Changelog

This page includes a partial list of changes with each version of REDCap, including new features, improvements, and bug fixes. UIC REDCap is currently on Version 14.3.8, installed in May 2024.

Version 14.3.8 (released on 2024-05-02)

CHANGES IN THIS VERSION:

Improvement: Mobile Toolbox measures have been added for use in the MyCap mobile app. The Mobile Toolbox (MTB) is a research platform that includes a library of cognitive and other tests that can be administered remotely on a smartphone. The MTB’s measures include smartphone versions of assessments from the NIH Toolbox, the International Cognitive Ability Resource, and the Patient Reported Outcomes Measurement Information System. A list of all available MTB tasks in REDCap can be viewed via the “Import Active Task” button in the Online Designer for any MyCap-enabled project.
Improvement: New “Download SQL” button was added to the REDCap install page to make it easier to fetch the generated install SQL as a file rather than obtaining it from the webpage via copy-and-pasting. (Ticket #229260)
Improvement: The Codebook page now has checkboxes that can be toggled by the user to remember the collapsed state of the tables on the page on a per-project basis for the user. (Ticket #229673)
Major bug fix: When viewing the User Rights page and the survey page when using certain PHP versions, the page might mistakenly crash with a fatal PHP error. (Ticket #229976)
Change: Small changes to the redcap_log_view_requests database table to improve general application performance.
Bug fix: Certain queries on the project Logging page might mistakenly take too long to run for certain projects, thus making the page unnecessarily slow. (Ticket #229219)
Bug fix: If using Multi-Language Management and reCAPTCHA is enabled for the public survey, the reCAPTCHA page might mistakenly throw a JavaScript error when MLM is active.
Bug fix: When the system-level setting “Allow normal users to create new projects?” is set to “No”, and a user does not have the user-level option “Allow this user to request that projects be created for them…” checked on the Browse Users page, if the user knows how to navigate to the Create New Project page (even though the links to that page have been removed in the user interface), it would mistakenly display that page and would allow them to submit a request to create a project. Note: The project would not get created unless the admin mistakenly approved it while not realizing that this user should not be able to request new projects be created. (Ticket #229702)
Bug fix: Problematic code was causing the cron job to crash in certain unknown situations. (Ticket #229536)
Bug fix: When downloading an instrument PDF when the field label or section header text of a field is very long, in some cases the text in the PDF might mistakenly run over and obscure the PDF’s footer text. (Ticket #205997)
Bug fix: When users are not allowed to create or copy projects on their own, and they submit a “Copy Project” request to an administrator, in which the “Warning about miscellaneous attachments” dialog is displayed to the user on the Copy Project page, when the admin goes to approve the request, that dialog would mistakenly be displayed again (it should only be displayed initially to the user, not the admin) and thus would block the admin from successfully approving the request. (Ticket #228954)
Bug fix: When viewing the Stats & Charts page for Report B in a longitudinal project, in which one or more events are selected for Report B, the Stats & Charts page would mistakenly not filter the data on the page to those selected events but would instead display data from all events. (Ticket #228030)

Version 14.3.7 (released on 2024-04-29)

CHANGES IN THIS VERSION:

Change: The video “Full Project Build” was added as a new video on the project left-hand menu and on the Training Videos page.
Major bug fix: In specific situations when using Multi-Language Management in a project when the web server is running PHP 8.0 or higher, every project page would crash with a fatal PHP error. (Ticket #229529)
Bug fix: When exporting a project’s data to Stata, multiple choice fields would mistakenly have a “label values” entry in the Stata syntax file even when not all choice codings are integers. The “label values” entries should only be added to the Stata syntax file when a multiple choice field has an integer code for every choice. (Ticket #229277b)
Bug fix: Fixed several different SQL queries used in various places in the REDCap code that were silently failing in specific cases.

Version 14.3.6 (released on 2024-04-26)

CHANGES IN THIS VERSION:

Major bug fix: When the “href” attribute of any hyperlink has a value of “#” for any label or other user input, the entire label text would mistakenly be completely removed (i.e., would be blank) when output on the page. (Ticket #229451)
Bug fix: When importing the Survey Queue settings via CSV file, an error might mistakenly be returned if certain things, such as condition_surveycomplete_form_name, do not have a value, even when not needed. (Ticket #229186)

Version 14.3.5 (released on 2024-04-25)

CHANGES IN THIS VERSION:

Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript/HTML in a specially crafted way into the “href” attribute of hyperlinks placed inside labels and other user input that is then output onto the webpage. The user must be authenticated into REDCap in order to exploit this, with one exception: a malicious survey participant could inject the JavaScript/HTML into a Text or Notes field whose value is then viewed on a report (i.e., it would appear as a hyperlink in the report that would have to be clicked by the user to be exploited). Bug exists in all versions of REDCap. (Ticket #228857)
Medium security fix: A Base Tag Hijacking vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML in a specially crafted way into labels and other user input that is then output onto the webpage. The user must be authenticated into REDCap in order to exploit this, with one exception: a malicious survey participant could inject the HTML into a Text or Notes field whose value is then viewed on a report. Bug exists in all versions of REDCap. (Ticket #229158)
Medium security fix/protection: All usages of the PHP function iconv() have been replaced in the REDCap code due to a vulnerability (CVE-2024–2961) discovered in Glibc (GNU C Library). Note: This is not a vulnerability in REDCap but in a PHP library. This vulnerability can be remediated at the web server level via configuration settings, but this security fix/protection seeks to protect all REDCap installations in the event that their IT support is not able to remediate this vulnerability at the server level. (Ticket #229281)
Improvement: The rich text editor used throughout REDCap now has a new drop-down option in the editor’s toolbar for setting the “font family” and “font size” of any text in the editor.
Improvement: The Database Query Tool in the Control Center now has the ability to utilize “Smart Variables Context”, which can be enabled on the page via checkbox option on the DQT menu so that administrators may provide the literal values of certain Smart Variables that can be piped into the query from text boxes on the page. Also, a link or button to navigate directly to the Database Query Tool has been added to several project pages, such data entry forms, survey pages, the Edit Field dialog in the Online Designer, etc. to allow admins to open the DQT directly with the current context values (e.g., project-id, record-name, event-id) already pre-filled on the page. This will make it much, much easier to execute queries on a specific project and/or record with less copy-and-pasting. Note: This feature will not be displayed if the DQT has not been enabled yet.
Improvement: When using MyCap in a longitudinal project, users can now decide on the event display format (ID, Label, or None) for titles of MyCap tasks displayed in the Upcoming Tasks section.
Change/improvement: A few more pages were added to the “Navigate to page” widget to allow users to go to specific pages via PID and keyboard shortcuts.
Change: The video “A Brief Overview of REDCap” was replaced with a new video.
Bug fix: Survey pages might mistakenly display text inside P tags in labels as different font sizes in different situations. (Ticket #228686)
Bug fix: When using Multi-Language Management and applying or canceling draft mode changes in projects where MLM is active, there would always be a message/warning that MLM settings/translations have been modified even when this is not actually the case. (Ticket #228877)
Bug fix: When renaming a record on the Record Home Page, in which the new record name is the same as the old record name but with leading zeros (or vice versa), if both the old and new record names are integers, REDCap would not rename the record and would mistakenly take the user to another page to create a new record under the new record name provided, which is confusing.
Bug fix: In certain situations when exporting a report, the survey completion timestamps would mistakenly be date shifted in the resulting export file if the “shift all dates” checkbox is checked while the “shift all survey completion timestamps” is not checked. (Ticket #228879)
Bug fix: A query used on the Data Access Groups page was incompatible with certain versions of MySQL that have ONLY_FULL_GROUP_BY set in the SQL Mode, thus causing the query to fail for some installations. The query has been replaced with an equivalent query that is compatible with all supported versions and configurations of MariaDB/MySQL. (Ticket #228974)
Bug fix: When using Google Cloud Storage for file storage in the system, uploading/downloading a file via Send-It for a File Upload field might mistakenly not work successfully. Additionally, file downloads might also fail when using GCS when downloading files attached to data queries in the Data Resolution Workflow dialog. (Ticket #226875c)
Bug fix: When using Twilio or Mosio for a survey that is taken as an SMS Conversation, if the survey is a repeating instrument, branching logic might not work successfully for fields that have branching logic referencing fields on the same instrument. (Ticket #227028)
Bug fix: The Smart Variables [event-number] and [event-id] would mistakenly not return a numerical value but a string, causing special functions that expect numeric values to fail to produce the correct result (e.g., mod()). (Ticket #228953)
Bug fix: When using the search capability for the Biomedical Ontology feature for a Text field on a form/survey, if the user’s search returned the message “[No results were returned]”, and the user then clicked on that message, it would mistakenly display a bunch of HTML below the field when instead it should not display anything below the field. (Ticket #229124)
Various changes/improvements to the External Module Framework, including 1) Allow external module ajax requests to work on dashboards & reports, 2) Added an instance parameter to the resetSurveyAndGetCodes() method, 3) Improve performance of the disabled modules dialog, and 4) Misc. security scan script improvements.
Bug fix: Certain options on the instrument view of the Online Designer, such as Form Display Logic settings and survey-related settings, would mistakenly not function on the page for MyCap enabled projects. (Ticket #228963)
Bug fix: When copying a project, the survey setting “Display page numbers at top of survey page” would mistakenly not get copied to the new project. (Ticket #229243)
Bug fix: When utilizing Microsoft Azure Blob Storage for file storage in REDCap, some operations (specifically the “delete file” action) might mistakenly fail for specific server configurations because the CURL options for VERIFY_HOST and VERIFY_PEER were mistakenly not being set to FALSE in the API request to Azure.
Bug fix: When regular users (non-admins) import data dictionaries containing Dynamic SQL fields, in certain cases REDCap might refuse to import the file, mistakenly stating that the query has changed when in fact it has not. (Ticket #229148)
Bug fix: When exporting a project’s data to Stata, multiple choice fields would mistakenly have a “label define” entry in the Stata syntax file even when not all choice codings are integers. The “label define” entries should only be added to the Stata syntax file when a multiple choice field has an integer code for every choice. (Ticket #229277)
Bug fix: When accessing a project that is enabled as a Project Template, if the current user is an administrator that is currently impersonating another user in the project, the “Project is used as a template” box would mistakenly be displayed on the Project Home Page. That should only be displayed when the user is an admin with “Modify system configuration pages” rights and while not impersonating a non-admin user. (Ticket #229370)
Bug fix: When an instrument contains an inline PDF attached to a Descriptive field, and the instrument is then downloaded as a PDF, the first page of the generated PDF might mistakenly have text that runs off the bottom of the page if the inline PDF is displayed (via iMagick conversion to an image) on the first page of the generated PDF. (Ticket #228282)

Version 14.3.4 (released on 2024-04-18)

CHANGES IN THIS VERSION:

