contain embedded fields, some of the embedded fields might mistakenly not get converted into data values or underscores (if they have no value) in the resulting PDF. (Ticket #238683)

  • Bug fix: When modifying a PDF Snapshot, some of the snapshot settings (specifically the checkbox options) might mistakenly not get saved successfully after being changed, and no error would be displayed to notify the user that their desired settings were not saved. This issue only affects web servers running PHP 7.3 or 7.4. (Ticket #236067)

  • Bug fix: When participants are taking a survey that contains fields with the @HIDDEN-SURVEY action tag, in which the participant is using a non-standard web browser, the fields might mistakenly be displayed instead of hidden on the survey page. (Ticket #238129)

  • Bug fix: When selecting instruments for the scope of a PDF Snapshot, the “Update” and “Cancel” buttons may disappear when scrolling downward when many instruments exist in the box, thus possibly causing confusion with regard to how to save one’s selected instruments. To fix this, the buttons now float at the top of the box regardless of scrolling. (Ticket #238698)

  • Bug fix: When the Confirmation Email option has been enabled, specifically with the “Include PDF of completed survey as attachment” checkbox checked, for a survey that has the e-Consent Framework enabled, the PDF attached to the email received by the participant would mistakenly contain the record name of the participant’s record in the filename of the PDF. The record name should not be included in the PDF filename for PDFs received by participants. (Ticket #223899)

  • Bug fix: When the Top Usage Report page displays a row that is a “Project” type, the project link displayed in that row would mistakenly be an invalid URL if the project title ends with text enclosed in parentheses. (Ticket #238523)

  • Bug fix: When using Clinical Data Pull for CDIS, in the “launch from EHR” context of a CDIS project, events were not logged properly when a patient was added to a project. This improper logging prevented the record list cache in REDCap from rebuilding correctly, leading to issues when saving records in projects with auto-incrementing record IDs. (Ticket #234550)

  • Bug fix: When using certain screen readers, such as JAWS, the individual options of drop-down fields might mistakenly not be able to be read by the screen reader. (Ticket #237629)

Version 14.6.3 (released August 22, 2024)

Changes/Improvements

  • Improvement: Slight change in the Database Query Tool’s “show more” link’s behavior to improve performance after being clicked on a page with large column values.

  • Change: After completing a survey, the “Close survey” button is now displayed below the Survey Completion Text so that it is no longer the first thing that participants see on the page.

  • Change: Background Data Imports would automatically be halted if they took more than 24 hours to complete. This limit has been increased to 48 hours to allow some very large imports more time to import all their data.

Bug Fixes

  • Bug fix: Deleting fields via the Online Designer for projects with several hundred fields might cause the page to hang for unacceptable amounts of time.

  • Bug fix: HTML “abbr” tags were mistakenly disallowed as an allowed tag that users can use in field labels, survey instructions, and other user input. Bug emerged in REDCap 14.5.4 Standard and 14.5.5 LTS.

  • Bug fix: Horizontally-aligned enhanced radios/checkboxes on surveys that do not have a question number column would mistakenly not be spaced out properly with some space between each horizontal choice.

  • Bug fix: If a Notes field has both the RICHTEXT and READONLY action tag at the same time, the “Source code” button in the toolbar of the rich text editor would still be clickable and could be used to modify the field’s value, which should not be allowed in this situation. (Ticket #237348b)

  • Bug fix: If editing a matrix of fields, in which one of the fields has its variable name changed, that field’s branching logic would mistakenly be erased when saving the changes to the matrix. (Ticket #236685)

  • Bug fix: Some CDIS-related text on the Edit Project Settings page was mistakenly not translatable via language INI files. (Ticket #238036)

  • Bug fix: Some EM Framework related language text that stems from translated INI language files might mistakenly not appear as translated on the page in certain places. (Ticket #238038)

  • Bug fix: The Upgrade page’s link to the REDCap ChangeLog on the REDCap Community website was outdated. (Ticket #237664)

  • Bug fix: When attempting to upload the Survey Queue via a CSV file when using certain browsers, such as Firefox, the upload process might mistakenly fail with an unknown error. (Ticket #233684)

  • Bug fix: When executing Data Quality rules in certain browsers and operating systems (e.g., Firefox on Linux), the “export

    • view” links to export and view the DQ results might mistakenly not be visible on the page.
  • Bug fix: When using Multi-Language Management while the Secondary Unique Field is enabled, the duplicate value message might not be translated via MLM when the secondary unique check is triggered by pre-filling a field from a URL parameter. (Ticket #237182)

  • Bug fix: When using the EHR Launch for Clinical Data Pull in CDIS, there could be possible compatibility issues, resulting in an HTTP 401 error, when using certain external authentication methods. (Ticket #237765)

  • Various changes to the External Module Framework, including: 1) Added the $module->getDataClassical() method, 2) Updated the $module->createProject() function to select the smallest data & log tables for new projects, and 3) External Module “every page” hooks no longer execute by default on authenticated pages when users are not logged in. Modules can allow them to execute in this case going forward by setting enable-every-page-hooks-on-system-pages to true in config.json.

Version 14.6.2 (released August 15, 2024)

New Features

  • New feature: Clinical Data Pull Dashboard - New admin-only page that appears on the left-hand menu in CDP projects. Key features:
    • Queueing and Fetching: The dashboard outlines the cron job processes for queueing records based on specific criteria and fetching queued data for caching and further review.
    • Manual Queueing: Users have the ability to manually mark non-queueable records as QUEUED, forcing their data to be fetched during the next data fetching cycle.
    • Cached Data Page: A dedicated “Cached” page allows users to view and decrypt detailed information for each record and field, including timestamps, to ensure data accuracy and timeliness.
    • Administrator Access: A link to the Dashboard is available exclusively for administrators in the “Clinical Data Interoperability Services” or “Clinical Data Pull” panels.

Changes/Improvements

  • Improvement/change: Optimization for the Background Data Import process for importing records faster for very large projects (e.g., >100K records). (Ticket #237549)

  • Improvement: If MySQL/MariaDB clustering or replication is implemented on your REDCap database server, in which it might be required that every database table has an auto-incremented Primary Key, the Configuration Check (at the bottom of the page) will auto-generate and display all the SQL needed to add auto-incrementing Primary Keys to all REDCap database tables that currently do not have them. (Ticket #236440)

  • Improvement: On the Security & Authentication page, administrators using “OpenID Connect” or “OpenID Connect & Table-based” authentication can now optionally set a custom logout URL to direct users to after logging out of the application. (Ticket #143391)

Bug Fixes

  • Bug fix: A missing LOINC code was added to the CDIS mapping features.

  • Bug fix: For certain MySQL/MariaDB configurations, the upgrade SQL script might mistakenly fail when upgrading from pre-14.1.1 to any post-14.1.1 version. The upgrade script has been updated for more compatibility to prevent this issue going forward.

  • Bug fix: HTML “input” tags were mistakenly disallowed as an allowed tag that users can use in field labels, survey instructions, and other user input. Bug emerged in REDCap 14.5.4 Standard and 14.5.5 LTS. (Ticket #237448)

  • Bug fix: If a Notes field has both the @richtext and @readonly action tag at the same time, the field would mistakenly not be displayed as a rich text editor but as a regular textarea field, which would contain visible HTML tags inside it if the field already has a value. (Ticket #237348)

  • Bug fix: In the Online Designer, when editing a CALCTEXT field whose calculation contains references to fields with “:value” appended - e.g., [field:value], normal users might never be able to successfully edit the field to change its CALCTEXT syntax. Note: Administrators are able to modify the field though. This issue was caused by the [field:value] syntax, which is not necessary since fields should be referenced simply as [field] in logic and calculations. Going forward, using the [field:value] notation, which is technically not incorrect, will no longer cause the Edit Field popup to hang when saving a field in the Online Designer. (Ticket #236945)

  • Bug fix: Some PHP 8 specific errors might occur on the MLM setup page in projects that do not have MyCap enabled.

  • Bug fix: When deleting an entire record via the Bulk Record Delete feature in a project where the “Require a reason when making changes to existing records” setting is enabled, an error would always be returned saying “Reason for change was not provided” instead of deleting the record. That should not occur except when doing a partial delete of records. (Ticket #237499)

  • Bug fix: When using LDAP authentication with PHP 8, an LDAP user that logs in with an incorrect password might mistakenly result in a fatal PHP error during the login process. (Ticket #237359)

  • Bug fix: When using both MyCap and Multi-Language Management in a project, the MLM setup page (inside the “MyCap help” popup and “add/edit language” popup) was mistakenly not displaying the list of available language codes currently supported by the MyCap mobile app.

  • Bug fix: When using both MyCap and Multi-Language Management in a project, the MLM setup page would mistakenly display a “MyCap” tab under the User Interface section. That tab was not meant to be added since it cannot be used yet.

  • Bug fix: When using the EHR Launch for Clinical Data Pull in CDIS, there could be possible compatibility issues when using Internet Explorer as the default browser in the EHR.

  • Bug fix: When using the EHR Launch for Clinical Data Pull in CDIS, there could be possible compatibility issues when using certain external authentication methods.

  • Bug fix: When using the READONLY action tag on the Secondary Unique Field on a survey that has the SUF prefilled via URL variables, the field would mistakenly be editable and not read-only. Note: This occurs only on the SUF when viewed specifically in survey mode, and only when prefilling is being performed. (Ticket #237623)

Version 14.6.1 (released August 08, 2024)

Bug Fixes

  • Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a specific API parameter’s value that is used in a specific API method. This vulnerability can be exploited only by users with a valid API token. Bug exists in all REDCap versions.

  • Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into any user input that is then output on a page in REDCap (e.g., field labels, survey instructions, data displayed on a report). This vulnerability can be exploited by authenticated users and also by survey participants entering data. Bug exists in all REDCap versions.

  • Major bug fix: If Multi-Language Management is enabled on a project, the datepicker for date/datetime fields would mistakenly appear in right-to-left mode all the time. Bug emerged in 14.5.4 Standard and 14.5.5 LTS.

  • Bug fix: In some situations, the record name and “upcoming calendar events” button that appears above the table on the Record Home Page might mistakenly appear too narrow on the page. (Ticket #236702)

  • Bug fix: In very specific situations, a user exporting the data for a report might mistakenly fail with a PHP error when using PHP 8. (Ticket #236555)

  • Bug fix: When a user is performing a “partial delete” of instrument data on the Bulk Record Delete page, in which randomization is enabled in the project and the record being partially deleted has already been randomized, if the randomization field or strata fields exist on the instrument being deleted, those values would mistakenly get deleted. Once a record has been randomized, it should not be possible to delete values for the randomization field and strata fields. In this situation going forward, the instrument data will not be deleted for the selected records on the Bulk Record Delete page.

  • Bug fix: When upgrading from a version of REDCap below 14.5.0, in some specific situations the upgrade might fail due to an SQL error. (Ticket #236740)

  • Bug fix: When using Clinical Data Pull for CDIS, the auto-adjudication interface would be incorrectly displayed on the record dashboard after disabling CDP in the project or at the system level.

  • Bug fix: When using MyCap together with Multi-Language Management, the “Notification Settings” tab was mistakenly not appearing in the correct location on the MyCap setup page.

  • Bug fix: When using MyCap together with Multi-Language Management, the “version” attribute and list of languages in the MyCap config JSON (that is consumed by the MyCap mobile app) was mistakenly not getting updated automatically whenever a user clicks on the “Save” button on the MLM setup page.

Version 14.6.0 (released August 01, 2024)

New Features

  • New feature: Bulk Record Delete
    • Users may use the Bulk Record Delete page to delete multiple records from the project or alternatively to delete data for multiple instruments across multiple records. To perform either of those two actions, a user must have “Delete Records” privileges, and for the partial delete option, a user must additionally have “View & Edit” instrument-level privileges for the instrument that they select.
    • The Bulk Record Delete page can be accessed from two different locations in a project: 1) On the Other Functionality page, and 2) On the Record Status Dashboard via the new Multi-Record Actions dropdown.
    • If the project has the GDPR-related feature “Delete a record’s logging activity when deleting the record?” enabled in the project, the user will be prompted with a checkbox to additionally delete the record’s logged events on the Logging page when deleting entire records.
    • If the “Require reason for change” option is enabled in the project, users will be prompted to enter a reason that will get logged when performing a partial delete of one or more instruments.
    • The Bulk Record Delete feature can be disabled for the whole system on the Modules/Services Configuration page in the Control Center, if desired. By default, this feature will be enabled.
    • Note: If a user is performing a partial delete, the instrument’s data cannot be deleted in the following situations: 1) If the form is locked, 2) If no users are allowed to modify survey responses (via the system-level setting) and the data of the selected instrument(s) is a survey response, 3) If the user does not have form-level rights to modify survey responses for the selected instrument(s) and the data of the selected instrument(s) is a completed survey response, or 4) If the selected instrument(s) is a completed e-Consent response and e-Consent responses are not allowed to be edited per the survey’s e-Consent settings.

Bug Fixes

  • Major bug fix: When using the Multi-language Management feature in the MyCap mobile app, some important task settings information might mistakenly not get pulled from the REDCap server into the MyCap app on the mobile device, thus resulting in text from the fallback language being used in the mobile app instead of the desired MLM language.

  • Bug fix: On the Configuration Check page, the External Service Check for Google reCAPTCHA API services might mistakenly return a false positive saying that the service can’t be reached when it actually can.

  • Bug fix: The Quick-Modify Fields feature would not allow users to copy branching logic when it was just added (or would allow users to copy it when it was just removed).

  • Bug fix: When using Form Display Logic, in which the “Hide forms that are disabled” checkbox is checked but no conditions are defined in the Form Display Logic setup dialog, the Record Home Page would mistakenly not display any instruments in the table for any records. (Ticket #236229)

  • Bug fix: When using Multi-Language Management, the “Save & Return Later” page might mistakenly not display the desired language for the participant. (Ticket #236220)

  • Bug fix: When using a rich text consent form with the e-Consent Framework, the consent form text might all be mistakenly bolded when being viewed on the survey page. (Ticket #236369)

Version 14.5.4 (released July 30, 2024)

Changes/Improvements

  • Improvement: Multi-Language Management can now be utilized by MyCap. Users will see a new “MyCap” tab on the MLM setup page, which will allow them to translate their custom MyCap elements that will appear to participants in the MyCap Mobile App. Participants will be given the choice to use any of the project’s MLM languages after opening and viewing the MyCap Mobile App.

  • Improvement: REDCap now supports the “s” HTML tag for strikethrough (note: the “strike” HTML tag was already supported).

  • Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).

  • Improvement: The “strikethrough” styling button has been added to the toolbar in the rich text editor in all the places where the editor is used.

  • Improvement: When using MyCap in a project, users can now customize the notification time (default 8:00AM) for MyCap notifications to participants using the MyCap mobile app.

  • Change/improvement: If a custom primary key field has been added to any given REDCap database table that does not have an auto-incrementing field that serves as the primary key, the “database structure is incorrect” warning in the Control Center will no longer recommend that this extra field (and its key) be deleted. This should help institutions where their local IT support is recommending or forcing them to add primary keys to all REDCap database tables (for various reasons).

Bug Fixes

  • Major bug fix: When editing a user’s privileges on the User Rights page, it would not be possible to grant a user access to the File Repository, despite checking the checkbox for it. Additionally, if any user previously had File Repository privileges and then another privilege was modified for the user on the User Rights page (excluding CSV imports and API imports), it would mistakenly remove their File Repository privileges. Bug emerged in REDCap 14.5.2.

  • Bug fix: A JavaScript error might occur on some MyCap pages if using a non-English language for the project.

  • Bug fix: A duplicated language string in English.ini might cause an incorrect phrase to be displayed on the upgrade page. (Ticket #235989)

  • Bug fix: If the REDCap Base URL contains a port number, logging out of REDCap might mistakenly send the user to an incorrect URL that does not contain the port, thus resulting in an error. (Ticket #236221)

  • Bug fix: The user interface for the date/time picker for date-validated and datetime-validated fields was mistakenly not translatable via Multi-Language Management. (Ticket #236211)

  • Bug fix: When uploading an attachment file in the Edit Alerts dialog on the Alerts & Notifications page, the error message might not always be correct in all cases.

Version 14.5.3 (released July 25, 2024)

Changes/Improvements

  • Improvement: More user experience improvements for the Online Designer, including a new dismissible popup that alerts the user about the new “drag-n-drop” behavior for moving fields in the Online Designer. Additionally, users can now limit the deactivation/reactivation to certain action tags in the Quick Modify Field(s) popup. In previous versions, users could only deactivate/reactivate all action tags for the selected fields, but now users may provide specific actions tags that will be deactivated/reactivated.

  • Change/improvement: The internal service check on the Configuration Check page that checks the main REDCap survey end-point now works even when the REDCap system is set as “Offline”.

  • Change: REDCap has been verified to be fully compatible with PHP 8.3.

Bug Fixes

  • Bug fix: If a project is in Production status and currently in Draft Mode, and then a user moves the project to Analysis/Cleanup status, the Online Designer would mistakenly still be accessible when it should instead display the message “Note: This page can only be accessed when the project is in Development or Production status”. (Ticket #235798)

  • Bug fix: If a user manipulates some of the URL parameters on the Calendar page so that the parameter’s value is in scientific notation format instead of an integer, it would cause the page to crash with a fatal PHP error.

  • Bug fix: Rapid Retrieval caching on Windows servers might mistakenly cause cache files to be invalidated/deleted prematurely, thus negating the positive benefits of the Rapid Retrieval feature. This has been fixed, in which it appears to have affected only Windows web servers. (Ticket #235297)

  • Bug fix: When a PDF Snapshot trigger has been defined, in which the snapshot’s scope includes an instrument that has the e-Consent Framework enabled and the snapshot is set to be stored in the File Repository, if a user has marked that e-Consent instrument’s Form Status as “Complete” on a data entry form without having completed the instrument as an e-Consent survey, the “PDF utilized e-Consent Framework” icon would mistakenly be displayed for the snapshot in the PDF Snapshot Archive table in the File Repository. That icon should only appear when the snapshot contains a completed e-Consent response that was completed as a survey. Note: This will not fix the issue retroactively for already-stored snapshots, but it will prevent the issue going forward. Bug emerged in REDCap 14.5.0.

  • Bug fix: When a participant is taking a survey as an SMS conversation using Twilio/Mosio, in which branching logic is used on some fields, in very specific situations those fields might mistakenly get skipped when they should not be skipped. (Ticket #235586)

  • Bug fix: When upgrading from a version of REDCap below 14.5.0, in some specific situations the upgrade might fail due to an SQL error. (Ticket #235758)

  • Bug fix: When using “OpenID Connect” or “OpenID Connect & Table-based” authentication, the user might not get correctly logged out of REDCap for some configurations. (Ticket #235539)

  • Bug fix: When using the Field Bank in the Online Designer to search for fields, it might mistakenly show answer choices that say “Login to see the value.” for specific items. (Ticket #228217b)

Version 14.5.2 (released July 18, 2024)

Changes/Improvements

  • Change/improvement: Small change in JavaScript to improve loading speed and calculation speed on data entry forms and survey pages. (Ticket #235138)

  • Change/improvement: Small change in JavaScript to improve loading speed slightly on data entry forms and survey pages in specific situations. (Ticket #235136)

  • Change/improvement: When a user moves a project to production and they opt to delete all records during the process, this is now specifically denoted on the Logging page, which will now list the logged event as “Move project to Production status (delete all records)”.

Bug Fixes

  • Major bug fix: If upgrading from REDCap 14.5.0 or 14.5.1, the upgrade script for upgrading to 14.5.0 or 14.5.1 from an earlier version would have not properly converted the “Save a PDF of completed survey response to a File Upload field” survey setting into its equivalent PDF Snapshot format for 14.5.X if the survey had neither the e-Consent Framework enabled nor the PDF Auto-Archiver enabled. This incorrect conversion would mistakenly cause a PDF Snapshot of the entire record (i.e., snapshot scope=“all instruments”) to be stored to the File Upload field rather than a PDF Snapshot of only the current survey/event/instance (i.e., snapshot scope=“single survey response”). Upgrading to 14.5.2 and higher will fix this issue so that surveys in those specific situations will only save the current survey response to the File Upload field, as it did in pre-14.5.0 versions.

  • Major bug fix: When Data Access Groups are utilized in a project, especially when the DAG Switcher is being actively used, it is possible in specific scenarios that a user assigned to a DAG might mistakenly be able to see logged events on the Logging page for records in another DAG. For example, this could happen if a user created/modified a record for one DAG, and then switched to another DAG, a user in the second DAG would mistakenly be able to view logged events for the record in the first DAG merely due to the fact that the first user created/modified that record. (Ticket #235432)

  • Bug fix: In some cases when inline PDFs are attached to Descriptive fields, and a user downloads the PDF of the instrument, if the iMagick PHP extension is installed on the web server, there would mistakenly be a blank page following the inline PDFs in the resulting REDCap-generated PDF of the instrument. Bug emerged in REDCap 14.5.0 Standard. (Ticket #222014b)

  • Bug fix: Messages in REDCap Messenger that contain HTML hyperlinks might mistakenly get mangled and not display as a hyperlink correctly in a Messenger conversation.

  • Bug fix: The BioPortal Ontology Service recently began returning data in a slightly unexpected format from its web service, thus causing all BioPortal fields on surveys and data entry forms not to work any longer. (Ticket #235501)

  • Bug fix: When deleting a file from the File Repository via the API, it would mistakenly require that the user have “Delete Record” privileges, which are not required for this API method. (Ticket #235363)

  • Bug fix: When upgrading from a version of REDCap below 14.5.0, in some specific situations the upgrade might fail due to an SQL error. (Ticket #235260)

  • Bug fix: When users attempt to view the “General Notifications” or “System Notifications” threads in REDCap Messenger, those threads would mistakenly not open for normal users but would only open for REDCap administrators. Bug emerged in REDCap 14.0.33 LTS and 14.4.1 Standard.

  • Bug fix: When using Custom Mappings for fields in CDIS projects, the Custom Mappings might mistakenly not get prioritized and thus might get overridden by the default mappings in REDCap.

  • Various updates and fixes for the External Module Framework, including 1) Fixed a bug preventing $module->getChoiceLabel() from correctly matching integer values, 2) Displayed a warning when a development copy of the External Module Framework is installed & out of date, and 3) Misc. security scan improvements.

Version 14.5.1 (released July 15, 2024)

Changes/Improvements

  • Improvement: In the “Move Field” dialog in the Online Designer, the user may now choose “Insert at top of this form” or (if the field is part of a matrix) “Insert at the top of the matrix group” from the field drop-down.

  • Change: Added 2 new data tables and 3 new log_event tables to help long-term performance going forward.

Bug Fixes

  • Major bug fix: Some specific external authentication methods, such as Shibboleth and possibly AAF, might no longer work and might result in a fatal PHP error. Bug emerged in the previous version. (Ticket #235223, #235211)

  • Bug fix: During the check to ensure that all non-versioned files are accounted for, in some specific situations the process might mistakenly fail with a fatal PHP error when using PHP 8. (Ticket #234877)

  • Bug fix: The table displayed in the PDF Snapshot Re-Trigger dialog on data entry forms would mistakenly be missing a column header. (Ticket #235190)

  • Bug fix: When using Entra ID (formerly Azure AD), OpenID Connect, or the “X & Table-based” version of either of those for authentication in REDCap, a user’s original location (their URL before logging in) would mistakenly not be preserved after having authenticated, and in some cases the logout process might not function 100% correctly, thus redirecting the user to a URL ending with “?logout=1” or sometimes a more generic URL of the REDCap installation, rather than the exact URL when they logged out. (Ticket #217736, #234817)

Version 14.5.0 (released July 11, 2024)

New Features

  • New features: Enhanced e-Consent Framework and PDF Snapshot Functionality
    • Overview - A new page named “Settings for e-Consent & PDF Snapshots” (linked from the Online Designer) serves as the new location where users can enable and set up the e-Consent Framework for a given survey and also set up triggers for storing PDF Snapshots. In previous versions, the e-Consent Framework and PDF Snapshot settings all existed on the Survey Settings page as several disparate options, but now they have been consolidated on this new page as two separate tabs. While these two exist as separate features, there is some overlap of functionality since the e-Consent Framework does ultimately store a copy of the PDF Snapshot for the e-Consent response. In addition to moving these features to the new page, both have been given enhancements, which are detailed below. View a 5-minute overview video of the new features: https://redcap.link/econsent2vid
    • Overall Benefits of the New Features - Streamlined Consent Process: Simplify and enhance the electronic consent process for both researchers and participants. Improved Data Integrity: Ensure secure and organized storage of consent forms and survey responses. Enhanced Compliance: Meet regulatory standards such as ICH and FDA requirements with robust version control and audit trails.

Changes/Improvements

  • Improved PDF Snapshot Functionality: Audit Trails: Improved, detailed audit trails for consent form completions and PDF snapshot generations.

  • Improved PDF Snapshot Functionality: Automatic Saving: Save PDF copies of survey responses (i.e., snapshots) to the project’s File Repository or to specified File Upload fields. In previous versions, this would have been set up using separate features on the Survey Settings page, but now they can be set up as specific settings of a PDF Snapshot trigger.

  • Improved PDF Snapshot Functionality: Custom Logic-based Triggers: Create custom triggers for generating PDF snapshots based on specific conditions using conditional logic. Whenever data is being saved for a record (on a survey, form, API, data import, etc.), if the logic of the snapshot trigger evaluates as True, then a PDF snapshot will be saved to whatever location is specified. Note: Logic-based triggers can only be triggered once per record, whereas survey-completion-based triggers (including e-Consent surveys) will store a new snapshot every time the survey is completed (because surveys may possibly be completed multiple times if certain Survey Settings are defined).

  • Improved PDF Snapshot Functionality: File Naming Customization: Customize the file names of PDF snapshots using static text or piping, appended with date-time stamps.

  • Improved PDF Snapshot Functionality: Note: Non-e-Consent PDF Snapshot triggers will always store the PDF in the default MLM language, but an e-Consent PDF Snapshot trigger will always store the snapshot in the participant’s chosen language.

  • Improved PDF Snapshot Functionality: Snapshot Re-triggering: Perform re-triggering of PDF Snapshots while on a data entry form. If the user has “View & Edit” Data View privileges on the current instrument, they will see a “Trigger Snapshots'' link in the button box at the top-left of the page. This will allow them to trigger or re-trigger any given PDF snapshot (although “survey completion” snapshot triggers specifically require that the survey be completed first). Additionally, for logic-based triggers, the logic does not have to currently be True in order to trigger/re-trigger it.

  • Improved PDF Snapshot Functionality: Snapshot Scope: The “scope” of the snapshot must be defined when creating a new snapshot trigger. The scope refers to the data content inside the PDF, i.e., which instruments are included in the snapshot (a single instrument, multiple instruments, or all instruments/events). Note: The PDF snapshot created by completing an e-Consent survey will only ever include just that single survey response. But for non-e-Consent snapshots, users may define the scope of the snapshot.

  • Improved PDF Snapshot Functionality: Support for Multi-Form Consents: Combine multiple forms and/or signatures into a single PDF snapshot. Define a PDF snapshot that contains multiple instruments in order to potentially capture multiple signatures, and then store the snapshot in the File Repository or a File Upload field.

  • Improved PDF Snapshot Functionality: Vault Storage Integration: If using the system-level feature “e-Consent Framework: PDF External Storage Settings (for all projects)”, all PDF snapshots generated via completed e-Consent surveys will automatically be stored on the external server (i.e., “The Vault”). This feature existed in previous versions and continues to function in the same way. Noted new feature: If a multi-instrument PDF snapshot is being stored in the File Repository, in which it contains at least one completed e-Consent survey response, that snapshot will automatically be stored in the Vault. However, a project-level setting named “Store non-e-Consent governed PDF Snapshots on the External Storage server if the snapshot contains a completed e-Consent response” exists on the “Edit Project Settings” page that is set to Yes/Enabled by default, in which it can be disabled if the REDCap administrator wants only e-Consent governed PDF snapshots to be stored in the Vault and thus not store multi-instrument snapshots that happen to contain an e-Consent response in the Vault.

  • Improvement/bug fix: A new project-level setting “Hide closed/verified data queries from Data Quality results” has been added that can be used with the Data Resolution Workflow. This setting defaults to an Enabled/Checked value, and it can be changed in the DRW/Field Comment Log section of the Additional Customizations dialog on the Project Setup page. If users prefer for closed and/or verified data queries in the DRW to always be visible in results on the Data Quality page, they can uncheck this new setting in the project. NOTE: Beginning in 14.3.13 through (and including) 14.4.1, a mistake was introduced regarding a change in the behavior of closed/verified data queries, in which they were no longer automatically hidden from Data Quality results (whereas in previous versions they were always hidden). That change was a mistake and thus was a bug, which is now fixed here by reverting the default behavior back to its pre-14.3.13 behavior and also by the addition of this new setting that allows users to have both behaviors (i.e., to either hide or show closed/verified data queries from Data Quality results). The default behavior of this setting is the same as the behavior prior to REDCap 14.3.13.

  • Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).

  • Improvements to the Online Designer General user interface improvement that utilizes newer icons. New “Go to field” feature (invoked via Ctrl-G or Cmd-G) allows users to search for a variable by name and then navigate directly to its location in the Online Designer, even if the field is on a different instrument than the current one. Improved and expanded “Quick modify field(s)” popup will appear when users Ctrl-click (or Cmd-click) one or more fields or check the new checkboxes located on the far right of each field. Additions to this popup include the ability to edit the following for multiple fields: branching logic, action tags/field annotation, custom alignment, required status, identifier status, and multiple choice options (including the ability to copy choices - with new choice of location for copied fields, import choices from an existing field, convert a field to a different multiple choice field, and also append new choices using a full-blown choice editor). NOTE: When updating actions tags for one or more fields via the “Quick modify field(s)” popup, there is a new action tag named @DEACTIVATED-ACTION-TAGS that is only used in the Online Designer for the purpose of deactivating (and thus possibly reactivating) action tags. The difference between deactivating action tags and removing action tags from fields is that deactivating them leaves the action tags in a state/format so that they can be easily reactivated later, whereas removing action tags would make it very difficult to restore the action tags of many fields having many different action tags. For example, if a field has the @HIDDEN action tag and is then deactivated, its field annotation will then appear as the following: @DEACTIVATED-ACTION-TAGS @.OFF.HIDDEN, and if reactivated, it will go back to @HIDDEN again. The “Quick modify field(s)” popup also includes an additional, large selector popup to allow users to select many fields on the current instrument that match certain criteria by clicking one or more icons (e.g., clicking the slider icon and then clicking the “add new selections” button will automatically select all slider fields on the page to use for the “Quick modify field(s)” popup). This makes it easy to select many fields on the page very quickly when they all match a certain criteria (i.e., field type, field validation). Change: The drag-field feature to “drag-n-drop” a field to a new location on the instrument now operates differently. Inside of clicking and holding anywhere on a field, the user must now click and hold specifically on the Move icon for the given field in order to ready the field for being moved.

  • Change/improvement: The Configuration Check page now checks to ensure that the MySQL-specific setting “Generated Invisible Primary Key” (GIPK) is disabled. GIPK was introduced in MySQL 8.0.30. If enabled on the MySQL server, a warning will appear on the page telling the admin how to disable it since GIPK is not compatible with REDCap.

  • Change: In a MyCap-enabled project, if users switch from classic mode (i.e., non-longitudinal) to longitudinal data collection mode or from longitudinal to classic (via the setting at the top of the Project Setup page), the MyCap task settings and Active task formats will no longer be erased in the project when changing that setting. In previous versions, all MyCap task settings and Active task formats would be completely erased in the project when moving to/from longitudinal mode.

  • Enhanced e-Consent Framework: Audit Trails: Improved, detailed audit trails for consent form completions and PDF snapshot generations.

  • Enhanced e-Consent Framework: Change/improvement: When a user views a completed/signed e-Consent response on a data entry form, in which a consent form was used on the survey, near the top of the page will be displayed the version of the consent form that was used. Also, the consent form itself (i.e., the inline PDF or rich text) displayed on the page will always be the consent form under which the participant originally consented. For example, if a participant consented using consent form v2.0, then even though a new consent form (v3.0) has been added to the project at some point afterward, the data entry form for that participant’s response will always display consent form v2.0 so that the user will always see the survey response and its consent form exactly as the participant originally viewed it.

  • Enhanced e-Consent Framework: Change/improvement: When reviewing draft mode changes, if a consent form’s anchor Descriptive field is deleted or moved to another instrument, it now gets listed as a critical issue in the list of drafted changes.

  • Enhanced e-Consent Framework: Change/improvement: When using MLM together with the e-Consent Framework, downloading an instrument PDF of a completed e-Consent survey response (or if the e-Consent survey response is included in a generated PDF that contains non-e-Consent instruments), the e-Consent survey response itself in the PDF will always be rendered in the language in which the participant originally consented.

  • Enhanced e-Consent Framework: Custom Headers and Footers: Add custom headers and footers to PDF snapshots created via the e-Consent Framework, including the use of text fields, smart variables, and piping.

  • Enhanced e-Consent Framework: Custom Notes: An optional custom notes field can be utilized for each e-Consent survey for bookkeeping purposes. The custom notes are neither displayed on the survey nor anywhere else in the application.

  • Enhanced e-Consent Framework: Customizable Consent Forms with Version Control: Design consent forms and manage new versions of consent forms while maintaining historical versions for audit purposes. During the setup process for consent forms, their location can be set in relation to a single Descriptive field on the survey. A consent form can exist as an inline PDF or as rich text. A consent form can be associated with a specific MLM language and/or a Data Access Group if the project users wish to have the consent form be used for a specific language (chosen by the participant) and/or DAG (to which the record has been assigned). This allows for language-specific consent forms and DAG-specific consent forms, if needed.

  • Enhanced e-Consent Framework: File Naming Customization: Customize the file names of PDF snapshots for e-Consent responses using static text or piping, appended with date-time stamps.

Bug Fixes

  • Bug fix: If conditional logic, branching logic, or calculations are being evaluated by server-side processes when submitting a survey page (e.g., alerts, ASIs), in which the logic/calc contains one or more [aggregate-X] Smart Variables, the logic/calc might mistakenly not get evaluated correctly and thus might behave unexpectedly. (Ticket #233984)

  • Bug fix: In a MyCap-enabled project that is in production status, if a user rejects their current drafted changes, any forms added while in draft mode would appropriately be deleted from the drafted changes; however any MyCap tasks created for those drafted forms would mistakenly remain in the backend database, which could then cause issues later.

  • Bug fix: In a MyCap-enabled project, MyCap Task schedules would mistakenly not copy over when using the Project XML of a classic/non-longitudinal project to create a new project.

  • Bug fix: In a MyCap-enabled project, the “Days Offset” value of an event would not automatically populate on the Task Setup page for longitudinal projects.

  • Bug fix: The “MyCap participants that have joined a project” count on the System Statistics page mistakenly included participants from practice projects.

  • Bug fix: The MyCap Participant Management page mistakenly displays all participants when there are no records in the user’s DAG. (Ticket #233473)

  • Bug fix: The email sent to the survey participant after clicking the “Save & Return Later” button on a survey might mistakenly appear to be missing the main survey link back to the survey if the survey has no survey title defined (i.e., the title was left blank). (Ticket #234831)

  • Bug fix: Various user interface elements, such as Bootstrap-style drop-down lists and certain buttons/links, might mistakenly appear with a larger or smaller font than intended. Bug emerged in the previous version.

  • Bug fix: When enabling a new instrument for MyCap, the task status defaults to “Not Active”.

  • Bug fix: When exporting the results of a Data Quality rule in a project that does not have any Data Access Groups, the resulting CSV file might mistakenly not contain any results but would be empty. Bug emerged in REDCap 14.3.13 (Standard).

  • Bug fix: When exporting the results of a Data Quality rule that returns more than 10,000 discrepancies, the resulting CSV file would mistakenly only include 10,000 results instead of all the results. (Ticket #229449b)

  • Bug fix: When fields in a calculated field are being added together using plus signs (e.g., [field1] [field2]), as opposed to using the “sum” function, the field values might mistakenly get concatenated/joined together as text instead of being added together mathematically. Bug emerged in REDCap 14.0.32 LTS and 14.4.0 Standard Release. (Ticket #234858)

  • Bug fix: When performing piping in a repeating instance context, the wrong repeating instance might mistakenly be assumed in certain situations when no data is saved yet. (Ticket #234557)

  • Bug fix: When using an “X & Table-based” authentication, and a Table-based user clicks the “Reset password” button on their Profile page, it might mistakenly not actually trigger the password reset process. (Ticket #234884)

  • Bug fix: When viewing the “View Task Details (all)” dialog in the Online Designer for MyCap-enabled projects, “Invalid Format” would mistakenly be displayed for MyCap tasks created from PROMIS measures.

  • New action tag @CONSENT-VERSION: This action tag represents the version of the consent form being used by the e-Consent Framework for the current e-Consent survey context (i.e., current record, event, survey, data access group, MLM language, etc.). NOTE: This action tag only adds a new value to the field when its field value is blank and only when the instrument is being completed in an e-Consent survey context. Also, this action tag can only be used if the e-Consent Framework has been enabled for a survey and only if one or more consent forms have been defined for that survey.

Version 14.4.1 (released July 03, 2024)

Changes/Improvements

  • Change/improvement: Stats for Mobile Toolbox (MTB) tasks and MyCap tasks created from PROMIS measures were added to the System Statistics page in the Control Center.

Bug Fixes

  • Medium security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into the contents of a file that is uploaded via the API and then downloaded via the API using various file import/export API methods. This vulnerability can be exploited only by users that possess a REDCap API token. Bug exists in all REDCap versions.

  • Medium security fixes: Several access control vulnerabilities were discovered in REDCap Messenger in which a malicious user could potentially exploit them by sending specially crafted HTTP requests that would allow them to perform the following actions: read and export any conversation in the system, add a message to any conversation, add themselves as a conversation leader on any conversation, upload a file to any conversation, and export a list of all users of a conversation. Bug exists in REDCap 7.4.0 and later.

  • Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into any user input that is then output on a page in REDCap (e.g., field labels, survey instructions, data displayed on a report). This vulnerability can be exploited by authenticated users and also by survey participants entering data. Bug exists in all REDCap versions.

  • Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into the record name when creating a new Calendar event on the Calendar page, specifically in the Calendar popup. This vulnerability can be exploited by authenticated users only. Bug exists in all REDCap versions.

  • Bug fix: A fatal PHP 8 error might occur in a specific situation when a participant is taking an adaptive or auto-scoring instrument (i.e., a PROMIS assessment) from the REDCap Shared Library. (Ticket #234346)

  • Bug fix: Some PHP errors might mistakenly occur when using Azure Blob Storage when performing certain tasks. (Ticket #234248)

  • Bug fix: When a field is embedded in a checkbox or radio field’s choice label while that checkbox/radio field is also piped somewhere on the current page, the value of the embedded field might mistakenly not get saved correctly when a user modifies it and saves the page. (Ticket #233917b)

  • Bug fix: When a participant is attempting to enter data for a biomedical ontology field while on a survey page, the ontology field would not function correctly and would not fetch any values from the BioPortal web service. This issue occurs on survey pages only. Bug emerged in the previous version.

  • Bug fix: When taking a survey, malicious survey participants could possibly alter the “start time” of their response by carefully manipulating hidden elements on the first page of a survey. Note: This does not affect the security of the survey but might affect data quality.

  • Bug fix: When using Clinical Data Pull for CDIS, a JavaScript error might occur when adding a patient to a project in the “Launch from EHR” process, thus preventing the patient from being added. (Ticket #234249)

  • Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with certain newer area codes, including 787 and 939. (Ticket #234300)

  • Bug fix: When viewing a public report that contains the record ID field, if the Secondary Unique Field has been defined in the project and has also been tagged as an identifier field, then the public report would mistakenly not display and would output an error message even if the setting “Display the value of the Secondary Unique Field next to each record name displayed?” is disabled. (Ticket #234403)

Version 14.4.0 (released June 27, 2024)

New Features

  • New feature: Background Data Import option for the API - Similar to using the Background Data Import on the Data Import Tool page, users may now utilize the feature when making a call to the Import Records API method. They can simply pass the API parameter “backgroundProcess” with a value of 1 (for Yes) or 0 (for No, which is the default) to invoke this option. The API will return a “success” message with “true” or “false” regarding if the data was successfully accepted. Note: This option works with any data format: CSV, JSON, or XML.

Changes/Improvements

  • Improvement: “Survey Notifications” and “Survey Confirmation Emails” were added as new filter options to the “Type” drop-down filter on the Email Logging page. Note: This change is not retroactive, meaning that any survey notification emails or confirmation emails that were sent prior to the upgrade to REDCap 14.4.0 will not show up when filtering by these new options but will instead only show up when Type is set to “all types”.

  • Improvement: The Email Logging page now has its own separate user privilege. Previously, only users with “User Rights” privileges could access the Email Logging page. Now, users must explicitly be given “Email Logging” privileges in order to access the Email Logging page. Note: During the upgrade to REDCap 14.4.0 or higher, any users with “User Rights” privileges will automatically be given “Email Logging” privileges in order to keep continuity with their current access to the Email Logging page.

  • Improvement: When using Multi-Language Management, the Twilio/Mosio text messaging text (“To begin the survey, visit [link]” and voice call text (“To begin the phone survey, call [phone]” are now available for translation on the MLM setup page. (Ticket #233030)

  • Change/improvement: The Data Access Group page in a project might be very slow to load in certain circumstances where many records exist in the project. (Ticket #233650)

  • Change/improvement: The email that administrators receive when a user submits an API token request now contains the user’s email address in the email body. Previously, the email body only contained the username and first/last name of the requestor. (Ticket #233507)

  • Change: The button text was changed from “Cancel import” to “Halt import” for greater clarity for Background Data Imports that are still processing on the Data Import Tool page.

Bug Fixes

  • Bug fix: A rare issue might occur when non-checkbox fields from a repeating instrument or repeating event are referenced inside branching logic or calculated fields. (Ticket #233509)

  • Bug fix: Embedded fields might mistakenly get hidden when also piped on the same form under very specific circumstances. (Ticket #233917)

  • Bug fix: Fixed a bug preventing the External Module “View Logs” page from working on Google App Engine.

  • Bug fix: Fixed several PHP 8 related errors. (Ticket #233266)

  • Bug fix: If the Send-It feature has been disabled at the system level, the “Share” dialog for files stored in the File Repository would mistakenly still display an option to share the file using Send-It. (Ticket #233493)

  • Bug fix: In some very specific situations, a @CALCTEXT action tag that contains a plus sign (” “) character might produce an unexpected result. (Ticket #233189)

  • Bug fix: In specific scenarios when viewing MDY or DMY formatted date fields on a report, the date values might mistakenly appear mangled on the page. (Ticket #211780)

  • Bug fix: Resolved an issue with the link to the Mapping Helper in the CDIS panel menu. (Ticket #226611)Bug fix: When using Multi-Language Management, a text string shown in partial survey completion emails when there is no survey title was mistakenly not available for translation. (Ticket #233149)

  • Bug fix: The month and year drop-downs inside the datetime pickers for the “start time” and “end time” filters on the Logging page would not work and would mistakenly not change the start/end times after a new option was selected for those drop-downs. (Ticket #233815)

  • Bug fix: Under certain circumstances where quote characters are next to equal signs, CALCTEXT expressions might not be parsed correctly and thus might produce a JavaScript error. (Ticket #233927)

  • Bug fix: When a user has “read-only” data viewing access to an instrument that contains a biomedical ontology field, the ontology field would appear to be editable on the page, despite the fact that the user is not able to submit the page or modify the field’s saved value. (Ticket #233940)

  • Bug fix: When clicking the “Add new template” button on the Project Template page in the Control Center, the popup might time out and never be displayed if tens of thousands of projects exist in the system. To prevent this, an auto-complete drop-down will replace the regular drop-down when more than 5000 projects exist. (Ticket #233451)

  • Bug fix: When creating a new alert on the Alerts & Notifications page, in which the Twilio, Mosio, and Sendgrid services for alerts have been disabled at the system level, the “Email to send email-failure errors” setting would mistakenly not be displayed after clicking the “Show more options” link in the “Create new alert” dialog. (Ticket #233629)

  • Bug fix: When exporting the Participant List via CSV on the Participant List page, some columns might mistakenly have the wrong header labels in the CSV file. (Ticket #233958)

  • Bug fix: When modifying fields in the Online Designer, in which a field is embedded in the field label or notes of another field, the green box saying “Field is embedded elsewhere on page” might mistakenly not appear immediately after the field has been modified. (Ticket #233598)

  • Bug fix: When the HTML tags “iframe” or “embed” are added to any user input that is then output on a page in REDCap (e.g., field labels, survey instructions), any text or tags that occur after the iframe/embed tags would mistakenly be removed along with the iframe/embed tags themselves, thus truncating the text. Note: iframe/embed tags are not allowed and are always removed for security purposes.

  • Bug fix: When using Multi-Language Management, the MLM setup page would fail to load in projects that have not yet set up any languages. Bug emerged in the previous release. (Ticket #233304)

  • Bug fix: When using Twilio, in which one or more Twilio voice call options are enabled in the project, the voice call options would mistakenly not be displayed in any drop-downs listing all the enabled delivery preferences. Bug emerged in REDCap 13.4.0. (Ticket #233599)

  • Bug fix: When viewing the “Stats & Charts” page for a report in a longitudinal project, in which a user clicks the link for the “Missing” column for a given field after having selected the Live Filter of an event that contains data for a repeating instrument (although not for the field in question), the “missing values” list of records that is returned after clicking the “Missing” link might mistakenly display extra values that are not applicable. (Ticket #232841)

Version 14.3.14 (released June 13, 2024)

Bug Fixes

  • Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a specific API parameter’s value that is used in several file-related and survey-related API methods. This vulnerability can be exploited only by users with a valid API token. Bug exists in all REDCap versions.

  • Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into any user input that is then output on a page in REDCap (e.g., field labels, survey instructions, data displayed on a report). This vulnerability can be exploited by authenticated users and also by survey participants entering data. Bug exists in all REDCap versions.