Improvement: When moving one or more fields in the Online Designer, a new option will appear in the field selection drop-down to allow the user to move a field to an empty instrument (i.e., an instrument with no defined fields). In previous versions, fields could only be moved to an instrument containing at least one field (not counting the Form Status field).
Improvement: New built-in PDF Viewer
- This built-in PDF viewer remediates an old gap of functionality in which iOS and Android devices are not able to display more than the first page of an inline PDF. So whenever REDCap is displaying an inline PDF (e.g., for a Descriptive field, when using the INLINE action tag on a File Upload field, or on the e-Consent certification page), if the current device is iOS or Android or if it lacks a native PDF viewer, then REDCap’s built-in PDF Viewer will be utilized automatically. For all other devices, the device’s native PDF viewer will be used.
- Notable change: Previous versions of REDCap would not attempt to display an inline PDF on the certification page of an e-Consent survey, in which it would say “This browser does not support inline PDFs. Please open the PDF in a new tab.”. But now, it will actually display the inline PDF for all devices on the e-Consent certification page, whether using the device’s native PDF viewer or if using REDCap’s PDF viewer.
Improvement: Videos hosted by the VidYard video service (vidyard.com) can now be utilized for the “Embed media” option on Descriptive Text fields. Thus, VidYard URLs (e.g., https://share.vidyard.com/watch/XYZXYZ) are now fully compatible, similar to how YouTube and Vimeo URLs have always been.
Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).
Change: New MLM tip added at the bottom of the “Forms/Surveys” tab on the MLM setup page. The tip reads as follows: “Tip: Choose your “ASI Language Source” wisely - If ASIs have been translated in your MLM setup, it is typically recommended that you utilize the “Language preference field” option for determining the translation to be used for an ASI survey invitation. Choosing “User’s or survey respondent’s active language” as the ASI Language Source can have unexpected results. For example, if a participant’s survey response triggers the ASI, the ASI’s invitation text will be output in the correct language since it uses what the participant has chosen previously. However, if the ASI is triggered by an action of the project user, such as a data import or saving a data entry form, the ASI’s text will be in the language of the project user, which may not be the language that the participant prefers.”
Various fixes and changes to the External Module Framework, including the following: 1) Made it possible to download a list of users that have Project Design rights for all projects where a given module is enabled (appears as a new button in the View Usage dialog in the Control Center), 2) Queued all External Module AJAX requests to prevent them from getting canceled by REDCap’s duplicate query protection, and 3) Miscellaneous security scan improvements.
Bug fix: Data Quality rules A and B will now return checkbox fields in the list of discrepancies if none of the checkbox options have been checked for a given checkbox field. This reverts a change made in REDCap 13.7.10 LTS and 13.9.0 Standard (via Ticket #212048), which is now considered to have been a mistake. This has been changed because the previous behavior was considered to be inconsistent with regard to how checkboxes, especially required checkboxes, are treated on survey pages and data entry forms. For example, if a checkbox field is required and no checkboxes are checked, the Required Field alert is displayed to the user, which implies that a checkbox field with no checked checkboxes is considered to be a field with a missing value. Thus, to provide more consistency with how checkboxes are treated throughout REDCap, this fix has been applied to correct this issue. (Ticket #217798)
Change: All hard-coded references to “redcap.vanderbilt.edu” have been changed to “redcap.vumc.org” to reflect the recent change of the Vanderbilt REDCap server’s domain name. Note: The old URL will continue to work and automatically redirect to the new URL until April 2025.
Bug fix: After editing the Survey Queue settings in the Online Designer, the SQ button might mistakenly display multiple green check mark icons. (Ticket #228741)
Bug fix: When using the Field Bank in the Online Designer to search for fields, it might mistakenly show answer choices that say “Login to see the value.” for specific items. (Ticket #228217)
Bug fix: When completing a survey, a JavaScript error might occur during certain parts of the survey that might cause other important processes to be blocked on the page. (Ticket #228785)
Change: When copying a project via the Other Functionality page, a new note appears below the copy project option that says “NOTE: The new project will not contain the project’s logging history (audit trail), but if you wish to obtain it, you may freely download it any time at the top of the Logging page.”. This will help users understand upfront that the logging does not get copied during this process. (Ticket #228253)
Bug fix: If some surveys are set as inactive in a project, then the Copy Project page might mistakenly have the “Survey Queue and Automated Survey Invitation settings” option unchecked and disabled. (Ticket #228742)
Bug fix: When a Text or Notes field containing HTML tags in its value is being piped to another place on the same page/instrument, the HTML tags would mistakenly not be interpreted but instead would be escaped in its final piped form. This issue would only occur when the field has a SETVALUE or DEFAULT action tag. Bug emerged in 13.7.27 LTS and 14.0.3 Standard. (Ticket #228818)
Bug fix: In certain situations on a data entry form, the Custom Event Label might not display correctly and/or might get overwritten by the Custom Record Label (or vice versa). Bug emerged in REDCap 14.2.2. (Ticket #228503)

Version 14.3.3 (released on 2024-04-11)

CHANGES IN THIS VERSION:

Major bug fix: If a project is deleted by a user, when that project is eventually deleted from the database 30 days later, if the project’s data is stored in the redcap_data2, redcap_data3, or redcap_data4 database table, the data might mistakenly not get removed from those data tables when the project as a whole is deleted. This could leave orphaned data in those data tables. Note: During the upgrade process, REDCap will automatically delete any orphaned data still present in the redcap_data2, redcap_data3, and redcap_data4 database tables. Bug emerged in REDCap 14.0.0.
Major bug fix: When the e-signature functionality has been enabled on an instrument, the e-signature checkbox at the bottom of the data entry form would mistakenly be displayed and would be clickable even when the whole record is locked. If the whole record is locked, the e-signature checkbox should remain disabled. Additionally, it might be possible in certain situations (e.g., simultaneous users locking and editing a record) for a user to lock, unlock, or e-sign an instrument while the whole record is locked. Server-side checks have now been added to prevent that. (Ticket #225320)
Improvement/change: When uploading static attachment files to an alert on the Alerts & Notifications page, the maximum allowed attachment size has been increased from 10 MB to 20 MB. Please note that sending attachments larger than 10 MB might cause the email to be rejected by certain email providers.
Bug fix: When moving one or more fields in the Online Designer, in which the user chooses to create a new instrument and then move the field to the newly created instrument (via the last drop-down option in the “Move field to another location” dialog), the process would place the Form Status field on the new instrument so that it would mistakenly be located above the new fields rather than below them. Bug emerged in the previous version.
Bug fix: When using MyCap in a project and a MyCap task exists, if a user switches the project from classic to longitudinal (or vice-versa) then task schedules might remain orphaned.
Change: When editing a MyCap task’s settings in the Online Designer, if a task is scheduled one time then the “allow retroactive” option will now not be available.
Bug fix: When using Clinical Data Mart for CDIS, revisions were failing to be imported using the Data Mart import feature.
Bug fix: When importing a data dictionary, it would be possible to import fields that have a variable name ending with an underscore character. This should not be allowed, and thus it now displays an error message when attempting to do so. (Ticket #227821)
Bug fix: When the PDF Auto-Archiver is enabled for a survey, the IP address of the participant would mistakenly be stored in the PDF Survey Archive table in the File Repository. It was intended that the participant’s IP address should only be stored when completing a survey with the e-Consent Framework enabled.
Bug fix: When opening REDCap Messenger while in a project, and then attempting to create a new conversation, the project’s left-hand menu would mistakenly cover over the “Create new conversation” dialog. Bug emerged in REDCap 14.0.16 LTS and 14.2.2 Standard. (Ticket #228033)
Bug fix: When using the Mapping Helper for CDIS, the status mapping for different types of Condition resources was inaccurately handled.
Bug fix: When accessing an instrument in the Online Designer right after creating a new project from scratch (i.e., when only the Record ID field exists), some instructional text at the top would mistakenly be too wide and might be partially covered up by other things on the page. (Ticket #228129)
Bug fix: When importing the Survey Queue settings via CSV file, an error might mistakenly be returned if certain things, such as condition_surveycomplete_form_name, do not have a value, even when not needed. (Ticket #227928)
Bug fix: When exporting a query as a CSV file on the Database Query Tool page, the first line of the CSV file would mistakenly contain a line of HTML. Bug emerged in REDCap 14.3.0.
Bug fix: When performing an initial install of REDCap on certain versions of MySQL, the install SQL script might mistakenly fail during the creation of the MyCap project template. (Ticket #228041)
Bug fix: When the “Auto-suspend users after period of inactivity” setting is enabled, users who recently had their account created but had not logged in yet would mistakenly get auto-suspended. (Ticket #224747)
Bug fix: When editing some previously-saved content using the rich text editor (i.e., editing the body of an alert, ASI, project dashboard, or field label), in which an inline image was uploaded and saved by a user while on an earlier REDCap version, the inline image in the rich text editor would mistakenly appear as a broken image inside the editor if that older REDCap version’s directory has been removed from the REDCap web server. (Ticket #228239)