  • Bug fix: AJAX requests in External Modules were mistakenly not working on pages that lack REDCap page headers. (Ticket #232369)

  • Bug fix: Embedding required fields into matrix groups hidden by branching logic would cause the page to crash, preventing it from being saved. (Ticket #232140)

  • Bug fix: For some servers, the new Top Usage Report page in the Control Center would mistakenly not display any results. Bug introduced in the previous version.

  • Bug fix: If a date, time, or datetime validated field was embedded inside the choice label of a radio or checkbox field, the width of the date/time/datetime field would mistakenly be too wide. (Ticket #232271)

  • Bug fix: If alerts have been set up with an Alert Type of “SMS” or “Voice Call”, the log entry on the Logging page for each alert sent would mistakenly be missing the recipients' phone numbers.

  • Bug fix: If the Survey Base URL setting has been defined on the General Configuration page in the Control Center, any images that are uploaded using the rich text editor to a field label, survey instructions, etc. might not be viewable when viewing them on the survey page. (Ticket #231843)

  • Bug fix: The “Administrator?” column in the “View User List by Criteria” table on the Browse Users page in the Control Center was mistakenly never updated when granular Admin Privileges were introduced to REDCap. That column currently only denotes if the user has “Access to all projects and data” privileges when it should instead display a checkmark if the user has at least one of the seven possible admin rights. (Ticket #232602)

  • Bug fix: The MyCap API call “getStudyFile” was not returning any file contents for the requested file.

  • Bug fix: Too many unnecessary database queries would mistakenly be executed during the Background Data Import process.

  • Bug fix: When a calculated field is using a datetime field inside a datediff() function while also using “today” as a parameter (as opposed to using “now”), it might result in an incorrect calculated result on the page (although the server-side calculation process would typically correct this). (Ticket #231434)

  • Bug fix: When executing a custom Data Quality rule in a longitudinal project, in which the rule’s logic references a field with a blank/null value (e.g., [field]=""), the rule would mistakenly not return results from events that contain no data. (Ticket #231374)

  • Bug fix: When exporting data via the Export Records API method in EAV format, in which the “fields” parameter is not provided, the API would mistakenly not return data for all project fields in the output of the API request but might instead only return the record ID field and (if the API parameter DataAccessGroups=false) the GROUPID field. (Ticket #232249)

  • Bug fix: When importing data for a repeating instrument, in which one of the fields on the repeating instrument is the Secondary Unique Field, in certain situations REDCap might mistakenly return an error and prevent the import process from occurring. (Ticket #229881)

  • Bug fix: When importing data via the Background Data Import process in a MyCap enabled project, it might mistakenly create duplicate entries for the same record in the MyCap Participant List. (Ticket #229177)

  • Bug fix: When using Multi-Language Management, “Download PDF” buttons for each language on the MLM setup page were mistakenly disabled when the project is in production mode. (Ticket #232952)

  • Bug fix: When using Multi-Language Management, the survey queue page, when called directly, would mistakenly not take the language preference field into account. (Ticket #233093)

  • Bug fix: When using WebDAV for file storage in REDCap, the Configuration Check page might mistakenly not display the WebDAV path on the page in one of the checks but would instead just display two double quotes where the path should be displayed.

  • Bug fix: When using right-to-left languages in Multi-Language Management, the email content for translated ASIs or Alerts would mistakenly not appear in the user’s/participant’s email client as right-to-left. (Ticket #232158)

  • Bug fix: When using the Clinical Data Mart feature for CDIS, users not having Data Mart privileges might mistakenly be able to access a Data Mart page. (Ticket #232792)

  • Bug fix: When using the datetime picker on datetime fields, in which the field already has a value, clicking on the time sliders in the datetime picker would mistakenly cause the picker to close immediately. Bug emerged in the previous version. (Ticket #232350)

Version 14.3.13 (released May 30, 2024)

Changes/Improvements

  • Improvement: Ability to import clinical notes via CDIS - Users may now import clinical note documents for patients using Clinical Data Pull or Clinical Data Mart. Note: If using Epic, the institution will be required to upgrade to v4 of the REDCap app in the Epic “Show Room” (formerly known as “App Orchard”).

  • Improvement: For users that are not assigned to a Data Access Group, the Data Quality page will now display a DAG drop-down filter (next to the record drop-down filter) to allow them to apply any Data Quality rule only to records assigned to the selected DAG.

  • Improvement: IP exceptions for the Rate Limiter - On the General Configuration page in the Control Center, you may now set IP address or IP range exceptions for the Rate Limiter (if enabled) so that specific IP addresses will not be banned. This will be useful if performing security scans on your server, in which you can add the IP address of the scanning tool so that it does not get banned while performing scans. (Ticket #119954)

  • Improvement: In the Online Designer when Ctrl-clicking multiple checkbox or radio fields to display the “Modify multiple fields” options, a new option to “Convert to matrix group” will appear, thus allowing users to merge the selected fields into a matrix. When merging fields into a matrix, the confirmation dialog will note that only the choices for the first field selected will be preserved (in case the selected fields have different choices). Additionally, the action will remove all field notes from the fields and will also remove all section headers (except for the first field’s section header, if it exists). (Ticket #230591)

  • Improvement: In the Online Designer when editing a matrix of fields, a new button will appear at the bottom left of the “Edit Matrix of Fields” dialog that says “Save & split matrix into separate fields”. When clicked, it will convert the matrix into separate fields. (Ticket #230591)

  • Improvement: New “Top Usage Report” page in the Control Center - This page displays the most active projects, users, pages, specific URLs, External Modules, cron jobs, etc. within a given period of time. It can be used to quickly identify where server resources are being spent under periods of high load.

  • Change: When using the Data Resolution Workflow in a project, it has always been the case that the results of data quality rules would automatically “exclude” fields that have a data query with “closed” status. Many users have complained about this behavior and have stated that the discrepancies should still be displayed in the data quality rule results regardless of the field’s data query status. From now on, such fields will no longer be automatically “excluded” simply because they have a data query with “closed” status.

Bug Fixes

  • Medium security fix: Numerous REDCap endpoints that are called via AJAX on certain pages that are oriented around project design were mistakenly not enforcing the Project Design & Setup rights requirement. This could allow someone with access to the project that does not have Design rights to access information they should not, and in the worst cases, make specific design changes to the project (e.g., copy or delete a field) when they do not have the rights to do so. Note: In order to exploit this, the user would have to have access to the project and would have to know the specific endpoints/URLs to call (and also must know some specific parameters to use). Additionally, this only affects endpoints that require Project Design & Setup rights. Bug exists in all versions of REDCap.

  • Bug fix: If a user is creating a new project and selects the option to “Upload a REDCap project XML file”, then chooses a file, but then selects another option (i.e., Empty project, Use a template), the Project XML file might mistakenly still be used to create the project, and in some cases might result in a fatal PHP error. (Ticket #232084)

  • Bug fix: In REDCap generated PDFs that contain data for repeating instruments and/or repeating events, the repeating instance number was mistakenly not displayed in the PDF’s right header above the page number. The absence of the instance number added ambiguity and made the specific instances not easily discernible from each other in the PDF.

  • Bug fix: It might be possible for users/participants to bypass the @FORCE-MINMAX action tag’s requirement and enter an out-of-range value for a datetime field if they tab out of the field while the datetime picker is still visible. (Ticket #231611)

  • Bug fix: When attempting to delete one or more scheduled survey invitations via the right-hand checkbox in the Survey Invitation Log table by clicking the “Delete all selected” button, the invitations would fail to be deleted if the record does not exist yet (i.e., participant was added to the Participant List manually, but the participant has not yet taken the survey). (Ticket #231754)

  • Bug fix: When executing Data Quality rules that return more than 10,000 discrepancies, in which one or more discrepancies have been previously “excluded” by a user, the total number of discrepancies displayed on the page would mistakenly be listed as 10000 minus the number of exclusions (which is incorrect) rather than the total discrepancies minus the number of exclusions. (Ticket #229449)

  • Bug fix: When using a large font-size for text in the rich text editor, the text might mistakenly overlap with other text or action buttons in some places. (Ticket #231737)

  • Various bug fixes and under-the-hood changes for CDIS.

Version 14.3.12 (released May 23, 2024)

Changes/Improvements

  • Improvement: “Phone (France)” was added as a new field validation. After upgrading, an administrator will need to enable it on the Field Validation Types page in the Control Center.

  • Improvement: A new system-level setting “Total maximum cron instances” was added, which allows one to control the maximum number of concurrent cron processes for the REDCap cron job. The setting defaults to the value “20”. Increasing this value will allow more cron processes to be spawned concurrently, which may be useful if you are using system-intensive External Modules such as API Sync or Flight Tracker. It is generally advised to leave this setting at its default value unless the cron job is either causing server performance issues (because too many jobs are running simultaneously) or if certain cron jobs aren’t running often enough to get everything done that they need to get done.

Bug Fixes

  • Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a specific API parameter’s value that is used in the API File Import, File Export, and File Delete methods. This vulnerability can be exploited only by users with a valid API token. Bug exists in all REDCap versions.

  • Minor security fix: An authenticated user could make a simple request to a very specific REDCap end-point, in which it would reset the REDCap Base URL and thus make the application temporarily unusable to users accessing REDCap in a web browser.

  • Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into any user input that is then output on a page in REDCap (e.g., field labels, survey instructions, data displayed on a report). This vulnerability can be exploited by authenticated users and also by survey participants entering data. Bug exists in all REDCap versions.

  • Bug fix: In the previous version, it was mistakenly thought that the variable name “calculate” needed to be added to the reserved variable name list, but that turned out not to be true. Because of some new underlying code fixes, that variable name is still allowed. (Ticket #231128b)

  • Bug fix: Long choice labels for fields used in Smart Charts, specifically bar charts, might mistakenly appear as too wide on the chart and thus might overlap with other text, making it hard to read.

  • Bug fix: The survey queue was mistakenly not translated in MLM-enabled projects when it was displayed on the survey page itself (as opposed to when specifically viewing the survey queue page after completing the survey).

  • Bug fix: When exporting an instrument PDF, the word “Confidential” would fail to be displayed in the PDF’s left header by default (this excludes participant-facing PDFs, which should not display this text).

  • Bug fix: When making a call to the Export Logging API method for a longitudinal project, the event name would mistakenly be omitted in the API response. (Ticket #210938)

Version 14.3.11 (released May 16, 2024)

Changes/Improvements

  • Improvement: Administrators will now see an icon/link in the User Actions popup when clicking a username on a project’s User Rights page, in which the icon/link will take the admin to view the user’s account on the Browse Users page in the Control Center. (Ticket #230772)

  • Improvement: In a MyCap-enabled project, all MyCap tasks can now be manually set as Active or Not Active at any time on the MyCap settings page in the Online Designer. Setting a MyCap task as “not active” will prevent the task from appearing in the MyCap mobile app for participants. Note: The previous release enabled this feature specifically for MyCap active tasks, while this change makes this feature available to all MyCap tasks (not just active tasks).

  • Change/improvement: The accuracy of the External Service Checks on the Configuration Check page was improved and are now able to better exclude false positive results.

Bug Fixes

  • Minor security fix: The Clinical Data Pull (CDP) feature in CDIS contained a vulnerability in which a malicious user could potentially re-use a URL utilized during the “launch from EHR” process when accessing the CDP “patient portal” page, in which it might potentially allow them to access unauthorized PHI. This vulnerability is only accessible if CDP is enabled on the REDCap server.

  • Major bug fix: When exporting data via the Export Records API method in EAV format with rawOrLabel=“label”, the value of “False” would mistakenly be returned as most of the multiple choice field values. Bug emerged in the previous release. (Ticket #230389)

  • Bug fix: A missing LOINC code was added to the CDIS mapping features.

  • Bug fix: If the Custom Account Expiration Email setting (found at the bottom of the User Settings page in the Control Center) is not used (no custom text is defined), in which REDCap uses the default Account Expiration Email text instead, the resulting email sent out to users might mistakenly contain some braces/curly brackets in certain places.

  • Bug fix: In a MyCap-enabled project, some minor issues could occur via the “Create/Edit MyCap Task” and “Fix warnings” popups when the project is in production and enters draft mode.

  • Bug fix: The variable name “calculate” has been added to the reserved variable name list because it could cause various unexpected issues on forms/surveys if a field has that variable name. (Ticket #231128)

  • Bug fix: When a report has advanced filter logic that contains inline comments, and a user selects a Live Filter on the report page, it might cause the report page to crash with a fatal error, thus not displaying the report.

  • Bug fix: When comparing two revisions/snapshots on the Project Revision History page, in which more than two columns in a given row of the comparison table display the “Preview Change” link, clicking the “Preview Change” link would only work for the left-most column that contains the link and not for any other columns. (Ticket #230991)

  • Bug fix: When importing some instruments from the REDCap Shared Library that contain calc fields, line breaks existing in a calculation might mistakenly get converted to HTML “BR” tags when being imported into a project, thus causing the calculated field to throw an error when viewing it on a form/survey.

  • Bug fix: When viewing the API documentation or the Documentation for Plugins, Hooks, & External Modules, the main part of the page and its content would mistakenly appear invisible if the browser window is at a specific width range. (Ticket #231012)

  • Various updates and fixes for the External Module Framework, including the following: 1) Fixed a bug preventing module system file settings from being saved, 2) Added support for the [data-table] smart variable in SQL fields when using $module->getChoiceLabel(), 3) Improved rendering for module README files in Markdown format, 4) Expanded module AJAX APIs to support public dashboards & reports, and 4) Misc. security scan improvements.

Version 14.3.10 (released May 09, 2024)

Changes/Improvements

  • Improvement: In a MyCap-enabled project, active tasks can now be set as Active or Not Active at any time on the MyCap settings page in the Online Designer. Setting an active task as “not active” will prevent the task from appearing in the MyCap mobile app for participants. Note: This is not for all MyCap tasks but only for MyCap active tasks.

  • Improvement: In the Online Designer when viewing the fields of a specific instrument, a yellow star is now displayed to the right of the variable name for identifier fields to denote to users which fields are identifiers.

  • Improvement: When clicking on a user’s username in the user table on the User Rights page, in which the user is assigned to a user role, a “Remove from project” button was added inside the “User actions” popup that allows the user to be removed from a project directly without having to un-assign them from the role first.

  • Change: The text in the help dialog for the option “Rename records?” on the Data Import Tool has been changed slightly for improved clarity and to reduce confusion. (Ticket #228096b)

Bug Fixes

  • Major bug fix: Alerts with conditional logic containing datediff() with “today” or “now” as a parameter might mistakenly not get triggered by the cron job, thus causing some alerts not to get sent when they should. Bug emerged in REDCap 14.2.0 Standard. Note: This does not affect any LTS versions. (Ticket #229617)

  • Major bug fix: The API Delete Users method was mistakenly not checking if a user had API Import/Update privileges in the project in addition to User Rights privileges in order to successfully make a call to the API method. This bug was supposedly fixed in REDCap 13.7.28/14.0.5 LTS and 14.0.4 Standard, but mistakenly it was not. (Ticket #230626)

  • Major bug fix: When the system-level setting “Allow normal users to create new projects?” is set to “No”, normal (non-admin) users would mistakenly get the error “You do not have Create Project privileges!” when submitting the Create New Project page. In that situation, all users should be able to view and submit that page (unless they are not allowed to create projects via the user-level setting). Bug emerged two releases ago. (Ticket #230244)

  • Bug fix: A fatal PHP error might occur for PHP 8 when loading the Form Display Logic setup dialog. (Ticket #230223)

  • Bug fix: If REDCap surveys are embedded via an iframe on external web pages, in some situations the survey page might go completely blank when the page loads. (Ticket #229885)

  • Bug fix: The Export Survey Link API method would mistakenly return a survey link when provided with an instrument and event in which the instrument is not designated for that particular event. In that case, the API should instead return an error. (Ticket #230491)

  • Bug fix: The variable name “field_label” has been added to the reserved variable name list because it could cause some instruments to become no longer accessible in the Online Designer if a field has “field_label” as its variable name. (Ticket #230669)

  • Bug fix: When MLM is active, piping would mistakenly not work on (first) survey pages when in “start over” mode.

  • Bug fix: When a user simply clicks a field in the Online Designer, it would mistakenly call the “field reorder” script even though no fields were actually being reordered on the page. This would sometimes cause the whole table to be reloaded and also could cause annoying issues such as multiple fields getting deselected when attempting to use the “Modify multiple fields” feature.

  • Bug fix: When exporting data via the Export Records API method in EAV format and providing the API parameter exportDataAccessGroups=true, the DAG designations would mistakenly not get output from the API request. (Ticket #230389)

  • Bug fix: When using Multi-Language Management, the mouseover tooltips for date/datetime/time validated fields would mistakenly fail to be updated with translations on MLM-enabled surveys and data entry forms. (Ticket #230546)

  • Bug fix: When using an iOS device to enter data for a date/datetime/time validated field that has an accompanying datetimepicker calendar widget, the field would mistakenly lose focus with each character entered into the Text field, thus causing the user/participant to have to keep putting focus back on the field for each character needing to be entered. Bug emerged in REDCap 14.0.19 LTS and 14.3.2 Standard. (Ticket #230017)

  • Bug fix: When using the rich text editor, REDCap’s default font (i.e., Open Sans) was mistakenly not listed in the font-family list in the editor’s toolbar. (Ticket #230315)

  • Bug fix: When viewing an individual email on the Email Logging page, in which the email contains a “mailto” link in the email body, the “mailto” link would mistakenly get mangled when displaying the email inside the dialog on the page. (Ticket #230319)

  • Bug fix: When viewing the Record Status Dashboard or a report, if the Rapid Retrieval feature is working on the page to provide a cached version of the page, and if the RR’s cache was stored when REDCap was on a previous version, in which that previous REDCap version has been removed from the web server, some images (e.g., form status icons) might not display correctly on the page and other links might lead to a 404 “does not exist” error. (Ticket #230224)

Version 14.3.9 (released May 03, 2024)

Changes/Improvements

  • Change: The text for the option “Rename records?” on the Data Import Tool has been changed slightly for improved clarity and to reduce confusion. (Ticket #228096)

Bug Fixes

  • Major bug fix: When the system-level setting “Allow normal users to create new projects?” is set to “No”, normal (non-admin) users would mistakenly get the error “You do not have Create Project privileges!” when navigating to the Create New Project page. In that situation, all users should be able to view that page. Bug emerged in the previous release. (Ticket #230090)

  • Bug fix: When exporting then importing a Project XML file, the two sub-options for the Secondary Unique Field (i.e., “Display the value…” and “Display the field label…") would mistakenly not get transferred to the new project but would resort to their default values. (Ticket #229880)

Version 14.3.8 (released May 02, 2024)

Changes/Improvements

  • Improvement: Mobile Toolbox measures have been added for use in the MyCap mobile app. The Mobile Toolbox (MTB) is a research platform that includes a library of cognitive and other tests that can be administered remotely on a smartphone. The MTB’s measures include smartphone versions of assessments from the NIH Toolbox, the International Cognitive Ability Resource, and the Patient Reported Outcomes Measurement Information System. A list of all available MTB tasks in REDCap can be viewed via the “Import Active Task” button in the Online Designer for any MyCap-enabled project.

  • Improvement: New “Download SQL” button was added to the REDCap install page to make it easier to fetch the generated install SQL as a file rather than obtaining it from the webpage via copy-and-pasting. (Ticket #229260)

  • Improvement: The Codebook page now has checkboxes that can be toggled by the user to remember the collapsed state of the tables on the page on a per-project basis for the user. (Ticket #229673)

  • Change: Small changes to the redcap_log_view_requests database table to improve general application performance.

Bug Fixes

  • Major bug fix: When viewing the User Rights page and the survey page when using certain PHP versions, the page might mistakenly crash with a fatal PHP error. (Ticket #229976)

  • Bug fix: Certain queries on the project Logging page might mistakenly take too long to run for certain projects, thus making the page unnecessarily slow. (Ticket #229219)

  • Bug fix: If using Multi-Language Management and reCAPTCHA is enabled for the public survey, the reCAPTCHA page might mistakenly throw a JavaScript error when MLM is active.

  • Bug fix: Problematic code was causing the cron job to crash in certain unknown situations. (Ticket #229536)

  • Bug fix: When downloading an instrument PDF when the field label or section header text of a field is very long, in some cases the text in the PDF might mistakenly run over and obscure the PDF’s footer text. (Ticket #205997)

  • Bug fix: When the system-level setting “Allow normal users to create new projects?” is set to “No”, and a user does not have the user-level option “Allow this user to request that projects be created for them…” checked on the Browse Users page, if the user knows how to navigate to the Create New Project page (even though the links to that page have been removed in the user interface), it would mistakenly display that page and would allow them to submit a request to create a project. Note: The project would not get created unless the admin mistakenly approved it while not realizing that this user should not be able to request new projects be created. (Ticket #229702)

  • Bug fix: When users are not allowed to create or copy projects on their own, and they submit a “Copy Project” request to an administrator, in which the “Warning about miscellaneous attachments” dialog is displayed to the user on the Copy Project page, when the admin goes to approve the request, that dialog would mistakenly be displayed again (it should only be displayed initially to the user, not the admin) and thus would block the admin from successfully approving the request. (Ticket #228954)

  • Bug fix: When viewing the Stats & Charts page for Report B in a longitudinal project, in which one or more events are selected for Report B, the Stats & Charts page would mistakenly not filter the data on the page to those selected events but would instead display data from all events. (Ticket #228030)

Version 14.3.7 (released April 29, 2024)

Changes/Improvements

  • Change: The video “Full Project Build” was added as a new video on the project left-hand menu and on the Training Videos page.

Bug Fixes

  • Major bug fix: In specific situations when using Multi-Language Management in a project when the web server is running PHP 8.0 or higher, every project page would crash with a fatal PHP error. (Ticket #229529)

  • Bug fix: Fixed several different SQL queries used in various places in the REDCap code that were silently failing in specific cases.

  • Bug fix: When exporting a project’s data to Stata, multiple choice fields would mistakenly have a “label values” entry in the Stata syntax file even when not all choice codings are integers. The “label values” entries should only be added to the Stata syntax file when a multiple choice field has an integer code for every choice. (Ticket #229277b)

Version 14.3.6 (released April 26, 2024)

Bug Fixes

  • Major bug fix: When the “href” attribute of any hyperlink has a value of “#” for any label or other user input, the entire label text would mistakenly be completely removed (i.e., would be blank) when output on the page. (Ticket #229451)

  • Bug fix: When importing the Survey Queue settings via CSV file, an error might mistakenly be returned if certain things, such as condition_surveycomplete_form_name, do not have a value, even when not needed. (Ticket #229186)

Version 14.3.5 (released April 25, 2024)

Changes/Improvements

  • Improvement: The Database Query Tool in the Control Center now has the ability to utilize “Smart Variables Context”, which can be enabled on the page via checkbox option on the DQT menu so that administrators may provide the literal values of certain Smart Variables that can be piped into the query from text boxes on the page. Also, a link or button to navigate directly to the Database Query Tool has been added to several project pages, such data entry forms, survey pages, the Edit Field dialog in the Online Designer, etc. to allow admins to open the DQT directly with the current context values (e.g., project-id, record-name, event-id) already pre-filled on the page. This will make it much, much easier to execute queries on a specific project and/or record with less copy-and-pasting. Note: This feature will not be displayed if the DQT has not been enabled yet.

  • Improvement: The rich text editor used throughout REDCap now has a new drop-down option in the editor’s toolbar for setting the “font family” and “font size” of any text in the editor.

  • Improvement: When using MyCap in a longitudinal project, users can now decide on the event display format (ID, Label, or None) for titles of MyCap tasks displayed in the Upcoming Tasks section.

  • Change/improvement: A few more pages were added to the “Navigate to page” widget to allow users to go to specific pages via PID and keyboard shortcuts.

  • Change: The video “A Brief Overview of REDCap” was replaced with a new video.

  • Various changes/improvements to the External Module Framework, including 1) Allow external module ajax requests to work on dashboards & reports, 2) Added an instance parameter to the resetSurveyAndGetCodes() method, 3) Improve performance of the disabled modules dialog, and 4) Misc. security scan script improvements.

Bug Fixes

  • Medium security fix/protection: All usages of the PHP function iconv() have been replaced in the REDCap code due to a vulnerability (CVE-2024-2961) discovered in Glibc (GNU C Library). Note: This is not a vulnerability in REDCap but in a PHP library. This vulnerability can be remediated at the web server level via configuration settings, but this security fix/protection seeks to protect all REDCap installations in the event that their IT support is not able to remediate this vulnerability at the server level. (Ticket #229281)

  • Medium security fix: A Base Tag Hijacking vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML in a specially crafted way into labels and other user input that is then output onto the webpage. The user must be authenticated into REDCap in order to exploit this, with one exception: a malicious survey participant could inject the HTML into a Text or Notes field whose value is then viewed on a report. Bug exists in all versions of REDCap. (Ticket #229158)

  • Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript/HTML in a specially crafted way into the “href” attribute of hyperlinks placed inside labels and other user input that is then output onto the webpage. The user must be authenticated into REDCap in order to exploit this, with one exception: a malicious survey participant could inject the JavaScript/HTML into a Text or Notes field whose value is then viewed on a report (i.e., it would appear as a hyperlink in the report that would have to be clicked by the user to be exploited). Bug exists in all versions of REDCap. (Ticket #228857)

  • Bug fix: A query used on the Data Access Groups page was incompatible with certain versions of MySQL that have ONLY_FULL_GROUP_BY set in the SQL Mode, thus causing the query to fail for some installations. The query has been replaced with an equivalent query that is compatible with all supported versions and configurations of MariaDB/MySQL. (Ticket #228974)

  • Bug fix: Certain options on the instrument view of the Online Designer, such as Form Display Logic settings and survey-related settings, would mistakenly not function on the page for MyCap enabled projects. (Ticket #228963)

  • Bug fix: In certain situations when exporting a report, the survey completion timestamps would mistakenly be date shifted in the resulting export file if the “shift all dates” checkbox is checked while the “shift all survey completion timestamps” is not checked. (Ticket #228879)

  • Bug fix: Survey pages might mistakenly display text inside P tags in labels as different font sizes in different situations. (Ticket #228686)

  • Bug fix: The Smart Variables [event-number] and [event-id] would mistakenly not return a numerical value but a string, causing special functions that expect numeric values to fail to produce the correct result (e.g., mod()). (Ticket #228953)

  • Bug fix: When accessing a project that is enabled as a Project Template, if the current user is an administrator that is currently impersonating another user in the project, the “Project is used as a template” box would mistakenly be displayed on the Project Home Page. That should only be displayed when the user is an admin with “Modify system configuration pages” rights and while not impersonating a non-admin user. (Ticket #229370)

  • Bug fix: When an instrument contains an inline PDF attached to a Descriptive field, and the instrument is then downloaded as a PDF, the first page of the generated PDF might mistakenly have text that runs off the bottom of the page if the inline PDF is displayed (via iMagick conversion to an image) on the first page of the generated PDF. (Ticket #228282)

  • Bug fix: When copying a project, the survey setting “Display page numbers at top of survey page” would mistakenly not get copied to the new project. (Ticket #229243)

  • Bug fix: When exporting a project’s data to Stata, multiple choice fields would mistakenly have a “label define” entry in the Stata syntax file even when not all choice codings are integers. The “label define” entries should only be added to the Stata syntax file when a multiple choice field has an integer code for every choice. (Ticket #229277)

  • Bug fix: When regular users (non-admins) import data dictionaries containing Dynamic SQL fields, in certain cases REDCap might refuse to import the file, mistakenly stating that the query has changed when in fact it has not. (Ticket #229148)

  • Bug fix: When renaming a record on the Record Home Page, in which the new record name is the same as the old record name but with leading zeros (or vice versa), if both the old and new record names are integers, REDCap would not rename the record and would mistakenly take the user to another page to create a new record under the new record name provided, which is confusing.

  • Bug fix: When using Google Cloud Storage for file storage in the system, uploading/downloading a file via Send-It for a File Upload field might mistakenly not work successfully. Additionally, file downloads might also fail when using GCS when downloading files attached to data queries in the Data Resolution Workflow dialog. (Ticket #226875c)

  • Bug fix: When using Multi-Language Management and applying or canceling draft mode changes in projects where MLM is active, there would always be a message/warning that MLM settings/translations have been modified even when this is not actually the case. (Ticket #228877)

  • Bug fix: When using Twilio or Mosio for a survey that is taken as an SMS Conversation, if the survey is a repeating instrument, branching logic might not work successfully for fields that have branching logic referencing fields on the same instrument. (Ticket #227028)

  • Bug fix: When using the search capability for the Biomedical Ontology feature for a Text field on a form/survey, if the user’s search returned the message “[No results were returned]”, and the user then clicked on that message, it would mistakenly display a bunch of HTML below the field when instead it should not display anything below the field. (Ticket #229124)

  • Bug fix: When utilizing Microsoft Azure Blob Storage for file storage in REDCap, some operations (specifically the “delete file” action) might mistakenly fail for specific server configurations because the CURL options for VERIFY_HOST and VERIFY_PEER were mistakenly not being set to FALSE in the API request to Azure.

Version 14.3.4 (released April 18, 2024)

Changes/Improvements

  • Improvement: New built-in PDF Viewer

    • This built-in PDF viewer remediates an old gap of functionality in which iOS and Android devices are not able to display more than the first page of an inline PDF. So whenever REDCap is displaying an inline PDF (e.g., for a Descriptive field, when using the INLINE action tag on a File Upload field, or on the e-Consent certification page), if the current device is iOS or Android or if it lacks a native PDF viewer, then REDCap’s built-in PDF Viewer will be utilized automatically. For all other devices, the device’s native PDF viewer will be used.
    • Notable change: Previous versions of REDCap would not attempt to display an inline PDF on the certification page of an e-Consent survey, in which it would say “This browser does not support inline PDFs. Please open the PDF in a new tab.”. But now, it will actually display the inline PDF for all devices on the e-Consent certification page, whether using the device’s native PDF viewer or if using REDCap’s PDF viewer.
  • Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).

  • Improvement: Videos hosted by the VidYard video service (vidyard.com) can now be utilized for the “Embed media” option on Descriptive Text fields. Thus, VidYard URLs (e.g., https://share.vidyard.com/watch/XYZXYZ) are now fully compatible, similar to how YouTube and Vimeo URLs have always been.

  • Improvement: When moving one or more fields in the Online Designer, a new option will appear in the field selection drop-down to allow the user to move a field to an empty instrument (i.e., an instrument with no defined fields). In previous versions, fields could only be moved to an instrument containing at least one field (not counting the Form Status field).

  • Change: All hard-coded references to “redcap.vanderbilt.edu” have been changed to “redcap.vumc.org” to reflect the recent change of the Vanderbilt REDCap server’s domain name. Note: The old URL will continue to work and automatically redirect to the new URL until April 2025.

  • Change: New MLM tip added at the bottom of the “Forms/Surveys” tab on the MLM setup page. The tip reads as follows: “Tip: Choose your “ASI Language Source” wisely - If ASIs have been translated in your MLM setup, it is typically recommended that you utilize the “Language preference field” option for determining the translation to be used for an ASI survey invitation. Choosing “User’s or survey respondent’s active language” as the ASI Language Source can have unexpected results. For example, if a participant’s survey response triggers the ASI, the ASI’s invitation text will be output in the correct language since it uses what the participant has chosen previously. However, if the ASI is triggered by an action of the project user, such as a data import or saving a data entry form, the ASI’s text will be in the language of the project user, which may not be the language that the participant prefers.”

  • Change: When copying a project via the Other Functionality page, a new note appears below the copy project option that says “NOTE: The new project will not contain the project’s logging history (audit trail), but if you wish to obtain it, you may freely download it any time at the top of the Logging page.”. This will help users understand upfront that the logging does not get copied during this process. (Ticket #228253)

  • Various fixes and changes to the External Module Framework, including the following: 1) Made it possible to download a list of users that have Project Design rights for all projects where a given module is enabled (appears as a new button in the View Usage dialog in the Control Center), 2) Queued all External Module AJAX requests to prevent them from getting canceled by REDCap’s duplicate query protection, and 3) Miscellaneous security scan improvements.

Bug Fixes

  • Bug fix: After editing the Survey Queue settings in the Online Designer, the SQ button might mistakenly display multiple green check mark icons. (Ticket #228741)

  • Bug fix: Data Quality rules A and B will now return checkbox fields in the list of discrepancies if none of the checkbox options have been checked for a given checkbox field. This reverts a change made in REDCap 13.7.10 LTS and 13.9.0 Standard (via Ticket #212048), which is now considered to have been a mistake. This has been changed because the previous behavior was considered to be inconsistent with regard to how checkboxes, especially required checkboxes, are treated on survey pages and data entry forms. For example, if a checkbox field is required and no checkboxes are checked, the Required Field alert is displayed to the user, which implies that a checkbox field with no checked checkboxes is considered to be a field with a missing value. Thus, to provide more consistency with how checkboxes are treated throughout REDCap, this fix has been applied to correct this issue. (Ticket #217798)

  • Bug fix: If some surveys are set as inactive in a project, then the Copy Project page might mistakenly have the “Survey Queue and Automated Survey Invitation settings” option unchecked and disabled. (Ticket #228742)

  • Bug fix: In certain situations on a data entry form, the Custom Event Label might not display correctly and/or might get overwritten by the Custom Record Label (or vice versa). Bug emerged in REDCap 14.2.2. (Ticket #228503)

  • Bug fix: When a Text or Notes field containing HTML tags in its value is being piped to another place on the same page/instrument, the HTML tags would mistakenly not be interpreted but instead would be escaped in its final piped form. This issue would only occur when the field has a SETVALUE or DEFAULT action tag. Bug emerged in 13.7.27 LTS and 14.0.3 Standard. (Ticket #228818)

  • Bug fix: When completing a survey, a JavaScript error might occur during certain parts of the survey that might cause other important processes to be blocked on the page. (Ticket #228785)

  • Bug fix: When using the Field Bank in the Online Designer to search for fields, it might mistakenly show answer choices that say “Login to see the value.” for specific items. (Ticket #228217)

Version 14.3.3 (released April 11, 2024)

Changes/Improvements

  • Change: When editing a MyCap task’s settings in the Online Designer, if a task is scheduled one time then the “allow retroactive” option will now not be available.

  • Improvement/change: When uploading static attachment files to an alert on the Alerts & Notifications page, the maximum allowed attachment size has been increased from 10 MB to 20 MB. Please note that sending attachments larger than 10 MB might cause the email to be rejected by certain email providers.

Bug Fixes

  • Major bug fix: If a project is deleted by a user, when that project is eventually deleted from the database 30 days later, if the project’s data is stored in the redcap_data2, redcap_data3, or redcap_data4 database table, the data might mistakenly not get removed from those data tables when the project as a whole is deleted. This could leave orphaned data in those data tables. Note: During the upgrade process, REDCap will automatically delete any orphaned data still present in the redcap_data2, redcap_data3, and redcap_data4 database tables. Bug emerged in REDCap 14.0.0.

  • Major bug fix: When the e-signature functionality has been enabled on an instrument, the e-signature checkbox at the bottom of the data entry form would mistakenly be displayed and would be clickable even when the whole record is locked. If the whole record is locked, the e-signature checkbox should remain disabled. Additionally, it might be possible in certain situations (e.g., simultaneous users locking and editing a record) for a user to lock, unlock, or e-sign an instrument while the whole record is locked. Server-side checks have now been added to prevent that. (Ticket #225320)

  • Bug fix: When accessing an instrument in the Online Designer right after creating a new project from scratch (i.e., when only the Record ID field exists), some instructional text at the top would mistakenly be too wide and might be partially covered up by other things on the page. (Ticket #228129)

  • Bug fix: When editing some previously-saved content using the rich text editor (i.e., editing the body of an alert, ASI, project dashboard, or field label), in which an inline image was uploaded and saved by a user while on an earlier REDCap version, the inline image in the rich text editor would mistakenly appear as a broken image inside the editor if that older REDCap version’s directory has been removed from the REDCap web server. (Ticket #228239)

  • Bug fix: When exporting a query as a CSV file on the Database Query Tool page, the first line of the CSV file would mistakenly contain a line of HTML. Bug emerged in REDCap 14.3.0.

  • Bug fix: When importing a data dictionary, it would be possible to import fields that have a variable name ending with an underscore character. This should not be allowed, and thus it now displays an error message when attempting to do so. (Ticket #227821)

  • Bug fix: When importing the Survey Queue settings via CSV file, an error might mistakenly be returned if certain things, such as condition_surveycomplete_form_name, do not have a value, even when not needed. (Ticket #227928)

  • Bug fix: When moving one or more fields in the Online Designer, in which the user chooses to create a new instrument and then move the field to the newly created instrument (via the last drop-down option in the “Move field to another location” dialog), the process would place the Form Status field on the new instrument so that it would mistakenly be located above the new fields rather than below them. Bug emerged in the previous version.

  • Bug fix: When opening REDCap Messenger while in a project, and then attempting to create a new conversation, the project’s left-hand menu would mistakenly cover over the “Create new conversation” dialog. Bug emerged in REDCap 14.0.16 LTS and 14.2.2 Standard. (Ticket #228033)

  • Bug fix: When performing an initial install of REDCap on certain versions of MySQL, the install SQL script might mistakenly fail during the creation of the MyCap project template. (Ticket #228041)

  • Bug fix: When the “Auto-suspend users after period of inactivity” setting is enabled, users who recently had their account created but had not logged in yet would mistakenly get auto-suspended. (Ticket #224747)

  • Bug fix: When the PDF Auto-Archiver is enabled for a survey, the IP address of the participant would mistakenly be stored in the PDF Survey Archive table in the File Repository. It was intended that the participant’s IP address should only be stored when completing a survey with the e-Consent Framework enabled.

  • Bug fix: When using Clinical Data Mart for CDIS, revisions were failing to be imported using the Data Mart import feature.

  • Bug fix: When using MyCap in a project and a MyCap task exists, if a user switches the project from classic to longitudinal (or vice-versa) then task schedules might remain orphaned.

  • Bug fix: When using the Mapping Helper for CDIS, the status mapping for different types of Condition resources was inaccurately handled.

Version 14.3.2 (released April 04, 2024)

Changes/Improvements

  • Improvement: When moving one or more fields in the Online Designer, a new option will appear at the end of the field selection drop-down to allow the user to auto-create an instrument while moving the field(s) to that new instrument. Note: The new instrument will be named “New Instrument” by default, although the user can always rename it after the fact. (Ticket #227034)

  • Various updates and fixes to the External Module Framework, including 1) Added validation button and use of Logic Editor for JSON settings, and 2) Miscellaneous security scan script improvements.

Bug Fixes

  • Bug fix: Automated Survey Invitations were mistakenly not getting triggered when set up with a survey completion condition together with conditional logic in which the “OR” option is selected. (Ticket #227693)

  • Bug fix: The datetimepicker calendar widget used for datetime fields would mistakenly inject numbers at the end of the field value when typing a datetime value that has a time beginning with “23:”. The Datetimepicker library has been updated to a newer version, which resolves this issue. (Ticket #227636)

  • Bug fix: The two new hooks “redcap_module_project_save_after” and “redcap_project_delete_after” that were added in the previous version were mistakenly added as traditional hooks when instead they should have only been added as EM-only hooks that can only be utilized by External Modules. This has been corrected.

  • Bug fix: When a participant is completing an e-Consent survey on a mobile device, and thus it is unable to display the inline PDF of their response at the end of the survey, although they are able to view the PDF by clicking the button on the page to view it in another tab, the “Working…” popup would mistakenly appear for 20 seconds before disappearing. Instead, it should only appear very briefly before revealing the page.

  • Bug fix: When using Google Cloud Storage for file storage in the system, uploading/downloading a file via Send-It for a File Upload field might mistakenly not work successfully. Additionally, file downloads might also fail when using GCS when downloading files attached to data queries in the Data Resolution Workflow dialog. (Ticket #226875b)

  • Bug fix: When using Multi-Language Management, a piping issue would occur when viewing survey pages for participant-specific survey links only. (Ticket #227555)

  • Bug fix: When using MyCap, there is some missing text that is utilized for displaying notes inside the repeating instruments popup (for longitudinal projects).

  • Bug fix: When using the piping parameter “:inline” when piping a File Upload field, in which a unique event name (or event-based Smart Variable) is not prepended to the field but [first-instance] or [last-instance] is appended to the field (e.g., [my_upload_field:inline][last-instance]), the piping would fail to work correctly.

  • Bug fix: When viewing a report in a longitudinal project or a project containing repeating instruments/events, it now displays the text “(‘records’ = total available data across all events and/or instances)” near the top of the report. In previous versions, it did not display any clarifying text for non-longitudinal projects that had repeating instruments, which caused confusion for users regarding the meaning of the word “records” in “Total number of records queried”.

Version 14.3.1 (released March 28, 2024)

New Features

  • New hook: redcap_project_delete_after - Allows custom actions to be performed after a delete action has been initiated. This allows for close control of the delete operation on a project.

  • New hook: redcap_project_save_after - Allows custom actions to be performed after a project has been saved from a newly created, copied, or modified project. This allows for close control of the create, copy, and modify operations on a project.

Changes/Improvements

  • Improvement: MyCap now supports repeating instrument functionality for longitudinal projects. In previous versions, repeating instruments were only supported for class/non-longitudinal projects.

Bug Fixes

  • Minor security fix: The TinyMCE library embedded in REDCap was upgraded to its latest version (7.0.0) due to a XSS (Cross-site Scripting) vulnerability in the library’s previous version.

  • Major bug fix: Users with API Import/Update privileges could successfully call the API method “Import User-DAG Assignments” without having Data Access Groups privileges in the project. Data Access Groups privileges should always be required when creating/renaming/deleting DAGs and when importing/exporting user-DAG assignments.

  • Bug fix: If the E-signature feature is disabled system-wide via the Modules/Services Configuration page in the Control Center, the user rights option “Locking/Unlocking with E-signature authority” would mistakenly still appear when adding/editing a role or user. Additionally, if the E-signature feature is enabled system-wide but is not available for a specific user to use (e.g., if using Entra ID authentication but not using Two-Factor Authentication with the E-signature 2FA PIN option enabled), the user rights option “Locking/Unlocking with E-signature authority” would mistakenly still appear for that specific user. (Ticket #227220)

  • Bug fix: The order of the alerts as displayed in the “Re-evaluate Alerts” dialog mistakenly does not match the order of the alerts on the Alerts & Notifications page. (Ticket #227234)

  • Bug fix: Users with API Export privileges could successfully call the API method “Export DAGs” without having Data Access Groups privileges in the project.

  • Bug fix: Users with API Export privileges could successfully call the API method “Export Repeating Instruments and Events” without having Project Design/Setup privileges in the project.

  • Bug fix: Users with API Export privileges could successfully call the API method “Export User-DAG Assignments” without having Data Access Groups privileges in the project. Data Access Groups privileges should always be required when creating/renaming/deleting DAGs and when importing/exporting user-DAG assignments.

  • Bug fix: Users with API Export privileges could successfully call the API methods “Export Users”, “Export User Roles”, and “Export User-Role Assignments” without having User Rights privileges in the project.

  • Bug fix: Users with API Import/Update privileges could successfully call the API method “Import Project Settings” without having Project Design/Setup privileges in the project.

  • Bug fix: Users with API Import/Update privileges could successfully call the API method “Import Repeating Instruments and Events” without having Project Design/Setup privileges in the project. It was instead checking for User Rights privileges instead of Project Design/Setup privileges.

  • Bug fix: Users with API Import/Update privileges could successfully call the API methods “Import DAGs” and “Delete DAGs” without having Data Access Groups privileges in the project.

  • Bug fix: When a survey participant submits the first page of a survey and gets the “Some fields are required” prompt because some required fields were left empty, the “start time” of the response would mistakenly not get stored in the backend database, thus preventing REDCap from displaying the start time or duration of the survey at any time afterward, including via Smart Variables (e.g., [survey-time-started], [survey-duration]). Note: This only occurs when required fields are left empty on the first page of the survey, not on subsequent pages. While this fix will prevent the issue from occurring in the future, it will unfortunately not be able to retroactively fix the issue for already-affected responses that are missing their start time and duration values. (Ticket #226240)

  • Bug fix: When using CDP, encounter diagnosis mappings and potentially other kinds of conditions in CDP projects were not being applied correctly, causing data not to be imported correctly from the EHR. (Ticket #227307)

  • Bug fix: When using Google Cloud Storage for file storage in the system, uploading/downloading a file via Send-It for a File Upload field might mistakenly not work successfully. Additionally, file downloads might also fail when using GCS when downloading files attached to data queries in the Data Resolution Workflow dialog. (Ticket #226875)

  • Bug fix: When using Multi-Language Management and adding a system language to a project where the language set on the Control Center’s General Configuration page differs from the language set in a project (via Edit Project Settings page), the “The original values of some translated items have changed” message would mistakenly be shown. (Ticket #227077)

  • Bug fix: When using Multi-Language Management, some MLM AJAX calls might mistakenly not work when using Shibboleth authentication. (Ticket #225282)

  • Bug fix: When using MyCap and viewing the Online Designer, the “Enable” MyCap buttons for PROMIS battery instruments are now disabled since these are not yet supported in the MyCap mobile app.

  • Bug fix: When using the randomization feature, while a radio strata field exists on the same instrument as the randomization field, after the record is randomized on the data entry form, the strata field’s “reset” link (for resetting its value) would mistakenly still appear on the page until the page is refreshed or returned to later. The “reset” link should be immediately hidden after randomization has occurred. (Ticket #226998)

Version 14.3.0 (released March 21, 2024)

New Features

  • New action tags: @MC-PARTICIPANT-JOINDATE-UTC and @MC-PARTICIPANT-TIMEZONE - These action tags will capture the MyCap participant’s timezone and also the install date/time (in UTC time) of the MyCap participant whenever the participant joins a project via the MyCap mobile app. NOTE: This is used only for the MyCap mobile app. The fields' values are not generated when viewing the data entry form but only when the MyCap app is making a call to REDCap when the participant joins the project. Additionally, while these action tags can be added to a new field in already-existing MyCap projects, a field with this action tag will be auto-added to any projects where MyCap is enabled in the project after the fact and for any new projects created using the MyCap project template.

  • New feature: Custom Query Folders - For improved organization, Custom Queries on the Database Query Tool page can now be organized into folders. Additionally, custom queries can be exported and imported using a CSV file.

Changes/Improvements

  • Improvement: API examples in C Sharp (C#) code were added to the API Playground.

  • Improvement: In the Online Designer, the variable name for each field on the page is clickable, and when clicked, will copy the variable name to the user’s clipboard.

  • Improvement: In the Online Designer, when a user attempts to click into the variable name field in the Edit Field popup while the project is in production, the dialog that notes that the variable name is not editable when in production will now also display the variable name as clickable in the dialog’s text, and when clicked, will copy the variable name to the user’s clipboard.

  • Improvement: In the Online Designer, when a user clicks on the green button “Field is embedded elsewhere on this page” on an embedded field in the table, the page will scroll up to where the field is embedded and flash a red border around the container field. This will make it easier for users to find where a field is embedded.

  • Improvement: When viewing a user on the Browse Users page in the Control Center, it now lists a new row “Number of users of which user is a sponsor” in the table. It will list how many sponsees the user has and also a link to open a dialog that will list the username and first/last name of all their sponsees. (Ticket #225819)

Bug Fixes

  • Bug fix: If a project has a repeating Automated Survey Invitation, and then later the survey instrument is set to be no longer repeating (via the Project Setup page settings), the ASI would continue to function as if the survey was still a repeating instrument.

  • Bug fix: In specific situations when downloading an instrument PDF in a longitudinal project, the process would mistakenly crash when using PHP 8. (Ticket #226047)

  • Bug fix: Multi-language Management mistakenly failed to translate a number of survey exit pages (survey offline, response limit reached), and the language selector would be inaccessible. (Ticket #226237)

  • Bug fix: The “characters/words remaining” message mistakenly was not translated on data entry and survey pages when using Multi-language Management. (Ticket #226676)

  • Bug fix: When a confirmation email is defined for a survey on the Survey Settings page, and then later the user selects “No” to disable the confirmation email on that page, it would mistakenly not disable the confirmation email setting after clicking the Save Changes button. Note: This would only be noticeable if the user returned to the page afterward. (Ticket #226697)

  • Bug fix: When a regular user (non-admin) is uploading a CSV data file via the Background Data Import, the upload process might mistakenly fail due to a PHP error if the user is not assigned to a Data Access Group. (Ticket #226639)

  • Bug fix: When an inline image is used in the body of an alert, the image might mistakenly not be displayed (i.e., a broken image icon would appear) when a user views an already-sent alert message in the Notification Log. (Ticket #226089)

  • Bug fix: When taking a survey using a mobile device, in certain situations the Submit button might be partially obscured by the browser window and thus might not be clickable. (Ticket #226895)

  • Bug fix: When the datediff() function is used in a calculated field, in which it contains “today” or “now” as one of the two parameters and the other parameter is a DMY or MDY formatted date/datetime field from another event and also exists on a repeating event or repeating instrument, a calculation error message might appear on the survey page or data entry form, thus preventing the page from working correctly. (Ticket #226037)

  • Bug fix: When using CDIS, a query in the code was structured incorrectly so that it might mistakenly not return recently modified records in certain use cases, thus affecting CDIS' ability to import data from the EHR effectively.

  • Bug fix: When using CDIS, some mapping for Adverse Events were not being pulled, such as causality.

  • Bug fix: When using CDP or DDP Custom, the “database” icon would mistakenly not be displayed next to a mapped field on the data entry form for right-aligned Notes fields. (Ticket #226554)

  • Bug fix: When using CDP or DDP Custom, the Record Status Dashboard page might mistakenly attempt to automatically pull data from the EHR for records on the page when viewing that page as an administrator that is not a user in the project. Instead, it will now only do this for project users.

  • Bug fix: When using the Data Resolution Workflow while a project is in Analysis/Cleanup status with data as Read-only/Locked, users might still be able to submit a data entry form after navigating to the form in a specific way from the Resolve Issues page. Users should not be able to submit a data entry form while in Analysis/Cleanup status with data as Read-only/Locked. (Ticket #226735)

  • Bug fix: When using the Stats & Charts page in a longitudinal project, in which some data had been collected on specific instruments and then later those instruments were undesignated for certain events, thus orphaning some of the data, the charts displayed on the page would mistakenly include the orphaned data for the undesignated instruments when they should be excluding that data. (Ticket #30382)

  • Bug fix: When utilizing the project-by-project Unicode Transformation process, which is done using a cron job via Step 2 on the Unicode Transformation page, the data in the Data Resolution Workflow related table might mistakenly not get transformed (i.e., the comments for data queries in DRW).

Version 14.2.2 (released March 07, 2024)

Changes/Improvements

  • Improvement: The Custom Event Label, if being used in a longitudinal project, will now display at the top of the data entry form in the yellow event bar. In previous versions, it only appeared above each event column on the Record Home Page. Now it appears in both places.

  • Improvement: Users may now use “now” or “today” (wrapped in quotes) instead of a field variable in the special functions day(), month(), and year() in order to capture a specific date component of today’s date.

  • Change: The Configuration Check page will no longer display a warning if any REDCap database tables have “compressed” row_format. REDCap now allows both “compressed” and “dynamic” as the row_format. (Ticket #224878)

Bug Fixes

  • Bug fix: A fatal error might occur when calling REDCap::saveData() when providing “array” data in an incorrect format to the method while running PHP 8. (Ticket #225896)

  • Bug fix: If a participant attempts to load a survey using a non-public survey link after the participant’s record has been deleted in the project, they would be mistakenly redirected to the REDCap login page, which is confusing. Instead, an appropriate error message is now displayed to let them know the survey is no longer active or that they are no longer a participant. (Ticket #225427)

  • Bug fix: If matrix field labels contain tags, the downloaded PDF of the instrument might mistakenly display the field labels overlapping each other.

  • Bug fix: It is possible to perform data imports in which the record name contains a line break or carriage return character. Those characters should not be allowed in record names. (Ticket #224506)

  • Bug fix: Modifying the value of a Notes field that has the @RICHTEXT action tag would mistakenly not cause the “Save your changes” prompt to be displayed if a user attempts to leave the page afterward. (Ticket #225367)

  • Bug fix: The API Playground’s example R code for the API Export File method was not correct and has been fixed. (Ticket #101454b)

  • Bug fix: The API method “Export a File from the File Repository” would mistakenly output an incorrect MIME type for a file being exported. (Ticket #225517)

  • Bug fix: The query cache efficiency check on the Configuration Check page might mistakenly display a false positive saying that the MySQL query cache is not efficient when actually it is. (Ticket #225731)

  • Bug fix: The special function concat_ws() would mistakenly include fields with blank values in its output. It is expected that blank values should not be included. For example, if we have @CALCTEXT(” and “, [dob1], [dob2], [dob3), it would mistakenly output “2024-03-01 and and 2024-03-01” when field “dob2” is empty/blank, whereas it should instead output “2024-03-01 and 2024-03-01”.

  • Bug fix: When CDIS is enabled, specifically Clinical Data Mart, with one or more EHRs defined on the CDIS page in the Control Center, the My Projects page might mistakenly crash in certain situations when using PHP 8. (Ticket #225890)

  • Bug fix: When a project’s first instrument is a repeating instrument, and a user is performing a data import of new (not existing) repeating instances for another repeating instrument in the project, new empty instances would mistakenly get created for the first instrument when new instances should only get added for the desired repeating instrument. (Ticket #224932)

  • Bug fix: When calling the “Import Users” API method and providing the data payload in CSV format, the “forms_export” privileges provided in the CSV might mistakenly not get parsed correctly, which might cause the API script to return an error, specifically when using PHP 8, or it would mistakenly set the user’s data export rights to “No Access” across the board for all instruments.

  • Bug fix: When creating an alert in a longitudinal project, the “Email To” option would display an event-ambiguous email field (i.e., “Any Event”) that could be chosen. However, in many situations, this might cause the alert not to be sent (or it is attempted to be sent with a blank sender address). To prevent this issue, the “Any Event” field options are now no longer displayed as choices for the “Email To” field for alerts. (Ticket #224839)

  • Bug fix: When exporting data to R, any backslashes in the R syntax file would mistakenly not get escaped. Now all backslashes are replaced with a double backslash in the resulting R code. (Ticket #225046)

  • Bug fix: When using Double Data Entry as DDE person 1 or 2, records that are locked at the record level would not appear to be locked and might mistakenly allow a user to modify a locked record. (Ticket #225431)

  • Bug fix: When using MLM, importing UI translations would mistakenly not be possible in projects with subscribed languages, even when UI overrides are explicitly allowed.

  • Bug fix: When using a mobile device and attempting to open Messenger, the Messenger panel might mistakenly be obscured and not viewable in certain contexts.

  • Bug fix: When using the Clinical Data Pull in CDIS, specifically when launching the CDP window in an EHR context, an undefined JavaScript function might produce a JavaScript error, thus causing certain things not to function correctly on the page.

  • Bug fix: When using the Clinical Data Pull in CDIS, the “address-district” demographics field was mistakenly missing, and thus EHR data could not be pulled for it.

  • Bug fix: When viewing scheduled alerts on the Notification Log page for alerts that are recurring, the scheduled send time might mistakenly appear to be incorrect in the Notification Log if the alerts are set to recur every X minutes/hours/days, in which X is a number with a decimal (i.e., not an integer). Note: This does not appear to prevent the alert from being sent at the appropriate time, but this is simply a display issue in the Notification Log. (Ticket #225860)

  • Bug fix: When viewing the Stats & Charts page in a longitudinal project, the page might mistakenly crash in very specific scenarios when running PHP 8. (Ticket #225493)

  • Bugfix: When MLM is active, matrix headers mistakenly were shown over each line of a matrix field when output as an instrument PDF. (Ticket #225203)

Version 14.2.1 (released February 29, 2024)

Changes/Improvements

  • Bug fix/change: The “Azure AD” authentication is now referred to as “Microsoft Entra ID (formerly Azure AD)” in the REDCap user interface due to the fact that Microsoft renamed the product to “Microsoft Entra ID” at the end of 2023.

Bug Fixes

  • Major security fix: A Stored Cross-site Scripting (XSS) vulnerability was discovered in the File Repository in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the folder name of a folder created in the File Repository. The user must be logged in to REDCap and also must have File Repository privileges in the project in order to exploit this. Bug emerged in REDCap 13.1.0.

  • Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into a field’s data value when viewed on the Data Comparison Tool page. The user must be authenticated into REDCap in order to exploit this in a project. Bug exists in all REDCap versions for the past 10 years.

  • Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into specific translated labels when using Multi-Language Management. The user must be authenticated into REDCap in order to exploit this in a project. Bug exists in all REDCap versions beginning with v12.0.0.

  • Bug fix: A fatal PHP error might occur for PHP 8 when viewing the Record Home Page or Record Status Dashboard for a record on an arm that has no events. (Ticket #225089)

  • Bug fix: If a user assigned to a Data Access Group is importing records via the Background Data Import, those records would mistakenly not get assigned to the user’s DAG. In addition, if record auto-numbering has been selected for the import, it would also not prepend the record names with the DAG ID number and a dash. (Ticket #224833)

  • Bug fix: If using certain versions of MariaDB, the “YOUR REDCAP DATABASE STRUCTURE IS INCORRECT!” error message might display as a false positive in the Control Center, even when nothing is wrong with the database table structure.

  • Bug fix: The Copy Project page would mistakenly have the wrong label for the “Copy Project Dashboards” checkbox. Bug emerged in the previous version.

  • Bug fix: When Double Data Entry is enabled, and the current user is either DDE person #1 or #2, in which Form Display Logic has been defined in the project, the Form Display Logic might mistakenly not work correctly when viewing the Record Home Page. (Ticket #225125)

  • Bug fix: When entering text for an alert message when adding/editing an alert on the Alerts & Notifications page, in which the field list menu would appear after entering the “[” character, clicking a field in the field list would mistakenly not inject that variable name into the alert message. (Ticket #224895)

  • Bug fix: When using “OpenID Connect & Table-based” authentication, clicking the “Logout” link in REDCap might mistakenly result in a logout error in the Identity Provide/SSO service. Bug emerged in REDCap 13.10.4. (Ticket #224757)

  • Bug fix: When using the Data Resolution Workflow, a fatal PHP error for PHP 8 in certain situations when data is being saved in certain contexts, such as data imports, when some data values have been “Verified”. (Ticket #225198)

  • Bug fix: When using the repeatable settings in the External Modules configuration dialog, removing a single repeating setting instance would mistakenly remove all repeating instances in the dialog. Bug emerged in REDCap 13.11.0. (Ticket #225171)

Version 14.2.0 (released February 22, 2024)

New Features

  • New feature: Account Expiration Email Templates - At the bottom of the User Settings page in the Control Center, administrators may optionally customize the email text of the account expiration emails that are sent to users prior to the users' impending expiration. Two text editors exist on the page, in which admins may define text for users with sponsors and also for users without sponsors. If no custom text is provided, stock text will be utilized in the outgoing emails to users. (Ticket #58767)

  • New feature: Project Dashboard Folders - Project Dashboards in a project can now be organized into folders. If a user has Project Setup & Design privileges, they will see an “Organize” link on the left-hand project menu above the Project Dashboards panel. They will be able to create folders and then assign their Project Dashboards to a folder, after which the Project Dashboards will be displayed in collapsible groups on the left-hand menu. (Ticket #137183)

Changes/Improvements

  • Improvement: If using CDIS, new data fields “Legal Sex” and “Sex for Clinical Use” can now be mapped for Clinical Data Pull projects and also will be included in Clinical Data Mart projects. Note: Currently, only Epic is providing data for these fields, but other EHR systems will likely add them too in the near future.

  • Improvement: New “Test Run” option when re-evaluating Alerts and Automated Survey Invitations - When performing the “Re-evaluate” feature for Alerts and ASIs, a new toggle that says “Enable Test Run?” can be clicked in the dialog, which will perform a test run (dry run) to simulate what would have happened (e.g., schedule or send alerts/invitations) but without actually doing anything. This will allow users to feel more confident if they actually need to perform a real re-evaluation of Alerts or ASIs so that they know beforehand how many records will be affected during the re-evaluation. In addition, users may download a CSV file of all affected record names afterward, whether using the test run option or not.

  • Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).

  • Improvement: The Project Home Page now contains an icon in the Current Users table to allow users to download the current user list as a CSV file.

Bug Fixes

  • Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the Data Quality page in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into parameters in certain AJAX requests.

  • Bug fix: If the @SETVALUE action tag exists on a field on an e-Consent survey, it would mistakenly allow the field’s value to be overridden even when the e-Consent setting “Allow e-Consent responses to be edited by users” is not checked. (Ticket #225008)

  • Bug fix: If using CDIS, the Clinical Data Pull mapping tool might mistakenly throw a JavaScript error. Additionally, Descriptive fields were mistakenly being excluded from the CDP mapping tool.

  • Bug fix: The EHR launch process in CDIS might mistakenly fail in specific situations where Azure AD is the authentication method in REDCap.

  • Bug fix: The Rapid Retrieval caching system might mistakenly fail with a fatal PHP error in some specific instances. (Ticket #224840)

  • Bug fix: The developer method REDCap::getUserRights() would mistakenly not return instrument-level Data Export Rights information. (Ticket #224887)

Version 14.1.6 (released February 15, 2024)

Changes/Improvements

  • Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).

  • Change/improvement: All logged events concerning Alerts & Notifications will now additionally display the alert’s Unique Alert ID in order to make it easier to discern alerts from each other if alerts are reordered or moved after being created (i.e., if their alert number changes over time). (Ticket #222857)

  • Change: The “Email Alerts” converter that migrates alerts from the Email Alerts external module to alerts in “Alerts & Notifications” has been officially removed. This feature was technically removed four years ago, but there still existed an Easter Egg in the redcap_config database table that would allow it to be used during emergency situations.

  • Several bug fixes for the External Module Framework.

Bug Fixes

  • Bug fix: If any text used in an outgoing SMS text message contains an HTML hyperlink, in which the link’s text is virtually the same as the link’s URL, it would mistakenly display the URL in parentheses after the link text in the resulting SMS message. It should only do this when the link text is different from the URL. (Ticket #109648)

  • Bug fix: If the Custom Event Label is used in a longitudinal project and contains any HTML tags, all the tags would mistakenly get stripped out when exporting the project’s Project XML file. (Ticket #224571)

  • Bug fix: In places that display a drop-down list of records for the “Test logic with a record” feature, most notably in the branching logic dialog, Survey Queue setup dialog, and ASI setup dialog, the dialog might mistakenly never load if the project contains many thousands of records. For now on, it will display a normal drop-down list if the project contains 1000 records or fewer, and if the project contains more than 1000 records, it will instead automatically revert to displaying an auto-suggest text box to allow the user to manually enter the record name (rather than attempting to display an extremely long drop-down). (Ticket #224531)

  • Bug fix: In some cases when inline PDFs are attached to Descriptive fields, and a user downloads the PDF of the instrument, if the iMagick PHP extension is installed on the web server, there would mistakenly be a blank page following the inline PDFs in the resulting REDCap-generated PDF of the instrument. (Ticket #222014)

  • Bug fix: When an Automated Survey Invitation with conditional logic is being evaluated when a record’s data is being saved, in which the conditional logic references a field in a repeating instrument or repeating event where the field does not have an X-instance Smart Variable appended or an instance number appended to itself, the logic might not get evaluated as expected.

  • Bug fix: When the “Auto-suspend users after period of inactivity” setting is enabled, users who recently had their account created but had not logged in yet would mistakenly get auto-suspended. Bug emerged in the previous version. (Ticket #224266)

  • Bug fix: When using the datediff() function in which the Daylight Saving Time barrier is crossed when calculating the result of two datetime values, in specific cases the result might mistakenly be one hour off if using units of “h”, “m”, or “s” for the function. (Ticket #223682)

Version 14.1.5 (released February 08, 2024)

Changes/Improvements

  • Improvement: Administrators are now able to view survey pages even when the system or a project is in “offline” status. Note: The admin must have logged into REDCap (i.e., they have a session cookie) before the system/project was taken offline in order to access a survey page. (Ticket #223524)

  • Improvement: Enhanced settings for importing email addresses from EHRs via Clinical Data Interoperability Services (CDIS) - Previous versions of REDCap had a CDIS feature to allow or disallow projects from importing the email addresses of patients from the EHR, in which it was either completely disallowed or an admin could enable the feature on an individual project via the Edit Project Settings page. The new features provide more options so that it can be 1) disabled for all projects, 2) enabled for all projects, or 3) allow individual projects to decide (via the admin-only setting on the Edit Project Settings page). (Ticket #223068)

  • Improvement: When using CDIS in a project, a new status indicator for FHIR access tokens will appear underneath each user in the Current Users table on the Project Home page. This feature helps team members and admins quickly see who needs to update their access token, essential for CDIS background fetch processes.

  • Various updates to the External Module Framework, including adding the “redcap_module_api_before” hook and miscellaneous security scan improvements.

Bug Fixes

  • Bug fix: In some rare cases, the “collation_connection” setting for the REDCap database connection might mistakenly be taking effect, which could thus lead to possible encoding issues when pulling information from or storing information in the REDCap database.

  • Bug fix: It might be possible for users or participants to manipulate an HTTP request in a specially-crafted way in order to upload files of any file type into a Signature field on a data entry form or survey. Note: This does not pose a security issue of any kind, and if certain file extensions are defined in the “Restricted file types for uploaded files” list in the Control Center, then those file types will be blocked immediately and not saved in the system.

  • Bug fix: On certain pages/dialogs, the calendar datepicker popup might mistakenly fail to be displayed when expected (e.g., when editing an alert). Bug was supposedly fixed in the previous version but still persists in some places throughout the application. (Ticket #223627)

  • Bug fix: The simultaneous user prevention check on data entry forms would mistakenly prevent multiple users from accessing and editing different repeating instances of the same record-event-instrument in a project.

  • Bug fix: When importing Form Display Logic via a CSV file, the checkboxes for the FDL’s optional settings would mistakenly all become unchecked after the import. (Ticket #223666)

  • Bug fix: When the “Auto-suspend users after period of inactivity” setting is enabled, users who have not been added to any projects might mistakenly not get auto-suspended. (Ticket #223659)

  • Bug fix: When the Rapid Retrieval caching feature is using file-based storage and is utilizing the alternate storage location (instead of using REDCap temp for storage), it might store some of the RR files in the REDCap temp directory by mistake. (Ticket #223738)

  • Bug fix: When uploading a CSV file to add or rename Data Access Groups on the DAG page in a project, in which the user provides a unique group name in the CSV file for a DAG that does not yet exist, the error message provided would be confusing as to what the problem is. In this situation, a more detailed error message is provided to inform the user that the unique group name is only used for renaming DAGs and should be left blank when creating new DAGs. (Ticket #223526)

  • Bug fix: When using Google Cloud Storage for file storage in the system, uploading a file on the main Send-It page might mistakenly not work successfully. (Ticket #221098b)

  • Bug fix: When utilizing the project-by-project Unicode Transformation process, which is done using a cron job via Step 2 on the Unicode Transformation page, if processing individual projects that do not have any surveys enabled, it would mistakenly execute several unnecessary, long-running SQL queries on each project lacking surveys, which would make the overall process take much longer to fully complete than it should.

Version 14.1.4 (released January 30, 2024)

Bug Fixes

  • Minor security fix: Cross-site Request Forgery (CSRF) protection was mistakenly not applied to the user action of deleting arms on the Define My Events page.

  • Minor security fix: If a logged-in user has specific knowledge of the REDCap system, they might be able to manipulate the parameters of a specific AJAX endpoint in order to send custom crafted emails impersonating any email sender (i.e., they can set the email’s From address to anything they wish).

  • Medium security fix: A Broken Access Control vulnerability was discovered in which a logged-in user who is not a REDCap administrator could create Custom Application Links and have those open on the left-hand menu for any and all projects in the system. Only admins should be able to create, modify, and delete Custom Application Links in the Control Center. This could be used to trick users into navigating to potentially malicious websites.

  • Medium security fix: Lower-level REDCap administrators (e.g., with “Manage user accounts” rights) could potentially escalate their own admin privileges by utilizing information from certain tables in the database via the Database Query Tool page. Going forward, only administrators with ‘Admin Rights’ privileges, ‘Modify system configuration pages’ privileges, or ‘Access to all projects and data with maximum privileges’ privileges are allowed to access the Database Query Tool.

  • Medium security fix: There is a possibility in very specific situations that a malicious user might be able to reactivate another user’s session and take it over after the other user has logged out of REDCap. This would require obtaining the other user’s session ID.

  • Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered in the Database Query Tool in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into saved queries on the page. The user must be an admin and must be authenticated into REDCap in order to exploit this. Bug emerged in REDCap 12.3.0.

  • Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the “Importing instrument from the REDCap Shared Library” page in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into input elements on the page. The user must be authenticated into REDCap in order to exploit this. Bug exists in all REDCap versions for the past 10 years.

  • Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the Alerts & Notifications page in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into parameters in certain AJAX requests. The user must be authenticated into REDCap in order to exploit this. Bug emerged in REDCap 9.0.0.

  • Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the confirmation page displayed for users who have put in specific requests to the REDCap administrator (e.g., requested a project be moved to production) in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into the URL. The user must be authenticated into REDCap in order to exploit this. Bug exists in all REDCap versions for the past 10 years.

  • Major bug fix: On certain pages/dialogs, the calendar datepicker popup might mistakenly fail to be displayed when expected (e.g., when composing survey invitations). Bug emerged in the previous version. (Ticket #223277)

  • Bug fix: A fatal error would occur when using Azure AD authentication. Bug emerged in REDCap 14.1.2. (Ticket #223173)

  • Bug fix: For Step 2 when editing an alert and setting “Send it how many times?” to “Multiple times on a recurring basis”, the number interval of the recurrence could mistakenly only be 4 characters long at the maximum. (Ticket #223020)

  • Bug fix: If the first instrument in a project is taken as a public survey, it can end up with two different (but equally valid) return codes, assuming the survey has “Save & Return Later” enabled. However, it could be confusing for users to see two different return codes and think something is wrong. For consistency, the return code on the data entry form will now match the return code displayed to the participant on the survey page. (Ticket #208079)

  • Bug fix: In some situations, it might be possible for a user or admin to duplicate the process of moving a project to production status, which would inadvertently cause the project to end up in Analysis/Cleanup status instead. (Ticket #222935)

  • Bug fix: In very specific situations when using branching logic on a multi-page survey that is a repeating instrument/survey, some survey pages might get mistakenly skipped if the repeating instance number is greater than “1” when all fields on the page have branching logic that references field values on the current repeating instance. (Ticket #223126)

  • Bug fix: Since Microsoft will soon be deprecating their Azure Storage PHP client libraries that are currently used by REDCap, the Azure Storage library has now been replaced in REDCap with new custom-built methods for making calls directly to the Azure Blob Storage REST API. (Ticket #216356)

  • Bug fix: The Rapid Retrieval caching feature might mistakenly cause some API calls to hang and eventually time out. (Ticket #223083)

  • Bug fix: When a REDCap administrator has limited data export privileges in a project and then calls the Export Report API method, REDCap would mistakenly remove many of the fields in the resulting data set, which should not happen to administrators. (Ticket #223259)

  • Bug fix: When using Multi-Language Management, certain types of fields (yesno, truefalse, matrix field choices) would fail to be properly piped when the fields do not exist on the same form. (Ticket #222446)

  • Bug fix: When using the @if action tag on a survey question, in which the participant is returning to the survey via their “Save & Return Later” return code, the @if logic might mistakenly not get evaluated correctly on the page to which they return, thus possibly utilizing the wrong action tags for the field. Note: This does not occur for subsequent pages in the survey after returning to the survey but only to the initial page loaded upon their return. (Ticket #223291)

Version 14.1.3 (released January 25, 2024)

Changes/Improvements

  • Various updates and fixes for the External Modules Framework, including 1) Fixed a module setting race condition when using a “Read Replica” database server, and 2) Displayed logged parameters on the View Logs page for External Modules.

Bug Fixes

  • Bug fix: If a file in the Recycle Bin in the File Repository is permanently deleted by a REDCap admin, the file would be marked as having been permanently deleted but would mistakenly still exist in the file storage system. (Ticket #222787)

  • Bug fix: If an administrator is not a user in a project but clicks the “Create API token now” button on the project’s API page, the token would not be created (as expected) but it would mistakenly log the event “Create API token for self” as if it was created. (Ticket #222977)

  • Bug fix: The simultaneous user prevention check on data entry forms would mistakenly prevent multiple users from accessing and editing different repeating instances of the same record-event-instrument in a project.

  • Bug fix: When Rapid Retrieval is disabled, REDCap might still be creating *.rr cache files in the temp folder. (Ticket #223076)

  • Bug fix: When downloading an Instrument Zip file or various CSV files, the process might crash due to a fatal PHP error if the user has Space or Tab as their preferred “Delimiter for CSV file downloads” (as defined on their Profile page). (Ticket #222524)

  • Bug fix: When the calendar datepicker popup is displayed near the rich text editor, in some situations part of the calendar might mistakenly get covered up by the editor’s toolbar. (Ticket #223011)

  • Bug fix: When upgrading from a version prior to REDCap 14.0.1, an SQL error might occur during the REDCap upgrade with regard to an “alter table” statement for the database table “redcap_outgoing_email_sms_log”.

  • Bug fix: When using CDIS, a project’s Edit Project Settings page might be missing a Save button if the REDCap server lacks configurations for at least one FHIR system. (Ticket #222919)

  • Bug fix: When using CDIS, an issue might occur if REDCap is using Azure AD OAuth2 & Table-based authentication method, particularly during an EHR launch for Clinical Data Pull.

  • Bug fix: When using Clinical Data Pull for CDIS, the CDP cron job might mistakenly miss some records when fetching EHR data in the background.

  • Bug fix: When using Multi-Language Management, floating matrix headers were not aligned properly on surveys for right-to-left languages. (Ticket #222689)

  • Bug fix: When using Multi-Language Management, the Forms/Surveys tab on the MLM setup page might fail to load due to a JavaScript error.

  • Bug fix: When using multiple EHR systems with Clinical Data Pull for CDIS, the incorrect FHIR base URL was being used for data retrieval during the background fetch process of CDP projects. This error not only hindered the data fetch process when fetching EHR data, but it also led to the internal FHIR token manager inadvertently deleting valid access tokens for users.

  • Bug fix: When using the text “month”, “day”, or “year” followed by an opening parenthesis inside quotes in a @CALCTEXT equation, the calculation would not get parsed correctly, thus resulting in a calculation error on the survey page or data entry form. (Ticket #222973)

  • Bug fix: When viewing the “Stats & Charts” page for any report that has one or more Live Filters selected on the page, and then the user selects an instrument and/or record in the Display Options box near the top of the page, all Live Filter selections would mistakenly get reset back to a blank value. (Ticket #222699)

Version 14.1.2 (released January 18, 2024)

Changes/Improvements

  • Change: The “Copy Project” page now contains more informational text when copying a project containing surveys. The new text explains that when copying all records, the survey completion time for any survey responses will not be copied with the normal project data because the completion times are considered to be equivalent to project logging, which never gets copied during this process. (Ticket #222256)

  • Various changes and fixes for the External Modules Framework, including fixing a bug that was preventing link editing in rich text module settings caused by a conflict between Bootstrap dialogs and TinyMCE.

Bug Fixes

  • Major bug fix: When a user views a report and modifies the “report_id” parameter in the URL while on the report’s “Stats & Charts” page or when editing the report, in which the report_id is changed to the report_id of a report in another project to which the user does not have access, the user would mistakenly be able to view the report name and the number of results returned from that report from the other project. Note: No identifying data or record names from the other project are able to be accessed using these methods; only the report name and the total count of results returned from the report can be extracted.

  • Bug fix: If a project is being moved back to Production status from Analysis/Cleanup status, the process of moving it back to Production would mistakenly not clear out the “inactive_time” timestamp in the backend database for the project. This issue has no impact on the application. (Ticket #222175)

  • Bug fix: If a user was given “Edit Access” rights to a specific report, but they have been given “Add/Edit/Organize Reports” user privileges for the project, if they append “&addedit=1” to the URL when viewing the report, it might appear that they can edit the report. However, clicking the “Save Report” button on the page would actually do nothing and would forever say “Working”. So while they aren’t able to bypass any report access privileges, it could be confusing because it appears as though maybe they could. (Ticket #222150)

  • Bug fix: When erasing all data in a project or deleting all records when moving a project to production, the process might mistakenly not delete the ‘Survey Login Success’ and ‘Survey Login Failure’ logged events in the project if the Survey Login feature is being utilized. (Ticket #222429)

  • Bug fix: When erasing all data in a project or deleting all records when moving a project to production, the process might take a disproportionately large amount of time to complete (or it might get stuck) if the project contains a large amount of data points (i.e., several million or more rows). The process now deletes data from the redcap_dataX table in smaller batches rather than attempting to delete all rows with a single query.

  • Bug fix: When saving the Survey Login settings in the Online Designer, the confirmation dialog would mistakenly not be displayed due to a JavaScript error.

  • Bug fix: When upgrading to REDCap 14.1.1 from any earlier version, an SQL error might occur in some rare cases when performing the REDCap upgrade process due to a foreign key constraint in the redcap_ehr_user_map database table. (Ticket #222084)

  • Bug fix: When using Clinical Data Mart in CDIS, the CDM data fetching process might fail when using specific versions of MySQL/MariaDB, specifically MySQL versions prior to 8.0 and MariaDB versions prior to 10.2.1. (Ticket #219308)

  • Bug fix: When using Clinical Data Mart in CDIS, there were issues in the list of mappable items within CDM projects, in which the following condition types were not mappable as generic entries: encounter-diagnosis-list, problem-genomics-list, problem-medical-history-list, and problem-reason-for-visit-list.

  • Bug fix: When using Clinical Data Pull in CDIS, an out-of-memory error could occur when handling large volumes of data being pulled from the EHR.

  • Bug fix: When using Clinical Data Pull in CDIS, some CDP projects with the auto-adjudication feature enabled might display the adjudication count as a negative number. (Ticket #134564)

  • Bug fix: When using Multi-Language Management, instruments with matrix fields would fail to load due to a JavaScript error. This bug was introduced in the previous version. (Ticket #222211)

  • Bug fix: When viewing the Record Status Dashboard when Data Access Groups exist in a project, in certain situations the RSD page might load a bit slowly due to an excessive amount of SQL queries being run. This was fixed in the previous version, but it only covered specific situations. (Ticket #221998b)

Version 14.1.1 (released January 11, 2024)

Changes/Improvements

  • Improvement: If a user has a sponsor, their sponsor’s username, name, and email will be listed at the top of their Profile page. (Ticket #138684)

Bug Fixes

  • Major security fix: An SQL Injection vulnerability was found on a Calendar-related page, some MyCap-related pages, the Define My Events page, the Online Designer, the Record Home Page, and other places, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit these, the user must be logged in as a REDCap user. Bugs exist in all REDCap versions for the past 10 years.

  • Major security fix: Several Reflected XSS (Cross-site Scripting) and Stored XSS vulnerabilities were discovered in which a malicious user could potentially exploit them by inserting custom JavaScript in a specially crafted way into specific URLs or POST parameters in several places, including the Data Quality page, Custom Application Links, Report Folders, and other places. The user must be authenticated into REDCap in order to exploit these in a project. Bugs exist in all REDCap versions for the past 10 years.

  • Major bug fix: The Clinical Data Mart in CDIS might mistakenly not work at all and thus might not allow users to pull any data from the EHR. Bug emerged in REDCap 14.1.0 Standard.

  • Bug fix: An error might occur during the “refresh token” process in CDIS. If an HTTP error occurred while refreshing the token, it was not correctly caught and handled.

  • Bug fix: During the cache file creation process for Rapid Retrieval, concurrent write attempts could lead to PHP errors and potentially high CPU usage in some specific cases. (Ticket #221459)

  • Bug fix: If a record contains multiple consecutive spaces in its record name, some things might not display correctly on certain pages when viewing the record, such as the floating table of repeating instances when clicking on the “stack” status icon for a repeating instrument on the Record Home Page or Record Status Dashboard.

  • Bug fix: In certain situations when using Clinical Data Pull for CDIS, the process might stop with a fatal PHP error for some PHP version.

  • Bug fix: The “Create new API token for user” dialog might mistakenly display the option “External Modules API”, which is not a published feature yet. (Ticket #221904)

  • Bug fix: The upgrade process might unexpectedly stop due to an SQL error in the upgrade SQL script when upgrading to or higher than REDCap 14.0.1 in some cases.

  • Bug fix: Usernames with apostrophes could not be added to a project or assigned to a user role through the user interface on the User Rights page. (Ticket #221933)

  • Bug fix: When using Clinical Data Mart in CDIS, the CDM auto-fetch feature was not properly scheduling a fetch process.

  • Bug fix: When using Clinical Data Pull in CDIS, conditions or medications were not shown in the CDP adjudication dialog unless a specific status was specified.

  • Bug fix: When using Multi-Language Management, in which the highlighting feature for untranslated items is enabled, some items would mistakenly be highlighted on the page that should not be highlighted. (Ticket #221418)

  • Bug fix: When using Multi-Language Management, the MLM setup page might not sort the choices of multiple choice fields in the correct order as seen in the Codebook and Online Designer. (Ticket #221888)

  • Bug fix: When using the Background Data Import process, in which an error occurs, if a user goes to download the CSV file containing the list of errors for the import batch, the first letter of the error message in a given row might be missing.

  • Bug fix: When using the Survey Queue, in which survey participants are added initially via the Participant List, if neither the Designated Email field nor the Participant Identifier is used in the project, and the Survey Response Status is “Anonymous*”, the Survey Queue’s “Get link to my survey queue” popup would mistakenly display the participant’s email address, thus breaking the participant’s anonymity in the project. Going forward, it will no longer display the participant’s email address in that popup in this situation. (Ticket #221804)

  • Bug fix: When viewing the Record Status Dashboard when Data Access Groups exist in a project, in certain situations the RSD page might load a bit slowly due to an excessive amount of SQL queries being run. (Ticket #221998)

  • Various CDIS-related bug fixes, especially related to EHR user mapping when using multiple EHR systems

Version 14.1.0 (released January 04, 2024)

New Features

  • New Multi-EHR functionality for Clinical Data Interoperability Services (CDIS)- Multiple electronic health record systems (EHRs) can now be defined on the CDIS page in the Control Center, whereas in previous versions only one could be defined. This will allow users to pull clinical data from many different EHR systems, if they desire. After a REDCap administrator has defined one or more EHR systems on the CDIS page, any given REDCap project can utilize a specific EHR connection. Note: A project can only be connected to one single EHR. The first EHR connection will serve as the default, and thus whenever CDP or Data Mart is enabled in a project, it will initially point to the default connection, but this can be changed after the fact to point to one of the other EHR connections that are defined in the Control Center. As previously, all users attempting to pull data from any EHR connection will need to have signed in through the EHR (either using the Standalone Launch or CDPs EHR Launch) in order to obtain a FHIR access token for that specific EHR. Thus the user must still have a valid account for each EHR from which they are attempting to pull data.

Changes/Improvements

  • Improvement: Performance improvement when using iMagick (i.e., rendering PDF attachments for Descriptive fields as images embedded inside REDCap-generated PDFs) by using a new internal image cache. Whenever a PDF attachment for a Descriptive field is rendered as an image via iMagick, the image of each PDF page will be cached and stored separately so that the next time the PDF attachment is being rendered inside a PDF, it will use the cached image(s) rather than perform a real-time conversion of the PDF to images every time, which can be time consuming. Note: The image cache of the PDF attachment will be stored and used for up to 30 days, after which it will be automatically deleted from the system.

  • Improvement: New Read Only user privilege for the User Rights page- Users and roles can now be given Read Only access to the User Rights page, which will allow users to view the page but not be able to take any actions on the page. Note: If a user is in a Data Access Group while viewing the page, it is still the case that they can only view users from their own DAG on the page.

  • Change/improvement: A notice was added on the Database Query Tool page so that when exactly 500 rows are returned from a query that does not contain a “limit” clause, it notes that more rows might exist that are not being displayed on the page. This is because “limit 0,500” is always appended to any query that lacks a “limit” clause. This will reduce confusion for admins who might assume that they are viewing the full results of a query when they might not be.

Bug Fixes

  • Bug fix: If using file-based storage for Rapid Retrieval, in which an alternative storage directory has been defined, in certain cases many of the cached files in the alternative directory would mistakenly not get deleted after the 5-day expiration time.

  • Bug fix: The REDCap::evaluateLogic() developer method’s documentation mistakenly did not include information about the current_context_instrument parameter, which is required for the correct evaluation of logic that contains certain Smart Variables. This parameter should be provided to the method if the logic is being evaluated within the context of a specific instrument (e.g., while on a survey page or data entry form). This parameter has been added to the method’s documentation. (Ticket #220861)

  • Bug fix: When enabling Twilio in a project, it is possible in certain cases to enter the same Twilio phone number (if it is a U.S. number) for more than one project. This could be done by entering the phone number in one project with the U.S. country code, and then entering it in another project without the U.S. country code. (Ticket #221468)

  • Bug fix: When importing alerts via a CSV file, if the file contains some mangled characters due to incorrect encoding, the file might fail to upload and would mistakenly not produce any error message.

  • Bug fix: When using CDIS in certain contexts where data is being pulled for specific research studies, the FHIR ID of a research study might not be found.

  • Bug fix: When using CDIS, issues might occur when fetching “conditions” data having a status other than “active”. Additionally, new FHIR resources were inadvertently excluded from mapping in CDP projects. This includes the following mappable resources: encounter, coverage, procedure, device, and all conditions (including their status).

  • Bug fix: When using the functions day(), month(), or year(), more than once inside a calculation, it might not parse the calc correctly, thus possibly returning incorrect results. (Ticket #221544)

Version 14.0.4 (released December 28, 2023)

Changes/Improvements

  • Change/improvement: When using the eConsent Framework on a survey, the certification page now says “Working…” until the inline PDF finally loads on the page. This will reduce confusion for participants in case the PDF takes an abnormal time to load. (Ticket #221228)

Bug Fixes

  • Medium security fix: The AWS SDK PHP third-party library contained a medium security vulnerability that would mistakenly allow an attacker to possibly perform URI path traversal. The library was updated to the latest version.

  • Major bug fix: The API Delete Users method was mistakenly not checking if a user had User Rights privileges in the project in addition to API Import/Update privileges in order to successfully make a call to the API method.

  • Bug fix: Direct links to the FAQ in certain places throughout REDCap were not working. They would merely take the user to the top of the Help & FAQ page instead of to a specific item. Bug emerged in REDCap 13.4.0. (Ticket #221329)

  • Bug fix: If Form Display Logic or Survey Queue Logic references a specific repeating instance of a field, specifically instance “1”, “first-instance”, or “last-instance”, when the field exists on a repeating event that currently contains no data for a given record, the logic might mistakenly not evaluate correctly. (Ticket #221229)

  • Bug fix: In specific situations where multiple File Upload fields are piped onto a page in a specific way, it may cause a JavaScript error that prevents the instrument from loading. (Ticket #221225)

  • Bug fix: When using Multi-language Management, the “Initialize a new language from available system languages” option was mistakenly checked (while also disabled) even when no system languages are available, leading to a JavaScript error when “Continue” is clicked. (Ticket #221273)

Version 14.0.3 (released December 21, 2023)

Changes/Improvements

  • Improvement: If a project dashboard has been set as “public”, a link icon will appear next to the project dashboard title on the left-hand project menu. If a user clicks the link icon, the public project dashboard will open in a new tab.

  • Improvement: If a report has been set as “public”, a link icon will appear next to the report title on the left-hand project menu. If a user clicks the link icon, the public report will open in a new tab.

  • Improvement: The Unicode Transformation process (found via the Configuration Check page if your installation was installed prior to REDCap 8.5.0) now contains a Step 2 Alternative method, which utilizes a project-by-project Unicode Transformation process using a cron job. Previous versions required that SQL be run over all projects at the same time (which might take quite a while) while REDCap was offline. If your REDCap installation was installed roughly 8 years ago or if it contains more than 1000 projects, it is recommended that you use Step 2 Alternative to minimize server downtime during the Unicode Transformation process. After performing Step 1, Step 2 Alternative will provide some SQL to enable the cron job. Once initiated, you may refresh the page to view its project-by-project progress until all steps appear green on the page after it has finished. Note: Step 1 will still need to be run in real time while REDCap is offline. Thus downtime is unavoidable for Step 1. But the benefit of Step 2 Alternative is that it allows one to complete the remaining steps of the Unicode Transformation process without any downtime.

  • Improvement: When in a project context when the Read Replica feature is enabled, the Read Replica’s utilization will now be maximized by referencing the last time a “write event” occurred in the project’s Logging (such as data being saved or the project being modified in some way) when being compared with the replica’s lag time (rather than merely using a static maximum lag time of 3 seconds as the cutoff). This means that, for example, if a project has not had any logged “write events” in the past 5 minutes, the replica will be used on specific pages in that project so long as the replica’s lag time (i.e., behind the primary database) is less than 5 minutes. Whereas in previous versions, the replica would only be utilized if the replica’s lag time was 3 seconds or less. This increases the utilization of the replica, thus improving overall system performance.

  • Change: Some help text was added to the Form Display Logic and Survey Queue instructions to inform users that their conditional logic will be evaluated at the record level and not within the context of an event or a repeating instance, which means that it is not possible to use relative instance or relative event Smart Variables - i.e., those with the name ‘current’, ‘next’, or ‘previous’, such as [next-instance] or [previous-event-name].

  • Change: The length of time in which the record list cache will be automatically reset has been increased from 1 week to 2 weeks. This was done because the record list cache has seen years of stability and can now be trusted to be accurate for longer periods of time. This change will reduce how often the cache will need to be rebuilt for an active project, which should improve overall system performance.

Bug Fixes

  • Major bug fix: When checkbox field values are being imported during a data import (via the API or Data Import Tool), in which some calculated fields in the project reference the checkbox field in their calculations, the calc fields might mistakenly not get updated during the import process. (Ticket #221111)

  • Bug fix: A warning might mistakenly be encountered during the extraction of an identifier from a FHIR request within a CDIS project. The adjustment involves ensuring that the returned identifier is a single value rather than an array.

  • Bug fix: If fields are embedded into the field label of a File Upload field or Signature field, the “Upload file”/“Add signature” dialog would mistakenly display the embedded fields as editable, whereas it should instead display them as read-only since their values cannot be modified there inside the dialog. (Ticket #221137)

  • Bug fix: In rare cases, a database query run on the Participant List page might cause the page to load very slowly or even time out. (Ticket #211469)

  • Bug fix: In some cases when exporting the Project XML file for a project, the process might mistakenly crash with a fatal PHP error when using PHP 8. (Ticket #221097)

  • Bug fix: In the Online Designer, when a field has a section header immediately above it, and the field is then moved to be directly above that section header, the field would mistakenly revert back to its original position.

  • Bug fix: The “Insert a dynamic variable” feature on the Email Users page in the Control Center would mistakenly never work, in which the variables would not get successfully replaced in the email body when sending the emails.

  • Bug fix: Using the function isblankormissingcode() in branching logic would not always return the correct result if the field used in the function is numeric. (Ticket #218984)

  • Bug fix: When calling the Rename Record API method, the API request would mistakenly get logged as “Switch DAG (API)” when it should instead be logged as “Update record (API)”.