Version 14.3.2 (released on 2024-04-04)

CHANGES IN THIS VERSION:

Improvement: When moving one or more fields in the Online Designer, a new option will appear at the end of the field selection drop-down to allow the user to auto-create an instrument while moving the field(s) to that new instrument. Note: The new instrument will be named “New Instrument” by default, although the user can always rename it after the fact. (Ticket #227034)
Bug fix: The two new hooks “redcap_module_project_save_after” and “redcap_project_delete_after” that were added in the previous version were mistakenly added as traditional hooks when instead they should have only been added as EM-only hooks that can only be utilized by External Modules. This has been corrected.
Various updates and fixes to the External Module Framework, including 1) Added validation button and use of Logic Editor for JSON settings, and 2) Miscellaneous security scan script improvements.
Bug fix: When a participant is completing an e-Consent survey on a mobile device, and thus it is unable to display the inline PDF of their response at the end of the survey, although they are able to view the PDF by clicking the button on the page to view it in another tab, the “Working…” popup would mistakenly appear for 20 seconds before disappearing. Instead, it should only appear very briefly before revealing the page.
Bug fix: When using Multi-Language Management, a piping issue would occur when viewing survey pages for participant-specific survey links only. (Ticket #227555)
Bug fix: Automated Survey Invitations were mistakenly not getting triggered when set up with a survey completion condition together with conditional logic in which the “OR” option is selected. (Ticket #227693)
Bug fix: The datetimepicker calendar widget used for datetime fields would mistakenly inject numbers at the end of the field value when typing a datetime value that has a time beginning with “23:”. The Datetimepicker library has been updated to a newer version, which resolves this issue. (Ticket #227636)
Bug fix: When using MyCap, there is some missing text that is utilized for displaying notes inside the repeating instruments popup (for longitudinal projects).
Bug fix: When using Google Cloud Storage for file storage in the system, uploading/downloading a file via Send-It for a File Upload field might mistakenly not work successfully. Additionally, file downloads might also fail when using GCS when downloading files attached to data queries in the Data Resolution Workflow dialog. (Ticket #226875b)
Bug fix: When viewing a report in a longitudinal project or a project containing repeating instruments/events, it now displays the text “(‘records’ = total available data across all events and/or instances)” near the top of the report. In previous versions, it did not display any clarifying text for non-longitudinal projects that had repeating instruments, which caused confusion for users regarding the meaning of the word “records” in “Total number of records queried”.
Bug fix: When using the piping parameter “:inline” when piping a File Upload field, in which a unique event name (or event-based Smart Variable) is not prepended to the field but [first-instance] or [last-instance] is appended to the field (e.g., [my_upload_field:inline][last-instance]), the piping would fail to work correctly.

Version 14.3.1 (released on 2024-03-28)

CHANGES IN THIS VERSION:

New hook: redcap_project_save_after - Allows custom actions to be performed after a project has been saved from a newly created, copied, or modified project. This allows for close control of the create, copy, and modify operations on a project.
New hook: redcap_project_delete_after - Allows custom actions to be performed after a delete action has been initiated. This allows for close control of the delete operation on a project.
Improvement: MyCap now supports repeating instrument functionality for longitudinal projects. In previous versions, repeating instruments were only supported for class/non-longitudinal projects.
Minor security fix: The TinyMCE library embedded in REDCap was upgraded to its latest version (7.0.0) due to a XSS (Cross-site Scripting) vulnerability in the library’s previous version.
Major bug fix: Users with API Import/Update privileges could successfully call the API method “Import User-DAG Assignments” without having Data Access Groups privileges in the project. Data Access Groups privileges should always be required when creating/renaming/deleting DAGs and when importing/exporting user-DAG assignments.
Bug fix: Users with API Export privileges could successfully call the API method “Export User-DAG Assignments” without having Data Access Groups privileges in the project. Data Access Groups privileges should always be required when creating/renaming/deleting DAGs and when importing/exporting user-DAG assignments.
Bug fix: Users with API Import/Update privileges could successfully call the API method “Import Repeating Instruments and Events” without having Project Design/Setup privileges in the project. It was instead checking for User Rights privileges instead of Project Design/Setup privileges.
Bug fix: Users with API Export privileges could successfully call the API method “Export Repeating Instruments and Events” without having Project Design/Setup privileges in the project.
Bug fix: Users with API Import/Update privileges could successfully call the API methods “Import DAGs” and “Delete DAGs” without having Data Access Groups privileges in the project.
Bug fix: Users with API Export privileges could successfully call the API method “Export DAGs” without having Data Access Groups privileges in the project.
Bug fix: Users with API Import/Update privileges could successfully call the API method “Import Project Settings” without having Project Design/Setup privileges in the project.
Bug fix: Users with API Export privileges could successfully call the API methods “Export Users”, “Export User Roles”, and “Export User-Role Assignments” without having User Rights privileges in the project.
Bug fix: When using Multi-Language Management, some MLM AJAX calls might mistakenly not work when using Shibboleth authentication. (Ticket #225282)
Bug fix: When using Google Cloud Storage for file storage in the system, uploading/downloading a file via Send-It for a File Upload field might mistakenly not work successfully. Additionally, file downloads might also fail when using GCS when downloading files attached to data queries in the Data Resolution Workflow dialog. (Ticket #226875)
Bug fix: When using Multi-Language Management and adding a system language to a project where the language set on the Control Center’s General Configuration page differs from the language set in a project (via Edit Project Settings page), the “The original values of some translated items have changed” message would mistakenly be shown. (Ticket #227077)
Bug fix: When using MyCap and viewing the Online Designer, the “Enable” MyCap buttons for PROMIS battery instruments are now disabled since these are not yet supported in the MyCap mobile app.
Bug fix: The order of the alerts as displayed in the “Re-evaluate Alerts” dialog mistakenly does not match the order of the alerts on the Alerts & Notifications page. (Ticket #227234)
Bug fix: When using the randomization feature, while a radio strata field exists on the same instrument as the randomization field, after the record is randomized on the data entry form, the strata field’s “reset” link (for resetting its value) would mistakenly still appear on the page until the page is refreshed or returned to later. The “reset” link should be immediately hidden after randomization has occurred. (Ticket #226998)
Bug fix: When a survey participant submits the first page of a survey and gets the “Some fields are required” prompt because some required fields were left empty, the “start time” of the response would mistakenly not get stored in the backend database, thus preventing REDCap from displaying the start time or duration of the survey at any time afterward, including via Smart Variables (e.g., [survey-time-started], [survey-duration]). Note: This only occurs when required fields are left empty on the first page of the survey, not on subsequent pages. While this fix will prevent the issue from occurring in the future, it will unfortunately not be able to retroactively fix the issue for already-affected responses that are missing their start time and duration values. (Ticket #226240)
Bug fix: If the E-signature feature is disabled system-wide via the Modules/Services Configuration page in the Control Center, the user rights option “Locking/Unlocking with E-signature authority” would mistakenly still appear when adding/editing a role or user. Additionally, if the E-signature feature is enabled system-wide but is not available for a specific user to use (e.g., if using Entra ID authentication but not using Two-Factor Authentication with the E-signature 2FA PIN option enabled), the user rights option “Locking/Unlocking with E-signature authority” would mistakenly still appear for that specific user. (Ticket #227220)
Bug fix: When using CDP, encounter diagnosis mappings and potentially other kinds of conditions in CDP projects were not being applied correctly, causing data not to be imported correctly from the EHR. (Ticket #227307)