  • Bug fix: When entering data on a data entry form or survey while using a mobile device, in which a text field on the page has field validation and the user has entered a value that will throw a field validation error, if they click the “Add signature” link or “Upload file” link for a signature or file upload field, respectively, while their cursor is still in the text field, then they would get stuck in an infinite loop of popups and not be able to continue data entry on the page. (Ticket #219569)

  • Bug fix: When performing an API Export Records call with type=eav, in some rare cases the record ID field might mistakenly have duplicate rows for some records in the exported data. (Ticket #220860)

  • Bug fix: When piping a field on the same instrument on which it is located, the piping might mistakenly not work in a repeating instrument or repeating event context. (Ticket #220610)

  • Bug fix: When renaming a record in a multi-arm longitudinal project, in which the new record name already exists in another arm but in another case (e.g., renaming a record to “aa3” in arm 1 when there is already a record “AA3” in arm 2), issues can occur when trying to access the record in either arm in the user interface afterward. When this occurs going forward, the new record name will be forced to be the same case as the existing record in the other arm. (Ticket #217809)

  • Bug fix: When uploading a data import file via the Background Data Import, in which the process somehow gets stuck during the initialization phase, the upload would mistakenly appear with a “queued” status. Going forward, if any imports are stuck in the initialization phase for more than one hour, they will be automatically cancelled by the system. (Ticket #220714)

  • Bug fix: When uploading a data import file via the Background Data Import, in which the process somehow gets stuck processing for a long period of time, the upload would mistakenly appear with a “processing” status forever. Going forward, if any imports are stuck in the processing phase for more than one day, they will be automatically cancelled by the system.

  • Bug fix: When using Google Cloud Storage for file storage in the system, and the “Organize the stored files by REDCap project ID?” setting is enabled, uploading a file on the main Send-It page (i.e., via the tab from the My Projects page) might cause a fatal PHP error when using PHP 8. (Ticket #221098)

  • Various bug fixes and improvements to the External Module Framework: Added the isModulePage() and isREDCapPage() module methods (courtesy of Andrew Poppe) Added the dashboard-list module setting type (courtesy of Andrew Poppe) Added the visibility-filter option for the dashboard-list and form-list module setting types (courtesy of Andrew Poppe) Removed survey-list module setting type in favor of form-list with a visibility-filter option Misc. security scan script improvements

Version 14.0.2 (released December 14, 2023)

Changes/Improvements

  • Improvement: If the Read Replica feature is enabled, all API export methods will now utilize the Read Replica, whereas in previous versions the only API methods that utilized the Read Replica were the Export Records, Export Report, and Export Logging methods.

  • Improvement: The Rapid Retrieval caching feature is now utilized for data exports and also for the API methods Export Records and Export Report, whereas in previous versions Rapid Retrieval was only utilized on report pages and the record status dashboard page.

  • Change: The PID number for a project is now displayed on the My Projects page for all user types, whereas in previous versions it was only displayed for admins (users with some kind of Control Center access). (Ticket #220689)

  • Improvement/change: For projects with the “Delete a record’s logging activity when deleting the record?” setting enabled on the Edit Project Settings page, a request to the API Delete Record method may now include the parameter delete_logging=0 if the user wants to prevent the record’s logging activity from being deleted when the record is deleted. If the setting is enabled in the project, then the default value will be ‘1’ for delete_logging (to maintain the existing behavior in previous versions), and if the project-level setting is not enabled, the default value will be ‘0’. If the project-level setting has been enabled, this API parameter must be provided with a value of ‘0’ in order to prevent the record’s logging activity from being deleted when the record is deleted (Ticket #96300)

  • Various fixes and changes to the External Module Framework, including the following: 1) The getProjectsWithModuleEnabled() method begins included modules enabled via the “Enable module on all projects by default” setting as of framework version 15, and 2) Fixed copy/paste/cut issue in rich text editor.

Bug Fixes

  • Major bug fix: When exporting a report (including using the API Report Export method) in CSV, XML, or JSON format, in which the report does NOT have “order by” fields, the resulting exported data might mistakenly contain duplicate rows, some of which might appear empty while others have the expected data for the given record/event. (Ticket #219392b)

  • Bug fix: In a MyCap-enabled project, the MyCap participant install dates and baseline dates would mistakenly get carried over into copied projects and projects created via Project XML upload.

  • Bug fix: In specific cases, the @richtext action tag might cause the Notes field’s rich text editor to be read-only when it should be editable on the page.

  • Bug fix: On the Codebook page, collapsing of some tables on the page would not work in certain browsers.

  • Bug fix: Some example R code in the API Playground was syntactically incorrect and would cause errors if it was run in R as is. Bug emerged in 13.7.24 LTS and 14.0.0 Standard Release. (Ticket #219535b)

  • Bug fix: The EHR patient portal for CDIS might mistakenly fail to accurately display whether a patient was already associated with a given project. Bug emerged in REDCap 14.0.0.

  • Bug fix: The Scheduling page would mistakenly never display the record drop-down list. Bug was originally fixed in version 13.8.3 but then reappeared again in 14.0.0. (Ticket #210446b)

  • Bug fix: When clicking the increase/decrease font-size button at the top of survey pages, the speaker icons used for text-to-speech functionality would mistakenly not change size.

  • Bug fix: When importing data (via API or Data Import Tool), in which the record name of the record being imported already exists in the project but has a different case (e.g., “101A” vs “101a”), it might cause extra logged events to be added during the data import process, even when no data is being modified. This issue does not seem to affect existing data in any negative way. (Ticket #219755)

  • Bug fix: When importing data via the Data Import Tool’s background data import, if the CSV file contains any File Upload fields, even if they are empty columns, it would mistakenly display an error saying that some variable names in the file were invalid, which is confusing. File Upload fields will now be ignored for this field pre-check since ultimately they are ignored during the data import process since files cannot be uploaded using this method. (Ticket #218575)

  • Bug fix: When sending invitations through the Participant List via the Compose Survey Invitations dialog, in some rare cases the action of scheduling/sending the invitations might result in a fatal PHP error for PHP 8. (Ticket #220549)

  • Bug fix: When upgrading REDCap more than once in a single day, the “redcap_history_version” database table would mistakenly only list the last upgrade of the day. (Ticket #220627)

  • Bug fix: When using CDIS, a patient’s preferred language might not be correctly extracted from a patient’s FHIR payload. (Ticket #219743)

  • Bug fix: When using CDP (Clinical Data Pull), data was mistakenly not being automatically fetched from the EHR and imported into a given CDP project as part of the CPD cron job. The issue was observed specifically in scenarios where certain records lacked a specified Medical Record Number (MRN).

  • Bug fix: When using Shibboleth authentication, the REDCap redirect URL was mistakenly not URL-encoded in the Shibboleth handler address, which might cause the user not to get redirected back to the correct place after returning from a successful Shibboleth login. (Ticket #220564)

Version 14.0.1 (released December 07, 2023)

Changes/Improvements

  • Improvement: For Descriptive Text fields on the Codebook page, the attachment’s filename and its display format are now listed on the page if it has an attachment, and the media URL and its display format are now listed on the page if it has a media URL. (Ticket #220204)

  • Improvement: Improved user interface elements on the Codebook page. A new instrument table lists instrument names and also event designations, if longitudinal. The instrument and event tables are now collapsible. Additionally, the tables denote if an instrument is a repeating instrument or is designated to a repeating event, and the event table denotes if an event is a repeating event. All tables on the page are now collapsed by default. (Ticket #220221)

Bug Fixes

  • Major bug fix: When exporting a report (including using the API Report Export method) in CSV, XML, or JSON format, in which the report is ordered by a field other than the record name and the total size of the exported data is fairly large (containing several hundred or thousand records), the resulting exported data might mistakenly be missing many rows of data. Bug emerged in the previous version. (Ticket #220275)

  • Bug fix: If a proxy is specified on the General Configuration page in the Control Center, the username-password authentication for HTTP requests made during CDIS remote calls to the EHR system might not always work successfully under certain conditions. (Ticket #219039c)

  • Bug fix: If a survey does not have survey instruction text, and the participant navigates back to page 1 after being on page 2 of the survey, the page would mistakenly display the “View survey instructions” link under the survey title.

  • Bug fix: In some situations when copying a project, in which the records are also copied, the new project would appear not to have any records until the administrator clicked the “Clear all record and page caches” button on the Other Functionality page.

  • Bug fix: Referencing a field from another instrument or another event inside the function month(), day(), or year() for a calculated field would mistakenly cause a calculation error to occur on the page. (Ticket #220405)

  • Bug fix: The EHR Launch in CDIS might mistakenly fail due to a fatal PHP namespace error.

  • Bug fix: The administrator’s browser time that is displayed at the bottom of the main Control Center page was not formatted correctly. (Ticket #219917)

  • Bug fix: The query cache efficiency check on the Configuration Check page might mistakenly display a false positive saying that the MySQL query cache is not efficient when actually it is. (Ticket #220049)

  • Bug fix: When a project has been deleted, some orphaned rows for that project might still exist in certain database tables. (Ticket #220047)

  • Bug fix: When clicking the “Download metadata only (XML)” button on the Project Setup->Other Functionality page, it mistakenly would not log the file download. It now logs the download event as “Download REDCap project XML file (metadata only)” on the Logging page. (Ticket #220203)

  • Bug fix: When using Azure AD authentication with Endpoint V2, the setting “AD attribute to use for REDCap username” was mistakenly not using all of the options listed in the drop-down but would only use the “userPrincipalName” option, if selected. Now all options can be used in Endpoint V2. (Ticket #134789b)

  • Bug fix: When using the Survey Login feature in a longitudinal project, in which a field referenced on the survey login page exists on a different event as the survey currently being taken, the logged event’s description of the successful/failed login on the Logging page would mistakenly have the wrong event for the context of the survey login. (Ticket #220174)

Version 14.0.0 (released November 30, 2023)

New Features

  • New action tag: @SHOWCHOICE- When applied to a multiple-choice field, this action tag will hide all choices except for the ones listed in its argument. This action tag is useful if you wish to only show a subset of choices depending on some logic (e.g., depending on data access groups) via the IF action tag. The format must follow the pattern @SHOWCHOICE='??', in which the coded values should be inside single or double quotes for the choice(s) you wish to show. If more than one choice needs to be shown, then provide all the coded values separated by commas. For example, to show the choice ‘Monday (1)’, you would have @SHOWCHOICE=‘1’, but if you wanted to additionally show ‘Tuesday (2)’, you would have @SHOWCHOICE=‘1,2’. NOTE: The @SHOWCHOICE action tag supports piping into its argument - e.g., @SHOWCHOICE=[my_checkbox:checked:value].

  • New feature: Additional redcap_data tables To help improve long-term server performance over time through horizontal scaling, REDCap now makes use of 3 new redcap_data tables named redcap_data2, redcap_data3, and redcap_data4. As new projects are created, they will be assigned to one of the four data tables, which will be the single place where that projects data is stored. Utilizing more data tables will allow REDCap to maintain its speed and remain performant over time. The addition of these new tables is a completely automatic and transparent change that users will likely never realize or need to know about. However, administrators should be aware of it, especially in regard to the creation of Dynamic SQL fields (see below), which will be affected by this change. Note: No existing projects will be impacted by this change in v14.0.0; thus, it will only affect new projects created after upgrading to v14.0.0. Also, a projects data table can always be obtained on the Edit Project Settings page after selecting a project, in which the table name will be listed at the top of that page. New [data-table] Smart Variable- Since a projects data can be stored in any of the 4 data tables, writing queries for Dynamic SQL fields can be tricky. On the Add/Edit Field dialog on the Online Designer, it will note the current projects data table after selecting Dynamic SQL Field in the dialog. However, instead of using the literal data table name in their SQL query, admins may instead use [data-table], which will be replaced with the current tables data table name. If you wish to obtain the data table name for another project, append a colon and the PID of the other project - e.g., [data-table:7345], in which the PID of the other project is 7345. It is advised that going forward, administrators should utilize the [data-table] Smart Variable for Dynamic SQL fields rather than using the literal data table name. New developer method REDCap::getDataTable($pid)- New REDCap class method for plugins/modules/hooks that will return the redcap_dataX database table name for a specified project by providing its project_id. If $project_id is null or not provided, it will return “redcap_data” by default. It is recommended that if any External Module developers have any EMs that reference the redcap_data explicitly in their EM code, they should replace it similar to how it is done in the code below: \(data_table = method_exists('\REDCap', 'getDataTable') ? \REDCap::getDataTable(\)project_id) : “redcap_data”; $sql = “select * from $data_table where project_id = $project_id”; New Move Project Data page This page allows REDCap administrators to move the data stored in a given REDCap project to another redcap_dataX table in the database in order to [hopefully] improve the general performance of the project. The performance improvement will depend greatly on the size and structure of the project and will also depend on many things in the overall system, such as the current size of the redcap_data table and the power of the database server. Note: The data transfer process on this page will perform multiple checks to ensure that all data gets moved successfully, and if anything goes wrong, it will automatically roll back all changes. How to find this page - The Edit Project Settings page in the Control Center contains a link to the Move Project Data page.

  • New feature: Read Replica Server To help offset server load if the REDCap system has been experiencing routine slowness, REDCap can connect to a read-only, secondary database server that uses MySQL/MariaDB replication to stay in sync with REDCap’s primary database server. The Read Replica server will be utilized only for read-only operations in the following places in REDCap: viewing reports, exporting data (including API exports), viewing record status dashboards, viewing and exporting the project logging page (including API logging exports), using the data search tool, viewing the scheduling page, executing data quality rules, viewing project dashboards, and viewing the Control Center’s System Statistics and User Activity Log pages. The effort of enabling the Read Replica functionality is very minimal once a replica server has been created and is successfully replicating from the REDCap primary database server. Most of the work will be simply setting up the replica server. Instructions for setting up the Read Replica can be found near the top of the General Configuration page in the Control Center. NOTE: The Read Replica is only recommended for use if you have been experiencing performance issues with your REDCap server, such as a routine or off-and-on slowness. Before enabling the Read Replica feature, it is advised that you explore other ways to improve database performance first, such as adding more RAM and CPUs to your database server to see if that provides some improvement. If those things do not help, then using the Read Replica might be a good option.

  • New page-level caching feature: Rapid Retrieval REDCap now implements an automatic, transparent form of page-level caching (known as Rapid Retrieval) to help speed up certain pages that are known to be slow. Currently, Rapid Retrieval operates only on reports and on the Record Status Dashboard page. When a cache is being utilized, a note will appear at the top of the page that says Page speed was boosted using Rapid Retrieval. The Rapid Retrieval cache can be cleared for an entire project by an administrator using the Clear the Record List Cache button on the Project Setup->Other Functionality page, in which the button text now says Clear all record & page caches. On the Modules/Services Configuration page in the Control Center, the Rapid Retrieval functionality can be disabled for the whole system, if desired. It has two options: File-based storage (default, recommended) and Database storage. If set to ‘File-based storage’, the Rapid Retrieval feature will store all cached files in REDCap’s ‘temp’ folder by default. If set to ‘Database storage’, they will be stored in the redcap_cache database table. When using File-based storage, there is an additional setting named Alternative directory to store cached files that is completely optional, in which you may set an alternate location on your web server for storing the cached files, whether for security or performance related reasons. Suggestion: The File-based storage method is recommended in most cases, such as on very active servers, because the Database storage method can tend to cause the database to be too busy, in which it may bog down the server and/or cause the MySQL binary log to grow too rapidly. You may try both options to see if one performs better overall. There is no harm in changing this setting at any time while the system is running. Additional notes: When using File-based storage, the cached files are completely encrypted (at rest) on the web server, and the files are quickly removed by a cron job once they have been invalidated and can no longer be utilized. This form of active pruning keeps the cached files from taking up too much space on the web server.

Changes/Improvements

  • Improvement: The @HIDECHOICE action tag now supports piping into its argument - e.g., @HIDECHOICE=[my_checkbox:checked:value].

  • Improvement: The bottom of the main Control Center page now displays the current time of the users browser and the current time of the REDCap server (with its timezone).

  • Change: When downloading the Survey Queue settings via CSV file, the CSV filename now contains the project title and timestamp of the download.

  • Change: When viewing the “View or Edit Schedule” tab on the Scheduling page when more than 10K drop-down options would be displayed in the already-scheduled drop-down list of records, in which the drop-down will display at all, the text on the page has been modified for better clarity since it was confusing regarding how to view an already-scheduled record in this situation.

Bug Fixes

  • Major bug fix: When exporting a report (including using the API Report Export method) in CSV, XML, or JSON format, in which the report is ordered by a field other than the record name and the total size of the exported data is fairly large (containing several hundred or thousand records), the resulting exported data might mistakenly contain duplicate rows, some of which might appear empty while others have the expected data for the given record/event. (Ticket #219392)

  • Bug fix: For certain REDCap installations, the events on the Define My Events page would not be ordered correctly. (Ticket #219188)

  • Bug fix: Form Display Logic might mistakenly not be evaluated correctly on the Record Home Page when a record has not been created yet but is in the process of being created. (Ticket #219883)

  • Bug fix: If a proxy is specified on the General Configuration page in the Control Center, it was mistakenly not using username-password authentication for HTTP requests made during CDIS remote calls to the EHR system. (Ticket #219039b)

  • Bug fix: In some rare cases when using nested IF action tags for a field in which spaces or line breaks appear in specific places in the IF’s logic, the IF action tag might mistakenly not evaluate correctly.

  • Bug fix: Issues related to copy, paste, and cut in the TinyMCE 6 rich text editor. (Ticket #219212, #219274, #218550, #219286)

  • Bug fix: Some example R code in the API Playground was syntactically incorrect and would cause errors if it was run in R as is. (Ticket #219535)

  • Bug fix: The “Upcoming Scheduled Survey Invitations” popup on the Record Home Page might not display all the upcoming invitations scheduled in the next 7 days but might mistakenly omit some. (Ticket #218769)

  • Bug fix: When a datediff() function has a literal date value (e.g., “22-07-2023”) for the first or second parameter in the function, in which the date value is in DMY or MDY date format, the datediff might mistakenly not perform the calculation correctly in some instances - most specifically server-side processes, such as auto-calculations, data imports, and Data Quality rule H. (Ticket #219662)

  • Bug fix: When downloading the Survey Queue settings via CSV file, the download action was mistakenly not being logged.

  • Bug fix: When opening certain dialog popups throughout the application, in which the dialog contains a lot of text, the page might mistakenly auto-scroll downward unexpectedly, thus causing the user to have to scroll back up in order to read the dialog contents.

  • Bug fix: When uploading the Survey Queue settings via CSV file, the upload action was mistakenly being logged multiple times.

  • Bug fix: When using the RICHTEXT action tag for a field on a data entry form that is disabled/readonly (due to limited user rights or when viewing a survey response that is not in edit mode), the field’s rich text editor would mistakenly not appear disabled/readonly and would allow users to type and modify its content, even though the page is not able to be submitted. (Ticket #219212b)

  • Several fixes and improvements for the External Modules Framework, including 1) Added the report-list and survey-list EM setting types, and 2) Resolved a queryLogs() bug when referencing username in WHERE clauses (Ticket #217622).

Version 13.11.4 (released November 18, 2023)

Bug Fixes

  • Major bug fix: When a user is uploading a project’s Survey Queue settings via a CSV file in the Online Designer, in certain situations, the process might mistakenly erase the Survey Queue settings of ALL PROJECTS in the entire system. This bug affects only Standard Releases 13.11.0, 13.11.1, 13.11.2, and 13.11.3. If you are on an affected version, it is advised that you upgrade ASAP. Additionally, this fix in 13.11.4 has also been backported to all affected versions so as to prevent further damage. (Ticket #219088)

Version 13.11.3 (released November 16, 2023)

Changes/Improvements

  • Improvement: A new parameter was added to the method REDCap::storeFile() to allow one to set the filename of the file being stored. In previous versions, the filename would be extracted from the file path itself. This new parameter is useful to assign a filename to files that have a temporary filename, such as when resulting from a file upload.

  • Improvement: New MLM-related Action Tags - If using Multi-Language Management, the LANGUAGE-SET action tag can now be selectively applied to data entry forms via LANGUAGE-SET-FORM) or surveys via LANGUAGE-SET-SURVEY.

  • Improvement: When using MyCap in a longitudinal project, a more streamlined process is provided for helping users add new active tasks and designate them for specific events in the project. This process is now much less confusing and less disjointed than in previous versions.

  • Minor changes and improvements to the External Module Framework.

Bug Fixes

  • Bug fix: If a proxy is specified on the General Configuration page in the Control Center, it was mistakenly not being utilized for HTTP requests made during CDIS remote calls to the EHR system. (Ticket #219039)

  • Bug fix: If the Mosio SMS Services have been enabled in a project, the configuration step for Mosio on the Project Setup page would mistakenly not be displayed if the system-level Twilio feature (rather than the system-level Mosio feature) had been left disabled on the Modules/Services Configuration page in the Control Center.

  • Bug fix: If using Multi-Language Management, under certain circumstances the language preference of a logged-in user was mistakenly overwritten by a browser cookie. (Ticket #218766)

  • Bug fix: In some situations, the AWS SDK might mistakenly fail when attempting to store or retrieve files from S3. The AWS SDK for PHP has been updated to the latest version in order to resolve this.

  • Bug fix: The Data Viewing Rights & Data Export Rights might not be set correctly for user roles after adding a new instrument to a project while in production. When adding a new instrument, the rights would always get set to “No access” for that instrument for all roles, despite the fact that the setting “Default instrument-level user access…” on the User Settings page in the Control Center might be set otherwise. Note: This does not affect individual users' rights but only user roles. (Ticket #218708)

  • Bug fix: When a Table-based user navigates into a project, after which the Password Expire Warning popup is displayed if their password is about to expire soon, and then the user clicks the “Change my password” button, they are mistakenly taken to a blank page. This issue only occurs if the Password Expire Warning popup is displayed while they are inside a project (as opposed to on the My Projects page). (Ticket #218606)

  • Bug fix: When merging two records while using Double Data Entry (DDE), the merging process might mistakenly replace specific characters with HTML entities in the values of the third record that was created. (Ticket #218547)

  • Bug fix: When performing a data import on the Data Import Tool page when using PHP 8, a fatal PHP error might mistakenly occur. (Ticket #212225b)

  • Bug fix: When piping a value onto a form/survey from outside the current context, in certain situations the piped value might mistakenly get wrapped in invisible HTML “span” tags when output onto the page, which should only occur when the field being piped exists on the same page. (Ticket #219031)

  • Bug fix: When using a designated email field (whether project-level or survey-level), there might be some inconsistency with regard to saving the email field if the field exists on multiple events or on a repeating instrument/event, in which REDCap attempts to keep all values the same for the field in all places in the record. One of the worst side effects is that it might mistakenly create extra repeating instances on a record when the email field exists on a repeating instrument when multiple repeating instances already exist for another instrument on the same record. (Ticket #217938)

Version 13.11.2 (released November 09, 2023)

Changes/Improvements

  • Improvement: When using the “Erase all data” feature on the Other Functionality page, it now lists the total number of records in the dialog so that the user is aware. (Ticket #218329)

  • Change/bug fix: In a MyCap-enabled project, the MyCap Invitation Text has been updated for projects that are not yet converted to the new MyCap mobile app. This text change is to reduce confusion regarding the transition from the MyCap Classic app to the new app.

  • Change: The “variable auto-naming” feature found in the “Add New Field” popup in the Online Designer can now be disabled/hidden for all users by toggling a new system-level setting. The User Settings page in the Control Center now contains a setting where this feature can be 1) Disabled for all users, 2) Enabled for all users (default), or 3) Enabled for administrators only. (Ticket #215153)

  • Change: When copying a project on the Copy Project page, if the project being copied contains one or more Dynamic SQL fields, a notice will be displayed near the bottom of that page to inform the user that they may want to consider if the SQL query for the field(s) needs to be modified in order to work correctly in the new project.

Bug Fixes

  • Bug fix: External Module language files were mistakenly being overwritten by the Language::getLanguage() method, leading to the loss of module-specific language keys. This problem manifested when the tt function, used for internationalization within EMs, was called, particularly affecting pages that utilized the redcap_control_center hook. (Ticket #218492)

  • Bug fix: The “Map of Users” page in the Control Center might mistakenly not call the “redcap_control_center” hook under specific circumstances. (Ticket #218502)

  • Bug fix: The DbHealthCheck cron job might mistakenly fail when the web server is using PHP 8. Bug emerged in REDCap 13.11.0.

  • Bug fix: When using Multi-Language Management, the comments at the top of CSV export files from the MLM page mistakenly had a comma hard-coded as the CSV delimiter, which could lead to the file not being importable when a delimiter other than comma was chosen and depending on the type of software used to edit the file.

  • Bug fix: When using Multi-Language Management, the project-level overrides of some admin settings would mistakenly get ignored.

Version 13.11.1 (released November 03, 2023)

Bug Fixes

  • Major bug fix: When upgrading to REDCap 13.11.0, the upgrade SQL script might mistakenly fail on certain versions of MySQL (but not MariaDB), thus preventing some folks from successfully upgrading to v13.11.0.

  • Bug fix: Two-factor verification would mistakenly fail for users when the 6-digit 2FA code has a leading zero. (Ticket #218277)

  • Bug fix: When using Clinical Data Pull, the “View” link to view the adjudication popup would mistakenly not appear at the top of the data entry page after having opened the page the first time. (Ticket #218182)

Version 13.11.0 (released November 02, 2023)

New Features

  • New feature: New FHIR resources are available for Clinical Data Interoperability Services (CDIS) for extracting new types of data from a patient s chart. (Note: If using Epic, your institution will first need to upgrade to version 3 of the REDCap app in the Epic App Orchard/Vendor Services in order to use these new resources.) Below is a list of the new resources available: Appointment Endpoints - Appointments, Scheduled Surgeries Condition Endpoints (Epic Only) - Dental Finding, Genomics, Infection, Medical History, Reason for Visit Additional Endpoints - Coverage, Device: Implants, Diagnosis, Procedure

  • New piping parameters for date/datetime fields: :year - Returns the year component of a date/datetime field - e.g., [dob:year]. :month - Returns the month component of a date/datetime field - e.g., [visit_datetime:month]. :day - Returns the day component of a date/datetime field - e.g., [visit_date:day].

  • New special functions for date/datetime fields: year() - Returns the year component of a date/datetime field - e.g., year([dob]). month() - Returns the month component of a date/datetime field - e.g., month([visit_datetime]). day() - Returns the day component of a date/datetime field - e.g., day([visit_date]).

Changes/Improvements

  • Improvement: Form Display Logic Import/Export - Users can now export and import their Form Display Logic settings via a CSV file in the Online Designer. After clicking the Form Display Logic button on the page, it will reveal a drop-down list of options to 1) edit the FDL, 2) download the FDL as a CSV file, or 3) upload the FDL as a CSV file. This new feature will make it much easier for users to make modifications to their Form Display Logic when they have many instruments and/or events that they wish to utilize in the FDL.

  • Improvement: If using the Mailgun Email API, an optional Base URL setting has now been added to allow institutions to specify the Base URL that should be called for the Mailgun Email API. By default, “https://api.mailgun.net” is used, but those in the EU region may alternatively set it as “https://api.eu.mailgun.net” in the Mailgun section of the General Configuration page. (Ticket #206369)

  • Improvement: Survey Queue Import/Export - Users can now export and import their Survey Queue settings via a CSV file in the Online Designer. After clicking the Survey Queue button on the page, it will reveal a drop-down list of options to 1) edit the SQ, 2) download the SQ as a CSV file, or 3) upload the SQ as a CSV file. This new feature will make it much easier for users to make modifications to their Survey Queue when they have many instruments and/or events that they wish to utilize in the SQ.

  • Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).

  • Improvement: The rich text editor has been updated to TinyMCE v6.

  • Improvement: When using Multi-Language Management, it is now possible to preset the language of a survey by supplying the URL parameter “__lang”, which must be set to a valid (active) language id (and is case-sensitive). Example: https://redcap.vanderbilt.edu/surveys/?s=ABC123&__lang=es. When used, this will override both a survey respondent’s previous choice (stored in a browser cookie) as well as the language preference field. The @LANGUAGE-FORCE action tag will still take precedence, though. (Ticket #124976)

  • Additional CDIS enhancements: Refactored “Mapping Helper”- The user interface has been simplified for ease of use. The workflow is adjusted so that data for all resources can now be fetched in one action, reducing the number of clicks needed. Clinical Data Mart - There’s now an option to apply date ranges to specific resources individually, providing more granular control during data retrieval. Also, the existing background fetch feature within CDM has been extended to the “search” feature. This means when you’re using the search functionality, particularly with individual MRN selections, the system can perform data fetches in the background, freeing you up to work on other tasks. Clinical Data Pull - You can now map conditions to a specific clinical status. This is particularly useful for instances requiring detailed condition data.

  • Bug fix/change: When using MyCap in a project, in which the project has not been transitioned to use the new MyCap app (but instead is using the MyCap Classic app), if a user exports the project XML file to create a new project on the same server or on any server on REDCap 13.11.0 , that new project will also be using the MyCap Classic app. In previous versions, the new project would always be using the new MyCap app, which could cause issues in specific situations.

Bug Fixes

  • Bug fix: A user would be unable to close the field validation error popup (specifically in iOS or Android) when the field with the validation error is followed by a signature field. (Ticket #217572)

  • Bug fix: Fixed an issue affecting the behavior of custom CDIS mapping in the Clinical Data Pull (CDP) mapping interface, in which custom CDIS mapping fields were incorrectly designated as ‘primary,’ thus preventing users from utilizing them as intended. (Ticket #217391)

  • Bug fix: If a REDCap server is configured to use AAF authentication and that site has enabled the option to identify locals based on their AAF eduPersonScopedAffiliation, a user that should have been identified as a local would mistakenly not be identified as such, leading to them not being automatically granted project creation/copy rights upon account creation. This bug was introduced in REDCap 13.10.4.

  • Bug fix: In certain situations while on a survey page, a participant might be able to submit a survey when they should not, such as if the Save button is hidden on the survey page. (Ticket #217159)

  • Bug fix: In certain situations, the WebDAV file storage check on the Configuration Check page might mistakenly fail with a fatal PHP error. (Ticket #217684)

  • Bug fix: In certain situations, the cron job for the Background Data Import might fail with a fatal PHP error when using PHP 8. (Ticket #212276b)

  • Bug fix: The setting “Custom text to display at top of Project Home page” would mistakenly not display in the project if it did not contain actual text but only contained an image or an HTML “style” tag. (Ticket #217972)

  • Bug fix: Users would mistakenly be allowed to define Missing Data Codes where some of the codes could be duplicated in different cases (case sensitivity-wise). For example, “na” and “NA” would both be allowed as Missing Data Codes. Note: This issue cannot be fixed retroactively but will be prevented going forward when users attempt to create or modify Missing Data Codes on the Project Setup page. (Ticket #216818)

  • Bug fix: When attempting to save a calc or @CALCTEXT field in the Online Designer, in which the calculation contained a Smart Variable, it would prevent normal users from saving the field and would just get stuck saying “Saving…”. However, administrators would be able to save the field successfully.

  • Bug fix: When exporting and importing Automated Survey Invitations using a CSV file in the Online Designer, the import process might fail with a blank error message due to an inconsistency in the CSV delimiter used in the file. (Ticket #217941)

  • Bug fix: When using Multi-Language Management, the choice labels of multiple choice fields would not be piped correctly in some cases if the choice labels contain HTML. (Ticket #217955)

  • Bug fix: When using the @CALCDATE action tag in which the Daylight Saving Time barrier is crossed when calculating the resulting date, in specific cases the result might mistakenly be one day off (if a date field) or one hour off (if a datetime field). Similarly, when using the datediff() function in which one date/datetime exists in DST while the other does not, in some cases the result might be off by one hour when using units of “h”, “m”, or “s”. (Ticket #32022, #73668, #103913, #126830, #129720, #137174, #215534, #216566)

Version 13.10.6 (released October 26, 2023)

Changes/Improvements

  • Change/improvement: The Configuration Check page now has a new MySQL 8 specific check to ensure that the “Generated Invisible Primary Keys” (GIPK) setting in MySQL has been disabled on the database server. If not, it recommends to set sql_generate_invisible_primary_key=OFF in the my.cnf (or my.ini) configuration file. Additionally, this check has been added to the REDCap install page in order to prevent anyone from installing REDCap with this feature enabled. If the GIPK setting is left enabled, it will forever display false positives for the “Database Structure is Incorrect” check in the Control Center when in fact there is nothing wrong with the database structure.

  • Change: When using MyCap, some REDCap server configuration info is now included in the MyCap configuration JSON that gets pulled by the MyCap mobile app when refreshing the MyCap configuration on the participant’s mobile device. This server info will be stored on the mobile device and used only for troubleshooting purposes when any issues occur in the mobile app.

Bug Fixes

  • Bug Fix: When importing records that are assigned to a Data Access Group, in which records for other DAGs exist in the redcap_data table with a blank record name (due to an older bug that caused the name to be blank), this would mistakenly prevent the data import process from importing the records. (Ticket #217724)

  • Bug fix: An issue may occur with a CDIS-related cron job in which certain records are not processed due to MemoryMonitor interruptions, and thus records would mistakenly not get queued for future processing to pull their clinical data from the EHR. This fix ensures that these unprocessed records are correctly queued for the next execution of the cron job, preventing data loss and ensuring more robust processing.

  • Bug fix: Certain tables, such as the Record Status Dashboard and reports, might mistakenly not display with the correct width based on the current screen size, in which the table may display its scroll bar off the right side of the page (i.e., initially not visible) instead of it being visible after the page loads.

  • Bug fix: If the MyCap External Module is enabled in a project, the built-in MyCap feature would mistakenly have its “Enable” button as a clickable button on the Project Setup page. That button is now disabled/grayed out if the MyCap EM is already enabled in a project.

  • Bug fix: When a checkbox field has a multiple choice option whose raw code is the same as a missing data code in the project, the report page might mistakenly display the error “DataTables warning: table id=report_table - Incorrect column count” when trying to view a report that contains such a checkbox. (Ticket #217249)

  • Bug fix: When a user is assigned to a Data Access Group and views a project’s Logging page when no records exist in their DAG yet, the Logging page might crash and display an error message saying that an SQL query failed. This appears to only occur for certain versions of MySQL/MariaDB. (Ticket #217372)

  • Bug fix: When a user lacks the instrument-level user privilege to modify survey responses for a given instrument, then they open a data entry form that has been enabled as a survey, and before they submit the form, a survey response has already been started or completed by a participant, it would mistakenly allow the user to unwittingly overwrite the survey response when they submit the form. It now returns an error message in this specific scenario and prevents the user from making changes. (Ticket #217157)

  • Bug fix: When adding or editing a multiple choice field via the Online Designer, the text in the section “How do I manually code the choices?” mistakenly contained a line break in the text rather than actually displaying the HTML tag " " as visible in the text.

  • Bug fix: When an alert is set to trigger “When conditional logic is TRUE during a data import, data entry, or as the result of time-based logic”, in which a data value from a repeating instrument or repeating event is added via a data import, if the repeat instance number is “1” for the field being imported (or if the value is “new” when no repeating instances exist yet for that field), the import process might mistakenly not trigger the alert. (Ticket #214855)

  • Bug fix: When hovering over the “view list” link on the Alerts & Notifications page for a given alert, the popover dialog would mistakenly not be hidden again if the user moves their cursor off of the popover. To remedy this, the user must now click the “view list” link to see the popover, after which the popover will hide if manually closed or if the user clicks on anything outside of the popover on the page.

  • Bug fix: When using CDIS, specifically Clinical Data Mart, an intermittent issue in CDM projects would occur where searches for specific Medical Record Numbers (MRNs) would occasionally return duplicate results. The fix ensures that each MRN appears only once in the search outcomes.

  • Bug fix: When using Multi-Language Management, the “only one selection per column” notice on matrix fields was mistakenly not translatable via the MLM setup page. (Ticket #217480)

Version 13.10.5 (released October 19, 2023)

Changes/Improvements

  • Improvement: When using the Field Bank in the Online Designer to search specifically within the NIH CDE Repository, a new checkbox option exists in the search utility called “Search NIH-Endorsed CDEs”. If this search option is checked, REDCap will search only for fields that are “NIH-Endorsed” in the NIH CDE Repository. NIH-Endorsed CDEs have been reviewed and approved by an expert panel, and meet established criteria.

  • Security improvement: If no value has been set for the system setting “Restricted file types for uploaded files” at the bottom of the Security & Authentication page, the following value will be set for that setting to prevent harmful files from being uploaded to the system: “ade, adp, apk, appx, appxbundle, bat, cab, chm, cmd, com, cpl, diagcab, diagcfg, diagpack, dll, dmg, ex, exe, hta, img, ins, iso, isp, jar, jnlp, js, jse, lib, lnk, mde, msc, msi, msix, msixbundle, msp, mst, nsh, php, pif, ps1, scr, sct, shb, sys, vb, vbe, vbs, vhd, vxd, wsc, wsf, wsh, xll”.

  • Change/improvement: When using OpenID Connect authentication in specific situations, such as with Azure B2C, an optional “additional scope” value might need to be provided in order for authentication to function correctly. A new “Additional scope” setting has been added to the OIDC section of the Security & Authentication page for this, if needed. (Ticket #214076)

Bug Fixes

  • Minor security fix: When using Two-Factor Authentication, in which users are logging in and entering a 6-digit one-time passcode (OTP), there was no limit placed on the number of passcode submissions that can be attempted for a given user within a specific window of time. Thus, the passcode verification process was subject to brute force hacking (so long as the attempts did not exceed the general Rate Limiter setting in REDCap). This has been changed so that the passcode verification process cannot be utilized more than 10 times per minute. If exceeded, it will now return an error.

  • Medium security fix: Malicious users might be able to bypass the “Restricted file types for uploaded files” feature (if being utilized on the REDCap server) by uploading a file with an incorrect file extension into the File Repository of a project, and then changing the file’s extension using the “rename file” feature. For example, an attacker could take a file named “exploit.exe”, rename it to “image.jpg” on their local device, upload the file into the File Repository, rename the file to “image.exe”, and then trick another user into downloading it and executing it locally. Now, REDCap prevents users from modifying the file extension of any files uploaded into the File Repository. Note: The vulnerability does not pose a risk to the REDCap server since REDCap itself never executes any uploaded files, but this only poses a risk to users who may unwittingly download and execute the file. Also, the malicious user must have File Repository privileges inside a project in order to exploit this.

  • Major security fix: A Stored Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into specific POST parameters of an Online Designer related URL so that the custom JavaScript could be injected into the calculations of calc fields, @CALCTEXT, and @CALCDATE fields. Thus the custom JavaScript could be executed whenever anyone opens the data entry form or survey page. This could lead to privilege escalation if a malicious user tricks an administrator into viewing the instrument, thus potentially becoming an administrator themselves and able to access all projects and data. The user must be authenticated into REDCap and must have Project Design rights in order to exploit this in a project. Bug exists in all REDCap versions for the past 10 years. Note: This bug was supposedly fixed in the previous version but mistakenly was not.

  • Major bug fix: When a survey participant clicks the “Save & Return Later” button on a survey, REDCap would mistakenly not always find the participant’s email address (from a designated email field or from the participant list) when loading the page that displays the return code. In some cases, another participant might be sent an email containing the original participant’s survey link for completing the survey. Note: Despite sending the survey link to the wrong participant, the other participant would not be able to see the original participant’s responses because they do not have the Return Code. (Ticket #140765, #217097)

  • Bug fix: If the settings “Allow normal users to edit their primary email address on their Profile page?” or “Allow normal users to edit their first name and last name…” are set to “Do not allow editing”, a user that knows how to make a specially-crafted POST request to a specific end-point or knows how to manipulate the Profile page’s user interface in a specific way would be able to modify their first/last name and/or email address, respectively.

  • Bug fix: The language variable “design_1054” mistakenly existed twice in the file “English.ini”.

  • Bug fix: When a user imports a Project XML file that is truncated (for whatever reason) and is thus does not represent properly structured XML, in some situations REDCap might still attempt to process the XML fully without any error message, which might result in some things not getting set correctly in the resulting project, possibly unbeknownst to the user. It now attempts to do a better job of detecting if the XML is properly structured, and if not, returns an error message explaining this.

  • Bug fix: When a user imports data via the Background Data Import option, the data import would get logged under the generic user “SYSTEM” since the import is literally performed by the REDCap cron job. However, this creates ambiguity in the logging with regard to which user initiated the specific import batch. To reduce ambiguity in all future imports performed via the Background Data Import, the logging page will now list the user as “SYSTEM” appended in parentheses by the user that initiated the import - e.g., “SYSTEM (john.doe)”.

  • Bug fix: When using “Azure AD OAuth2 & Table-based” authentication, users clicking the “Logout” link in REDCap would mistakenly not be successfully logged out of Azure AD. (Ticket #216423b)

  • Bug fix: When using Multi-Language Management, a JavaScript error might occur when piping calculated fields under specific conditions.

  • Bug fix: When using Multi-Language Management, the option to “Create from file/from scratch” would mistakenly not be available on the Control Center MLM setup page when the corresponding language creation was disabled for projects.

  • Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with an 445 area code. (Ticket #216751)

  • Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with certain newer area codes, including 531 and 726. (Ticket #216751b)

Version 13.10.4 (released October 11, 2023)

Changes/Improvements

  • Improvements to AAF Authentication: Clearer instructions are provided to admins when setting up AAF authentication on the Security & Authentication page. AAF authentication now allows administrators to define multiple eduScopeTarget attributes that identify an authenticating user as a ‘local’, thus allowing sites to enable users from multiple institutions to create projects. AAF authentication now allows administrators to control which users are added to the Email Users page. Previously this was either Yes (all users) or No (no users). Now, the options are All Users, None, and Locals Only. When a user logs in for the first time via AAF, the Organization Name of their Identity Provider is now added to the Institution ID field in their User Profile. This change is not retroactive; existing users will not have their organization added to their profile automatically. When an AAF user logs in for the first time, it now logs the event.

  • Change/improvement: When adding/editing a Descriptive Text field in the Online Designer, the text in the “Optional file attachment, image, audio, or video” section of the popup has been modified to instruct the user that the “Embed an external video” feature can be used for more than just videos but for websites and surveys too (i.e., the “Magic Box” feature, as some call it). The text has been changed to “Optional media to embed or attach:” and “Embed media (video, website, survey, etc.)”, respectively. Other relevant text in the popup has also been modified to refer to “media” more generically rather than “video”.

  • Various updates and fixes for the External Module Framework, including 1) Avoided additional eval false positives during scans, 2) Added scan support for local paths to zip files, and 3) Improved constructor scan output.

Bug Fixes

  • Medium security fix: A user with Calendar privileges in a given project that knows how to make a specially-crafted POST request to a specific end-point might be able to edit or delete a calendar event in another project to which they do not have access.

  • Medium security fix: A user with Data Access Group privileges in a given project that knows how to make a specially-crafted POST request to a specific end-point might be able to rename or delete a DAG in another project to which they do not have access.

  • Major security fix: A Stored Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into specific POST parameters of an Online Designer related URL so that the custom JavaScript could be injected into the calculations of calc fields, @CALCTEXT, and @CALCDATE fields. Thus the custom JavaScript could be executed whenever anyone opens the data entry form or survey page. This could lead to privilege escalation if a malicious user tricks an administrator into viewing the instrument, thus potentially becoming an administrator themselves and able to access all projects and data. The user must be authenticated into REDCap and must have Project Design rights in order to exploit this in a project. Bug exists in all REDCap versions for the past 10 years.

  • Bug fix: When printing an instrument via the option “Download this survey with saved data (via browser’s Save as PDF)”, a vertical line/shadow would mistakenly appear on the left side of the resulting PDF.

  • Bug fix: When using “OpenID Connect & Table-based” authentication, users clicking the “Logout” link in REDCap would mistakenly not be successfully logged out of OIDC. (Ticket #216423)

  • Bug fix: When using Multi-Language Management, “style” HTML tags that span over multiple lines would mistakenly not work as expected when MLM is active.

  • Bug fix: When using Multi-Language Management, REDCap’s auto-logout feature would mistakenly not work on the MLM setup page in some circumstances. (Ticket #216234)

  • Bug fix: When using Multi-Language Management, a specific warning was mistakenly not translatable via the MLM setup page.

  • Bug fix: When using MyCap, the “No Fields” error might mistakenly not be displayed in the Online Designer if non-MyCap fields are added at the end of an instrument.

Version 13.10.3 (released October 05, 2023)

Changes/Improvements

  • Improvement: When setting up recurring Alerts & Notifications, users can now set the repeating interval value as a number with a decimal (in previous versions, the value could only be an integer). This will allow users to approximate the interval of a monthly recurring alert as 30.44 days since it is currently not possible for recurring alerts to be scheduled on exactly the same day and time each month. To help users, a note has been added in the repeating survey section of the alert setup dialog to inform them how to approximate a month as 30.44 days. (Ticket #215860)

  • Change: A note was added to the Smart Variable documentation, specifically for the charts, to denote that when using multiple fields in the chart, the data used in the chart will be naturally grouped from the same event and/or repeating instance. For example, if you’re plotting age vs weight in a scatter plot in a longitudinal project, it will only create points in the plot where both the age value and weight value exist on the same event. If one or both values are missing from a given event in a record, then no point can be plotted for that given record.

  • Change: In Multi-Language Management, the “Default” language term has been renamed to “Base Language” on the MLM setup page and in various documentation for improved clarity regarding the purpose and function of the Base Language in MLM.

  • Change: When using MyCap in a project, the instructional text in the individual “Invite Participant” popup has been modified slightly to cater better to whether the project has been transitioned to use the new MyCap mobile app or not.

Bug Fixes

  • Major bug fix: A user with “Alerts & Notifications” privileges in a given project that knows how to make a specially-crafted POST request to a specific end-point used for “Alerts & Notifications” functionality might be able to delete any general uploaded file that belongs to the project, whether it be an attachment uploaded via the rich text editor, a file uploaded to a File Upload field, a Descriptive Text field attachment etc. This user could potentially delete the stored edoc file for any of those such places in the project. However, it is important to note that the user can only delete files within their own project to which they have access. They cannot delete files in other projects to which they do not have access.

  • Major bug fix: If survey invitations have been scheduled manually (i.e., not via ASI) with one or more reminders, the unsent/scheduled reminders would mistakenly not be automatically removed whenever the participant completes the survey. (Ticket #203090)

  • Bug fix: In specific cases where the REDCap::saveData() method is being called, including data imports from the new MyCap mobile app, the process might mistakenly crash when using PHP 8. (Ticket #215928)

  • Bug fix: Several PHP 8 compatibility issues when using certain MyCap pages/processes.

  • Bug fix: Several different features in REDCap, in which an AJAX call returns JSON-encoded data, might get misinterpreted and thus would fail because the request failed to have the “Content-Type: application/json” header set. This would only occur for certain web server configurations. (Ticket #214401)

  • Bug fix: The @NOW-SERVER action tag would mistakenly not set the correct value for many time-validated field types, such as a Text field with “time_hh_mm_ss” validation, whenever an instrument/survey is loaded. Instead, it might set the value as the user/participant’s local time (according to their browser). (Ticket #216135)

  • Bug fix: The Unicode Transformation process might mistakenly not convert data in some database tables that have a “project_id” column in which the project_id value in the table is NULL. (Ticket #215615)

  • Bug fix: The end-points used for deleting instruments and fields in a project were mistakenly using a GET request (rather than a POST request), which could make it easier for a user to get tricked into unwittingly deleting an instrument or field if a malicious user sent them a specially-crafted link to click. Such a situation would not cause any permanent damage (e.g. no data would ever be deleted), and it could be easily fixed by re-adding the instrument/field back.

  • Bug fix: The hook functions “redcap_survey_page_top” and “redcap_survey_page” might mistakenly be provided with an incorrect DAG group_id value for records that have not yet been created, such as when viewing the first page of a public survey. In these cases, it would provide the DAG group_id of record “1” in the project if there exists a record named “1” when instead the group_id should be NULL. (Ticket #215884)

  • Bug fix: When uploading a CSV file using the Background Data Import, in which the record ID field is included in the data file but many rows in the file have no value provided for the record ID field (i.e., it’s blank), the import process could mistakenly go into an infinite loop until the script times out, which might cause the process to get stuck in “Initialization” status and thus can’t be canceled or removed.

  • Bug fix: When using Multi-Language Management, for Yes/No and True/False fields, “No”/“False” was mistakenly shown instead of their associated translation in some places (e.g., Codebook). (Ticket #216265)

  • Bug fix: When using a CDIS service (CDM or CDP) to pull data from an EHR, when dealing with date values used in the FHIR requests to the EHR system, some dates might mistakenly be converted to the current timezone. This has been fixed to ensure that the date conversion only occurs in the response received from the FHIR system.

  • Bug fix: When using the Protected Email Mode feature, in which an alert is set up with an attachment file and the alert is set not to send immediately but at some later time, after the alert is triggered and the email is sent, when the recipient views the email on the Protected Email Mode page, the attachment would mistakenly not be downloadable on the page but would display an error when attempting to be download it. (Ticket #212760)

Version 13.10.2 (released September 28, 2023)

Changes/Improvements

  • Improvement: The Logic Editor is now utilized when an administrator is adding/editing the SQL query for a Dynamic SQL Field.

  • Change/improvement: A new check was added to the Configuration Check page that will alert the administrator if the PHP.INI configuration file used by the REDCap cron job has a timezone setting that differs from the timezone setting in the main PHP.INI file used by the web interface (but only if more than one PHP.INI is utilized). If the timezone settings differ, it warns that one must be changed so that they are the same, otherwise the cron job may not run correctly.

Bug Fixes

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a specially crafted way into the URL on the Data Import Tool page. This bug only affects REDCap 13.8.0 and higher.

  • Bug fix: If using an HTML “style” tag inside user-defined text (e.g., field label, survey instructions), the CSS styles inside the tags might mistakenly not work on the page if line breaks or carriage returns occur anywhere inside the opening and closing style tag. (Ticket #215693)

  • Bug fix: In a MyCap-enabled project, slider labels (displayed above or next to the slider) were not displaying correctly in the MyCap config JSON and thus might cause issues in the MyCap mobile app.

  • Bug fix: Some project pages might fail with a fatal PHP error when using PHP 8 due to the calling of an undefined PHP constant in the External Module Framework. (Ticket #215348)

  • Bug fix: The “field suggest” feature when using the Logic Editor was mistakenly no longer appearing as of REDCap 13.7.13 LTS and 13.9.3 Standard Release. (Ticket #215285)

  • Bug fix: The Unicode Transformation process might mistakenly not display correct information regarding whether or not some specific steps in the process need to be completed.

  • Bug fix: The auto-fill form/survey feature for administrators might mistakenly fail for most/all time validated fields. (Ticket #215684)

  • Bug fix: When an [X-event-name] Smart Variable is prepended to a field variable (especially in combination with an [X-instance] Smart Variable) in logic, calculations, or piping, it might cause the evaluation of the logic/calc/piping not to be performed successfully. For example, for [previous-event-name][field], the direct previous event might be used when instead the previous designated event for that field’s instrument should be used. (Ticket #214317, #213503)

  • Bug fix: When renaming a record, the record name would mistakenly not get renamed on the Email Logging page. This would not cause any issues other than the Email Logging saying that an email belongs to the wrong record. (Ticket #215100)

  • Bug fix: When transitioning a MyCap-enabled project to use the new MyCap mobile app, some survey-related settings might mistakenly not be updated during the process (assuming they were being used to store the participant QR code and/or direct link), specifically the survey confirmation email body and the ASI email body.

  • Bug fix: When using CDIS, the SMART on FHIR authentication process was causing incorrect scope levels to be applied, specifically impacting Cerner users. The issue prevented the proper assignment of the “user” level during authentication, thus potentially leading to authorization errors.

  • Bug fix: When using Multi-Language Management, the “Access Denied!” a message that appears on data entry forms when a user has no access was mistakenly not a translatable element in MLM. (Ticket #215504)

  • Bug fix: When using MyCap in a project while publishing a new MyCap app version, in which a task exists with non-fixable errors, the success message popup will display a warning along with a success message that some tasks were not published due to errors.

  • Bug fix: When using the Clinical Data Mart design checker’s “fixDesign” process, a fatal PHP error might occur in certain situations.

  • Bug fix: When using the Data Resolution Workflow along with Data Access Groups in a project, if a user attempts to assign a data query to a user, in some situations the drop-down list of assignable users would mistakenly list users that are not currently eligible to be assigned to the data query because they are not currently assigned to the record’s DAG. It should only list users that are currently in the record’s DAG (or users not in any DAG) if the record itself is assigned to a DAG. (Ticket #213770)

Version 13.10.1 (released September 22, 2023)

Changes/Improvements

  • Improvement: The MyCap Help document has been updated, and a new Transition Guide has been added to help inform users regarding the process of transitioning to the new MyCap mobile app from MyCap Classic (the guide is linked in the popup that notifies users about transitioning). Additionally, a new PDF displaying a list of all MyCap app features has been linked in several places where MyCap documentation is located, in which the PDF compares the features of the new MyCap app with the previous MyCap Classic app.

  • Change/improvement: In the External Module Framework, the $module->redirectAfterHook() after hook method was added.

  • Change/improvement: Slight performance improvement when loading the Logging page in some projects.

Bug Fixes

  • Major bug fix: When using randomization while in production status, if a user is uploading a new allocation table to be appended to the existing production allocation table, in which the development allocation table happens to exactly match all the production allocations after the allocation upload has occurred, all the production allocations would mistakenly be erased, which would also remove the “randomized” status for any already randomized records. This is extremely rare, but is extremely destructive and difficult to restore back to its previous state.

  • Bug fix: A user that does not have Project Setup privileges in a project could potentially exploit a missing user rights check on the endpoints where field attributes are modified in the Online Designer by crafting special HTTP requests to those specific endpoints. This does not allow the user to do anything other than add new fields or edit the attributes of existing fields.

  • Bug fix: An administrator with only “Install, upgrade, and configure External Modules” admin privileges might not be able to view certain External Module pages or perform certain External Module operations, such as accessing the EM Manage page in the Control Center. (Ticket #214721, #214722)

  • Bug fix: An issue might occur when downloading a file from a File Upload field when REDCap is hosted on Google Cloud Platform due to the usage of an unnecessary project_id prefix for Google bucket file storage.

  • Bug fix: Fixed issue with the CDIS “Break the Glass” feature. When attempting to restore a serialized list of patients, an error is thrown due to the DateTime class not being listed within the “allowed_classes” parameter of the unserialize function. (Ticket #214670)

  • Bug fix: Minor MyCap-related bug fixes and UI changes.

  • Bug fix: The notification for the Unicode Transformation process on the Configuration Check page might mistakenly not be displayed on the page anymore after step 2a of the process has been completed. It should not go away until all 4 of the steps are completed.

  • Bug fix: When attempting to access the “App Data Dumps” on the REDCap Mobile App page in a project, if any of the data dump files somehow can’t be found in the file system (which would be unexpected), the page would crash with a fatal PHP error. From now on, it will merely skip any files in this situation. (Ticket #215007)

  • Bug fix: When date or datetime fields are piped into the choice label of a drop-down field, in which the date/datetime field has MDY or DMY date format and also exists on the same page as the drop-down field, the date/datetime values might not get piped in the correct format but may appear in the drop-down as a mangled date/datetime value.

  • Bug fix: When users delete or regenerate their API token in a project, the value of the old token was mistakenly not being logged on the project’s Logging page.

  • Bug fix: When users make API requests, the full API token was mistakenly being logged in the redcap_log_view table for each request. This is not typically an issue because such values in that table are not exportable via the front-end user interface but are only accessible via direct database access. However, if some institutions are sending the full export of their redcap_log_view table to their local security office, the logging of the API token in that table could be problematic. The API token will now be redacted in the redcap_log_view table. (Ticket #214322)

  • Bug fix: When viewing the MyCap participant list, the Baseline Date might mistakenly be displayed in an incorrect date format.

  • Bug fix: When viewing the Record Status Dashboard in certain cases when using PHP 8, the page might crash with a fatal PHP error. (Ticket #214370)

Version 13.10.0 (released September 08, 2023)

New Features

  • New feature: Longitudinal functionality for MyCap-enabled projects- In previous versions, longitudinal projects could not utilize MyCap (the feature would be disabled automatically). Now with the release of the new MyCap mobile apps on Android and iOS, longitudinal functionality is possible and is supported in the new MyCap mobile app. For any projects currently using MyCap, there will be a transition button on the MyCap Participants page that will allow the users to transition the project and any existing participants to use the new MyCap mobile app (note: this transition process is completely optional and not required unless wanting to use longitudinal functionality and other new MyCap features). The older MyCap mobile apps will still be available and updated in the Apple App Store and Google Play Store for the time being.

Changes/Improvements

  • Improvement: Enhancements to the Codebook page - For longitudinal projects, a table of all events names is displayed near the top of the page. If events and/or missing data codes exist, the table of them may be included in or excluded from the page printout via a checkbox at the top right corner of their table. Also, in the printout of the page, the time and project title are now displayed.

  • Various updates and fixes for the External Module Framework Miscellaneous security scan improvements. Replaced the setRoleForUser() implementation with UserRights::updateUserRoleMapping() so that logging would be included automatically. Control Center module list improvements: 1) Sorted the list of modules to enable by name, 2) Improved module list load time when modules with updates are not enabled anymore, 3) Displayed modules that are still enabled even though their directories are missing, and 4) Cached settings to improve module list load time.

Bug Fixes

  • Medium security fix: The Chart.js JavaScript library that is included in REDCap contains a bundled version of the Moment.js library, which contains a security vulnerability in that specific version. The bundled Moment.js library has been removed. It does not need to be replaced since REDCap already has the latest version of Moment.js included separately already.

  • Bug fix: An error was thrown during the deserialization of CDIS messages. The issue was caused by the DateTime class not being included in the list of allowed classes for deserialization.

  • Bug fix: REDCap’s internal function for copying files would mistakenly fail to copy files when using Google Cloud Storage as the file storage system. (Ticket #213946)

  • Bug fix: The newer background process that helps prune abandoned/zombie database processes might mistakenly be preventing some important processes from finishing, such as data fetching for CDIS (both CDM and CDP), data exports, and also the Easy Upgrade process.

  • Bug fix: When adding a new instrument in a MyCap-enabled project, the Online Designer page might mistakenly crash with a fatal PHP error when using PHP 8. (Ticket #213817)

  • Bug fix: When enabling Mosio SMS Services on a project, it would mistakenly allow users to enter a Mosio API Key that is already being used by another REDCap project. This should not be allowed. It will now prevent a user from entering a Mosio API Key if that key is already being used by another project. Additionally, if two projects already are using the same Mosio API Key before upgrading to this REDCap version, the Mosio configuration popup will auto-disable the SMS Conversation option to prevent both projects from using the same Mosio API Key, which could cause issues specifically when using the “Initiate survey as SMS conversation” option. (Ticket #213376)

  • Bug fix: When exporting a project as a Project XML file and then creating a new project from the XML file, if the Survey Login feature had been utilized and the Survey Settings checkbox had been checked when exporting the XML file, the Survey Login settings would mistakenly not get transferred into the newly created project. (Ticket #212987)

  • Bug fix: When using Azure AD V1 for authentication, the setting “AD attribute to use for REDCap username” on the Security & Authentication page mistakenly listed the employee ID attribute as “employeeID” when it should instead be “employeeId”. This could prevent proper authentication if that option was selected. (Ticket #213619)

  • Bug fix: When using Multi-Language Management, branching logic based on a field set by the action tags LANGUAGE-CURRENT-FORM/-SURVEY would mistakenly not work when the field is a text box field.

  • Bug fix: When using the Custom Record Label on a multi-arm longitudinal project, if an “ad hoc” calendar event is created and is attached to a specific record, the Custom Record Label might mistakenly not be displayed when viewing the calendar event in the calendar popup window. (Ticket #23367b)

  • Bug fix: When using the Survey Login feature and a survey participant begins a new survey while their survey login session is still active, the survey instructions would mistakenly not be displayed on the page by default. (Ticket #212987)

Version 13.9.3 (released August 31, 2023)

New Features

  • New action tag: @MC-PARTICIPANT-CODE- This action tag is a MyCap annotation that can be used with Text fields. When using this action tag on a field, the field will capture the MyCap participants participant code whenever they join a project via the MyCap mobile app. NOTE: This is used only for the MyCap mobile app. The fields value is not generated when viewing the data entry form but only when the MyCap app is making a call to REDCap when the participant joins the project. Additionally, while this action tag can be added to a new field in already-existing MyCap projects, a field with this action tag will be auto-added to any projects where MyCap is enabled in the project after the fact and for any new projects created using the MyCap project template.

Changes/Improvements

  • Improvement: When viewing the Survey Access Code dialog on the Public Survey Link page, users may now click a button to copy the QR code to their clipboard. Additionally, users may now click the QR code to download it or click a link below the QR code to download it in the higher resolution SVG format, if desired.

Bug Fixes

  • Minor security fix: A DOM-based Cross-site Scripting (XSS) vulnerability was discovered on all project-level pages that could possibly be exploited if a malicious user is able to manipulate the JavaScript “location” interface/variable in specific ways.

  • Bug fix: FHIR stats were mistakenly counted in DDP (Dynamic Data Pull) projects when using CDP (Clinical Data Pull) auto-adjudication.

  • Bug fix: When clicking the “Enable color-blind accessibility” displayed below a pie or donut Smart Chart on a data entry form or survey page, it would send the user/participant to a non-existent page, thus resulting in a 404 error. (Ticket #211920)

  • Bug fix: When pulling data from an EHR system via CDIS, date filters were not being correctly applied when fetching temporal data. (Ticket #212894)

  • Bug fix: When using “Azure AD OAuth2 & Table-based” authentication together with Duo two-factor authentication (2FA), after a user successfully logs in via Table-based authentication, they would mistakenly not be redirected to the Duo OAuth2 page for two-factor authentication. (Ticket #211697)

  • Bug fix: When using Multi-Language Management, the text “(Place a mark on the scale above)” that is displayed below Slider fields was mistakenly not translatable via MLM. It has now been added.

  • Bug fix: When using Table-based authentication and a user has somehow been granted access to a project and added to a user role (e.g., via user role CSV upload) despite the fact that the username does not exist as a real user account in the system, it would be impossible to remove the user from their role, to re-assign them to another role, or ultimately to remove them from the project. (Ticket #207764)

  • Bug fix: When using the Azure Communication Services Email API, the email functionality would fail to work if the Services Endpoint value did not end with a slash ("/").

  • Bug fix: When viewing the Online Designer in a MyCap-enabled project, the “Enable” button for enabling MyCap for a given a data collection instrument would mistakenly be disabled, thus preventing users from enabling the instrument as a MyCap task, if the instrument’s first field was part of a matrix of fields. (Ticket #213075)

  • Bug fix: When viewing the Stats & Charts page for a given report and clicking the “Missing” link to view a list of missing values, it might mistakenly display many false positives of repeating instances that do not really exist in the data. (Ticket #211913)

Version 13.9.2 (released August 25, 2023)

Changes/Improvements

  • Change/improvement: If a longitudinal project contains one or more records, and a user moves a field to a different instrument via the Online Designer, a warning will be displayed saying that moving fields to other instruments might potentially cause the orphaning of data, in which it tells the user to double-check their instrument-event mappings to ensure that no orphaning/data loss has occurred. And if it has, it tells the user that they can move the field back to its original instrument to restore any orphaned data. (Ticket #211829)

  • Change/improvement: When executing Data Quality rules, the Logging page now lists the specific DQ rule by name that was executed in the logged event, whereas previous versions merely stated “Execute data quality rule(s)” generically in the Logging. (Ticket #207900)

Bug Fixes

  • Major bug fix: If a repeating Automated Survey Invitation has been enabled in a project in which one or more records have triggered the ASI initially, if the ASI was then disabled for a certain amount of time and then re-enabled later, after which a user or participant triggered an ASI in any project in which the ASI is set to send immediately, it would mistakenly cause the repeating ASI in the original project to send/schedule hundreds or thousands of invitations for each record that was originally triggered in that original project. This issue was caused by the invitation-sending function being called recursively when an individual record triggers an ASI. (Ticket #210378)

  • Bug fix: Administrators that have “Perform REDCap Upgrades” privileges would receive an error message when attempting to use the Easy Upgrade feature if they did not also have some other admin privileges. This has been fixed so that only “Perform REDCap Upgrades” privileges are needed to perform an upgrade. (Ticket #211957)

  • Bug fix: After modifying the schedule of an existing record on the Scheduling page, the logged events of schedule modifications would correctly appear on the Logging page by default, but some of the schedule-related logged events would not appear on the Logging page when using the “Filter by record” option for that specific record. Note: This will be fixed for all schedule modifications going forward, but all existing logged events for schedule modifications cannot be fixed retroactively. (Ticket #208481)

  • Bug fix: Descriptive Text fields would mistakenly not be returned when a user searches for fields via the Field Finder on the Codebook page. (Ticket #212763)

  • Bug fix: If the File Storage method for REDCap is set to “Google Cloud Storage using API Service Account”, downloading the Instrument Zip file of an instrument that is enabled as a survey and contains a survey logo would mistakenly fail due to a fatal PHP error. (Ticket #212967)

  • Bug fix: In certain instances, the “Download PDF of instrument(s) via browser’s Save as PDF” feature may mistakenly not show all the text for Notes Box fields in the resulting PDF if the Notes Box fields contain a lot of text. (Ticket #211228)

  • Bug fix: In certain situations, the Background Data Import feature might mistakenly cause the cron job to fail with a fatal PHP error when running PHP 8. (Ticket #213086)

  • Bug fix: Public reports and public project dashboards might not display optimally when viewed on mobile devices, such as images appearing too large or the report table going outside of its parent box.

  • Bug fix: Several files located in the /redcap/webtools2/pdf/ subdirectories are no longer compatible with PHP 8.2.0 and higher. In addition to fixing the compatibility issues with PHP 8.2, all the files in /redcap/webtools2/pdf/ have now been incorporated directly into the REDCap version directory so that they can be kept up to date on an ongoing basis with future versions of PHP. (Ticket #211377)

  • Bug fix: The feature to compare data dictionaries/revisions on the Project Revision History page might produce unexpected results in which the comparison does not display the correct results. (Ticket #208391)

  • Bug fix: When calling the API Export Records method to retrieve data in “odm” format from a project that contains data for repeating events, if the “fields” parameter is provided in the API call and does not contain any field utilized on a repeating event, the resulting XML might mistakenly be malformed and not structured correctly. (Ticket #208787)

  • Bug fix: When entering a non-URL value (e.g., field variables, Smart Variables) into the “Embed an external video” text box while editing a Descriptive Text field in the Online Designer, it would mistakenly prepend “http://” to the beginning of the value entered.

  • Bug fix: When modifying any of the drop-down fields in the Survey Design Options section of the Survey Settings page for a given instrument, it would cause the Cancel button at the top or bottom of the page to no longer work unless clicked many times. (Ticket #211204)

  • Bug fix: When using the @DOWNLOAD-COUNT action tag in which the field being referenced by the action tag exists on the same page, if users or participants download the file using their browser’s right-click “Save as” option (as opposed to directly clicking it), it would mistakenly not register as a download to be incremented for the count field on the page. Although the server-side call to download the file via “Save as” would increment the counter field’s value on the back-end, the front-end value would now be out of sync. There’s no way to change the counter on the page from being temporarily out of sync, but REDCap will now auto-fix the value after the form/survey is submitted in order to reconcile the true count value and save it to the counter field. In summary, this fix should ensure that the counter field’s value is correct whether or not someone downloads the file with a normal click or via the right-click “Save as” option.

Version 13.9.1 (released August 18, 2023)

Bug Fixes

  • Bug fix: When using the Designate Instruments page in a longitudinal project while running PHP 8, editing the event grid may result in an error message, preventing the edits from being saved. This issue was supposedly fixed in a previous issue but mistakenly was not. (Ticket #212677)

Version 13.9.0 (released August 17, 2023)

New Features

  • New action tag: @MC-PARTICIPANT-JOINDATE- This action tag is a MyCap annotation that can be used with Text fields with date/time validation. When using this action tag on a field, the field will capture the install date/time of the MyCap participant whenever the participant joins a project via the MyCap mobile app. NOTE: This is used only for the MyCap mobile app. The fields value is not generated when viewing the data entry form but only when the MyCap app is making a call to REDCap when the participant joins the project. Additionally, while this action tag can be added to a new field in already-existing MyCap projects, a field with this action tag will be auto-added to any projects where MyCap is enabled in the project after the fact and for any new projects created using the MyCap project template.

  • New feature: Azure Communications Email API Integration As an alternative for sending outgoing emails from REDCap (rather than using the standard settings in PHP.INI to send them natively from the web server), you may use Azure Communications Email API, which is a third-party paid service that can send emails on behalf of REDCap. The option can be configured on the General Configuration page in the Control Center. You merely have to provide the API key and services endpoint for your Azure Communications account, and it will begin using the Azure Communications Email API to send all emails going out of REDCap. Note: This email service must be used together with REDCaps Universal From Address (located on the General Configuration page) using an authorized sender address in ones Azure account. Limitations: Due to limitations in the implementation of this API by Microsoft/Azure, this email-sending method is not able to display inline images in the body of emails, but any inline images will instead be represented as regular attachments. Additionally, the true sender s email address and display name are not able to be displayed to the recipient in their email client, thus the recipient will only see the REDCap Universal ‘From’ Address as the sender with no corresponding display name.

  • New feature: Azure Communications Email API Integration As an alternative for sending outgoing emails from REDCap (rather than using the standard settings in PHP.INI to send them natively from the web server), you may use Azure Communications Email API, which is a third-party paid service that can send emails on behalf of REDCap. The option can be configured on the General Configuration page in the Control Center. You merely have to provide the API key and services endpoint for your Azure Communications account, and it will begin using the Azure Communications Email API to send all emails going out of REDCap. Note: This email service must be used together with REDCaps Universal From Address (located on the General Configuration page) using an authorized sender address in ones Azure account. Limitations: Due to limitations in the implementation of this API by Microsoft/Azure, this email-sending method is not able to display inline images in the body of emails, but any inline images will instead be represented as regular attachments. Additionally, the true senders email address and display name are not able to be displayed to the recipient in their email client, thus the recipient will only see the REDCap Universal ‘From’ Address as the sender with no corresponding display name.

  • New math functions mod (dividend,divisor) - Modulo - Returns the remainder of the (integer) division (modulo) dividend/divisor. Both values must be integers. E.g. mod(10,4) will result in 2 because 2 is the remainder of 10 divided by 4. exponential (number) - Exponential of e - Returns “e” (Euler’s Number) raised to the power of a number: e^x. Note: The value of the exponent x must be a number. E.g. exponential(1) will return 2.718281828459045.

  • New text string functions replace_text (haystack, search, replace) - Replaces parts of a text value with a specified replacement text value - Finds text (“search”) inside another text (“haystack”) and replaces all found occurrences with the given text (“replace”). For example, assuming [field1] has a value of “Paul Taylor, Rob Taylor”, replace_text([field1], “Taylor”, “Harris”) would result in “Paul Harris, Rob Harris”. Note: This function performs a case-sensitive replacement. Additionally, you can search for line breaks (e.g. in Notes fields) with “\n”. concat_ws (separator, text, text, …) - Joins the text from multiple text strings with a separator - This works exactly like concat but inserts the separator in between each concatenated item. For example, concat_ws(” and “, [veggie1], [veggie2], “Tomatoes”) might result in “Peas and Carrots and Tomatoes”.

Changes/Improvements

  • Improvement: CDIS now has the ability to check the system capabilities of a FHIR conformance statement retrieved from a FHIR server. Based on the capabilities mentioned in the conformance statement, REDCap will dynamically disable any FHIR resources that are not available. Without this new check, users might not be aware of the resource availability on a particular FHIR system, and they could inadvertently select resources that are not supported, which could result in errors when attempting to fetch these unsupported FHIR resources.

  • Improvement: New background process that will help prune abandoned/zombie database processes (e.g., long-running queries that continue running on the database after a user has left the page on which the query is being run) that might decrease the overall performance of the database server. This process is performed every couple minutes by a cron job. This may or may not result in a noticeable database performance improvement.

  • Improvement: The Data Import Tool page now provides options in Step 1 to download the Data Import Template with alternative delimiters, such as tabs and semicolons.

  • Improvement: The full file name of a file uploaded to a File Upload field will be displayed when a user hovers over the file download link. This is helpful when the file name is very long and is thus not displayed in full on the page. (Ticket #93790)

  • Bug fixes and changes for CDIS: A patient’s address might not be parsed correctly in the FHIR payload, and PHP 8 related errors were occurring when pulling Observations data.

  • Change/improvement: Better memory management for some CDIS-related cron jobs.

  • Change/improvement: The Send-It page now checks the filesize of the file before the user attempts to upload it in order to ensure the file is not larger than the max allowed size. In previous versions, its filesize would only be checked after it had been uploaded.

  • Change/improvement: The favicon was updated to a higher resolution image.

  • Change/improvement: When performing a bulk import of new Table-based users via CSV file in the Control Center, the CSV file will now use the user s preferred CSV delimiter as specified on their Profile page. In previous versions, the page only accepted comma-delimited CSV files.

  • Change/improvement: When performing a bulk import of new Table-based users via CSV file in the Control Center, the CSV file will now use the users preferred CSV delimiter as specified on their Profile page. In previous versions, the page only accepted comma-delimited CSV files.

  • Change/improvement: When using Multi-Language Management and exporting CSV files of the MLM translations, a byte-order mark (BOM) is now added to all CSV files to allow them to be opened successfully in Excel.

  • Various fixes and changes for the External Module Framework, including 1) miscellaneous security scan improvements, and 2) action tag documentation may now be added to an EM’s config.json for display in the list of action tags available on a project.

  • Various updates and fixes for the External Modules Framework, including preventing deleted, completed, and in-analysis projects from appearing in module setting dropdowns.

Bug Fixes

  • Bug fix: Certain pages in REDCap were mistakenly no longer compatible with iPads/Mobile Safari. Bug emerged in REDCap 13.8.3. (Ticket #202806d)

  • Bug fix: For CDIS, fixed issues related to properly handling the absence of a valid FHIR access token, such as FHIR logs being saved with a “wrong format” error and also scenarios where the absence of a user ID caused unexpected behavior.

  • Bug fix: For certain server configurations, Send-It might cause some files to be corrupted when downloaded by the recipient. (Ticket #212072, #208036)

  • Bug fix: If a Notes field is embedded inside a checkbox field’s choice label on a survey that has “enhanced radio buttons and checkboxes” enabled, the checkbox choice would mistakenly get unchecked whenever the participant clicked or focused their cursor on the Notes field. Note: This does not affect embedded Text fields but only Notes fields. (Ticket #210763)

  • Bug fix: If a checkbox field contains a choice coding that contains a period, in which there exists another choice coding with the same value if the period is excluded (e.g., “2” vs “2."), those two choices would get mistakenly conflated as the same import/export version of the checkbox variable name, which could cause issues with data exports and reports not displaying correctly. From now on, any periods existing in a checkbox coding will be converted to an underscore in the resulting import/export variable name, whereas in previous versions the period was removed completely from the variable name. (Ticket #211904)

  • Bug fix: If a field has the @CALCTEXT action tag and also has date/datetime validation, server-side processing of the calculation (e.g., Data Quality rule H) might mistakenly fail to save a new/correct value for the @CALCTEXT field. (Ticket #211780)

  • Bug fix: If a longitudinal project is in production, a normal user with Project Design privileges on the “Designate Instruments for My Events” page could possibly remove an Instrument-Event mapping (i.e., uncheck a disabled checkbox in the mappings table), which they are not allowed to do to projects in production, if they know how to manipulate the webpage in specific ways and then click the Save button.

  • Bug fix: If a user has created a File Repository folder that is Data Access Group restricted or User Role restricted, and then a user deletes the DAG or User Role to which the folder is restricted, the folder would mistakenly be deleted, after which all of the files in the folder would be automatically moved into the main top-level folder in the File Repository. This has now been changed so that if a folder is restricted to a User Role, the folder will no longer be deleted when the User Role is deleted, but the folder and its files will remain as not restricted to any role. And if the folder is restricted to a DAG, users will simply be unable to delete the DAG until all its DAG-restricted folders are deleted first. (Ticket #210829)

  • Bug fix: If a user is utilizing the “Upload users (CSV)” method to update user privileges on the User Rights page, in which a user is being assigned to a Data Access Group or is being removed from a DAG, the upload process would mistakenly not log the DAG assignment/removal on the Logging page. (Ticket #210831)

  • Bug fix: If the query of a Dynamic SQL field begins with “select” followed immediately by a line break or carriage return (as opposed to a space), the Dynamic SQL field would not return any results and would not display any drop-down options. (Ticket #212474)

  • Bug fix: If using an HTML “style” tag inside user-defined text (e.g., field label, survey instructions), the CSS styles inside the tags might mistakenly not work on the page if line breaks or carriage returns occur anywhere inside the opening and closing style tag. (Ticket #211394)

  • Bug fix: In certain edge cases that involve the Records::getRecordList() method being called by a REDCap plugin, a fatal PHP error might occur when using PHP 8 if the “pid” parameter does not exist in the current URL but has been set as $_GET[‘pid’] manually by the plugin itself. (Ticket #212232)

  • Bug fix: In certain places throughout REDCap, the rich text editor might mistakenly display the “Insert/edit media” button on the editor toolbar. This was added unintentionally, and in most (if not all) cases, attempting to add media using that button would not be successful. That media button has now been removed from the editor. (Ticket #211132)

  • Bug fix: In certain situations, the Background Data Import feature might mistakenly cause the cron job to fail with a fatal PHP error when running PHP 8. (Ticket #212276)

  • Bug fix: In some cases when an external module is being used, a fatal PHP error might occur for certain PHP versions. (Ticket #211611)

  • Bug fix: Some folders in the File Repository might mistakenly not display due to a DataTables error caused by the JSON-encoding of mangled UTF-8 characters in the descriptions and attributes of the files being displayed in the file list. (Ticket #208637)

  • Bug fix: The act of creating or editing an alert on the Alerts & Notifications page would get logged on the Logging page. However, the Logging page would represent the alert’s “trigger_on_instrument_save_status” attribute incorrectly, displaying “any_status” when the alert is set to be triggered when an instrument is saved with Complete status only and as “complete_status_only” when set to be triggered on any form status. Note: The alert itself would be saved correctly, but the logged event for creating/editing the alert would merely be inaccurate. (Ticket #210832)

  • Bug fix: Using the function isblankormissingcode() in a calculation for non-numeric missing data codes might mistakenly cause the server-side rendering of the calculation (e.g. Data Quality rule H) to return an incorrect value. (Ticket #212145, #212178)

  • Bug fix: When a field variable is being piped or used in logic, and the field is prepended with the Smart Variable [first-event-name] or [last-event-name], in which the current context is a different instrument on which the field itself is located, the event field pair might result in a blank value or an incorrect value. (Ticket #210930)

  • Bug fix: When a user has an apostrophe in their username, and the user goes to create a new project, they may not be able to access the project they just created. (Ticket #210832)

  • Bug fix: When a user is running Data Quality rule A or B, it might mistakenly return checkbox fields as discrepancies. As noted by the single asterisk at the bottom of the Data Quality page, rules A and B note that “checkbox fields are also excluded since an unchecked checkbox is itself often considered to be a real value.” (Ticket #212048)

  • Bug fix: When a user is using the User Access Dashboard to delete or expire a user’s access in a project, in some cases the action would mistakenly not get logged on the project’s Logging page (although the action would be logged in the redcap_log_event database table, which might not be used by the project, thus making the logged event not accessible on the project’s Logging page).

  • Bug fix: When exporting a PDF of an instrument containing data via the API, the Logging page would mistakenly display the project ID in place of the record name in the Action column of the Logging table for this logged event. This will be fixed so that it will resolve this issue for both past logged events and future logged events. (Ticket #212245)

  • Bug fix: When importing a missing data code for a field that has a min/max validation range, the data import process would mistakenly return an error saying that the missing data code value was out of range. Instead, it should allow the missing data code value to be imported. (Ticket #211903)

  • Bug fix: When performing a data import that contains blank values for a Slider field, in which the import is set to allow blank values to overwrite existing saved values, the import process would mistakenly return an error message saying that the value must be an integer. It should instead not return any error message in this situation. (Ticket #211075)

  • Bug fix: When performing an API Metadata Import, a data dictionary snapshot would mistakenly be taken after the new metadata was saved via the API call when instead the snapshot should be taken immediately beforehand during this metadata import process.

  • Bug fix: When using CDIS, while REDCap is processing a bundle of FHIR resources, a PHP warning could be thrown if the FHIR bundle has no entries.

  • Bug fix: When using Missing Data Codes in a project, in which a Text field with field validation has the @nomissing action tag, users would be able to manually hand-enter Missing Data Codes into the Text field, even though the value entered failed the field validation.

  • Bug fix: When using Multi-Language Management and exporting general settings as a file, the data entry form and survey active states would mistakenly be swapped in the export file. (Ticket #211172)

  • Bug fix: When using Multi-Language Management, the MLM page in the Control Center might mistakenly not export the MLM usage stats in a way that the file can be opened successfully in Excel. (Ticket #211875)

  • Bug fix: When using an HTML5 video tag in user input text (e.g., field labels, survey instructions), in which the tag contains the “controls” attribute, the attribute would mistakenly be renamed to “cremoved” in the resulting HTML. (Ticket #211141)

  • Bug fix: When using an [aggregate-X] smart variable in a calculation or CALCTEXT field, depending on the context the calculated value might not always get saved successfully, and additionally the Logic Editor might note the calculation to have errors when it in fact does not. (Ticket #211063)

  • Bug fix: When using the Calendar Sync feature, calendar events that do not have a time specified (but only a date) might reflect an incorrect start time and end time in some external calendar applications. (Ticket #211137)

  • Bug fix: When using the Designate Instruments page in a longitudinal project while running PHP 8, editing the event grid may result in an error message, preventing the edits from being saved. (Ticket #211983, #211837)

  • Bug fix: When using the EHR launch window for Clinical Data Pull, the REDCap page embedded in the EHR might mistakenly not display any CDP projects for the user for the relevant patient. (Ticket #211654)

Version 13.8.5 (released August 03, 2023)

New Features

  • New action tag: @MC-PARTICIPANT-JOINDATE- This action tag is a MyCap annotation that can be used with Text fields with date/time validation. When using this action tag on a field, the field will capture the install date/time of the MyCap participant whenever the participant joins a project via the MyCap mobile app. NOTE: This is used only for the MyCap mobile app. The fields value is not generated when viewing the data entry form but only when the MyCap app is making a call to REDCap when the participant joins the project. Additionally, while this action tag can be added to a new field in already-existing MyCap projects, a field with this action tag will be auto-added to any projects where MyCap is enabled in the project after the fact and for any new projects created using the MyCap project template.

Changes/Improvements

  • Improvement: New background process that will help prune abandoned/zombie database processes (e.g., long-running queries that continue running on the database after a user has left the page on which the query is being run) that might decrease the overall performance of the database server. This process is performed every couple minutes by a cron job. This may or may not result in a noticeable database performance improvement.

  • Improvement: The Data Import Tool page now provides options in Step 1 to download the Data Import Template with alternative delimiters, such as tabs and semicolons.

  • Change/improvement: Better memory management for some CDIS-related cron jobs.

  • Change/improvement: The Send-It page now checks the filesize of the file before the user attempts to upload it in order to ensure the file is not larger than the max allowed size. In previous versions, its filesize would only be checked after it had been uploaded.

  • Change/improvement: The favicon was updated to a higher resolution image.

  • Various fixes and changes for the External Module Framework, including 1) miscellaneous security scan improvements, and 2) action tag documentation may now be added to an EMs config.json for display in the list of action tags available on a project.

Bug Fixes

  • Bug fix: For CDIS, fixed issues related to properly handling the absence of a valid FHIR access token, such as FHIR logs being saved with a “wrong format” error and also scenarios where the absence of a user ID caused unexpected behavior.

  • Bug fix: If a longitudinal project is in production, a normal user with Project Design privileges on the “Designate Instruments for My Events” page could possibly remove an Instrument-Event mapping (i.e., uncheck a disabled checkbox in the mappings table), which they are not allowed to do to projects in production, if they know how to manipulate the webpage in specific ways and then click the Save button.

  • Bug fix: If a user has created a File Repository folder that is Data Access Group restricted or User Role restricted, and then a user deletes the DAG or User Role to which the folder is restricted, the folder would mistakenly be deleted, after which all of the files in the folder would be automatically moved into the main top-level folder in the File Repository. This has now been changed so that if a folder is restricted to a User Role, the folder will no longer be deleted when the User Role is deleted, but the folder and its files will remain as not restricted to any role. And if the folder is restricted to a DAG, users will simply be unable to delete the DAG until all its DAG-restricted folders are deleted first. (Ticket #210829)

  • Bug fix: If a user is utilizing the “Upload users (CSV)” method to update user privileges on the User Rights page, in which a user is being assigned to a Data Access Group or is being removed from a DAG, the upload process would mistakenly not log the DAG assignment/removal on the Logging page. (Ticket #210831)

  • Bug fix: In some cases when an external module is being used, a fatal PHP error might occur for certain PHP versions. (Ticket #211611)

  • Bug fix: The act of creating or editing an alert on the Alerts & Notifications page would get logged on the Logging page. However, the Logging page would represent the alert’s “trigger_on_instrument_save_status” attribute incorrectly, displaying “any_status” when the alert is set to be triggered when an instrument is saved with Complete status only and as “complete_status_only” when set to be triggered on any form status. Note: The alert itself would be saved correctly, but the logged event for creating/editing the alert would merely be inaccurate. (Ticket #210832)

  • Bug fix: When a field variable is being piped or used in logic, and the field is prepended with the Smart Variable [first-event-name] or [last-event-name], in which the current context is a different instrument on which the field itself is located, the event field pair might result in a blank value or an incorrect value. (Ticket #210930)

  • Bug fix: When a user has an apostrophe in their username, and the user goes to create a new project, they may not be able to access the project they just created. (Ticket #210832)

  • Bug fix: When a user is using the User Access Dashboard to delete or expire a user’s access in a project, in some cases the action would mistakenly not get logged on the project’s Logging page (although the action would be logged in the redcap_log_event database table, which might not be used by the project, thus making the logged event not accessible on the project’s Logging page).

  • Bug fix: When performing a data import that contains blank values for a Slider field, in which the import is set to allow blank values to overwrite existing saved values, the import process would mistakenly return an error message saying that the value must be an integer. It should instead not return any error message in this situation. (Ticket #211075)

  • Bug fix: When using Missing Data Codes in a project, in which a Text field with field validation has the @nomissing action tag, users would be able to manually hand-enter Missing Data Codes into the Text field, even though the value entered failed the field validation.

  • Bug fix: When using Multi-Language Management and exporting general settings as a file, the data entry form and survey active states would mistakenly be swapped in the export file. (Ticket #211172)

  • Bug fix: When using an HTML5 video tag in user input text (e.g., field labels, survey instructions), in which the tag contains the “controls” attribute, the attribute would mistakenly be renamed to “cremoved” in the resulting HTML. (Ticket #211141)

  • Bug fix: When using the Calendar Sync feature, calendar events that do not have a time specified (but only a date) might reflect an incorrect start time and end time in some external calendar applications. (Ticket #211137)

Version 13.8.4 (released July 28, 2023)

Bug Fixes

  • Bug fix: If the system-level setting “ENABLE FILE UPLOADING FOR THE FILE REPOSITORY MODULE” is set to “disabled”, users would still be able to upload files into the File Repository in any project. Bug emerged in REDCap 13.1.0. (Ticket #210765)

  • Bug fix: The documentation for using reports as filters in Smart Charts, Smart Tables, or Smart Functions was confusing and has been updated for clarity. It notes now that when referencing a unique report name in Smart Charts, Smart Tables, or Smart Functions, no other filtering parameters can be used (e.g., DAGs, events) with the report filter and thus any other filters will be ignored. If users wish to additionally filter by DAGs and/or events, it is recommended that they add such filtering to the report itself by editing the report. The wizard on the Project Dashboard page has also been updated to reflect this.

  • Bug fix: The example Perl code in the API Playground for making Curl calls was outdated and would not run successfully for some users.

  • Bug fix: When using MyCap in a project, a blank Menu might be displayed for participants when using the MyCap mobile app, specifically for iOS devices.

  • Bug fix: When using Twilio, it would mistakenly not send SMS messages to U.S. phone numbers with an 934 area code. (Ticket #90686b)

  • Bug fix: When using the @Wordlimit or @charlimit action tag on a Text field, the first field on the page that uses either action tag might have its “X characters remaining” label or “X words remaining” label, respectively, duplicated multiple times below the field itself. (Ticket #208658)

Version 13.8.3 (released July 21, 2023)

Bug Fixes

  • Major bug fix: When a user has File Repository user privileges in a project with the e-Consent Framework enabled on one or more instruments, the user would mistakenly be able to download the e-Consent PDF files stored in the PDF Survey Archive folder in the File Repository, even when the user does not explicitly have “Full Data Set” data export rights for the given instrument. In order to download the e-Consent PDFs, the user should have “Full Data Set” data export rights for the given instrument. (Ticket #210214)

  • Bug fix: If a survey is using a system-level theme or a user-saved custom theme, the theme colors would mistakenly not get preserved in the Project XML file if a user exports the Project XML file and then creates a new project with it. (Ticket #210371)

  • Bug fix: If the Online Designer displays an error icon next to a MyCap-enabled instrument, it would allow the user to click the icon and attempt to try to fix the errors when the project is in production mode; however, it would fail to fix it and just re-display the error. Instead, it will now inform the user that errors exist but that they must put the project in draft mode first before they can fix the errors. (Ticket #210179)

  • Bug fix: In longitudinal projects with multiple arms, certain actions (such as deleting a record, renaming a record, and others) would mistakenly execute SQL queries that were not structured correctly and thus might make the database server unnecessarily slow due to long query times.

  • Bug fix: Some MyCap-related pages that deal with PROMIS instruments (auto-scoring and adaptive) might mistakenly crash due to a fatal PHP error when using PHP 8.

  • Bug fix: The CDIS messaging feature might mistakenly display the phrase “invalid date” where the date/time of the message should be.

  • Bug fix: The Scheduling page would mistakenly never display the record drop-down list. Bug emerged in the previous release: 13.8.2. (Ticket #210446)

  • Bug fix: Using an [X-event-name] Smart Variable in combination with an [X-instance] Smart Variable in logic, calculations, or piping might cause the evaluation of the logic/calc/piping not to be performed successfully. (Ticket #208887)

  • Bug fix: When a user is updating a language on the Multi-Language Management setup page, some import settings, such as the “Keep existing translations” option, would mistakenly not be honored during the language update process. (Ticket #210395)

  • Bug fix: When attempting to upload a CSV data file via the Data Import Tool using the background import process, in which the CSV headers (i.e., variable names) in the data file are wrapped in quotes, REDCap would mistakenly return an error message saying that the headers are not formatted correctly. (Ticket #210299)

  • Bug fix: When using Duo two-factor authentication, if the system is set to “Offline”, it would mistakenly prevent administrators from successfully logging in via Duo 2FA. (Ticket #202197)

  • Bug fix: When using certain action tags on a field where the value on the right side of the equal sign in the action tag definition is not wrapped in single quotes or double quotes and additionally other annotation text follows after the action tag in the Field Annotation text (e.g. @charlimit=8 More text here), the action tag might not be interpreted successfully and thus might not get enforced. (Ticket #210175)

  • Bug fix: When using the Clinical Data Pull, the EHR Launch process might mistakenly fail. (Ticket #210523)

  • Bug fix: When using the Data Resolution Workflow feature, if a user executes Data Quality rule H, fields that have been marked as “Verified data value” would mistakenly appear in the list of discrepancies (they should not appear there by default) and would not appear as “verified” in the DQ popup. (Ticket #209447)

Version 13.8.2 (released July 14, 2023)

Changes/Improvements

  • Bug fix/change: The @DOWNLOAD-COUNT action tag documentation has been updated for clarity to explain that if a field with @DOWNLOAD-COUNT also utilizes @inline or @INLINE-PREVIEW and displays an inline PDF that has been uploaded, if a user downloads the file via the inline PDF controls (which are generated by the browser and not by REDCap), the download will not get properly counted via @DOWNLOAD-COUNT. This is to clarify that @DOWNLOAD-COUNT only works when users/participants click the file download link on the page. (Ticket #208354)

  • Change: In longitudinal projects with Scheduling enabled, the “View or Edit Schedule” page will no longer render the record drop-down list of already-scheduled records on the page if the drop-down would contain more than 10,000 options. This is to prevent the page from becoming very slow for projects that contain lots of records that have been scheduled already. Users will still be able to view the schedule of individual records on the page though.