Version 14.3.0 (released on 2024-03-21)

CHANGES IN THIS VERSION:

New feature: Custom Query Folders - For improved organization, Custom Queries on the Database Query Tool page can now be organized into folders. Additionally, custom queries can be exported and imported using a CSV file.
New action tags: @MC-PARTICIPANT-JOINDATE-UTC and @MC-PARTICIPANT-TIMEZONE - These action tags will capture the MyCap participant’s timezone and also the install date/time (in UTC time) of the MyCap participant whenever the participant joins a project via the MyCap mobile app. NOTE: This is used only for the MyCap mobile app. The fields’ values are not generated when viewing the data entry form but only when the MyCap app is making a call to REDCap when the participant joins the project. Additionally, while these action tags can be added to a new field in already-existing MyCap projects, a field with this action tag will be auto-added to any projects where MyCap is enabled in the project after the fact and for any new projects created using the MyCap project template.
Improvement: API examples in C Sharp (C#) code were added to the API Playground.
Improvement: When viewing a user on the Browse Users page in the Control Center, it now lists a new row “Number of users of which user is a sponsor” in the table. It will list how many sponsees the user has and also a link to open a dialog that will list the username and first/last name of all their sponsees. (Ticket #225819)
Improvement: In the Online Designer, when a user clicks on the green button “Field is embedded elsewhere on this page” on an embedded field in the table, the page will scroll up to where the field is embedded and flash a red border around the container field. This will make it easier for users to find where a field is embedded.
Improvement: In the Online Designer, the variable name for each field on the page is clickable, and when clicked, will copy the variable name to the user’s clipboard.
Improvement: In the Online Designer, when a user attempts to click into the variable name field in the Edit Field popup while the project is in production, the dialog that notes that the variable name is not editable when in production will now also display the variable name as clickable in the dialog’s text, and when clicked, will copy the variable name to the user’s clipboard.
Bug fix: In specific situations when downloading an instrument PDF in a longitudinal project, the process would mistakenly crash when using PHP 8. (Ticket #226047)
Bug fix: When utilizing the project-by-project Unicode Transformation process, which is done using a cron job via Step 2 on the Unicode Transformation page, the data in the Data Resolution Workflow related table might mistakenly not get transformed (i.e., the comments for data queries in DRW).
Bug fix: When using CDIS, some mapping for Adverse Events were not being pulled, such as causality.
Bug fix: Multi-language Management mistakenly failed to translate a number of survey exit pages (survey offline, response limit reached), and the language selector would be inaccessible. (Ticket #226237)
Bug fix: When using CDP or DDP Custom, the “database” icon would mistakenly not be displayed next to a mapped field on the data entry form for right-aligned Notes fields. (Ticket #226554)
Bug fix: When using CDP or DDP Custom, the Record Status Dashboard page might mistakenly attempt to automatically pull data from the EHR for records on the page when viewing that page as an administrator that is not a user in the project. Instead, it will now only do this for project users.
Bug fix: The “characters/words remaining” message mistakenly was not translated on data entry and survey pages when using Multi-language Management. (Ticket #226676)
Bug fix: When using the Stats & Charts page in a longitudinal project, in which some data had been collected on specific instruments and then later those instruments were undesignated for certain events, thus orphaning some of the data, the charts displayed on the page would mistakenly include the orphaned data for the undesignated instruments when they should be excluding that data. (Ticket #30382)
Bug fix: When a confirmation email is defined for a survey on the Survey Settings page, and then later the user selects “No” to disable the confirmation email on that page, it would mistakenly not disable the confirmation email setting after clicking the Save Changes button. Note: This would only be noticeable if the user returned to the page afterward. (Ticket #226697)
Bug fix: When an inline image is used in the body of an alert, the image might mistakenly not be displayed (i.e., a broken image icon would appear) when a user views an already-sent alert message in the Notification Log. (Ticket #226089)
Bug fix: When using the Data Resolution Workflow while a project is in Analysis/Cleanup status with data as Read-only/Locked, users might still be able to submit a data entry form after navigating to the form in a specific way from the Resolve Issues page. Users should not be able to submit a data entry form while in Analysis/Cleanup status with data as Read-only/Locked. (Ticket #226735)
Bug fix: When the datediff() function is used in a calculated field, in which it contains “today” or “now” as one of the two parameters and the other parameter is a DMY or MDY formatted date/datetime field from another event and also exists on a repeating event or repeating instrument, a calculation error message might appear on the survey page or data entry form, thus preventing the page from working correctly. (Ticket #226037)
Bug fix: When taking a survey using a mobile device, in certain situations the Submit button might be partially obscured by the browser window and thus might not be clickable. (Ticket #226895)
Bug fix: If a project has a repeating Automated Survey Invitation, and then later the survey instrument is set to be no longer repeating (via the Project Setup page settings), the ASI would continue to function as if the survey was still a repeating instrument.
Bug fix: When a regular user (non-admin) is uploading a CSV data file via the Background Data Import, the upload process might mistakenly fail due to a PHP error if the user is not assigned to a Data Access Group. (Ticket #226639)
Bug fix: When using CDIS, a query in the code was structured incorrectly so that it might mistakenly not return recently modified records in certain use cases, thus affecting CDIS’ ability to import data from the EHR effectively.

Version 14.2.2 (released on 2024-03-07)

CHANGES IN THIS VERSION:

Improvement: The Custom Event Label, if being used in a longitudinal project, will now display at the top of the data entry form in the yellow event bar. In previous versions, it only appeared above each event column on the Record Home Page. Now it appears in both places.
Improvement: Users may now use “now” or “today” (wrapped in quotes) instead of a field variable in the special functions day(), month(), and year() in order to capture a specific date component of today’s date.
Change: The Configuration Check page will no longer display a warning if any REDCap database tables have “compressed” row_format. REDCap now allows both “compressed” and “dynamic” as the row_format. (Ticket #224878)
Bug fix: When viewing the Stats & Charts page in a longitudinal project, the page might mistakenly crash in very specific scenarios when running PHP 8. (Ticket #225493)
Bug fix: The API method “Export a File from the File Repository” would mistakenly output an incorrect MIME type for a file being exported. (Ticket #225517)
Bug fix: Modifying the value of a Notes field that has the @RICHTEXT action tag would mistakenly not cause the “Save your changes” prompt to be displayed if a user attempts to leave the page afterward. (Ticket #225367)
Bug fix: The special function concat_ws() would mistakenly include fields with blank values in its output. It is expected that blank values should not be included. For example, if we have @CALCTEXT(“ and “, [dob1], [dob2], [dob3), it would mistakenly output “2024-03-01 and and 2024-03-01” when field “dob2” is empty/blank, whereas it should instead output “2024-03-01 and 2024-03-01”.
Bug fix: If a participant attempts to load a survey using a non-public survey link after the participant’s record has been deleted in the project, they would be mistakenly redirected to the REDCap login page, which is confusing. Instead, an appropriate error message is now displayed to let them know the survey is no longer active or that they are no longer a participant. (Ticket #225427)
Bug fix: When using the Clinical Data Pull in CDIS, specifically when launching the CDP window in an EHR context, an undefined JavaScript function might produce a JavaScript error, thus causing certain things not to function correctly on the page.
Bug fix: When using the Clinical Data Pull in CDIS, the “address-district” demographics field was mistakenly missing, and thus EHR data could not be pulled for it.
Bugfix: When MLM is active, matrix headers mistakenly were shown over each line of a matrix field when output as an instrument PDF. (Ticket #225203)
Bug fix: If matrix field labels contain tags, the downloaded PDF of the instrument might mistakenly display the field labels overlapping each other.
Bug fix: When using Double Data Entry as DDE person 1 or 2, records that are locked at the record level would not appear to be locked and might mistakenly allow a user to modify a locked record. (Ticket #225431)
Bug fix: When creating an alert in a longitudinal project, the “Email To” option would display an event-ambiguous email field (i.e., “Any Event”) that could be chosen. However, in many situations, this might cause the alert not to be sent (or it is attempted to be sent with a blank sender address). To prevent this issue, the “Any Event” field options are now no longer displayed as choices for the “Email To” field for alerts. (Ticket #224839)
Bug fix: When using MLM, importing UI translations would mistakenly not be possible in projects with subscribed languages, even when UI overrides are explicitly allowed.
Bug fix: When exporting data to R, any backslashes in the R syntax file would mistakenly not get escaped. Now all backslashes are replaced with a double backslash in the resulting R code. (Ticket #225046)
Bug fix: When a project’s first instrument is a repeating instrument, and a user is performing a data import of new (not existing) repeating instances for another repeating instrument in the project, new empty instances would mistakenly get created for the first instrument when new instances should only get added for the desired repeating instrument. (Ticket #224932)
Bug fix: When viewing scheduled alerts on the Notification Log page for alerts that are recurring, the scheduled send time might mistakenly appear to be incorrect in the Notification Log if the alerts are set to recur every X minutes/hours/days, in which X is a number with a decimal (i.e., not an integer). Note: This does not appear to prevent the alert from being sent at the appropriate time, but this is simply a display issue in the Notification Log. (Ticket #225860)
Bug fix: When using a mobile device and attempting to open Messenger, the Messenger panel might mistakenly be obscured and not viewable in certain contexts.
Bug fix: A fatal error might occur when calling REDCap::saveData() when providing “array” data in an incorrect format to the method while running PHP 8. (Ticket #225896)
Bug fix: The API Playground’s example R code for the API Export File method was not correct and has been fixed. (Ticket #101454b)
Bug fix: When CDIS is enabled, specifically Clinical Data Mart, with one or more EHRs defined on the CDIS page in the Control Center, the My Projects page might mistakenly crash in certain situations when using PHP 8. (Ticket #225890)
Bug fix: When calling the “Import Users” API method and providing the data payload in CSV format, the “forms_export” privileges provided in the CSV might mistakenly not get parsed correctly, which might cause the API script to return an error, specifically when using PHP 8, or it would mistakenly set the user’s data export rights to “No Access” across the board for all instruments.
Bug fix: The query cache efficiency check on the Configuration Check page might mistakenly display a false positive saying that the MySQL query cache is not efficient when actually it is. (Ticket #225731)
Bug fix: It is possible to perform data imports in which the record name contains a line break or carriage return character. Those characters should not be allowed in record names. (Ticket #224506)

Version 14.2.1 (released on 2024-02-29)

CHANGES IN THIS VERSION:

Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into a field’s data value when viewed on the Data Comparison Tool page. The user must be authenticated into REDCap in order to exploit this in a project. Bug exists in all REDCap versions for the past 10 years.
Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into specific translated labels when using Multi-Language Management. The user must be authenticated into REDCap in order to exploit this in a project. Bug exists in all REDCap versions beginning with v12.0.0.
Major security fix: A Stored Cross-site Scripting (XSS) vulnerability was discovered in the File Repository in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the folder name of a folder created in the File Repository. The user must be logged in to REDCap and also must have File Repository privileges in the project in order to exploit this. Bug emerged in REDCap 13.1.0.
Bug fix: If a user assigned to a Data Access Group is importing records via the Background Data Import, those records would mistakenly not get assigned to the user’s DAG. In addition, if record auto-numbering has been selected for the import, it would also not prepend the record names with the DAG ID number and a dash. (Ticket #224833)
Bug fix: When using “OpenID Connect & Table-based” authentication, clicking the “Logout” link in REDCap might mistakenly result in a logout error in the Identity Provide/SSO service. Bug emerged in REDCap 13.10.4. (Ticket #224757) * Bug fix/change: The “Azure AD” authentication is now referred to as “Microsoft Entra ID (formerly Azure AD)” in the REDCap user interface due to the fact that Microsoft renamed the product to “Microsoft Entra ID” at the end of 2023.
Bug fix: A fatal PHP error might occur for PHP 8 when viewing the Record Home Page or Record Status Dashboard for a record on an arm that has no events. (Ticket #225089)
Bug fix: When entering text for an alert message when adding/editing an alert on the Alerts & Notifications page, in which the field list menu would appear after entering the “[” character, clicking a field in the field list would mistakenly not inject that variable name into the alert message. (Ticket #224895)
Bug fix: When using the repeatable settings in the External Modules configuration dialog, removing a single repeating setting instance would mistakenly remove all repeating instances in the dialog. Bug emerged in REDCap 13.11.0. (Ticket #225171)
Bug fix: When using the Data Resolution Workflow, a fatal PHP error for PHP 8 in certain situations when data is being saved in certain contexts, such as data imports, when some data values have been “Verified”. (Ticket #225198)
Bug fix: If using certain versions of MariaDB, the “YOUR REDCAP DATABASE STRUCTURE IS INCORRECT!” error message might display as a false positive in the Control Center, even when nothing is wrong with the database table structure.
Bug fix: When Double Data Entry is enabled, and the current user is either DDE person #1 or #2, in which Form Display Logic has been defined in the project, the Form Display Logic might mistakenly not work correctly when viewing the Record Home Page. (Ticket #225125)
Bug fix: The Copy Project page would mistakenly have the wrong label for the “Copy Project Dashboards” checkbox. Bug emerged in the previous version.

Version 14.2.0 (released on 2024-02-22)

CHANGES IN THIS VERSION:

Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the Data Quality page in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into parameters in certain AJAX requests.
New feature: Project Dashboard Folders - Project Dashboards in a project can now be organized into folders. If a user has Project Setup & Design privileges, they will see an “Organize” link on the left-hand project menu above the Project Dashboards panel. They will be able to create folders and then assign their Project Dashboards to a folder, after which the Project Dashboards will be displayed in collapsible groups on the left-hand menu. (Ticket #137183)
New feature: Account Expiration Email Templates - At the bottom of the User Settings page in the Control Center, administrators may optionally customize the email text of the account expiration emails that are sent to users prior to the users’ impending expiration. Two text editors exist on the page, in which admins may define text for users with sponsors and also for users without sponsors. If no custom text is provided, stock text will be utilized in the outgoing emails to users. (Ticket #58767)
Improvement: If using CDIS, new data fields “Legal Sex” and “Sex for Clinical Use” can now be mapped for Clinical Data Pull projects and also will be included in Clinical Data Mart projects. Note: Currently, only Epic is providing data for these fields, but other EHR systems will likely add them too in the near future.
Improvement: New “Test Run” option when re-evaluating Alerts and Automated Survey Invitations - When performing the “Re-evaluate” feature for Alerts and ASIs, a new toggle that says “Enable Test Run?” can be clicked in the dialog, which will perform a test run (dry run) to simulate what would have happened (e.g., schedule or send alerts/invitations) but without actually doing anything. This will allow users to feel more confident if they actually need to perform a real re-evaluation of Alerts or ASIs so that they know beforehand how many records will be affected during the re-evaluation. In addition, users may download a CSV file of all affected record names afterward, whether using the test run option or not.
Improvement: The Project Home Page now contains an icon in the Current Users table to allow users to download the current user list as a CSV file.
Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).
Bug fix: The EHR launch process in CDIS might mistakenly fail in specific situations where Azure AD is the authentication method in REDCap.
Bug fix: The Rapid Retrieval caching system might mistakenly fail with a fatal PHP error in some specific instances. (Ticket #224840)
Bug fix: The developer method REDCap::getUserRights() would mistakenly not return instrument-level Data Export Rights information. (Ticket #224887)
Bug fix: If using CDIS, the Clinical Data Pull mapping tool might mistakenly throw a JavaScript error. Additionally, Descriptive fields were mistakenly being excluded from the CDP mapping tool.
Bug fix: If the @SETVALUE action tag exists on a field on an e-Consent survey, it would mistakenly allow the field’s value to be overridden even when the e-Consent setting “Allow e-Consent responses to be edited by users” is not checked. (Ticket #225008)

Version 14.1.6 (released on 2024-02-15)

CHANGES IN THIS VERSION:

Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).
Change: The “Email Alerts” converter that migrates alerts from the Email Alerts external module to alerts in “Alerts & Notifications” has been officially removed. This feature was technically removed four years ago, but there still existed an Easter Egg in the redcap_config database table that would allow it to be used during emergency situations.
Change/improvement: All logged events concerning Alerts & Notifications will now additionally display the alert’s Unique Alert ID in order to make it easier to discern alerts from each other if alerts are reordered or moved after being created (i.e., if their alert number changes over time). (Ticket #222857)
Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).
Bug fix: When the “Auto-suspend users after period of inactivity” setting is enabled, users who recently had their account created but had not logged in yet would mistakenly get auto-suspended. Bug emerged in the previous version. (Ticket #224266)
Bug fix: If any text used in an outgoing SMS text message contains an HTML hyperlink, in which the link’s text is virtually the same as the link’s URL, it would mistakenly display the URL in parentheses after the link text in the resulting SMS message. It should only do this when the link text is different from the URL. (Ticket #109648)
Several bug fixes for the External Module Framework.
Bug fix: When an Automated Survey Invitation with conditional logic is being evaluated when a record’s data is being saved, in which the conditional logic references a field in a repeating instrument or repeating event where the field does not have an X-instance Smart Variable appended or an instance number appended to itself, the logic might not get evaluated as expected.
Bug fix: When using the datediff() function in which the Daylight Saving Time barrier is crossed when calculating the result of two datetime values, in specific cases the result might mistakenly be one hour off if using units of “h”, “m”, or “s” for the function. (Ticket #223682)
Bug fix: In some cases when inline PDFs are attached to Descriptive fields, and a user downloads the PDF of the instrument, if the iMagick PHP extension is installed on the web server, there would mistakenly be a blank page following the inline PDFs in the resulting REDCap-generated PDF of the instrument. (Ticket #222014)
Bug fix: In places that display a drop-down list of records for the “Test logic with a record” feature, most notably in the branching logic dialog, Survey Queue setup dialog, and ASI setup dialog, the dialog might mistakenly never load if the project contains many thousands of records. For now on, it will display a normal drop-down list if the project contains 1000 records or fewer, and if the project contains more than 1000 records, it will instead automatically revert to displaying an auto-suggest text box to allow the user to manually enter the record name (rather than attempting to display an extremely long drop-down). (Ticket #224531)
Bug fix: If the Custom Event Label is used in a longitudinal project and contains any HTML tags, all the tags would mistakenly get stripped out when exporting the project’s Project XML file. (Ticket #224571)