Bug Fixes

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in the File Repository in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the filename of an uploaded file. The user must be logged in to REDCap and also must have File Repository privileges in the project in order to exploit this. (Ticket #210134)

  • Bug fix: A fatal PHP error might occur related to CDIS when performing the Standalone launch inside REDCap. (Ticket #209840)

  • Bug fix: A fatal PHP error might occur related to specific CDIS processes.

  • Bug fix: A missing LOINC code was added to the CDIS mapping features.

  • Bug fix: If an administrator does not specifically have “Modify system configuration pages” admin rights, the date field on the Cron Jobs page in the Control Center would mistakenly be disabled.

  • Bug fix: If an inline image was added to text on an instrument via the rich text editor and then the project was later copied, the image would display correctly on the data entry form in the project copy, but it would mistakenly not display when viewing the instrument as a survey in the project copy.

  • Bug fix: If an unclosed HTML comment (i.e, “<!–” without quotes) exists in user-defined text that is displayed on the page (e.g., field label, survey instructions, a piped value from a Text field), it would mistakenly cause the page content to be truncated, thus preventing the user from seeing any of the page after where the text is located. (Ticket #207897)

  • Bug fix: If the URL of another REDCap server exists in user-defined text that is displayed on the page (e.g., field label, survey instructions, a piped value from a Text field), the REDCap version number in the URL would mistakenly be replaced with the REDCap version number of the current server. It should never replace the REDCap version number in any URLs unless the URL corresponds to the current REDCap server. (Ticket #208528)

  • Bug fix: In certain scenarios when selecting to use the background process for the Data Import Tool, it might not allow the user to upload a CSV data file because it mistakenly thinks that the last field variable in the CSV file is not a real field name. (Ticket #209823)

  • Bug fix: In certain scenarios, a couple fatal PHP errors might occur on survey pages when using PHP 8. (Ticket #210196)

  • Bug fix: In certain scenarios, the Background Data Import cron job might mistakenly crash without finishing. (Ticket #209911)

  • Bug fix: When a project is in Analysis/Cleanup status and the current user does not have Project Design & Setup privileges, the Project Home page and Project Setup page would mistakenly display a “Modify” button in the yellow section at the top of the page describing if users can modify records or not. This button should only be displayed for users with Design rights. Clicking the button would not actually change anything though, so this issue is more of an aesthetic issue that could cause confusion. (Ticket #107257)

  • Bug fix: When a user selects the option “Remove all date and datetime fields” when exporting data, or if that option is automatically imposed upon the user due to having De-Identified data export rights, survey completion timestamp fields would mistakenly not be removed from the resulting data export file. (Ticket #208758)

  • Bug fix: When an instrument has an embedded field that is immediately followed by a piped field or by another embedded field (with no space between them), the field/value might mistakenly not be rendered in the exported PDF of that instrument. (Ticket #210165)

  • Bug fix: When taking a survey while using a mobile device, the page would auto-scroll unnecessarily after completing a multiple choice field that has one or more visible fields embedded inside it. In this case, the page should not auto-scroll when the field contains embedded fields. (Ticket #208523)

  • Bug fix: When using Multi-Language Management and using the Right to Left (RTL) setting when there are multiple choice fields with horizontal alignment, the choices might not always display correctly. (Ticket #209612)

  • Bug fix: When using Twilio or Mosio for a survey implemented as an SMS conversation, Yes/No fields and True/False fields would not have their field labels rendered correctly in the conversation. Instead of their field label, it would display “No” or “False”, respectively. (Ticket #209624)

  • Bug fix: When using the Control Center page to update the database tables to support full Unicode, in some situations the resulting SQL might mistakenly contain a double comma, which would result in SQL errors and prevent the process from completing successfully. (Ticket #209856)

  • Bug fix: When viewing the PDF Survey Archive files for the e-Consent Framework in the File Repository, if the system-level e-Consent setting “Capture the IP address…” is set to “Do NOT capture IP address”, the table header in the File Repository would mistakenly say “IP Address” instead of “Identifier (Name, DOB”). (Ticket #209302)

Version 13.8.1 (released July 07, 2023)

Bug Fixes

  • Bug fix: A fatal PHP error might occur related to CDIS when performing the EHR launch of the REDCap window inside the EHR user interface.

  • Bug fix: A fatal PHP error might occur when attempting to send emails via the Email Users page, thus preventing the emails from being sent.

  • Bug fix: A fatal PHP error might occur when using Duo for two-factor authentication.

  • Bug fix: On certain occasions, the Control Center and/or Configuration Check page might mistakenly display the warning that “Some non-versioned files are outdated”, which might be incorrect and a false positive.

Version 13.8.0 (released July 07, 2023)

New Features

  • New feature: Background Data Import In the Data Import Tool, users may now alternatively import data using an asynchronous background process (as opposed to the existing real-time process). The background process is better for large data files. The background process will email the user after the data file has been fully imported, and the email will note any errors that may have occurred during the import process. During the background data import process, which is performed by several simultaneous cron jobs, each record will be imported one at a time. If there is any error with a record being imported, none of that individual records data will be imported, after which the user will be able to view all the errors with the option to re-download the records/data that failed to import, thus allowing the user to fix the data and attempt to import it again. Note: The background data import works with the Reason for Change project-level feature, which requires a reason for any changes made to an existing record. The feature is currently only available in the user interface (not in the API), but it may be available for the API in the future. If the background data import has begun, the user who initiated the import (or an administrator) can cancel the import process at any time. However, any data that was imported by the import process prior to it being canceled will not be undone after it is canceled. All changes made by the process up until cancellation are permanent.

Changes/Improvements

  • Various fixes and changes for the External Module Framework, including 1) Documented sanitizeFieldName() method, and 2) Miscellaneous security scan & documentation improvements.

Bug Fixes

  • Major security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way on many pages that output user-defined text onto a REDCap webpage. This bug affects all versions of REDCap.

  • Major security fix: An SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks.

  • Critical security fix: A Blind SQL Injection vulnerability was found on data entry forms and survey pages, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. This bug affects all known REDCap versions.

  • Critical security fix: A Blind SQL Injection vulnerability was found when calling certain API methods, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by entering specially-crafted data into a Text field, changing the field to a File Upload field, and then calling the Delete File or Import File API method. This bug affects all known REDCap versions.

  • Critical security fix: A PHP Deserialization Remote Code Execution vulnerability was found in which a malicious user who is logged in could potentially exploit it by manipulating an HTTP request to a specific CDIS-related page while manipulating a certain CDIS-related cookie in a specific way. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists in REDCap 13.0.1 and higher.

  • Bug fix: A new Clinical Data Mart background process would not be scheduled if the current one was taking too long to complete.

  • Bug fix: After unsuspending a user on the Browse Users page on the “View User List By Criteria” tab, the “Display only X users” drop-down would mistakenly get reset. (Ticket #208937)

  • Bug fix: In some situations, the survey page might mistakenly throw a fatal PHP error for PHP 8. (Ticket #208147)

  • Bug fix: PHP 8 related fix for the Data Import Tool. (Ticket #208086)

  • Bug fix: PHP 8 related issue on certain MyCap pages in project. (Ticket #208688)

  • Bug fix: When using Multi-Language Management on a survey where Google reCAPTCHA is enabled, the Google reCAPTCHA text would mistakenly not be translatable. (Ticket #208797)

  • Bug fix: When using Multi-Language Management with the e-Consent Framework, some text on the e-Consent confirmation screen at the end of the survey was mistakenly not translatable.

  • Bug fix: When using Multi-Language Management, the language switcher and globe menu would not work on survey return pages when the survey is set up to show a logo and the option to “Hide survey title on survey page when display logo” is turned on. (Ticket #208961)

Version 13.7.2 (released June 23, 2023)

Changes/Improvements

  • Change: When performing a fresh installation of REDCap, the initial version will be included in the redcap_history_version database table. (Ticket #208590)

Bug Fixes

  • Bug fix: More compatibility fixes when using Epic Hyperdrive for CDIS in the context of EHR launches.

  • Bug fix: PHP 8 related fixes for CDIS functionality.

  • Bug fix: Related to CDIS, unnecessary steps were removed for the Smart on FHIR OAuth2 process.

  • Bug fix: The “Design Checker” for the Clinical Data Mart might mistakenly fail with an error when attempting to fix the structure of a CDM project. (Ticket #207348)

  • Bug fix: When exporting a Project Dashboard as a PDF, some parts of the page that should not be included in the PDF were included.

  • Bug fix: When using Multi-Language Management, when uploading a file on the MLM setup page to import translations into an existing language, the merging from file would mistakenly not be performed.

Version 13.7.1 (released June 08, 2023)

Bug Fixes

  • Major bug fix: When using Multi-Language Management and uploading a file on the MLM setup page to import translations into an existing language, the process of merging from file would mistakenly not be performed.

  • Bug fix: When downloading a PDF of an instrument, the PDF would only download in the desired language if it was set to active for MLM in Data Entry mode. It should not require a language to be active in Data Entry mode to allow downloads of PDFs in that language.

Version 13.7.0 (released June 08, 2023)

New Features

  • New features: New Multi-Language Management workflow for adding new languages to projects, plus many other improvements. Improved workflow and user interface for adding new languages to projects. Project languages can now “subscribe” to system languages (i.e., any changes/additions to UI translations made in the Control Center will automatically be visible in projects). Several new administrator options to control how new languages can be initialized in projects (independently allow/disallow initialization from system languages, language files, or from scratch). These (global) settings can be overruled on a project by project basis. Editing/updating of existing languages has been redesigned and split into separate edit (rename, etc.) and update (sync with system languages or import translations from files) dialogs. Added an option to download (empty - i.e. without data) PDFs of all or individual instruments. The default setting for the ASI Language Source is not “Language preference field” (instead of “User’s or survey respondent’s active language”). Many user interface fixes related to the switch to Bootstrap 5 in REDCap 13.4.0.

Bug Fixes

  • Bug fix: MyCap push notifications might mistakenly not work when using a proxy for the REDCap web server. (Ticket #207578)

  • Bug fix: Piping Smart Variables or field variables into the Data Entry Trigger URL would mistakenly cause “span” HTML tags to be inserted into the URL.

  • Bug fix: When downloading a PDF of an instrument that contains a Descriptive Text field with an inline PDF attachment, in certain cases the inline PDF might overlap the next field below it when instead it should begin a new page right after the inline PDF. (Ticket #206391)

  • Bug fix: When exporting a project or project data as CDISC ODM/Project XML, a fatal PHP error might occur when using PHP 8. (Ticket #78389)

  • Bug fix: When importing and exporting user rights or user roles via CSV files on the User Rights page, some user privilege categories (e.g. Alerts & Notifications) might mistakenly not be found in the downloaded CSV user rights/roles files. (Ticket #206747, #207132)

  • Bug fix: When piping a data value into the choice label of a multiple choice field on a repeating instrument, the correct data value might mistakenly not get piped correctly when viewing the choice label on a report or in a CSV Labels data export. (Ticket #207193)

  • Bug fix: When selecting files in the File Repository and clicking the Move button, the “folder” drop-down list in the dialog would mistakenly display folders that have been deleted. (Ticket #207763)

  • Bug fix: When using CDIS, the project menu was not hidden in an EHR launch context.

  • Bug fix: When using Multi-Language Management, the “:value” piping modifier would not mistakenly not work when performing piping on MLM-enabled forms and surveys. (Ticket #207629)

  • Bug fix: When using Multi-Language Management, the error dialog displayed when a user enters an invalid choice for an auto-complete drop-down field was mistakenly not available for translation on the MLM setup page. (Ticket #207825)

  • Bug fix: When using date-based or time-based [survey-X] Smart Variables in conjunction with a [X-instance] Smart Variable while also using the “:value” modifier (e.g., [survey-time-completed:my_survey:value][last-instance]), a blank value might mistakenly be returned instead of the expected value. (Ticket #206098b)

  • Bug fix: When using the Calendar Sync feature, the calendar feed or export might mistakenly be off by one hour for cities in specific time zones. (#206585b)

  • Bug fix: When using the Copy Project feature and selecting to copy the reports in a project, the resulting new project’s reports would mistakenly not have the same unique report names. The unique report names of the new project should be exactly the same as the original project. (Ticket #207248)

  • Bug fix: When viewing multi-page inline PDFs on the e-Consent certification screen on surveys when using certain devices, such as iPads, only the first page of the PDF might be viewable on the webpage. An option is now displayed near the bottom of the e-Consent certification screen on surveys to allow the participant to download and view the PDF in another browser tab if they are using a device that does not support multi-page inline PDFs. (Ticket #205407)

  • Updates to the External Module Framework: 1) Prevented uncaught exceptions in the PHP error log, and 2) Added system setting support in getSubSettings().

Version 13.6.1 (released June 02, 2023)

Changes/Improvements

  • Change/improvement: CDIS-related tasks now use a new memory monitoring feature to improve system stability by preventing out-of-memory crashes, in which it actively tracks memory usage and stops long-running, memory-intensive background processes when the PHP thread’s memory usage approaches a predefined threshold (75% by default).

  • Change/improvement: When searching for action tags in the Action Tag list/dialog, any action tags added to the dialog via an External Module would mistakenly not be included in the search as the user types in the search box. (Ticket #207364)

  • Various fixes and changes to the External Module Framework.

Bug Fixes

  • Bug fix: A non-existent CDP-related CSS file would get called on the Online Designer page and thus would throw a silent 404 error in the browser console. (Ticket #207222)

  • Bug fix: Data entry forms and survey pages might mistakenly crash due to a fatal PHP error in very specific scenarios when using PHP 8. (Ticket #207349)

  • Bug fix: If a user does not have “Add/Edit/Organize Reports” privileges, “Report B” would mistakenly not appear for them on the “My Reports & Exports” page. (Ticket #206987)

  • Bug fix: In certain places throughout REDCap where the Logic Editor is used, when modifying the text in the editor, an error might appear saying “Odd number of single quotes exist” (or something similar) when apostrophes, quotes, parentheses, and some other characters are utilized in an “inline comment” (beginning with // or #) in the editor. (Ticket #207092)

  • Bug fix: Medication statuses were mistakenly being ignored in CDIS mapping and thus were not being imported from the EHR.

  • Bug fix: On the MyCap-enabled project, the Online Designer might mistakenly crash due to a fatal PHP error in very specific scenarios when using PHP 8. (Ticket #207381)

  • Bug fix: When copying the MyCap generated invitation text, which would contain a REDCap version number in the URL of the QR code image, and pasting it onto a webpage in REDCap, such as in the survey completion text or in a field label, the QR code would mistakenly fail to load on the page if that older version of REDCap had been removed from the web server.

  • Bug fix: When re-evaluating Alerts & Notifications, in which one or more alerts are recurring, the process might report an incorrect number of alerts that were removed/unscheduled during re-evaluation as a result of the alert’s conditional logic no longer being True. This does not affect any behavior but only the count of alerts that were removed/unscheduled during the re-eval process. (Ticket #206980)

  • Bug fix: When using DDP Custom, dates were not converted to strings in the JSON encoding process for the data web service. (Ticket #206063)

Version 13.6.0 (released May 25, 2023)

New Features

  • New features for Clinical Data Interoperability Services (CDIS): New additions to the CDIS Configuration page in the Control Center. Custom Mapping: Institutions can now define their own mappings and specify additional LOINC codes for labs and vitals. Metadata Download: Users can download CSV files containing metadata for mapping FHIR data to REDCap’s fields. Metadata files are available for DSTU2 and R4 versions. Custom FHIR Authentication Parameters: This new feature enables administrators to define custom HTML query parameters for the SMART on FHIR authentication process. By allowing institutions to specify key-value pairs along with context information, such as “standalone launch,” “EHR launch,” and “always,” this enhancement provides increased flexibility during authentication. The user interface facilitates the specification of multiple entries, thus granting administrators greater control over the authentication process.

Bug Fixes

  • Minor security fix: An SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks.

  • Major bug fix: If a REDCap user knows the report_id of a report from another REDCap project to which they do not have access, they could manipulate the URL of a report in one of their own projects by replacing the report_id in the URL with the other project’s report_id and thus be able to view (but not export) all the data from the other project’s report. Note: The user would not be able to access anything else from that other project though. Additionally, the user must be logged in and must have access to at least one project in order to exploit this issue. Bug emerged in REDCap 12.2.0. (Ticket #206894)

  • Bug fix: A missing LOINC code was added to the CDIS mapping features.

  • Bug fix: CDIS-related processes might fail in specific cases due to PHP 8 incompatibility.

  • Bug fix: Fixed compatibility issue when using Epic Hyperdrive for CDIS in the context of EHR launches. It addresses a known issue where the cookie samesite policy conflicts with Hyperdrive. By detecting the Hyperdrive user agent, REDCap disables the samesite policy, ensuring seamless integration and functionality.

  • Bug fix: If a field has been piped into the min or max validation range of a Text field, in which the piped field does not have a saved value yet, a user attempting to import data will mistakenly get an error stating that the field “should not be greater than the field maximum” or “less than the field minimum”, which would thus prevent the user from importing the data. (Ticket #203219)

  • Bug fix: If using Multi-Language Management, if a radio or checkbox field exists on an MLM-enabled survey that also has the Enhanced Choice survey option enabled, in which another field on the survey page is embedded inside one of that field’s choice labels, the field would not be successfully embedded on the page but would display an error message saying that that field has been embedded multiple times on the page, which is not true. This bug was supposedly fixed in REDCap 13.5.2, but mistakenly it was not.

  • Bug fix: Some project-level features in the Additional Customizations popup were mistakenly not being added to the Project XML file when exporting->importing a project. These include the following features: Enable the Data History popup, Display the Today/Now button, Prevent branching logic from hiding fields that have values, and Require a ‘reason’ when making changes to existing records. (Ticket #206575)

  • Bug fix: When a user attempts to place a production project into draft mode, it might mistakenly just reload the same page with no changes, thus preventing the project from being put in draft mode. This often occurs when multiple users are changing things in the Online Designer near the same time while in production. (Ticket #6346b)

  • Bug fix: When an administrator uses the “Auto-fill” link on a survey with the “Enhanced Choices” option enabled, it might mistakenly fail to work for some checkboxes and radio button fields. (Ticket #206769)

  • Bug fix: When deleting scheduled survey invitations on the Survey Invitation Log using the “Delete all selected” button, it might crash with a fatal PHP error if deleting only one participant at a time when using PHP 8.

  • Bug fix: When uploading an Instrument Zip file that contains survey settings, in which the survey theme of the survey does not exist on the current REDCap server, the upload would hang and never finish. Now, if the survey theme does not exist on the current REDCap server, the default survey theme will be used instead. (Ticket #206167)

  • Bug fix: When using the “Copy existing choices” feature for multiple choice fields in the Edit Field popup in the Online Designer, it would mistakenly strip out all HTML in the choice labels. (Ticket #206644)

  • Bug fix: When using the Calendar Sync feature, the calendar feed or export might mistakenly be off by one hour for cities in specific time zones. (Ticket #204252, #206585)

  • Bug fix: When viewing the App Data Dumps tab on the REDCap Mobile App page and clicking an “Included Records” button, it would mistakenly not display the list of records from the data dump file. Bug emerged in REDCap 13.4.0.

  • Bug fix: When viewing the REDCap Mobile App’s “App Data Dumps” page and clicking the “Import Data from File” button for a specific data dump file, it would mistakenly throw a fatal PHP error on the page when using PHP 8. (Ticket #137777b)

Version 13.5.4 (released May 22, 2023)

Bug Fixes

  • Major bug fix: Due to an unexpected issue with the deployment of 13.5.3, some fixes from 13.5.2 mistakenly did not get included in 13.5.3. Thus, 13.5.4 will stand as a replacement for 13.5.3.

Version 13.5.3 (released May 19, 2023)

Bug Fixes

  • Major bug fix: When a participant clicks the “Save & Return Later” button on the first page of a multi-page public survey, and then returns to complete the survey later, it might mistakenly not update the original create but would instead create a duplicate record containing the values submitted on the last survey page. This does not affect single-page surveys. (Ticket #206623)

  • Major bug fix: When a participant completes the first page of a multi-page survey, it might mistakenly create a duplicate record that contains only the responses submitted on the first survey page. This does not affect single-page surveys. (Ticket #206613)

Version 13.5.2 (released May 19, 2023)

Changes/Improvements

  • Change: All errors in the redcap_error_log database table that are more than 30 days old will be automatically removed (to free up space) via a routine cron job.

  • Improvement/change: Improvements to the usability of “Email Users” page in the Control Center. Previously, the page featured buttons for selecting user groups and a separate “search” input field for table filtering. Now the buttons' functionality has been modified to filter the table directly, just like the “search” input, allowing admins to quickly filter the table by clicking on the buttons, and subsequently select all or specific users from the displayed list. This new behavior simplifies the user selection process, providing a more intuitive experience, and enabling efficient user filtering.

Bug Fixes

  • Major bug fix: If a field is required and is embedded in the choice label of a multiple choice field on a multi-page survey, in which the field itself has branching logic and is also used in the branching logic or calculation of another field on a separate survey page, the field’s value might mistakenly get erased when submitting a survey page where the field does not exist but where the field is used in a branching logic or calculation.

  • Bug fix: A JavaScript error would mistakenly get thrown on the Alerts & Notifications page when creating an alert. This may or may not cause other issues on the page.

  • Bug fix: A JavaScript error would mistakenly get thrown on the Survey Settings page, but this would not affect anything on the page.

  • Bug fix: A JavaScript error would mistakenly get thrown on the survey page after clicking the Save button on a multi-page survey, which might cause some things not to work on the survey. (Ticket #206073)

  • Bug fix: Fixed issue with the “Navigate to page” feature when navigating to the Multi-Language Management page in the Control Center.

  • Bug fix: If a survey has “Save & Return Later” enabled and allows participants to return without needing a return code, but it does not allow them to return if the survey has already been completed, then in certain circumstances after a participant completes a public survey in this case, in which they have a unique survey link back to their response (e.g., from an email), they would mistakenly be allowed to modify their completed response. (Ticket #206154)

  • Bug fix: If using Multi-Language Management, if a radio or checkbox field exists on an MLM-enabled survey that also has the Enhanced Choice survey option enabled, in which another field on the survey page is embedded inside one of that field’s choice labels, the field would not be successfully embedded on the page but would display an error message saying that that field has been embedded multiple times on the page, which is not true.

  • Bug fix: If using Multi-Language Management, the same field could mistakenly be embedded multiple times on the same page when embedded via MLM translations. (Ticket #206370)

  • Bug fix: If using Multi-Language Management, the translated choice labels for Yes/No and True/False fields would mistakenly not display correctly on the Codebook page. (Ticket #206001)

  • Bug fix: The login page for “Shibboleth & Table-based” authentication might not display the Shib and Table-based login options correctly. Bug emerged in REDCap 13.4.0. Bug was supposedly fixed in REDCap 13.4.3 and 13.4.9 but mistakenly was not. (Ticket #204025)

  • Bug fix: When a non-REDCap user receives a Send-It download link via email for a REDCap installation that is using a directory-based authentication method (e.g., Shibboleth), the recipient would never be able to download the file because it would mistakenly always require them to log in as a REDCap user.

  • Bug fix: When creating or editing a report, pressing the Enter key while in any text input (e.g., the Value text box in Step 3) would mistakenly cause the “List of users with access” popup to display. (Ticket #204875)

  • Bug fix: When downloading the Project XML file for a project, in some circumstances the process might fail with a fatal PHP error when using PHP 8. (Ticket #206404)

  • Bug fix: When opening a data entry form or survey page in certain versions of iOS in Mobile Safari or in Internet Explorer, the page would never fully load due to a JavaScript error. This bug was supposedly fixed several versions earlier but mistakenly was not. (Ticket #202806c)

  • Bug fix: When using an [X-instance] Smart Variable with other survey-related Smart Variables while using PHP 8, it might cause a fatal PHP error if no repeating instances exist yet for the targeted repeating instrument/event. (Ticket #206098)

Version 13.5.1 (released May 12, 2023)

Bug Fixes

  • Major bug fix: When using PHP 8, if any Custom Application Links have been created and thus appear on a project’s left-hand menu, it would cause every project page to crash with a fatal PHP error. (Ticket #205890)

  • Bug fix: Fixed issue with the “Navigate to page” feature when navigating to the Multi-Language Management page in the Control Center.

Version 13.5.0 (released May 11, 2023)

New Features

  • New feature: @INLINE-PREVIEW action tag - When this action tag is added to File Upload fields or Description Text fields, a preview button will be displayed next to the field on survey pages and data entry forms if the uploaded file is an image or PDF file. Clicking the preview button will immediately display the image/PDF inline on the page, after which it can be closed again, if desired. This allows users/participants to view the file without having to download it to their local device.

Changes/Improvements

  • Improvement: All fatal PHP errors will now be logged in the “redcap_error_log” database table to aid REDCap administrators in tracking down the cause of certain PHP errors. On pages that do not disclose any details (for security reasons) about a fatal PHP error when it occurs, such as on surveys and when the user is not an administrator, the generic error message now adds the following text in small font: “REDCap Admins Only: Details of the error may be obtained by running the database query below. select error from redcap_error_log where error_id = X”, which can assist administrators in reporting the error.

  • Improvement: If using Azure AD authentication (either Endpoint V1 or V2), you may now specify the tenant GUID on the Security & Authentication page, whereas in previous versions “common” was always used as the tenant value. This provides greater flexibility for those using Azure AD. (Ticket #121604)

  • Improvement: Inline image support (via Descriptive Text field, INLINE or INLINE-PREVIEW action tag, or the :inline piping parameter) now works for SVG and WEBP image files.

  • Improvement: The “Contact REDCap Administrator” link/button on the left-hand project menu now supports the piping of Smart Variables in its URL if using the “Alternate URL for Contact REDCap Admin links…” setting, which is located on the General Configuration page in the Control Center. Note: Data entry specific Smart Variables (e.g., record-name, event-name) cannot be piped; only high-level project/user-related Smart Variables can be piped (e.g. project-id, user-email).

  • Improvement: When viewing an inline PDF (whether via Descriptive Text field, INLINE or INLINE-PREVIEW action tag, or the :inline piping parameter), a PDF resizer option will appear immediately below the embedded PDF, allowing users to adjust the vertical size of the PDF displayed on the page. Clicking the center button on the resizer will set the PDF to be the full height of the browser.

  • Change: Survey completion timestamp fields will no longer return errors when a user attempts to import them via data import. Instead, they will merely return a warning, and their value will be ignored during the import process.

  • Improvement/change: When EHR data that is fetched in a Clinical Data Pull (CDP) context is too big to be stored in the database, it will truncate the data and add the prefix --- DATA TOO LARGE, TRUNCATED , which could happen when a patient has many medications, allergies, or conditions, for example.

Bug Fixes

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way on many pages that output user-defined text onto a REDCap webpage. This bug affects all versions of REDCap.

  • Major security fix: A Cross-site Scripting (XSS) vulnerability was discovered in a file download process in which a malicious user could potentially exploit it by inserting HTML/XML tags and/or JavaScript in a very specific way into an SVG file that is then uploaded into a File Upload field or as a Descriptive Text field attachment, and then having a logged-in REDCap user attempt to download that file using a specially crafted URL. This bug affects all versions of REDCap.

  • Bug fix: The DAG Switcher API method would mistakenly always return the message “ERROR: Invalid DAG” even when the API is being called correctly. Bug emerged in 13.1.27 LTS and 13.4.11 Standard. (Ticket #205557)

  • Bug fix: When opening a data entry form or survey page in certain versions of iOS in Mobile Safari or in Internet Explorer, the page would never fully load due to a JavaScript error. This bug was supposedly fixed two versions earlier but mistakenly was not. (Ticket #202806b)

  • Bug fix: When performing randomization on a record, a JavaScript error might mistakenly occur, which would cause calculated fields on the current page not to be recalculated post-randomization. (Ticket #205428)

  • Bug fix: When using Multi-Language Management, snapshots would be created for all projects when approving DRAFT mode, even when MLM was not in use (no languages). Now a snapshot is made only when MLM is active (not disabled) AND there is at least one language defined. Additionally, there was no automatic snapshot taken when projects are moved to production initially. Now a snapshot is taken automatically (same rules as for DRAFT).

  • Bug fix: When using Multi-Language Management, the Survey Login page text might mistakenly not get translated. (Ticket #205427)

  • Bug fix: When using Multi-Language Management, the language switcher button displayed at the top of data entry forms would not be positioned correctly when compared to other buttons right next to it.

  • Bug fix: When using MyCap, the MyCap “getStudyImages” API test would mistakenly fail if the project has been copied or created via Project XML upload, in which the images zip file was not getting stored in the back-end database.

  • Bug fix: When utilizing the “Include PDF of completed survey as attachment” option in the Confirmation Email section on the Survey Settings page for a survey that is using the e-Consent Framework, the PDF consent form that is attached to the email would mistakenly not include the e-Consent Type in the filename of the PDF. It should have listed the e-Consent Type as part of the filename for the email attachment.

  • Bug fix: When viewing an open conversation in REDCap Messenger, the “Actions” drop-down would mistakenly not open when clicked. Bug emerged in REDCap 13.4.0.

Version 13.4.13 (released May 04, 2023)

Bug Fixes

  • Medium security fix: A Blind SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks. (Ticket #205078)

  • Medium security fix: A vulnerability was found in the “Save & Return Later” feature on survey pages, in which a malicious user could potentially exploit it by manipulating an HTTP request in a specially-crafted way that would allow them to email themselves the private survey link of another survey participant. If return codes are not required to return to the survey, using brute force methods the attacker might be able to view sensitive data that survey participants have entered. However, if return codes are required, then the attacker will not be able to view any survey responses. (Ticket #205081)

  • Major bug fix: The Project Setup->Other Functionality page might mistakenly crash due to a fatal PHP error when using certain versions of PHP 8.

  • Major bug fix: When using Multi-Language Management and saving MLM translations on the MLM setup page, all Action Tag translations and all choice label translations for multiple choice fields would be permanently lost upon save. Bug emerged in the previous release. (Ticket #205076, #205146)

  • Bug fix: For CDIS-related FHIR calls specifically to Epic, the FHIR coding systems have been updated to reflect the Epic FEB23 update.

  • Bug fix: When downloading the Project XML file for a project, in some circumstances the process might fail with a fatal PHP error when using PHP 8. (Ticket #204965)

Version 13.4.12 (released May 03, 2023)

Changes/Improvements

  • Improvement: More options for the new “Navigate to page” feature for administrators: 1) Admins can now navigate to Control Center pages via typing “cc”, 2) Help is context sensitive (project links are disabled and “cc” prefix is removed while in the Control Center), 3) Destinations in the popup are now clickable links (project links are not clickable when viewed on a Control Center page), 4) Holding CTRL while pressing ENTER or clicking a link will open in a new tab, and 5) External Module related pages support the EM framework’s alternate /external_modules/ directory location, if being used.

Bug Fixes

  • Critical security fix: A Blind SQL Injection vulnerability was found on survey pages, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request to the survey end-point in a specially-crafted way.

  • Bug fix: Fixed more issues related to error checking for the Imagick PHP extension check on the Configuration Check page.

  • Bug fix: Hovering over the “view list” links to view scheduled/sent alerts on the Alerts & Notifications page would mistakenly not display anything. Bug emerged in REDCap 13.4.0 (Standard).

  • Bug fix: If proxy server settings have been provided on the General Configuration page in the Control Center, those settings would mistakenly fail to be used by the internal MyCap API check on the MyCap Configuration Check page and thus could result in a false positive saying that issues exist.

  • Bug fix: If some Smart Variables are used in a calculation or conditional logic, in which the evaluation of the calculation/logic results in a blank/empty string (i.e., after applying the current context and the current data during the logic evaluation process), an incorrect value might be returned from the calculation/logic. For example, this could cause calculated fields and Data Quality rule H not to function as expected. (Ticket #203945)

  • Bug fix: The Email Users page in the Control Center might become unusable and/or lock up when attempting to select users to email when lots of users (thousands or tens of thousands) exist in REDCap. (Ticket #203947)

  • Bug fix: The Share->Copy Link functionality might stop functioning for files in the File Repository if attempting to perform the functionality in a specific way more than once while on the page. (Ticket #204876)

  • Bug fix: The wrong language variable is used for the WebDAV file server check on the Configuration Check page. (Ticket #204838)

  • Bug fix: When a Survey Base URL is defined in the Control Center and a survey participant clicks the “Close survey” button after completing a survey, if the survey had been opened in the participant’s browser from outside of REDCap, such as clicking a link in an email, in which the browser will not let the webpage close the tab but instead falls back to displaying the “You may now close this tab/window” message on the page, the participant would mistakenly not be taken to a URL beginning with the Survey Base URL but would instead be taken to the non-survey Base URL defined in the Control Center, which could be confusing to the participant. (Ticket #204422)

  • Bug fix: When a user tries to send a MyCap announcement to their MyCap participants, the Announcement dialog would always mistakenly close before a message can be added. (Ticket #204571)

  • Bug fix: When attempting to upload Alerts & Notifications via CSV file, if the “email-to” field contains the value [survey-participant-email], REDCap would mistakenly return an error message saying the value isn’t valid when it actually is. (Ticket #201256)

  • Bug fix: When clicking inside the “Deactivate” and “Permanently Delete” dialogs on the Alerts & Notifications page, the dialog would mistakenly close. In addition, the Cancel buttons were also not working in the dialogs. Bug emerged in REDCap 13.4.0. (Ticket #204799)

  • Bug fix: When exporting a PDF of a survey response in some specific ways, it might mistakenly return the word “ERROR” instead of outputting the PDF. Bug emerged in REDCap 13.4.9. (Ticket #204340)

  • Bug fix: When opening a data entry form or survey page in certain versions of iOS in Mobile Safari, the page would never fully load due to a JavaScript error. (Ticket #202806, #204332)

  • Bug fix: When using Multi-Language Management and using the eConsent Framework, the footer of the eConsent PDF, when displayed at the end of a survey, would mistakenly not have its text translated by MLM. This issue was supposedly fixed in the previous version but mistakenly was not. (Ticket #204669)

  • Bug fix: When using Multi-Language Management on a survey, the Font Resize buttons might mistakenly not display text for the correct/selected language when hovering over the buttons. Bug emerged in REDCap 13.4.0.

  • Bug fix: When using Multi-Language Management, fields on a data entry form that are piped on the page would mistakenly disappear from the page immediately after the form has loaded. (Ticket #204372)

  • Bug fix: When using Multi-Language Management, in certain cases an error would occur when attempting to import MLM settings via CSV or JSON files, thus preventing the upload from completing.

  • Bug fix: When using Multi-Language Management, the Form Complete status field on data entry forms would mistakenly not change to the correct translated text when switching languages on the page while using iOS. (Ticket #203189b)

  • Bug fix: When using the [form-link] or [survey-link] Smart Variable with Custom Text while also having the [new-instance] Smart Variable appended to it, it would mistakenly return a blank string instead of a survey link.

  • Bug fix: When utilizing the “Include PDF of completed survey as attachment” option in the Confirmation Email section on the Survey Settings page for a survey that is using the e-Consent Framework, the PDF consent form that is attached to the email would mistakenly have REDCap’s back-end stored filename as the PDF filename rather than the intended user-friendly version of the filename. Additionally, the consent PDF was mistakenly not listed by name in the logged details of the event on the Logging page.

Version 13.4.11 (released April 27, 2023)

Changes/Improvements

  • Improvement: Searching has now been added in the Action Tags popup and Smart Variables popup to allow users to find content faster in those popups.

  • Improvement: When viewing PDF attachments on Descriptive Text fields on a data entry form or survey, in which the PDF is set to be displayed inline, the PDF frame is now adjustable at the bottom so that its vertical size may be modified by the user/participant for better viewing.

Bug Fixes

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in a file download process in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way into an HTML file that is then uploaded into a File Upload field or as a Descriptive Text field attachment, and then having a logged-in REDCap user attempt to download that file using a specially crafted URL.

  • Major bug fix: Partially completed one-page surveys might mistakenly behave as if the participant has not started the survey if they return to the partially completed survey after having entered some data. (Ticket #204003)

  • Major bug fix: When a survey participant opens a public survey under certain conditions, such as when multiple participants are using the same device, the survey page (and/or subsequent pages) might mistakenly get populated with the previous participant’s responses, thus allowing participants to see data they should not. This fix reverts functionality from Ticket #142376 (from REDCap 13.4.3 Standard and 13.1.19 LTS) that attempted to gracefully recover a participant’s session if they used their browser’s BACK button on a survey as a means of returning to a previous survey page. (Ticket #204164)

  • Critical security fix: A PHP Deserialization Remote Code Execution vulnerability was found in which a malicious user who is not logged in could potentially exploit it by manipulating an HTTP request to a survey page while uploading a specially crafted file. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists only in the following REDCap versions: LTS 13.1.11 through 13.1.26 and Standard Release 13.3.0 through 13.4.10.

  • Bug fix: DDP Custom might mistakenly fail to pull and display data correctly due to internal field-mapping issues.

  • Bug fix: During the MyCap EM to REDCap migration process, the migration popup was displaying the wrong “number of tasks” if there are any inadequately-enabled tasks on the EM side.

  • Bug fix: Fixed an issue with the auto-adjudication setting related to the use of email addresses in a CDIS project, in which it was causing the email addresses not to be fetched from the EHR.

  • Bug fix: Fixed issues related to error checking for the Imagick PHP extension check on the Configuration Check page. (Ticket #203313b)

  • Bug fix: If the dates used together in a datediff() function or in a @CALCDATE action tag do not have the same date format, the resulting error message would mistakenly mention “Since the DATEFORMAT parameter was not provided as the fourth parameter in the equation, ‘ymd’ format was assumed”. The date format parameter is a legacy feature and is no longer used or needed, so that specific part of the error message has been removed in these cases. (Ticket #204213)

  • Bug fix: If the first column of the Record Status Dashboard table is a sticky/floating column (because the table is very wide), the column’s background color might mistakenly be transparent instead of a solid color, thus causing the table to look strange. (Ticket #203655)

  • Bug fix: If the unique group name of a Data Access Group happens to be an integer and also happens to be the same value as the Group ID number of another DAG in the same project, users would mistakenly not be able to utilize the DAG Switcher if they attempt to move in and out of the DAG whose Group ID number matches the unique group name of another DAG. (Ticket #204033)

  • Bug fix: Requests to the survey end-point that contained “__passthru” and “route” in the URL would mistakenly not get logged in the redcap_log_view table.

  • Bug fix: Some “popover” help text on various pages would mistakenly not display when a user’s cursor hovers over them. Bug emerged in REDCap 13.4.0 (Standard).

  • Bug fix: The “Field Finder” on the Codebook page might mistakenly display some HTML in the search results if the user begins the search with the letter “c”.

  • Bug fix: When publishing a MyCap configuration in a project, some chart fields might not get stored correctly in the config and thus might affect participants using the MyCap mobile app on iOS.

  • Bug fix: When using “&new” in a survey URL of a repeating survey, in which the URL also contains extra URL parameters for the purpose of survey pre-filling, those extra parameters would mistakenly be lost and thus will not be pre-filled after redirecting the participant to a not-yet-created repeating survey instance. (Ticket #204113)

  • Bug fix: When using DUO as an option for two-factor authentication, the 2FA process would mistakenly redirect users to the REDCap home page after a successful login rather than redirecting them to the current page they were originally on. (Ticket #203337)

  • Bug fix: When using Duo two-factor authentication, the REDCap login page might mistakenly be blank when using Mobile Safari on an iOS device. (Ticket #203626)

  • Bug fix: When using Multi-Language Management and using the eConsent Framework, the footer of the eConsent PDF, when displayed at the end of a survey, would mistakenly not have its text translated by MLM.

  • Bug fix: When using Multi-Language Management, some browsers might attempt to auto-translate part of the webpage when viewing a page translated via MLM. Such a browser action will now be prevented in order to allow the form or survey to be viewed exactly how the user intended. (Ticket #203925)

  • Bug fix: When using Multi-Language Management, some browsers might attempt to display a popup to ask the user if the page should be auto-translated by the browser. In the previous version, the auto-translate action is now prevented, but this new fix now prevents the translation popup from displaying altogether in order to reduce confusion for users/participants when using MLM. (Ticket #203925b)

  • Bug fix: When using Multi-Language Management, the @LANGUAGE-FORCE action tag (if being used on a field) would mistakenly not work as expected.

  • Bug fix: When viewing a Public Project Dashboard on PHP 8, the page might mistakenly crash due to a fatal PHP error. (Ticket #203634)

Version 13.4.10 (released April 20, 2023)

Bug Fixes

  • Major bug fix: When copying a project and all its records, any fields that have no action tags (i.e., have nothing in the Field Annotation) would mistakenly have their value converted into a MyCap participant code for all records/events. Additionally, some repeating instance data might get orphaned or not get copied over correctly. (Ticket #203436)

  • Bug fix: The Control Center’s Configuration Check page might mistakenly display an incorrect message that the Imagick PHP extension is not installed correctly when in fact the issue was that Ghostscript was not installed correctly on the server. (Ticket #203313)

  • Bug fix: The MyCap mobile app might mistakenly crash in certain situations on the About page if the About page’s image for the app is stored incorrectly in the project’s MyCap configuration.

Version 13.4.9 (released April 19, 2023)

Changes/Improvements

  • Improvement: New ‘Go to project page’ feature for administrators only will appear on the top navbar (when not inside a project) and on the left-hand menu when inside a project. Entering the PID of a project and hitting Enter/Tab will navigate the admin directly to the project. Additionally, if the PID is followed by a specific 1-3 letter abbreviation, they can navigate to a specific page within the project - e.g., ‘181 an’ to go to the Alerts & Notifications page in PID 181. To go to a specific record on the Record Home Page, also enter the record number - e.g., ‘34 rhp 999’ to view record 999 on the Record Home Page of PID 34.

  • Change/Improvement: When a participant attempts to log in to a survey via the Survey Login feature, the attempt is now logged, in which the following things are recorded in the project logging: 1) whether the login attempt was a success or failure, 2) the project fields being utilized in the login attempt, and 3) the context (e.g., the record, survey, and event).

  • Minor changes and improvements for the External Module Framework: 1) Prevented hidden settings from being stripped out of getSubSettings() calls, and 2) Added the isAuthenticated() method.

Bug Fixes

  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by entering an HTML “iframe” tag in a carefully crafted manner into the value of a text field on a form or survey. Additionally, that text field’s value must be piped to another place on that same page in order to exploit it. This bug exists in all versions of REDCap, both LTS and Standard Release.

  • Medium security fix: A Path Traversal vulnerability was found in a specific endpoint relating to the Clinical Data Pull feature, in which a malicious user could potentially exploit it by manipulating an HTTP request on a specific CDP page.

  • Major security fix: A Blind SQL Injection vulnerability was found on the Alerts & Notifications page, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page or indirectly via the survey page.

  • Critical security fix: A Remote Code Execution vulnerability was found in the process whereby files are uploaded via File Upload fields and via the Data Import Tool, in which a malicious user could potentially exploit it by manipulating an HTTP request while uploading a specially crafted file on the Data Import Tool page, on a data entry form, or on a survey page. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists in all versions of REDCap.

  • Critical security fix: An Insecure Direct Object References (IDOR) vulnerability was found, in which a malicious user could potentially exploit it by manipulating an HTTP request in a specially crafted manner on a survey page. This could allow the attacker to export PDFs containing data of individual survey participants (potentially containing sensitive/private information). Any valid survey link (including a public survey link) could be used and manipulated in order to export a PDF containing data for any record within the project to which the survey link belongs.

  • Bug fix: After renaming a record in a longitudinal project and using the Form Display Logic feature, the Record Home Page might mistakenly give a fatal PHP error when using PHP 8. (Ticket #203014)

  • Bug fix: CDIS-related bug that could cause issues when refreshing a user’s FHIR access token, in which the format of the date used to check for expiration was wrong.

  • Bug fix: Due to various API changes in the third-party web service used by the Field Bank feature, the Field Bank would no longer return any results if a user searched for a field in the Field Bank dialog in the Online Designer. This affects REDCap versions 10.7.0 and higher.

  • Bug fix: If the two authentication settings “Number of failed login attempts…” and “Amount of time user will be locked out after having failed login attempts…” on the Security & Authentication page somehow have non-integer values, it could cause the REDCap login page to crash with a fatal PHP error when using PHP 8. (Ticket #202976)

  • Bug fix: Long-running CDIS-related cron jobs might mistakenly prevent External Module cron jobs from running at their expected interval.

  • Bug fix: The DAG Switcher table might mistakenly display a bunch of up/down arrows below the table header row due to a CSS issue.

  • Bug fix: The link to the Training Videos on the login page would be incorrect in some situations. (Ticket #203245)

  • Bug fix: The login page for “Shibboleth & Table-based” authentication might mistakenly display both the Shib and Table-based login options under the Shib login tabs when using more than one Shibboleth login option. Bug emerged in REDCap 13.4.0. (Ticket #200919b)

  • Bug fix: When an adaptive or auto-scoring survey that has been downloaded from the REDCap Shared Library is not the first instrument in the project and is set to “Redirect to a URL” on the Survey Settings page, the survey participant would mistakenly not be redirected to the defined URL after completing the survey. (Ticket #203316)

  • Bug fix: When an administrator uses the “Auto-fill” link on a data entry form or survey, it might mistakenly fail on Text fields that lack field validation. Bug emerged in the previous version. (Ticket #202933)

  • Bug fix: When clicking any of the table headers for the project list table on the My Projects page, it would mistakenly hide all the projects in the list except for those in the “Unorganized Projects” folder. Additionally, if any project folders were previously open, the user would find that all project folders had been closed after reloading the page. (Ticket #203046)

  • Bug fix: When copying a MyCap-enabled project that contains records, in which the records are also being copied, the process would fail to copy the records into the MyCap Participant List in the new project. The records would get copied correctly but mistakenly not added to the MyCap Participant List.

  • Bug fix: When two administrators are viewing the Multi-Language Management page in the Control Center at the same time, the second person to navigate there will not be able to view the page while the first person is still viewing it due to a fatal PHP crash. Bug emerged in the previous version. (Ticket #202782)

  • Bug fix: When using Multi-Language Management on a data entry form, the MLM language switcher drop-down displayed on the form might mistakenly be obscured and/or not visible while using certain iOS devices. (Ticket #203189)

  • Bug fix: When using Multi-Language Management on form or survey, the choice label from radio button fields that are inside a matrix would fail to pipe successfully if on the page. (Ticket #201392)

  • Bug fix: When using Multi-Language Management, the @LANGUAGE-FORCE action tag might not work as intended under specific conditions. (Ticket #202553)

  • Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code “986” would mistakenly not work for SMS or voice calls unless the number has a “1” prepended to it. (Ticket #203044)

  • Bug fix: When using an [aggregate-X] Smart Variable in a calculation or any kind of conditional logic or branching logic, in which the value returned for the [aggregate-X] Smart Variable is greater than “999”, the logic might mistakenly not function as expected. (Ticket #203063)

  • Bug fix: When using the “Compare” feature for data dictionaries and/or snapshots on the Project Revision History page, on certain occasions it would not perform the comparison correctly and thus would display incorrect results.

Version 13.4.8 (released April 12, 2023)

Changes/Improvements

  • Change/improvement: HTML “strike” strikethrough tags are now allowed in user-defined text, such as field labels, survey instructions, etc.

Bug Fixes

  • Major security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way on any page that outputs user-defined text, such as field labels, survey instructions, etc. This bug allows anyone to inject the “script” tag on any page that outputs user-defined text. In addition, the HTML “s” strikethrough tag can no longer be used as an allowed HTML tag, but instead it is preferred that users use the HTML “strike” tag as an equivalent replacement if users are hand-coding HTML on a page. This excludes the usage of the strikethrough button in the rich text editor, which is unaffected by this issue. This bug does not affect any LTS versions. Bug emerged in REDCap 13.4.3 Standard.

  • Major bug fix: The Simultaneous User Check, which ensures that two users cannot modify the same record/event/form/instance on the same project was mistakenly not working and would never display the warning to prevent users from being on the same instrument at the same time for a given record. Bug emerged in REDCap 13.2.0 (Standard). LTS is not affected by this bug.

  • Bug fix: A CDIS-related database query could throw a fatal error when computing information for a DataMart revision.

  • Bug fix: Several missing LOINC codes were added to the CDIS mapping features.

  • Bug fix: The “Auto-fill Form” link for administrators to use on forms and surveys would mistakenly insert the wrong value for specific field validations, such as Number (1 decimal place), Number (comma as decimal), and other number types. (Ticket #202401)

  • Bug fix: The warning popup that is displayed when a user attempts to download a data dictionary when one or more of the instruments in the project have been imported from the REDCap Shared Library, in which the user must first agree to the Shared Library’s Terms of Use, was mistakenly not being displayed when users also perform the following other relevant actions: download an instrument zip file, download a Project XML file, or copy the project.

  • Bug fix: When downloading a PDF of an instrument that contains a Descriptive Text field with an inline PDF attachment, in certain cases an extra empty page might appear in the resulting PDF right before where the inline PDF is rendered. (Ticket #202598)

  • Bug fix: When loading the first page of a multi-page public survey, in which no records exist in the project yet, the survey page might display a “REDCap crashed” error when running PHP 8. (Ticket #202648)

  • Bug fix: When using MyCap, records might not appear in the MyCap Participant List if they were created while the MyCap feature was disabled in the project, after which MyCap was later enabled. (Ticket #202374)

  • Bug fix: When using the Smart Variable [stats-table] and limiting its data via appending a unique report name, in which the report itself returns zero results, the stats table would mistakenly display statistics for all records in the project. (Ticket #201751)

Version 13.4.7 (released April 07, 2023)

Changes/Improvements

  • Change/improvement: Some performance improvements and minor changes for the Unicode Transformation page, such as the exclusion of specific database table columns since they do not need to be transformed.

  • Change/improvement: When a cron job crashes and sends an email to the REDCap administrator, the email now includes a full stack trace of the error.

  • Change: Improved memory management for several CDIS-related processes, especially those performed by the cron job.

Bug Fixes

  • Bug fix: If the REDCap database table structure has utf8mb4 collation while REDCap’s database connection is configured to use utf8[mb3], both the db_character_set and db_collation values in the redcap_config database table will be modified to ensure that the character set is aligned. This fix will occur during the upgrade process and will also be added to the Unicode Transformation page.

  • Bug fix: If using Multi-Language Management, the @LANGUAGE-CURRENT-FORM action tag was working on (completed) surveys viewed on data entry pages, which should never have been the case.

  • Bug fix: If using Multi-Language Management, the MLM “Change Language” tooltip might not display the correct mouseover text due to issues with Bootstrap 5. Related, the position and spacing of the language selector on data entry forms was off also.

  • Bug fix: Some users that are accessing a CDIS project might find that project pages might take a very long time to load. This only affects certain users on CDIS projects, but it is unknown which users might be affected by this.

  • Bug fix: The modal dialog displayed when attaching a file via the rich text editor might not look correct because some CSS styles were mistakenly missing for certain elements in the dialog.

  • Bug fix: The new instance button for repeating instruments on the Record Home might mistakenly not be disabled when the form icon is disabled by Form Display Logic.

  • Bug fix: The tables that list the choices for multiple choice fields on the Codebook page were mistakenly missing some of their borders.

  • Bug fix: When a @CALCTEXT field contains an if() function that has a plus sign ( ) inside of single quotes or double quotes, the resulting text would mistakenly have the text “1 1” replacing every plus sign. This would occur when viewing a @CALCTEXT field on a data entry form or survey but not via server-side calculation methods, such as Data Quality rule H. (Ticket #141653)

  • Bug fix: When piping a field variable that has an [X-event-name] Smart Variable prepended to it while also having an [X-instance] Smart Variable appended to it, it might mistakenly return a blank value rather than piping the correct value. (Ticket #142932)

Version 13.4.6 (released April 03, 2023)

Bug Fixes

  • Major bug fix: Reverted the bug fix in Ticket #142759, which sought to provide server-side checking to prevent @READONLY fields from having their data values modified through the client side (e.g. JavaScript). This has been reverted because there appear to be too many scenarios in which this server-side checking was blocking legitimate data entry and thus some data was not getting saved properly. Most of these scenarios occurred when using certain action tags together with @READONLY, as described in Ticket #202226 (i.e., @CALCTEXT, @CALCDATE, @DEFAULT, @SETVALUE), but other scenarios, such as when performing survey pre-filling (via URL parameters or via POST requests) for @READONLY fields, could not easily be incorporated into the server-side checking. Therefore, the server-side checking for @READONLY fields (added to REDCap 13.1.20 LTS and 13.4.4 Standard) has been removed/reverted because it was preventing legitimate data entry on forms and surveys in various scenarios.

Version 13.4.5 (released April 01, 2023)

Changes/Improvements

  • Change: When using the Unicode Transformation page, if a database table’s row_format is COMPACT, it will now add ROW_FORMAT=DYNAMIC to the SQL transformation script so that this does not need to be done separately (can be time-consuming on its own).

Bug Fixes

  • Major bug fix: Opening a data entry form when using PHP 8 would crash the page with a fatal PHP error on certain occasions. Bug emerged in the previous version.

Version 13.4.4 (released March 31, 2023)

Bug Fixes

  • Bug fix: Fields that have a @READONLY action tag could have their data value modified on a survey page or data entry form by manipulating the webpage via JavaScript or via the web browser’s developer console. (Ticket #142759)

  • Bug fix: If using MySQL 8 for the REDCap database, admins might see false positives for the database structure check in the Control Center, in which it might mistakenly say “Your Database Structure is Incorrect” when it is actually correct. Bug emerged in the previous version. (Ticket #202144)

  • Various CDIS-related fixes

Version 13.4.3 (released March 31, 2023)

Changes/Improvements

  • Improvement: “Postal Code (UK)” was added as a new field validation. After upgrading, an administrator will need to enable it on the Field Validation Types page in the Control Center. (Ticket #201961)

  • Improvement: When using the Google/Microsoft Authenticator option for two-factor authentication in REDCap, users will be able to enroll using their Google/Microsoft Authenticator app the very first time they log in to REDCap via 2FA, in which the enrollment QR code will be displayed there the first time they log in via 2FA. This allows institutions to utilize the Google/Microsoft Authenticator option for REDCap without necessarily having to offer the less secure Email option, which is often the fallback/default for when users initially log in via 2FA. In previous REDCap versions, users would have to use a 2FA option other than Google/Microsoft Authenticator the first time they logged in via 2FA. So this behavior change provides a more secure way to offer 2FA. (Ticket #141099)

  • CDIS-related changes/improvements: Created DTO (data transfer objects) for CDIS mapping to improve the code’s reliability, readability, and maintainability. Implemented the ability to include additional parameters in CDIS mapping using a specific syntax.

  • Change/improvement: HTML “s” strikethrough tags are now allowed in user-defined text, such as field labels, survey instructions, etc.

  • Improvement/change: If a participant returns to the first page of a multi-page survey (e.g., by clicking the Previous Page button or returning via their Return Code), the survey instructions can be viewed again by clicking the “View survey instructions” link at the top of page 1. In previous versions, the survey instructions could never be viewed again after the survey had been started (i.e., the first page had been submitted). (Ticket #201430)

  • Improvement/change: The main Control Center page now displays a warning if REDCap recognizes that your web server and cron job are using different PHP.INI files, as this can sometimes cause undesired side effects.

Bug Fixes

  • Major bug fix: If a user calls the “Export Records” API method and explicitly provides the “fields” API parameter as a comma-delimited text string (instead of an array), the API might mistakenly export the data for all project fields, including data for fields for which the API user does not have data export rights. (Ticket #200812)

  • Bug fix: Custom Survey Queue Text might mistakenly have many unnecessary line breaks, thus causing the text to have large, empty gaps. (Ticket #201330)

  • Bug fix: Floating matrix headers on data entry forms (but not on surveys) would mistakenly move too much to the right side of the page while floating.

  • Bug fix: If a participant is taking a multi-page public survey and uses their browser’s Back button to go back to the first survey page, then then afterward continues forward again on the survey, it would mistakenly create a duplicate response/record in the project (Ticket #142376)

  • Bug fix: If an alert is set to be triggered during a data import, in which it will send an alert for each new repeating instance of a repeating instrument, the alert would mistakenly fail to get triggered if the imported value of the “redcap_repeat_instance” field is literally “new” rather than an integer. (Ticket #200445)

  • Bug fix: If the record ID field has any kind of field validation, the validation would mistakenly fail to be enforced when renaming the record on the Record Home Page. (Ticket #200101)

  • Bug fix: Small fixes for the page “Updating your REDCap Database Tables to support full Unicode”.

  • Bug fix: Some project-level pages would mistakenly appear too wide and would display a horizontal scrollbar when they should not. (Ticket #202024)

  • Bug fix: The “Save & Mark Survey as Complete” button on data entry forms might mistakenly be displayed in situations in which it should not. (Ticket #142863)

  • Bug fix: The Configuration Check page had several checks that would mistakenly fail due to language strings not being escaped. This bug was introduced in the previous version. This issue was supposedly fixed in REDCap 13.4.2, but mistakenly it was not. (Ticket #201609)

  • Bug fix: The login page for “Shibboleth & Table-based” authentication might mistakenly display both the Shib and Table-based login options under the Shib login tab. Bug emerged in REDCap 13.4.0. (Ticket #200919)

  • Bug fix: The process that checks for errors in the REDCap database structure might have reported false positives if REDCap is running on newer MariaDB versions (10.3.37 , 10.4.27 , 10.5.18 , 10.6.11 , 10.7.7 , 10.8.6 , 10.9.4 , 10.10.2 , 10.11.0 ), in which the “SHOW CREATE TABLE” query in these newer MariaDB versions excludes a column’s charset and collation if the column matches the default charset/collation of the table.

  • Bug fix: Vertically-aligned checkboxes (and some other elements as well) might not display correctly (or might be invisible) on survey pages while using an RTL (right-to-left) translated language via Multi-Language Management. (Ticket #201476, #200785)

  • Bug fix: When a repeating instrument for a record has an instance 2 but not an instance 1 saved, the left-hand instrument menu might mistakenly display a gray status icon for the repeating instrument (as if no instances exist) when viewing other instruments within the record. (Ticket #202054)

  • Bug fix: When composing an invitation for a repeating survey on the Participant List page, the Compose Invitations dialog would mistakenly pre-check the checkbox of participants in the dialog’s participant list in which the participant row represents a placeholder for a not-yet-existing repeating instance of the survey. In this case, users might not wish to send an invitation to these placeholders, but they exist there in the participant list just in case they do wish to invite them. So leaving them pre-checked when the Compose dialog opens could cause users to mistakenly send another repeating survey invitation to the participant when the user did not intend to do that.

  • Bug fix: When creating a new project via the MyCap project template, the project creation process would mistakenly update the baseline date setting configuration before updating the project configuration, thus causing some things to be out of sync with regard to MyCap settings in the project in certain cases.

  • Bug fix: When following the directions on the page “Updating your REDCap Database Tables to support full Unicode”, the process might mistakenly fail due to certain MySQL/MariaDB errors occurring when attempting to convert certain characters to utf8mb4 via the UPDATE queries provided on the page. If you have attempted to use this page previously and had to stop due to these errors, then after upgrading, we recommend you try it again using the new SQL provided on that page.

  • Bug fix: When taking an adaptive or auto-scoring survey that was imported from the REDCap Shared Library while the Survey Queue is being utilized, clicking the Survey Queue icon at the top right of the survey page might mistakenly not display the Survey Queue.

  • Bug fix: When taking an adaptive or auto-scoring survey that was imported from the REDCap Shared Library while the Survey Queue is being utilized, the Survey Queue might mistakenly fail to be displayed at the end of the survey or (if using auto-start) the next survey in the queue would fail to begin automatically. (Ticket #201816)

  • Bug fix: When the survey expiration date is saved in YMD date format on the first save of the Survey Settings page, the date format is corrupted and not saved correctly. (Ticket #201743)

  • Bug fix: When two users are simultaneously on the same data entry form in a project about to create a new record, in which both users have been assigned the same tentative record name prior to the record being created, if the second user to click Submit is also locking the instrument, the second user’s record would skip a number in the record creation sequence (e.g., user 1 creates record “101” while user 2 creates “103” instead of “102”) while also mistakenly not locking the second user’s new record. (Ticket #201814)

  • Bug fix: When uploading a CDISC ODM XML file of data on the Data Import Tool page, in certain situations while using PHP 8, the page could crash with a fatal PHP 8 error. (Ticket #200728)

  • Bug fix: When user privileges are edited or when users are added to a project via the CSV file upload on the User Rights page, it would mistakenly not log the individual events of each user being edited or added, respectively. (Ticket #200514)

  • Bug fix: When using an ontology service (e.g., BioPortal) on a Text field, the cron job that sends Alerts and Automated Survey Invitations might mistakenly crash with a fatal PHP error if the field’s value is piped into the email body of the Alert or ASI. (Ticket #201928)

  • CDIS-related bug fixes: Resolved an issue where an error during FHIR authentication prevented the complete log from being displayed. Fixed a bug where fhir_identity_provider, a CDIS setting, was not given proper priority during the FHIR authentication process. Addressed a bug where the “next” page of a bundle containing too many entries could have no reference to the FHIR resource, resulting in a logging error.

Version 13.4.2 (released March 24, 2023)

Bug Fixes

  • Major bug fix: When appending “&new” to the end of a survey URL for a repeating survey, it would mistakenly not redirect to the next not-yet-created repeating instance of the survey but would instead display the message that the survey had been completed.

  • Bug fix: The Configuration Check page had several checks that would mistakenly fail due to language strings not being escaped. This bug was introduced in the previous version. (Ticket #201609)

  • Bug fix: When clicking the Check All button on the Email Users page in the Control Center, if some text had been entered into the Search filter beforehand, every user would mistakenly be selected rather than just the visible users in the table. This could cause the email to go to all users instead of just specific ones.

  • Bug fix: When copying a project or creating a project from a template, the creator of the project would mistakenly not have “Alerts & Notifications” privileges. (Ticket #201585)

  • Bug fix: When the REDCap API has been disabled at the system level, the Tableau Export option on the “Other Export Options” page would mistakenly still appear. (Ticket #200248)

  • Bug fix: When using Duo two-factor authentication, REDCap would mistakenly not honor when a user checked the checkbox to not prompt for the MFA login again for 7 days. (Ticket #201444)

Version 13.4.1 (released March 24, 2023)

Changes/Improvements

  • Improvement: New option for Form Display Logic: Hide forms that are disabled. When enabled, all forms that are disabled will also be hidden (not visible) on the Data Collection menu and on the Record Home Page.

  • Improvement: The Database Query Tool page in the Control Center now has a text box to easily filter database tables in the table list.

  • Improvement: The text for the setting Require a ‘reason’ when making changes to existing records is now available for translation on the Multi-Language Management page.

  • Minor security improvement: The “Clickjacking Prevention” feature is now always automatically enabled on the Password Recovery page (when using “Table-based” or “X & Table-based” authentication).

  • Change: Hundreds of phrases and words of static text were abstracted in the REDCap code to allow them to be translated via the Language Updater. (Thanks to Hugo Potier for all his help with this task.)

  • Change: Reworded the “Tip for min/max limits” text in the Online Designer for greater clarity.

Bug Fixes

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in the File Repository in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the “comment” text of an uploaded file. (Ticket #200457)

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered on survey pages in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way into the survey URL in order to pre-fill a Text field on the page, in which the field must have the @DEFAULT action tag and must also be piped somewhere on the current page. (Ticket #201503)

  • Bug fix: Fixed typo in Multi-Language Management logEvent() method. This does not seem to affect anything though.

  • Bug fix: Floating matrix headers on survey pages and data entry forms might mistakenly move all the way to the left side of the page while floating.

  • Bug fix: If a horizontally-aligned checkbox is embedded inside the choice label of another checkbox that is vertically-aligned, the first checkbox of the embedded field might mistakenly not be visible. (Ticket #201393)

  • Bug fix: In a classic/non-longitudinal project, when navigating directly to a data entry form prior to choosing a record (via the form list under “Hide data collection instruments” on the left-hand menu), the page would mistakenly be too narrow.

  • Bug fix: In some rare scenarios when a participant submits the first page of a public survey, the page might result in a “too many redirects” error, thus preventing the user from completing the survey. (Ticket #200351)

  • Bug fix: In some situations, a required field that is embedded inside another required field hidden by branching logic might mistakenly not be able to have its value removed when a user deletes the value and then clicks Save on a survey or data entry form. The value would reappear again if the page was reloaded.

  • Bug fix: Piping in a survey’s Survey Completion Text would always fail to work. (Ticket #200909)

  • Bug fix: Several missing LOINC codes were added to the CDIS mapping features.

  • Bug fix: Small tweaks and fixes for the page “Updating your REDCap Database Tables to support full Unicode”.

  • Bug fix: Some dialog popups on MyCap-related setup pages might mistakenly close when clicking inside them.

  • Bug fix: Some matrix headers might mistakenly disappear when scrolling down on a survey or data entry form.

  • Bug fix: The admin-only “auto-fill” button on surveys and data entry forms might not be located in the correct position on the page after resizing the webpage.

  • Bug fix: The borders of table cells for tables created by the rich text editor might mistakenly be invisible when they have been set to be displayed with a border.

  • Bug fix: The footer (gray box) at the bottom of all project pages might mistakenly not appear in the correct position but might be too far left. (Ticket #200912)

  • Bug fix: The onhover action of the gear icons on the User Activity Log page in the Control Center would mistakenly not work and would not display the project title, as expected. (Ticket #200729)

  • Bug fix: The survey auto-continue feature might mistakenly not work with PROMIS computer adaptive test (CAT) surveys but instead would just display the text “Thank you for your interest, but you have already completed this survey”. (Ticket #200757, #200621)

  • Bug fix: When a PDF file is attached to a Descriptive Text field and is set to display inline, it might not always get positioned in the correct place in the resulting PDF that is generated.

  • Bug fix: When a PDF file is attached to a Descriptive Text field and is set to display inline, the inline PDF might be displayed with too low a resolution inside the resulting PDF that is generated. Its resolution has been increased from 120 DPI to 200 DPI to make it more readable. (Ticket #200582)

  • Bug fix: When a PDF file is attached to a Descriptive Text field and is set to display inline, the inline PDF might mistakenly be too large for the page and might run off the page if more than one or two lines of text exist for the Descriptive Text field’s field label. The resulting PDF that is generated will instead begin the inline PDF on a new page by itself in this scenario. (Ticket #200582b)

  • Bug fix: When clicking inside the “Preview message by record” dialog on the Alerts & Notifications page, the dialog would mistakenly close.

  • Bug fix: When composing a survey invitation, in which the Smart Variable [survey-link:instrument] or [survey-url:instrument] is used (i.e., with an instrument name) inside the body of the invitation, the dialog titled “Invitation text is missing [survey-link] variable” would mistakenly appear when it should not. (Ticket #200914)

  • Bug fix: When embedding a matrix field and using the “:icons” notation, the balloon and history icons would mistakenly not be displayed for the embedded matrix field.

  • Bug fix: When submitting the first page of a public survey, in which an MDY or DMY formatted date/datetime field was submitted, the survey might mistakenly display the “invalid values entered!” dialog saying that the field’s submitted value was incorrect, which is not true.

  • Bug fix: When using Multi-Language Management, the image upload and file attachment modals might not work on the MLM setup page.

  • Bug fix: When using Multi-Language Management, the proper language would not get used for the e-Consent PDF in certain situations (Ticket #200944).

  • Bug fix: When using Multi-Language Management, the survey acknowledgement page might not show the appropriate language.

Version 13.4.0 (released March 10, 2023)

New Features

  • New feature: Mosio SMS Services REDCap has the capability to send SMS text messages for surveys and for Alerts & Notifications by using a third-party web service named Mosio (www.mosio.com). In this way, users can invite a participant to take a survey by sending them an SMS message, in which the data would be collected in REDCap directly from their phone without having to use a webpage. There are two ways REDCap currently works with Mosio: 1) Surveys Sending survey invitations and also sending questions and getting replies via text message, and 2) Alerts - Sending one-way Alerts & Notifications via text message. The Mosio Two-Way Text Messaging (SMS) Services work exactly the same as the current Twilio functionality, with the exception of the Voice Call features. Mosio can only send and receive SMS messages. If a user wishes to switch a project from using Twilio to using Mosio, the only thing that needs to be done is for them to get a Mosio account and API key, then disable Twilio and enable Mosio in their REDCap project using their API key. That’s all that needs to be done to migrate from Twilio. If you wish to disable the Mosio functionality at the system-level so that users do not see the feature on the Project Setup page, an administrator may do so on the Modules/Services Configuration page in the Control Center (similar to the Twilio settings there). For more information and to get a Mosio account, visit https://www.mosio.com/redcap. Mosio specializes in research communications automation, helping researchers improve engagement, adherence, and data collection in studies. The service is both HIPAA and 21 CFR Part 11 compliant and willing to sign BAAs.

Changes/Improvements

  • Bug fix/change: Inline PDF attachments on Description Text fields were mistakenly not being rendered as inline in PDF exports. Last year when the inline PDF feature was added for attachments on Description Text fields, in which in previous REDCap versions only images could be displayed as an inline attachment on the web page and in the exported PDF file, the feature was mistakenly not fully implemented because the PDF attachment was not rendered inline inside the resulting exported PDF file for a form or survey. To fix this, any PDF attachments that are set to be displayed as inline on a Descriptive Text field will now correctly be rendered as inline in the PDF of the form/survey in order to be consistent with how inline images have always been treated in PDFs. Additionally, the ImageMagick PHP extension is required for this fix to work. It is a common but not universal PHP extension. A new check has been added to the Configuration Check page to detect if this extension has been enabled on the REDCap web server, and if not, the page will provide a link with instructions for installing it, if desired. NOTE: If administrators wish to disable this setting so that inline PDF attachments are not rendered as inline inside the PDF files, they may disable this functionality at the system level on the Modules/Services Configuration page in the Control Center.

  • Change: Replaced all hard-coded links to REDCap Community pages to point to the new REDCap Community website hosted on the Vanderbilt REDCap server. Previous links pointed to the old AnswerHub site.

  • Change: The Internet Explorer web browser is no longer supported in REDCap.

  • Change: The project PID was added to the email subject of all “Request to Move Project to Production” emails that are sent to REDCap administrators. (Ticket #76956)

  • Change: The third-party package named Bootstrap that is embedded inside REDCap has been upgraded from Bootstrap 4 to Bootstrap 5. Most external modules should be unaffected by this change since most of the deprecated Bootstrap 4 classes and conventions have been backported into this version to make the transition as seamless as possible.

Bug Fixes

  • Major bug fix: If the Automatic Upgrade (blue button on the Upgrade page), Easy Upgrade, and/or Auto-Fix options are available in your REDCap installation (regardless of whether you have actually used those options or not), it could be possible for someone that is not logged in to REDCap to directly access the upgrade page of an older version sitting on the web server (e.g., https://…/redcap_v11.1.0/upgrade.php) and click the blue Upgrade button for the Automatic Upgrade, which would mistakenly revert the system back to that version. Note: Doing this would not run any other SQL but only the few queries that change the “redcap_version” in the redcap_config database table (and a couple of other minor things). If either the Automatic Upgrade or Easy Upgrade option is available on your system, then it is recommended that you additionally go and remove EVERY ugprade.php file that exists inside all previous REDCap version folders. This is just a one time thing, and is not necessary to do in the future. (Ticket #200338)

  • Bug fix: The Smart Variables [survey-time-started], [survey-date-started], [survey-time-completed], [survey-date-completed], [survey-duration], [survey-duration-completed] might mistakenly return the value for record “1” in a project (if record “1” exists) when these Smart Variables are used in a calculated field, @CALCTEXT field, or branching logic on the first page of a public survey. These would, however, work correctly if used in a field label, choice label, etc., if used on a non-public survey, or if used on survey page 2 or higher of a public survey.

  • Bug fix: When a user deletes all the data in a single event for a record (in the UI or via the API), the resulting logged event seen on the Logging page would mistakenly note that it happened to the first event instead of to the specified event.

  • Bug fix: When copying a MyCap-enabled project, it would mistakenly copy the MyCap tasks into the new project, even when the MyCap copy option is not checked.

  • Bug fix: When migrating a project using the MyCap external module to begin using the native MyCap feature, the migration process might mistakenly not process certain MyCap tasks correctly that were not adequately enabled in the MyCap EM.

  • Bug fix: When the Record ID field has the @HIDDEN-PDF action tag, the field would mistakenly not get hidden in the downloaded PDF when clicking the PDF option “This data entry from with saved data (via browser’s Save as PDF)” while on a data entry form. (Ticket #111718b)

  • Bug fix: When the min or max validation range of a date- or number-formatted Text field contains certain Smart Variables, the min/max range check might mistakenly not work on a form or survey due to a JavaScript error. (Ticket #143298)

  • Bug fix: While the ability of individual projects to have their own authentication method was removed in REDCap 13.1.2, this setting was mistakenly not removed from the Edit Project Settings page (in which changing its value on that page does nothing to affect anything). (Ticket #200379)

Version 13.3.4 (released March 03, 2023)

Changes/Improvements

  • Change/improvement: On the Calendar page, the year selection drop-down list now extends to 10 years in the future by default, and if the year is changed via the drop-down, the drop-down’s option will extend to 10 years in the future of either the current year or the selected year (whichever is largest). (Ticket #143067)

  • Change: HTML “style” tags are now allowed in user-defined text, such as field labels, survey instructions, etc.

Bug Fixes

  • Minor security fix: An SQL Injection vulnerability was found on the Database Activity Monitor page, in which a malicious user could potentially exploit it by manipulating an HTTP request on another page while an administrator views the Database Activity Monitor page.

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in the @CALCTEXT action tag in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the text of the @CALCTEXT action tag.

  • Bug fix: An issue specific to PHP 8.1 might cause some features of the Clinical Data Mart to crash with a fatal PHP error.

  • Bug fix: Any HTML tags used inside the equation of a @CALTEXT field would mistakenly not display correctly in the View Equation popup on data entry forms. (Ticket #143228)

  • Bug fix: In some cases after a participant has completed a survey, if they return to the survey using a private survey link (i.e., not a public survey link) while the survey has “Save & Return Later” disabled, the participant might mistakenly be allowed to modify the existing survey response. (Ticket #143400)

  • Bug fix: Large configurations for Multi-Language Management might mistakenly get truncated in the database when saved. The configuration columns in the MLM database tables were increased to handle this. (Ticket #143355)

  • Bug fix: Several missing LOINC codes were added to the CDIS mapping features.

  • Bug fix: The Stats & Charts page might mistakenly crash in certain situations due to a fatal PHP error when using PHP 8. (Ticket #143019b)

  • Bug fix: The embedded PDF on the e-Consent certification page of a survey with the e-Consent Framework enabled would mistakenly look squished (have incorrect dimensions) when taking the survey on an iPad. (Ticket #143212)

  • Bug fix: When REDCap is sending a confirmation email to a survey participant after completing a survey, it might mistakenly cause a fatal PHP error on the page. (Ticket #143145)

  • Bug fix: When piping a File Upload field with “:link” or “:inline” in the body of outgoing emails (e.g., alerts, ASIs), the piping would mistakenly not be successful under certain circumstances. (Ticket #143158)

  • Bug fix: When using Multi-Language Management, in which an Automated Survey Invitation has been translated, the ASI might mistakenly be sent out in the fallback language in some cases. (Ticket #143119b)

  • Bug fix: When using Multi-Language Management, in which an Automated Survey Invitation has been translated, the ASI might mistakenly not be sent in the desired language when there are conflicting things (or none) dictating what the language should be for the ASI. To prevent this issue regarding language ambiguity in ASIs, a new MLM setting had to be added to allow users to define the language source of a given ASI at the survey level (but not at the survey-event level), in which users may choose the “Language preference field” or “User’s or survey respondent’s active language” as the ASI Language Source on the MLM setup page. (Ticket #143119)

  • Bug fix: When using comments in calculations or logic, if the comment contained a quote or apostrophe, it would mistakenly get included in the check to ensure that there is always an even number of quotes/apostrophes in the calculation/logic. This would sometimes throw an error and prevent users from being able to add or edit the calc/logic. (Ticket #143367)

Version 13.3.3 (released February 24, 2023)

Bug Fixes

  • Major bug fix: On public surveys where the participant fails to enter a value for a required field on the first page of the survey, in which the survey page has dozens or hundreds of fields, the survey page might mistakenly crash with an HTTP 414 error (URL Too Long) after being submitted, thus preventing the participant from completing the survey. Bug emerged in REDCap 13.1.11 (LTS) and 13.3.0 (Standard). (Ticket #142829)

  • Bug fix: If Automated Survey Invitations have been set up for a survey, in which some invitations have already been scheduled for a record, if the survey instrument gets marked as “Complete” via normal save operations on the data entry form (with the exception of clicking the “Save & Mark Survey as Complete” button), the scheduled invitations would mistakenly get automatically deleted. They should only get deleted if the survey has been completed via the survey page or by a user clicking the “Save & Mark Survey as Complete” button on the data entry form. Bug emerged in REDCap 9.3.7. (Ticket #142989)

  • Bug fix: In some cases, images that were added via the rich text editor to a project dashboard, to custom text on a report, or to survey components (instructions, questions, etc.) would mistakenly not display on the public version of the dashboard, on a public report, or on the survey, respectively, unless the person viewing it was currently logged in as a REDCap user. (Ticket #142302)

  • Bug fix: The Azure AD (V1) authentication was mistakenly displaying “samAccountName” as an option to use for “AD attribute to use for REDCap username” when instead it should have been using “onPremisesSamAccountName”. (Ticket #134789)

  • Bug fix: The Stats & Charts page might mistakenly crash in certain situations due to a fatal PHP error when using PHP 8. (Ticket #143019)

  • Bug fix: The admin detection on survey pages might mistakenly fail in certain situations and thus fail to display the “Auto-fill survey” link at the top-right of a survey page whenever an administrator is viewing the survey.

  • Bug fix: When creating a Table-based authentication user or when adding a user to a project, if the username that was entered contained illegal characters, the error message would fail to note that the @ symbol is allowed in usernames. (Ticket #142999)

  • Bug fix: When piping instance-related Smart Variables into the email text of a survey’s Confirmation Email, the resulting piped text might mistakenly not be formed correctly. For example, appending [new-instance] to the [survey-link] Smart Variable, in which survey-link contains custom display text, would output the survey URL instead of the survey link with the custom text. (Ticket #143059)

  • Bug fix: When re-evaluating an Automated Survey Invitation for a repeating survey that has been set up with a repeating ASI, the re-evaluation process might report that some invitations were scheduled when they were not.

  • Bug fix: When using Duo two-factor authentication, if the system is set to “Offline”, it would mistakenly prevent administrators from successfully logging in via Duo 2FA. (Ticket #143003)

Version 13.3.2 (released February 17, 2023)

Bug Fixes

  • Bug fix: Over 20 missing LOINC codes were added to the CDIS mapping features.

  • Bug fix: The “resources” link in the MyCap informational dialog on the Project Setup page mistakenly pointed to the wrong URL. (Ticket #142514)

  • Bug fix: The CSV file upload for importing Automated Survey Invitations (ASIs) in the Online Designer would mistakenly fail with an error if the user’s preferred CSV delimiter was not set to “comma” via their user profile. (Ticket #142555)

  • Bug fix: The cron job used for the Clinical Data Mart or Clinical Data Pull might mistakenly fail due to the user ID being used instead of the username when creating a new instance of the job.

  • Bug fix: When a record is correctly assigned to a Data Access Group, it might not appear to be assigned to its DAG while viewing the Record Status Dashboard, the Add/Edit Records page, and reports if data values for the record somehow got stored incorrectly in the backend redcap_data table in multiple/mixed cases (e.g., “101a” vs “101A”). Un-assigning and then re-assigning the record back to its original DAG might fix this issue temporarily, but the bug would arise again whenever the project’s internal “Record List Cache” was cleared/rebuilt. (Ticket #141329, #142544) NOTE: If the issue still exists after the upgrade, click the “Clear the Record List Cache” button on the Project Setup->Other Functionality page.

  • Bug fix: When exporting CSV files in various places throughout REDCap, the process might mistakenly fail for PHP 8 under specific unexpected conditions.

Version 13.3.1 (released February 10, 2023)

Changes/Improvements

  • Change/improvement: Added a new internal service check to the Configuration Check page that checks REDCap’s ability to make server-side HTTP calls to its own survey end-point. For some server/network configurations, this kind of HTTP call was failing silently and causing some survey pages to timeout sporadically. This check will help administrators become aware of this issue if it exists.

Bug Fixes

  • Bug fix: Data values imported for a patient’s “birth-sex” via FHIR using the Clinical Data Operability Services might mistakenly get converted into an incorrect value (“UNK”) in some specific cases. (Ticket #141976)

  • Bug fix: If a repeating instrument has been enabled as a survey, but the survey setting “(Optional) Repeat the survey” has not been enabled on the Survey Settings page, then when viewing the participant list, a placeholder instance might mistakenly not be displayed in the participant list to represent a not-yet-taken instance of the repeating survey. There should always be at least one untaken placeholder instance displayed for each record in the participant list for repeating surveys because this allows users to open a new instance of the survey or email the participant a link to that new survey instance. (Ticket #141545)

  • Bug fix: If a user that has “read-only” user privileges for a specific instrument is viewing the Data History of a File Upload field on that instrument, the “Delete” link next to each file/revision would mistakenly be displayed in the Data History popup. Users with read-only instrument-level privileges should not be able to delete older revisions of a File Upload field. (Ticket #141709)

  • Bug fix: If a whole record has been locked or if a data entry form has been locked for a given record, any survey participant who happened to have opened their survey prior to the record/instrument being locked would mistakenly still be able to submit and save their survey response, and as a result, possibly overwrite any existing data on the locked record/form. (Ticket #139555)

  • Bug fix: If using the e-Consent Framework with the setting “Allow e-Consent responses to be edited by users?” enabled, users with edit privileges would mistakenly be prevented from modifying the data on the consent form via a data import. (Ticket #140846)

  • Bug fix: In very specific situations where a field is a required field and is embedded in another field, in which the container field is hidden by an @HIDDEN action tag while the field embedded inside it also has an @HIDDEN action tag, the user would mistakenly get prompted by the Required Field dialog for a hidden embedded field if the container and/or embedded fields have @HIDDEN-SURVEY while on a data entry form or if they have @HIDDEN-FORM while on a survey page. (Ticket #142212)

  • Bug fix: The “System Statistics” page in the Control Center did not display the label correctly for the count of projects utilizing the Clinical Data Pull feature.

  • Bug fix: The Survey Queue page might crash due to a fatal PHP error when using PHP 8. (Ticket #142125)

  • Bug fix: When creating/editing a report, the explanatory dialog for Step 3’s “Show data for all events for each record returned” checkbox was outdated and mistakenly did not mention anything about the setting’s usage in projects containing repeating instruments/events. (Ticket #141953)

  • Bug fix: When downloading a data dictionary or an instrument zip file, any Dynamic Query (SQL) fields that contain “\n” in their SQL query would mistakenly have the text “\n” replaced with “|” in the resulting downloaded file. (Ticket #141734)

  • Bug fix: When performing certain actions in the File Repository, such as uploading files, an error message would mistakenly be displayed afterward saying that there is a DataTables warning. Bug emerged in REDCap 13.3.0 (Standard).

  • Bug fix: When the “Text-To-Speech” feature is enabled on a survey, the speaker buttons would mistakenly not appear next to the field labels of fields in a matrix, thus preventing participants from utilizing the feature there. (Ticket #141787)

  • Bug fix: When using the @RICHTEXT action tag on a Notes field, changing the text in the editor (i.e., the field’s value) might mistakenly not trigger calculations or branching logic accordingly. (Ticket #142127)

  • Bug fix: When using the page “Updating your REDCap Database Tables to support full Unicode”, some REDCap installations (depending on their specific database configuration) might experience a few minor SQL errors during the unicode transformation process.

  • Bug fix: When using the rich text editor to translate a survey’s survey instructions on the Multi-Language Management setup page, any images uploaded via the rich text editor would mistakenly not load when viewing the translations on a survey page (that is, unless the person viewing the survey is a REDCap user and is currently logged in to REDCap). (Ticket #141658b)

Version 13.3.0 (released February 02, 2023)

New Features

  • New feature: Administrators will now see an Auto-Fill Form or Auto-Fill Survey button at the top right of forms and surveys, respectively. Clicking the button will auto-fill all visible fields on the entire instrument. This is to help with testing or troubleshooting data collection.

  • New feature: Embedding file attachments in text & emails Users may now attach one or more files into the text of a survey invitation, an alert, or a field label on a form/survey, among other things, by clicking the file attachment (paperclip) icon in the rich text editor and then by uploading a file from their local device. This feature is available for every rich text editor with the exception of non-project pages (e.g., the Email Users page) and also any field with the @RICHTEXT action tag. If administrators wish to disable the ability to embed attachments in text via the rich text editor, they may disable this functionality at the system level on the Modules/Services Configuration page in the Control Center. Note: This setting operates independently from the other setting File Repository: Users are able to share files via public links (found on the File Upload Settings page in the Control Center); thus, even if public file sharing has been disabled globally, users can still upload file attachments via the rich text editor so long as its associated setting has been enabled globally. Note: All files uploaded via the rich text editor will be represented in the text of the editor as a public file-sharing link, which allows the file to be downloaded in any context (e.g., on surveys, on authenticated REDCap pages, and in public areas like emails and public dashboards). This means that if anyone has possession of this link, they will be able to download the file (at least, until the file has been deleted). All files uploaded via the rich text editor will be automatically stored in a special Miscellaneous File Attachments folder in the File Repository where they can be accessed and/or deleted, if necessary. If any such file is deleted from the Miscellaneous File Attachments folder in the File Repository, the associated download link for the file will cease to be active and thus will become a dead link wherever it has been used.

  • New feature: New one-way messaging system for Clinical Data Interoperability Services (CDIS) that is designed to provide secure communication to users who are utilizing asynchronous CDIS processes, such as background data pulling via a cron job. This new system has been developed to address the need for a secure means of communication outside of REDCap Messenger, particularly for messages that contain protected health information (PHI). Emails were not a viable option for these types of messages, as they do not provide the necessary level of security to protect PHI from unauthorized access. The system utilizes encryption techniques to ensure the confidentiality and integrity of all messages exchanged.

Changes/Improvements

  • Improvement: A new “preformatted code block” button was added to the toolbar of all rich text editors.

  • Various updates and fixes for the External Module Framework.

Bug Fixes

  • Bug fix: Fixed PHP 8 related error when an administrator tries to hide the blue Easy Upgrade box in the Control Center. (Ticket #141539)

  • Bug fix: When a survey participant enters data on a public survey, in which some required fields are left blank, it is possible for the participant to re-submit the page in the browser (via the browser Back/Reload button) and thus cause duplicate records to be created. This can especially happen for certain browsers, such as Mobile Safari on iOS devices, when minimizing the browser and then re-opening the browser later. (Ticket #141012)

  • Bug fix: When using “now” as the min/max for a date field or using “today” as the min/max for a datetime field, the validation range check would mistakenly not detect an out-of-range value. (Ticket #141646)

  • Bug fix: When using comment lines inside the Field Annotation for a @CALCTEXT field, Data Quality rule H would mistakenly not perform the calculation successfully. (Ticket #141558)

  • Bug fix: When using the rich text editor to translate a label on the Multi-Language Management setup page, any images uploaded via the rich text editor would mistakenly not load when viewing the translations on a survey page (that is, unless the person viewing the survey is a REDCap user and is currently logged in to REDCap). (Ticket #141658)

  • Bug fix: When using the rich text editor to translate a label on the Multi-Language Management setup page, the image icon was mistakenly missing from the editor’s toolbar interface, thus preventing users from uploading alternative images into the translated text.

Version 13.2.5 (released January 27, 2023)

Changes/Improvements

  • Improvement: Comment lines can be added to calculations and logic to serve as annotations to explain various parts of the logic/calc. Thanks to Gnther Rezniczek for helping add this new feature.

  • Improvement: When setting up the Survey Queue or an individual Automated Survey Invitation, the survey drop-down for the When the following survey is completed setting in the dialog now has a built-in search feature to easily find a specific survey in a long list. Additionally, if the survey title does not match the instrument title, the drop-down list will also display the user-facing form name for the survey, which should help users find the right survey quicker in certain cases.

Bug Fixes

  • Bug fix: A fatal PHP error might occur for PHP 8 on a project using the Clinical Data Pull feature, in which a user clicks the “Delete data for THIS FORM only” button at the bottom of a data entry form. (Ticket #141230)

  • Bug fix: Bug fix: When MyCap is enabled in a project, on some rare occasions when migrating a project using the MyCap external module, the process might fail due to an SQL error. (Ticket #138168b)

  • Bug fix: If a required field’s field label contains a lot of HTML, in which the field value is left empty when submitting a survey page or data entry form, the “Some fields are required” dialog that is displayed would mistakenly not look correctly on some occasions due to the HTML in the label. To prevent this issue and to make the field label more readable, the required field dialog will now strip all HTML from the field label when displaying it. (Ticket #141262)

  • Bug fix: Importing data for a patient’s race via Clinical Data Interoperability Services (CDIS) might mistakenly fail in cases where the patient has more than one race listed in the EHR.

  • Bug fix: In some cases, images that were added via the rich text editor to a project dashboard would mistakenly not display on the public version of the dashboard unless the person viewing it was currently logged in as a REDCap user.

  • Bug fix: The replacement function utf8_encode_rc() for PHP’s utf8_encode() might prevent certain users from logging in successfully, in which this ultimately is caused by certain unknown web server configurations. (Ticket #140393)

  • Bug fix: When a user is viewing the field drop-down for the Data Search feature on the Add/Edit Records page in a project that has more than 20K records, the note text in the first option of the field drop-down would mistakenly be truncated, thus preventing the user from being able to read it. (Ticket #141317)

  • Bug fix: When changing an existing alert from sending “immediately” and “every time” to sending not immediately (e.g., “Send on next X at time Y”) without explicitly clicking the “Just once” radio option in Step 2B after doing so, these changes made to Step 2 would mistakenly not get saved when saving the alert. (Ticket #140491)

  • Bug fix: When creating a project using the MyCap project template included in REDCap, in some cases the resulting project might result in errors when a participant loads the project on their MyCap mobile app.

  • Bug fix: When exporting a project’s data to SAS, in which the project is using Missing Data Codes and also the exported data set contains Text or Notes fields, the resulting SAS syntax file might mistakenly be missing an underscore at the end of the variable name for the “format” attribute for the Text and Notes fields. (Ticket #103142)

  • Bug fix: When uploading a CSV file of user privileges on the User Rights page, the “lock_records” privilege would mistakenly return an error if its value is set to “2”, which is a valid value. (Ticket #141141)

  • Bug fix: When using Clinical Data Pull and launching the CDP REDCap page embedded inside of Epic Hyperspace (this does not affect other EHRs but only Epic), the embedded page would not function correctly due to incompatibilities with Internet Explorer, which is the embedded browser utilized by Hyperspace. This bug emerged in the previous REDCap version.

  • Bug fix: When using the Randomization page while a project is in production status, a REDCap administrator is unintentionally able to erase the randomization model of the project, which should only be allowed while in development status (even for admins). The “Erase randomization model” button will now stay disabled for everyone when a project is in production. (Ticket #141286)

  • Updates for the External Module Framework, including: 1) Added arguments allowing $module->getProjectsWithModuleEnabled() to return projects in analysis/cleanup status and with completed dates, and 2) Miscellaneous scan script updates and unit test updates.

Version 13.2.4 (released January 20, 2023)

Changes/Improvements

  • Improvement: When using the built-in MyCap feature, users can now explicitly define the title of the project as seen by participants in the MyCap Mobile App. A new button has been added near the top of the MyCap App Design to allow users to set the project title that is displayed in the app. If not defined, it will default to using the user-facing title of the REDCap project, which was how it behaved in previous versions of REDCap.

Bug Fixes

  • Major bug fix: If a user is creating a new record on a data entry form, in which record auto-numbering is enabled in the project and the form is submitted by the user with a required field that has no value, if the project’s internal Record List Cache (a secondary list of records in the database for improving performance) had not been built yet or was recently cleared (which is done automatically by REDCap internally), the user submitting the form might trigger the Record List Cache building process, which might inadvertently create multiple identical records instead of just creating the one record.

  • Major bug fix: In certain situations where survey invitations get scheduled for a repeating Automated Survey Invitation, in which the record’s data is later modified, the repeating invitations that were scheduled might mistakenly get unscheduled. (Ticket #140851)

  • Bug fix: If a checkbox field has a large amount of choices, thus causing the checkbox options to become a scrollable box, the overall height of the scrollable box would mistakenly be too short on surveys that have the “Enhanced radio buttons and checkboxes” feature enabled. Since the enhanced radios/checkboxes are much larger than regular radios/checkboxes, the scrollable area has been made twice as tall in these cases in order to provide a less confusing user experience to survey participants.

  • Bug fix: If a project title contains some UTF-8 encoded characters, the project title would mistakenly display as garbled when viewing it on the My Projects page on a mobile device. (Ticket #140814)

  • Bug fix: If a repeating Automated Survey Invitation has reminders enabled, the Survey Invitation Log might mistakenly display a bell icon and number (representing a reminder) next to a recurring invitation that is not actually a reminder.

  • Bug fix: If a survey participant clicks the “Save & Return Later” button on a survey, which has no survey title (i.e., it was left blank), the email sent to the participant might be slightly confusing because it displays only two double quotes where the survey title should be. It now displays slightly different text if the survey title has not been defined.

  • Bug fix: Some LH-aligned radio buttons might mistakenly cause the page to be too wide if a radio choice label is very long. Unfortunately, the only way to fix this issue fully is to revert a change in the previous version that improved the text wrapping of the choice labels of horizontally-aligned checkbox fields.

  • Bug fix: The Multi-Language Management page in the Control Center might incorrectly denote a translated language as being 100% complete when it is only 99.9% complete. (Ticket #140724)

  • Bug fix: Various issues related to checkbox fields with many options, such as displaying a horizontally-aligned checkbox field as too wide in Firefox. Also, the new feature added in the previous version that would cause a long list of checkbox options to become scrollable has now been completely removed since so many users complained about it being problematic for them. (Ticket #140759)

  • Bug fix: When a datetime field is using “now” as the min or max validation range, and the user clicks the “Now” button next to the field after having been on the page for more than one minute, the “out of range” popup would mistakenly display.

  • Bug fix: When piping a Notes field that has the @RICHTEXT action tag, the HTML formatting in the field’s value might mistakenly not render correctly on the page, especially if the value contains HTML tables. (Ticket #140910)

  • Bug fix: When using Multi-Language Management, if some slider fields do not have their slider label values translated, it could cause some parts of the survey page or data entry form not to display all its translated text successfully. (Ticket #140871)

  • Bug fix: When using the Randomization page and downloading an example allocation table in Step 2, for certain randomization models, the CSV file produced may become too large to be processed, which might throw an error, and/or it might take an abnormally large amount of time to output the CSV file. To prevent these situations, the example allocation tables now will only output a maximum of 50,000 rows regardless of the randomization model set up in the project. (Ticket #140909)

Version 13.2.3 (released January 13, 2023)

Bug Fixes

  • Bug fix: Checkbox fields that are horizontally-aligned might mistakenly have a choice’s checkbox and its label appear on two different lines due to text wrapping. Instead, an individual choice’s checkbox and label now no longer wrap to the next line but instead stay together on the same line. (Note: This fix does not apply when viewing a form/survey on a mobile device.)

  • Bug fix: Clicking the “View Equation” link for a @CALCTEXT field on a data entry form or survey page while the project is in production status but not in draft mode would mistakenly display an error message instead of displaying the calculation. (Ticket #140645)

  • Bug fix: If PDF files had been stored in the File Repository’s “PDF Survey Archive” folder, after which the Auto-Archiver and/or e-Consent Framework had been disabled for all surveys in the project, the “PDF Survey Archive” folder would mistakenly no longer be visible in the File Repository, thus preventing users from accessing previously-saved files. That folder will now be displayed if the Auto-Archiver and/or e-Consent Framework is enabled or if any files already exist in the folder. (Ticket #140435)

  • Bug fix: If REDCap is using an external file storage method (e.g., AWS S3, Azure Blob Storage) for storing all files in the system, the Project Revision History’s version comparison feature would mistakenly fail, and it would result in a fatal PHP error when using PHP 8. (Ticket #140551)

  • Bug fix: If a Project Template has Form Display Logic, new projects created from that Project Template would mistakenly not have the Form Display Logic settings copied over. (Ticket #140489)

  • Bug fix: If a checkbox field has a large amount of choices, it could cause the field to mistakenly take up a disproportionate amount of the survey page or data entry form, thus resulting in a bad user experience. In this case now, the whole list of checkbox options will instead become scrollable so that the checkbox field does not become too unwieldy while still allowing the user to see all the choices.

  • Bug fix: If a participant email address contains one or more capital letters and is added manually to the Participant List multiple times, the Participant List would mistakenly fail to display a number and parentheses immediately before the email address on each row (e.g., “1) rob@aaa.com”) to help differentiate the multiple instances of the same email address. (Ticket #140466)

  • Bug fix: In very specific situations where a field is a required field and is embedded in another field, in which the container field is hidden by an @HIDDEN action tag while the field embedded inside it does not have an @HIDDEN action tag but does have a @DEFAULT action tag, the default value added to the embedded field via the @DEFAULT action tag would mistakenly not get saved when saving the page.

  • Bug fix: Various fixes related to issues with using Duo two-factor authentication, including issues caused by the use of a proxy with the REDCap web server. (Ticket #140186, #137099)

  • Bug fix: When downloading a CSV file of either users or user roles on the User Rights page, the form-level viewing rights and form-level export rights in the CSV file might mistakenly contain instruments that have been deleted from the project. (Ticket #140668)

  • Bug fix: When using Duo two-factor authentication, some important debugging information would mistakenly not get output to the page when an error occurred, in which it prevented admins from effectively troubleshooting certain network-based configuration issues that could cause Duo not to work dependably for users.

Version 13.2.2 (released January 06, 2023)

Bug Fixes

  • Bug fix: A SQL query might mistakenly not get formatted correctly and thus might fail when CDIS is sending a notification to a user via REDCap Messenger regarding the completion of an asynchronous CDIS task.

  • Bug fix: If a user assigned to a Data Access Group views a report that has DAG filtering imposed via “Step 3: Additional Filters” in the report settings, in which the user’s DAG is not one of the selected DAGs of the Additional Filters, the report might mistakenly display some records from the user’s DAG when instead it should not return any records in the report. A similar behavior might also occur for a user that is not assigned to a DAG when viewing the same report, but instead occurring when using the DAG Live Filter to select a DAG that is not one of the selected DAGs of the Additional Filters. (Ticket #140302)

  • Bug fix: In certain situations in which REDCap or an External Module executes a specific parameterized query to the database, the query might mistakenly fail due to an “illegal mix of collations”.

  • Bug fix: The “How do I format the equation?” link in the “Edit Field” dialog in the Online Designer would mistakenly open the wrong question on the “Help & FAQ” page.

  • Bug fix: Unless using the latest version of the REDCap Mobile App, a @CALCTEXT field might mistakenly not function correctly in the Mobile App if its calculation contains multiple nested IF() statements.

  • Bug fix: When a participant is viewing their survey queue, if they click the “Get link to my survey queue” button and then click “Send” to email the survey queue link to themselves, the Email Logging page would mistakenly not associate the email with a record in a project when searching for emails on that page. This can make it very difficult to find this email via the Email Logging page. In the future, this action will associate the email with a specific record on the Email Logging page.

Version 13.2.1 (released December 29, 2022)

Bug Fixes

  • Major bug fix: If using AAF authentication or any of the “X & Table-based” authentication methods (excluding “LDAP & Table-based”), the login process might not function correctly and might appear as if the authentication has mistakenly reverted to only “Table-based” authentication. Bug emerged in REDCap 13.2.0 (Standard). (Ticket #140065)

  • Bug fix: Certain Font Awesome icons might mistakenly not display correctly on survey pages.

Version 13.2.0 (released December 29, 2022)

New Features

  • New feature: Azure AD & Table-based authentication method- The Security & Authentication page contains a section of custom settings for using the Azure AD authentication method in REDCap. All the existing Azure AD settings apply to this new authentication method, with the addition of a new custom button text for the Azure AD button on the login page.

Changes/Improvements

  • Important change: Dropped support for PHP 7.2. Only PHP 7.3.0 and higher are now supported in REDCap.

  • Important change: New option displayed on the Configuration Check page to update the REDCap database tables to support full Unicode. REDCap installations that were initially installed using a version prior to REDCap 8.5.0 will have an older, legacy type of database collation/encoding and charset (character set). If your REDCap installation is affected, it is highly recommended that you follow the steps detailed on the page that is linked on the Configuration Check page in order to update your database. Please note that this is NOT an urgent issue, but it is something we recommend you address sooner rather than later since your current database collation and charset (UTF8 or UTFMB3) have been deprecated in the latest versions of MySQL/MariaDB and thus will eventually be removed altogether in future versions of MySQL/MariaDB. The full process of updating your database tables may take many minutes or possibly hours to run all the pertinent SQL to convert both the table structure and table data. Please follow the instructions on that page carefully, and make sure you perform a database backup before starting the process. (Thanks to Tony Jin for his help with this effort.)

Bug Fixes

  • Bug fix: The Cron Jobs page in the Control Center might crash with a fatal PHP error for certain versions of PHP if the “exec” function is disabled in PHP as a “dangerous” function on the REDCap web server. (Ticket #140034)

  • Bug fix: The user privilege for “Alert & Notifications” was mistakenly not getting copied for project users when using the “Copy Project” feature while electing to copy the current users into the new project. (Ticket #140023)

Version 13.1.7 (released January 06, 2023)

Bug Fixes

  • Bug fix: A SQL query might mistakenly not get formatted correctly and thus might fail when CDIS is sending a notification to a user via REDCap Messenger regarding the completion of an asynchronous CDIS task.

  • Bug fix: Certain Font Awesome icons might mistakenly not display correctly on survey pages.

  • Bug fix: If a user assigned to a Data Access Group views a report that has DAG filtering imposed via “Step 3: Additional Filters” in the report settings, in which the user’s DAG is not one of the selected DAGs of the Additional Filters, the report might mistakenly display some records from the user’s DAG when instead it should not return any records in the report. A similar behavior might also occur for a user that is not assigned to a DAG when viewing the same report, but instead occurring when using the DAG Live Filter to select a DAG that is not one of the selected DAGs of the Additional Filters. (Ticket #140302)

  • Bug fix: In certain situations in which REDCap or an External Module executes a specific parameterized query to the database, the query might mistakenly fail due to an “illegal mix of collations”.

  • Bug fix: The “How do I format the equation?” link in the “Edit Field” dialog in the Online Designer would mistakenly open the wrong question on the “Help & FAQ” page.

  • Bug fix: The Cron Jobs page in the Control Center might crash with a fatal PHP error for certain versions of PHP if the “exec” function is disabled in PHP as a “dangerous” function on the REDCap web server. (Ticket #140034)

  • Bug fix: The user privilege for “Alert & Notifications” was mistakenly not getting copied for project users when using the “Copy Project” feature while electing to copy the current users into the new project. (Ticket #140023)

  • Bug fix: Unless using the latest version of the REDCap Mobile App, a @CALCTEXT field might mistakenly not function correctly in the Mobile App if its calculation contains multiple nested IF() statements.

  • Bug fix: When a participant is viewing their survey queue, if they click the “Get link to my survey queue” button and then click “Send” to email the survey queue link to themselves, the Email Logging page would mistakenly not associate the email with a record in a project when searching for emails on that page. This can make it very difficult to find this email via the Email Logging page. In the future, this action will associate the email with a specific record on the Email Logging page.

Version 13.1.5 (released December 28, 2022)

New Features

  • New LTS branch based off of REDCap 13.1.4 (Standard)

Version 13.1.4 (released December 28, 2022)

Changes/Improvements

  • Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).

Bug Fixes

  • Bug fix: If the value of a Text or Notes field contains an email address that is immediately followed by a line break/carriage return, the email address would mistakenly not get converted into a “mailto” link properly when displayed on a report. (Ticket #139960)

  • Bug fix: Text describing that piping can now be used in the URL of a Data Entry Trigger and the URL of an external video for a Descriptive Text field was mistakenly not added in the previous version. It has now been added in order to inform users that piping can be used in these places now.

  • Bug fix: The user privilege for “Alert & Notifications” was mistakenly not getting copied for project users when using the “Copy Project” feature while electing to copy the current users into the new project. (Ticket #140023)

  • Bug fix: When testing a calculation using the “Test calculation with a record” drop-down for a calculated field in the “Edit Field” popup on the Online Designer, there are certain situations where the process might mistakenly crash with a fatal PHP error when using PHP 8. (Ticket #139955)

  • Bug fix: When the system-level setting “Allow reports to be made ‘public’?” has been set to “No”, administrators are still allowed to make reports public, which is expected; however, when anyone attempts to view the report using the public link, it displays an error saying that it cannot be displayed. Anyone with the public link should be able to view the report. (Ticket #132901b)

Version 13.1.3 (released December 22, 2022)

Bug Fixes

  • Major bug fix: An error would occur when enabling External Modules on PHP 7, thus preventing modules from being successfully enabled. Bug emerged in REDCap 13.1.2 (Standard).

Version 13.1.2 (released December 22, 2022)

Changes/Improvements

  • Improvement: When exporting the project logging via CSV file or via API, the record name is now included as a separate column/attribute “record” in the resulting output if the logged event is record-centric (and if not, the record value will be left blank). (Ticket #132246)

  • Improvement: The on/off switches on the Multi-Language Management setup page now have green/red coloring to more clearly denote their on/off state. (Ticket #139703)

  • Improvement: Users may now pipe Smart Variables or field variables into the Data Entry Trigger URL.

  • Improvement: When setting up an alert, Step 2’s sub-section When to send the alert? now contains the new drop-down choice “the day (beginning at midnight) that the alert was triggered” in the sub-option Send the alert X days Y hours Z minutes before/after [drop-down] . This new choice in the drop-down allows users to schedule the notification based on the day the alert was triggered and provides greater control and precision with regard to when exactly the notification will be sent. For example, if this new drop-down option is selected along with setting it to send the alert 1 day 8 hours after, this will cause the notification to be scheduled to be sent at exactly 8:00am the next morning. In previous versions, it was not possible to get this level of precision for the notification send-time based upon the alert trigger-time unless you used a date fields value as a reference. (Note: This new option is very similar to the one added for Automated Survey Invitations in REDCap 12.5.0.)

  • Improvement:' Users may now pipe Smart Variables or field variables into the External Video URL for Descriptive Text fields.

  • Change/improvement: The Database Activity Monitor page now specifies if a specific request is an instance of the REDCap cron job.

  • Change/improvement: When a user creates, edits, copies, or deletes a report, the logged event of this specific action now contains the list of all fields in the report. This improves the granularity of the audit trail for reports. (Ticket #139193)

  • Change: REDCap no longer supports individual projects having their own authentication method that is different from the system-level authentication method. Going forward, every project will automatically assume the same authentication method of the system as defined on the “Security & Authentication” page in the Control Center. (Note: The “auth_meth” column name in the “redcap_projects” database table has not been removed in order to be backward compatible with any custom scripts that might be specifically querying that column in an SQL query.)

  • Change:PHP 8.2 is now supported in REDCap. Note: The release notes of REDCap 13.1.0 (Standard) mistakenly noted that PHP 8.2 was supported in REDCap 13.1.0, which was only partially true because PHP 8.2 was not yet supported by the External Module Framework, which is a part of REDCap.

  • Various changes and improvements for the External Module Framework: Various changes and improvements for the External Module Framework: PHP 8.2 is now supported. Added the methods $module->disableModule(), $module->isSuperUser(), and $module->escape(). Added the allow-project-overrides and project-name setting options. New feature to hide external modules from non-admins in the list of enabled modules in a project. Made the scan script warn when system hooks are used. Miscellaneous scan script improvements. Fixed a bug where escaped HTML displays in field list values.

Bug Fixes

  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered on the User Rights page where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way inside a CSV file when importing user privileges or user roles on that page.

  • Bug fix: If Two-Factor Authentication is enabled in REDCap, and a user is using Clinical Data Pull, in which they are viewing a REDCap window specifically inside Epic Hyperspace, a JavaScript error might be displayed on the page. Bug was introduced in REDCap 12.5.7. (Ticket #139775)

  • Bug fix: If a project is created using a Project XML file, in which the XML file contains public reports, the unique public report link/hash of any public reports in the original project would mistakenly get duplicated and attributed to the newly created project. This would not cause any noticeable problems for the user because the public report link would always point to the original project and not to the new project created.

  • Bug fix: If a user shared a public link to a file in the File Repository, that public link would still be functional and active even after an administrator has disabled the “File Repository: Users are able to share files via public links” setting in the Control Center. (Ticket #139899)

  • Bug fix: In very specific cases when a report is set to only display the record ID field, in which the report has filter logic that contains fields on a repeating instrument/event, the resulting report might mistakenly include grayed out columns that correspond to the fields (or to the form status fields of the fields' instrument) that are used in the filter logic. (Ticket #139584)

  • Bug fix: REDCap might fail with a fatal PHP error on various pages when using PHP 8 under very specific conditions. (Ticket #139416)

  • Bug fix: The @IF action tag would mistakenly not function correctly for fields in PDF exports. For example, @IF([field]="”, @HIDDEN-PDF, “") would not function correctly to show/hide the field in the resulting PDF export.

  • Bug fix: Users with instrument-level locking privileges could inadvertently bypass locking controls and modify data on a locked data entry form if they have another browser tab open of that same data entry form before it was locked, and then saved that form within 30 seconds of locking the form in the other tab. (Ticket #139555)

  • Bug fix: When using the Clinical Data Mart, a patient’s Medical Record Number (MRN) might get stored as an empty string in the FHIR logs table, thus causing the Data Mart to crash.

Version 13.1.1 (released December 16, 2022)

Changes/Improvements

  • Improvement: Descriptive Text fields can now have inline PDF attachments that display as an embedded PDF on the page (rather than just displaying a download link).

  • Change: HTML tags are no longer stripped out of Project Dashboard titles as displayed in the “My Project Dashboards” list on the left-hand menu or on the Project Dashboards page. Additionally, the title of Project Dashboards are no longer limited to 150 characters.

Bug Fixes

  • Bug fix: A fatal PHP error would occur when using DDP Custom in a project for PHP 8. (Ticket #138771b)

  • Bug fix: A field with the @CALCTEXT action tag, in which the calculation contains text strings with line breaks, might mistakenly cause calculation errors to appear on the page and prevent the @CALCTEXT from working.

  • Bug fix: If a user is adding an external video URL to a Descriptive Text field, in which they mistakenly paste some Embed HTML or an invalid URL into the field’s video URL attribute, if REDCap doesn’t recognize it as a Vimeo or YouTube link, REDCap might mistakenly try to output the text directly onto the page as-is without verifying that it is a valid URL. (Ticket #139291)

  • Bug fix: If a user uploaded a Project XML file for a Clinical Data Mart project, it would mistakenly enable the Data Mart feature in the newly created project even when the CDM feature is disabled at the system level. This would cause some errors to occur in the project. (Ticket #139577)

  • Bug fix: In very specific situations where a field is a required field and is embedded in another field, in which both fields have branching logic, if the container field is hidden by branching logic while the field embedded inside it has branching logic that evaluates to True (meaning that the embedded field would otherwise be visible if the container field itself were visible), REDCap would mistakenly display an error saying that the embedded field is required and thus needs a value, which is incorrect since the embedded field is not even visible on the page. (Ticket #139582)

  • Bug fix: Some calculations or branching logic might mistakenly fail to work and would display an error if they are substantially long. Bug emerged in the previous version. (Ticket #127140)

  • Bug fix: Surveys that are set to use Comic Sans as the font for the survey text would mistakenly not display correctly when viewing the survey on iOS devices. (Ticket #95086)

  • Bug fix: The “Data Collection Strategies for Repeating Surveys” informational dialog would mistakenly not open.

  • Bug fix: The Standalone Launch process for Clinical Data Interoperability Services might mistakenly fail for some server configurations due to a duplicate slash (/) in the link to the page.

  • Bug fix: When a user creates a new project, either as an empty project or using a Project XML file, the project creator’s user rights would mistakenly be missing the “Alerts & Notifications” privilege.

  • Bug fix: When a user performs a data export containing fields from an instrument for which they have “De-identified” data export rights, and the user selects the de-id option to “Shift all dates” (rather than “Remove all date and datetime fields”) in the export dialog, the date fields would not be date shifted but would mistakenly be completed removed from the resulting exported data set. Bug emerged in REDCap 12.2.0. (Ticket #139392)

  • Bug fix: When an image is embedded (via the rich text editor) in an email for a survey invitation or alert, in which the Protected Email Mode is enabled in the project, the page where the recipient would view their email in REDCap might mistakenly not display the embedded image on the page but would show a broken image placeholder. (Ticket #139648)

  • Bug fix: When piping a field value for a field on a repeating instrument/event, in which the piped value originates from another repeating instance (e.g., [field][previous-instance]), the current instance’s value might mistakenly be piped instead of the value from the desired instance. (Ticket #139581)

  • Bug fix: When using Clinical Data Pull, in which a user is accessing an embedded REDCap page inside of Epic Hyperspace, some parts of the page might mistakenly not work due to JavaScript errors.

  • Bug fix: When using MyCap in a project and with a Custom Participant Label that utilizes the piping of fields (rather than selecting a single field from the field drop-down list), the Custom Participant Label would mistakenly not be displayed on the MyCap Participant List page.

  • Bug fix: When using the date/time picker widget to select a value for a date or datetime field on a survey page or data entry form, and then later on the same page the user uses the time picker on a “Time (HH:MM)” or “Time (HH:MM:SS)” validated field, after selecting the value for the Time field, the page would mistakenly scroll back to the last date/time field on that page where the date/time picker was used, which could be very confusing and disorienting to the user. (Ticket #139201)

Version 13.1.0 (released December 09, 2022)

New Features

  • New feature: Redesign of the File Repository Overview: The File Repository page has been redesigned to make it easier to store, organize, and share the files in your projects.Users now have the ability to create folders and sub-folders to help organize their files more effectively. If using Data Access Groups or user roles, users may optionally limit access to a new folder so that it is DAG-restricted and/or role-restricted. Uploading multiple files is much faster with a new drag-n-drop feature that allows for uploading dozens of files at a time. Sharing files is better too, in which users may obtain a public link to conveniently share a file with someone. New API methods also exist that allow users to upload, download, and delete files programmatically using the API. Additionally, the File Repository has a new built-in Recycle Bin folder that makes it easy to restore files that have been deleted. Users can upload as many files as they wish. There is no limit. Additionally, there is no limit to how many folders and sub-folders that can be created (or how deep that they can be nested within other folders). Sharing: Files can be shared via Send-It or using a public link. If you do not want users to be able to share files using the public link functionality, this may be disabled on the File Upload Settings page in the Control Center. Once disabled, users will only be able to share files using Send-It. File storage limit: Admins may optionally set a file storage limit that applies to all projects so that users cannot upload too many files in an abusive fashion. The value can be set in MB on the File Upload Settings page in the Control Center. There is also a project-level override for the file storage limit on the Edit Project Settings page for any given project. Note: Files in the starred folders (e.g. Data Export Files, e-Consent PDFs, Recycle Bin) do not count toward the overall file space usage of the project. Recycle Bin: Files that are deleted from the File Repository will be put in the Recycle Bin folder where they will be kept for up to 30 days before being permanently deleted. Any file in the Recycle Bin can be restored back to its original location (so long as doing so does not surpass the project’s file storage limit, if enabled). Administrators can force delete any file in the Recycle Bin, which deletes it immediately and permanently. New API methods for the File Repository: 1) Create a New Folder in the File Repository, 2) Export a List of Files/Folders from the File Repository, 3) Export a File from the File Repository, 4) Import a File into the File Repository, and 5) Delete a File from the File Repository.

  • New method for plugins/hooks/modules: REDCap::addFileToField - Attaches a file to a File Upload field for a specified record when provided with the doc_id of an existing file from the REDCap system.

  • New method for plugins/hooks/modules: REDCap::getFile - Returns an array containing the file contents, original file name, and mime-type of a file stored in the REDCap system by providing the file’s doc_id number (the primary key from the redcap_edocs_metadata database table).

Changes/Improvements

  • Improvement: The Alerts & Notifications page now has its own separate user privilege. Previously, only users with Project Design and Setup privileges could access the Alerts & Notifications page. Now, users must explicitly be given Alerts & Notifications privileges in order to access the Alerts & Notifications page. Note: During the upgrade to REDCap 13.1.0 or higher, any users with “Project Design and Setup” rights will automatically be given “Alerts & Notifications” rights in order to keep continuity with their current access to the Alerts & Notifications page.

  • Improvement: When importing User Role assignments via CSV file uploads on the User Rights page or via the API, if the project contains Data Access Groups, users can now be assigned to a DAG during the User Role assignment import process by providing an extra parameter named “data_access_group” with a valid unique DAG name. This will allow users to be added to the project, assigned to a role, and assigned to a DAG all at the same time. Additionally, when exporting User Role assignments via CSV file or via the API, the “data_access_group” attribute will be exported for each user if the project contains DAGs (to be consistent with the Import User-Role Assignment format). (Ticket #119192)

  • Improvement:For OpenID Connect authentication, the Response Mode (response_mode) authorization parameter can now be explicitly set in the OIDC authentication settings on the “Security & Authentication” page in the Control Center. This will allow admins to choose between “query (default)” and “form_post” for the response_mode OIDC setting.

  • Improvement:New setting added to the User Settings page in the Control Center: “Notify the REDCap admin via email when a new account is created (excluding Table-based user accounts)?” When enabled, this setting can be used to notify admins whenever new users enter the system. Table-based users are not included because their accounts are created by an administrator. (Ticket #133382)

  • Improvement:New setting added to the User Settings page in the Control Center: “Send a “welcome” email to new users when they create a REDCap account (excluding Table-based user accounts) - i.e., when they log in the first time using an external authentication method?”. The “welcome” email will consist of the following stock text: “You have successfully created an account in REDCap athttps://your-redcap-server.edu/. Your REDCap username is “USERNAME”. Please note that REDCap does not manage your password. If you have difficulty logging in, you should contact your local IT department. Welcome to REDCap!”.

  • Security improvement: Restricted file types for uploaded files - At the bottom of the Security & Authentication page in the Control Center, administrators may now provide a list of all disallowed file types/extensions (e.g., exe) in order to prevent users from uploading files of these types into REDCap (often for security purposes). When set, this setting will be applied to all places throughout REDCap where users are allowed to upload files.

  • Change/improvement: Added a new option $project_id parameter for the developer method REDCap::getSurveyReturnCode().

  • Change/improvement:When importing User Role assignments via CSV file uploads on the User Rights page or via the API, users can now be assigned to a role if they do not currently have access to the project. In previous versions, only existing project users could not be assigned to a role via CSV file or via API. (Ticket #119192)

  • Change/improvement:When setting the designated email field on the Project Setup page or when setting the survey-level designated email field on the Survey Settings page, if the selected field is utilized in more than one event and/or is utilized on a repeating instrument or repeating event, a warning message will be displayed in a yellow box immediately below the email field drop-down to inform the user that any update to the field on any event or repeating instance will change the value of the field in ALL events and repeating instances. This should help provide more transparency to users who might get confused by the fact that the field’s value gets updated in all places if the designated email field is located in more than one context in the project. (Ticket #131999)

  • Change: Added full support for parameterized queries in REDCaps db_query() function.

  • Change:PHP 8.2 is now supported in REDCap.

Bug Fixes

  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered on the Project Modifications page (where an admin would view a user’s Draft Mode changes) where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way in a field’s Field Label, Choice Labels, or Field Notes. (Ticket #139108)

  • Major bug fix: A malicious user could potentially delete a file uploaded into a project to which they do not have access by manipulating an HTTP request on the Alerts & Notifications page in another project. (Ticket #138873)

  • Bug fix: A couple REDCap pages that are served as AJAX requests via JavaScript mistakenly had their “Content-Type” header set as “text/html” when instead it should have been “application/json”, which was causing these requests not to be loaded successfully in the REDCap user interface in certain server/network environments.

  • Bug fix: A fatal PHP error would occur when certain Data Quality rules when using PHP 8. (Ticket #131294b)

  • Bug fix: A fatal PHP error would occur when using DDP Custom in a project for PHP 8. (Ticket #138771)

  • Bug fix: A malicious user could potentially delete or edit a REDCap Messenger message, even when the user did not create the message and is not an administrator, by manipulating the parameters and/or query string of an HTTP request performed by Messenger. (Ticket #138859)

  • Bug fix: A malicious user could potentially view a deleted message in REDCap Messenger by manipulating the parameters and/or query string of an HTTP request performed by Messenger. Only administrators should be allowed to view deleted messages in the Messenger interface. (Ticket #138873)

  • Bug fix: If a user on a data entry form clicks the PDF download option called “This survey with saved data (via browser’s Save as PDF)”, if some fields on the page have been modified but not yet saved, REDCap will display a confirmation to the user to ensure that they understand that the resulting PDF will not contain only saved data values but instead may contain both saved and yet-to-be-saved values. (Ticket #138777)

  • Bug fix: If an external module calls a randomization-related method in a project that does not have randomization enabled, it might throw a fatal PHP error for PHP 8. (Ticket #138756)

  • Bug fix: If one or more fields in a project utilize the @IF action tag, the REDCap Mobile App page would mistakenly fail to display a warning at the top of page to explain that the @IF action tag is not supported by the mobile app and thus fields with @IF might not function in the mobile app the same as they do on survey pages and data entry forms.

  • Bug fix: Language ID and display names on the MLM “Usage” page in the Control Center could mistakenly be mismatched in some cases. (Ticket #138808)

  • Bug fix: Multi-line text used inside single quotes or double quotes in the @CALCTEXT action tag might mistakenly have some words mistakenly replaced in the resulting text if they look like JavaScript or PHP operators (e.g., “or”, “and”). (Ticket #138785)

  • Bug fix: The MLM “Usage” page in the Control Center would mistakenly fail to render HTML special characters in project titles. (Ticket #138887)

  • Bug fix: The REDCap Mobile App page mistakenly noted that the mobile app does not support Field Embedding, which is no longer true. That warning message has been removed.

  • Bug fix: When both randomization and MyCap are enabled on a project, users would be unable to enable any instrument as a MyCap task in the Online Designer (excluding active tasks that were imported).

  • Bug fix: When creating a new project via a Project XML file, if the project is longitudinal and utilizes the Survey Queue and/or Automated Survey Invitations, the Survey Queue and ASI settings might mistakenly not get added from the XML file when the project is created. (Ticket #139035)

  • Bug fix: When using certain text or HTML inside the text of the @CALCTEXT action tag, the output value of the field might mistakenly be missing some spaces if text elements in the @CALCTEXT contained leading or trailing spaces. Additionally, text used in @CALCTEXT that contains HTML or single/double quotes might mistakenly get mangled and not display correctly on the page for the @CALCTEXT field. (Ticket #138396)

  • Bug fix: When using the AAF authentication method, the PHP method User::updateUsernameForAaf() mistakenly would not update all the database tables that contain a “user” or “username” column. Four tables were missing from the list. Thus, some database tables would not get updated when the method is called. (Ticket #138396)

  • Bug fix: When using the Survey Auto-Continue feature, in which a participant clicks a survey link of an already-completed survey and is redirected 20+ times through a bunch of subsequent already-completed completed surveys, some browsers might mistakenly display a too many redirects error to the participant instead of properly redirecting them to the next unfinished survey. (Ticket #138914)

Version 13.0.2 (released December 02, 2022)

Changes/Improvements

  • Improvement:MLM Usage Page - A new Usage tab will be displayed on the Multi-Language Management page in the Control Center that will display a list of all projects using MLM and in what ways they are utilizing MLM, such as the number of languages in the project (and how many are active) and whether the following MLM options apply to the given project: Deactivated by user, Enabled by admin, Deactivated by admin, and Debug mode turned on.

  • Change/improvement: The path to the web server’s PHP error log file is now listed at the bottom of the main Control Center page. This information will be useful to help admins locate their web server’s error log, which can sometimes be difficult to find.

  • Change: Added an MLM-related note at the top of the survey page where participants enter their survey access code. The note mentions that the language choices seen on that particular page might not necessarily be available on the survey that they are able to enter after entering their access code.

  • Change: The Break the Glass feature for Epic in CDIS has been updated to automatically refresh any expired BTG token. Previously, BTG tokens were short-lived and did not refresh, thus causing some issues with users.

Bug Fixes

  • Major bug fix: Several PHP 8 related issues for MyCap would sometimes prevent data from syncing correctly back to the REDCap server from the MyCap mobile app.

  • Major bug fix: When using certain external authentication methods, survey pages might sometimes mistakenly time out if the project’s internal Record List Cache (a secondary list of records in the database for improving performance) had not been built yet, which is done automatically by REDCap internally. This would cause an internal API call to fail when it is made inline while loading survey pages, thus causing the survey page not to load. This was supposedly fixed in version 12.4.13 LTS and 12.5.6 Standard Release, but mistakenly was not. (Ticket #104761b)

  • Bug fix: Dozens of REDCap pages that are served as AJAX requests via JavaScript mistakenly had their “Content-Type” header set as “text/html” when instead it should have been “application/json”, which was causing these requests not to be loaded successfully in the REDCap user interface in certain server/network environments.

  • Bug fix: In some specific circumstances, the Data Import Tool might mistakenly crash due to a fatal PHP error for PHP 8. (Ticket #138527)

  • Bug fix: The calendar feed might mistakenly provide incorrect times of calendar events for certain geographical regions that do not observe Daylight Saving Time. (Ticket #130176)

  • Bug fix: Typo on OpenID Connect’s login screen. (Ticket #138381)

  • Bug fix: When a calculated field uses the datediff() function, in which the first parameter is literally “today” while the second parameter is a datetime field, the calculation might mistakenly return a blank value. (Ticket #138033)

  • Bug fix: When creating a new project where a user selects a project template but then chooses to upload a Project XML file, REDCap might get confused about which option was selected and behave unexpectedly, such as creating the project without granting access to the initial user. (Ticket #138361)

  • Bug fix: When exporting a project as a Project XML file, the export process might mistakenly fail with a fatal PHP error for PHP 8. (Ticket #138389)

  • Bug fix: When using Clinical Data Pull, when launching from the EHR context, the button “Show record in project” would mistakenly not work if the record name was non-numeric.

  • Bug fix: When using the Clinical Data Pull, temporal fields were mistakenly not displayed in the CDP mapping table because REDCap metadata was incorrectly removed from the settings payload.

Version 13.0.1 (released November 23, 2022)

Changes/Improvements

  • Improvement:A link to the Codebook page was added inside the Add/Edit Field dialog on the Online Designer. This will allow the user to open the Codebook in a new tab without having to close the dialog to do so. (Ticket #138300)

  • Improvement:When setting up repeating Automated Survey Invitations, users can now set the repeating interval value as a number with a decimal (in previous versions, the value could only be an integer). This will allow users to approximate the interval of a monthly repeating ASI as 30.44 days since it is currently not possible for repeating ASIs to be scheduled on exactly the same day and time each month. To help users, a note has been added in the repeating survey section of the ASI setup dialog to inform them how to approximate a month as 30.44 days. (Ticket #136957)

  • Improvements for CDIS Expiration indicator for the Break the Glass feature: The new Break the Glass workflow uses tokens that expire in an hour from their creation. The interface will now show if a token is expired. Delete button for the Break the Glass feature: Users can remove entries from the list of Break the Glass protected patients using a button.

  • Change: Slight tweak in the SQL queries used on the project Logging page to make the page load faster for older projects. (Ticket #138200)

Bug Fixes

  • Major bug fix: Regarding Multi-Language Management, if the system-level setting “Require admin activation of multi-language support in projects” is disabled, the “Multi-Language Management” left-hand menu link would mistakenly not be visible to normal users unless one or more MLM languages had already been created in the project. Bug emerged in REDCap 13.0.0.

  • Bug fix: Bar charts and pie charts might mistakenly be displayed on Public Dashboards despite having an insufficient amount of data to display (based on the setting “Minimum number of data points required to display Smart Charts, Smart Tables, or Smart Functions on a public Project Dashboard…"). (Ticket #137411)

  • Bug fix: For a repeating Automated Survey Invitation that has conditional logic and has the “Ensure logic is still true” checkbox checked, if a record has invitations scheduled for the repeating ASI, and the ASI’s conditional logic no longer evaluates as True for the record, the repeating invites will stop sending (as expected), but the repeating invites would mistakenly still be displayed on the Survey Invitation Log. This would give the false impression to the user that those invitations will be sent when, in fact, they will not. (Ticket #134780)

  • Bug fix: If the RemoveTempAndDeletedFiles cron job happens to be running at the same time as the Easy Upgrade process is extracting a new REDCap version, on certain server configurations the cron job might mistakenly delete some of the REDCap files being deployed in the new version, thus leaving the new REDCap version directory missing some critical files. (Ticket #137910)

  • Bug fix: The Mapping Helper feature in CDIS might mistakenly not appear or be usable in Data Mart projects.

  • Bug fix: Using the Break the Glass feature in CDIS might mistakenly fail if the user has no access token.

  • Bug fix: When MyCap is enabled in a project, clicking the [?] link to the right of the green Publish button at the top of the Online Designer would mistakenly display an empty dialog when viewing/editing the fields in an instrument (but it looks correct when viewing the instrument list in the Online Designer). (Ticket #138146)

  • Bug fix: When MyCap is enabled in a project, on some rare occasions when migrating a project using the MyCap external module, the process might fail due to an SQL error. (Ticket #138168)

  • Bug fix: When entering a value for the “Domain allowlist for user email addresses'' setting on the User Settings page in the Control Center, it would mistakenly not allow top-level domains to be entered if they contain more than 4 characters (e.g., vanderbilt.health). It now appropriately allows top-level domains up to the maximum 63 characters. (Ticket #104291)

  • Bug fix: When performing field embedding on a survey page or data entry form, the page might crash due to a fatal PHP error if the project has a very large amount of fields.

  • Bug fix: When renaming an instrument in the Online Designer and then immediately creating a new instrument right after the renamed instrument, the new instrument might mistakenly get relocated to the first-instrument position after being created, and the record ID field might mistakenly get relocated to another position. Bug emerged in REDCap 13.0.0.

  • Bug fix: When using repeating Automated Survey Invitations, a record’s Record Home Page might mistakenly say that there are upcoming scheduled invitations that will be sent in the next 7 days despite the fact that they are actually scheduled to be sent more than 7 days later. This only involves repeating ASIs that have been scheduled.

  • Bug fix: When using the “Mapping Helper” feature or CDP Mapper for CDIS, some things might not load correctly because of some HTML needing to be escaped first in the resulting JSON.

  • Bug fix: When viewing the MyCap Participant List, in which a baseline date is being used, the baseline date value seen in the table for each participant would mistakenly be displayed in the wrong date format or would appear mangled. (Ticket #138166)

Version 13.0.0 (released November 17, 2022)

New Features

  • New feature: Integration of the MyCap External Module Introduction:MyCap is a participant-facing mobile application (on iOS and Android) used for data collection and the automated administration of active tasks (activities performed by participants using mobile device sensors under semi-controlled conditions). All data collected in the MyCap app is automatically sent back to the REDCap server as soon as internet connection is available (i.e., it can also be used for offline participant data collection). MyCap is a no-code solution for research teams conducting longitudinally-designed projects or projects with frequent participant contact. MyCap also facilitates participant engagement and retention by providing quick access to project staff and two-way communications (e.g., messaging and announcements) within the app. MyCap is available on any iOS device (iOS v11.0+) and any Android device (Android v8.0+). For more information about MyCap, check out theMyCap website,publication,resources, and a list ofMyCap use cases. System-level settings:The MyCap feature will be enabled globally by default after upgrading or installing REDCap, but it can be disabled (so that no users see the option in their projects) on the Modules/Services Configuration page in the Control Center. That page also contains a setting where, assuming MyCap is enabled globally, an admin can set it so that 1) users can enable MyCap in their projects on their own, or 2) users will need to click a button in their project to send a request requiring admin approval to enable MyCap in the project. Project-level settings:The ability to enable or request to enable MyCap in a project will be in the Main Project Settings section at the top of the Project Setup page. There is an informational dialog there that can be opened that contains helpful links to many resources, including the MyCap website, the MyCap Help document (a detailed 16-page instruction manual on setup and usage), and three videos. Project Utilization:Utilizing MyCap in a project consists of two main parts: 1) design, and 2) managing participants. The design portion is where users can enable instruments as MyCap tasks, import active tasks, and design the look and feel of the MyCap app (as the participant sees it).These things pertaining to design are performed in the Online Designer and thus require Project Design and Setup rights. The participant portion requires a new user right Manage MyCap Participants that appears on the User Rights page after MyCap has been enabled in a project.Having this privilege, a user will have access to the MyCap Participant Management page on the left-hand menu. This page will allow users to view, invite, and message their MyCap participants. In many ways, it is very similar to the Survey Distribution Tools page when using surveys. External Module Migration:If users have been using the MyCap external module, there is an upgrade path to import all the MyCap EM settings into the built-in MyCap feature. In projects with the MyCap EM enabled, users will see a Migrate to REDCap button on the left-hand menu, which opens a dialog with plenty of information about the new built-in MyCap feature. As the dialog will note, users themselves cannot perform the migration, but a REDCap admin must do so for them. The migration is fast and only requires a couple button clicks, after which it will disable the MyCap EM in the project. Note: Currently, the MyCap EM is planned to be supported only until June 2023, so it is recommended that users using the EM attempt to fully migrate well before that time. Smart Variables and Action Tags:Several new Smart Variables and Action Tags can be used with MyCap, some of which are a required, integral part of how users invite participants and also how MyCap imports data into a project. See the documentation for Smart Variables containing the prefix mycap- and Action Tags containing the prefix @MC-. Stats:System-level MyCap statistics can be seen on the System Statistics page in the Control Center.

Changes/Improvements

  • Improvement for the External Modules Framework:New “Developer Tools” section & “Module Security Scanning” link on the Control Center -> External Modules -> Manage page.

  • Improvement:New Multi-Language Management option to require admin activation of multi-language support in projects Administrators may now change the behavior of the Multi-Language Management feature so that project users cannot view or use MLM in a project until a REDCap administrator has first enabled it explicitly in that project. This behavior can be changed on the Settings tab on the Multi-Language Management page in the Control Center where it says Require admin activation of multi-language support in projects. Note: Enabling that system-level setting will not affect any projects where multi-language support is already enabled (either because it had previously been enabled explicitly by an admin or there is at least one language already set up). Additionally, the following new admin-only options have been added to the Settings tab on the MLM setup page in each project, in which these options only appear to admins and only when the system-level setting has been set where only admins may enable MLM: 1. Enable multi-language support for this project - Allows users with Project Setup and Design rights to see the MLM menu link and to use the MLM setup page. 2. Disable and hide multi-language support for this project - Turning on this option will hide the MLM menu link and prevent access to Multi-Language Management for users even when there are languages defined. This overrides the Enable option above.

  • Change/improvement: A new check was added to the Configuration Check page to detect if the Zlib PHP extension has been installed on the REDCap web server. (Ticket #137725)

  • Change/improvement: New and improved workflow and user interface for the Break the Glass feature when using Clinical Data Interoperability Services (CDIS) with Epic.

  • Change/improvement: On the Alerts & Notifications page, users are now able to copy deactivated alerts. In previous versions, alerts could not be copied until they were first reactivated.

  • Change/improvement: The path to the web server’s PHP.INI configuration file is now listed at the bottom of the main Control Center page (below the date of the last REDCap upgrade). This information will be useful to help admins locate their web server’s config file, which can sometimes be difficult to find.

  • Change: As a convenience, when deleting a conversation in REDCap Messenger, the user is no longer prompted to enter the word “delete”.

Bug Fixes

  • Bug fix: An error message would be seen by a REDCap admin attempting to approve an External Module Activation Request for a user. (Ticket #137672)

  • Bug fix: Certain versions of MariaDB do not output the “COLLATE” portion of a database table’s column definition in the results of a “SHOW CREATE TABLE” query, thus causing false positives to display in the Control Center that say that the “database structure is incorrect”. (Ticket #137551, #137575, #137321)

  • Bug fix: For some users, the My Projects page might be unusually slow to load due to a change in REDCap 12.5.17 (Standard) that removed the usage of AJAX requests on the page. To fix this performance issue, the change from 12.5.17 has been reverted back to the old behavior.

  • Bug fix: For some web server configurations, the server’s session “garbage collection” might mistakenly not run or might not run very often, thus causing the redcap_sessions database table to become overly bloated. The garbage collection process is now run manually via a cron job to ensure this task gets performed regardless of server configuration. (Ticket #137675)

  • Bug fix: When a user not assigned to a Data Access Group filters the results on the Logging page by DAG, the page might crash with an error if no users are currently assigned to that DAG in the project. (Ticket #137764)

  • Bug fix: When more than ten completed surveys are displayed in a participant’s Survey Queue, the “all surveys completed” row might appear in the wrong place in the table. (Ticket #137550)

  • Bug fix: When using REDCap::saveData() in a plugin, hook, or external module, in which the “dataLogging” parameter is passed to the method as FALSE, the record list cache (i.e., the back-end secondary list of records) would mistakenly fail to get updated during this process. This means that if new records are being created via REDCap::saveData() with dataLogging=FALSE, those records would appear not to have been created until an admin clicked the “Clear the Record List Cache” button, after which the records would finally appear in the project, such as on the Record Status Dashboard, reports, and the Add/Edit Records page. (Ticket #137836)

  • Bug fix: When viewing the REDCap Mobile App’s “App Data Dumps” page, in which a data dump file could not be found on the server for unknown reasons, it would mistakenly throw a fatal PHP error on the page for PHP 8. (Ticket #137777)