Version 14.1.5 (released on 2024-02-08)

CHANGES IN THIS VERSION:

Improvement: Administrators are now able to view survey pages even when the system or a project is in “offline” status. Note: The admin must have logged into REDCap (i.e., they have a session cookie) before the system/project was taken offline in order to access a survey page. (Ticket #223524)
Improvement: Enhanced settings for importing email addresses from EHRs via Clinical Data Interoperability Services (CDIS) - Previous versions of REDCap had a CDIS feature to allow or disallow projects from importing the email addresses of patients from the EHR, in which it was either completely disallowed or an admin could enable the feature on an individual project via the Edit Project Settings page. The new features provide more options so that it can be 1) disabled for all projects, 2) enabled for all projects, or 3) allow individual projects to decide (via the admin-only setting on the Edit Project Settings page). (Ticket #223068)
Improvement: When using CDIS in a project, a new status indicator for FHIR access tokens will appear underneath each user in the Current Users table on the Project Home page. This feature helps team members and admins quickly see who needs to update their access token, essential for CDIS background fetch processes.
Bug fix: When utilizing the project-by-project Unicode Transformation process, which is done using a cron job via Step 2 on the Unicode Transformation page, if processing individual projects that do not have any surveys enabled, it would mistakenly execute several unnecessary, long-running SQL queries on each project lacking surveys, which would make the overall process take much longer to fully complete than it should.
Bug fix: It might be possible for users or participants to manipulate an HTTP request in a specially-crafted way in order to upload files of any file type into a Signature field on a data entry form or survey. Note: This does not pose a security issue of any kind, and if certain file extensions are defined in the “Restricted file types for uploaded files” list in the Control Center, then those file types will be blocked immediately and not saved in the system.
Bug fix: In some rare cases, the “collation_connection” setting for the REDCap database connection might mistakenly be taking effect, which could thus lead to possible encoding issues when pulling information from or storing information in the REDCap database.
Bug fix: The simultaneous user prevention check on data entry forms would mistakenly prevent multiple users from accessing and editing different repeating instances of the same record-event-instrument in a project.
Bug fix: On certain pages/dialogs, the calendar datepicker popup might mistakenly fail to be displayed when expected (e.g., when editing an alert). Bug was supposedly fixed in the previous version but still persists in some places throughout the application. (Ticket #223627)
Bug fix: When importing Form Display Logic via a CSV file, the checkboxes for the FDL’s optional settings would mistakenly all become unchecked after the import. (Ticket #223666)
Bug fix: When the “Auto-suspend users after period of inactivity” setting is enabled, users who have not been added to any projects might mistakenly not get auto-suspended. (Ticket #223659)
Bug fix: When uploading a CSV file to add or rename Data Access Groups on the DAG page in a project, in which the user provides a unique group name in the CSV file for a DAG that does not yet exist, the error message provided would be confusing as to what the problem is. In this situation, a more detailed error message is provided to inform the user that the unique group name is only used for renaming DAGs and should be left blank when creating new DAGs. (Ticket #223526)
Various updates to the External Module Framework, including adding the “redcap_module_api_before” hook and miscellaneous security scan improvements.
Bug fix: When the Rapid Retrieval caching feature is using file-based storage and is utilizing the alternate storage location (instead of using REDCap temp for storage), it might store some of the RR files in the REDCap temp directory by mistake. (Ticket #223738)
Bug fix: When using Google Cloud Storage for file storage in the system, uploading a file on the main Send-It page might mistakenly not work successfully. (Ticket #221098b)

Version 14.1.4 (released on 2024-01-30)

CHANGES IN THIS VERSION:

Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the “Importing instrument from the REDCap Shared Library” page in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into input elements on the page. The user must be authenticated into REDCap in order to exploit this. Bug exists in all REDCap versions for the past 10 years.
Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered in the Database Query Tool in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into saved queries on the page. The user must be an admin and must be authenticated into REDCap in order to exploit this. Bug emerged in REDCap 12.3.0.
Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the Alerts & Notifications page in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into parameters in certain AJAX requests. The user must be authenticated into REDCap in order to exploit this. Bug emerged in REDCap 9.0.0.
Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the confirmation page displayed for users who have put in specific requests to the REDCap administrator (e.g., requested a project be moved to production) in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into the URL. The user must be authenticated into REDCap in order to exploit this. Bug exists in all REDCap versions for the past 10 years.
Medium security fix: A Broken Access Control vulnerability was discovered in which a logged-in user who is not a REDCap administrator could create Custom Application Links and have those open on the left-hand menu for any and all projects in the system. Only admins should be able to create, modify, and delete Custom Application Links in the Control Center. This could be used to trick users into navigating to potentially malicious websites.
Medium security fix: Lower-level REDCap administrators (e.g., with “Manage user accounts” rights) could potentially escalate their own admin privileges by utilizing information from certain tables in the database via the Database Query Tool page. Going forward, only administrators with ‘Admin Rights’ privileges, ‘Modify system configuration pages’ privileges, or ‘Access to all projects and data with maximum privileges’ privileges are allowed to access the Database Query Tool.
Medium security fix: There is a possibility in very specific situations that a malicious user might be able to reactivate another user’s session and take it over after the other user has logged out of REDCap. This would require obtaining the other user’s session ID.
Minor security fix: Cross-site Request Forgery (CSRF) protection was mistakenly not applied to the user action of deleting arms on the Define My Events page.
Minor security fix: If a logged-in user has specific knowledge of the REDCap system, they might be able to manipulate the parameters of a specific AJAX endpoint in order to send custom crafted emails impersonating any email sender (i.e., they can set the email’s From address to anything they wish).
Major bug fix: On certain pages/dialogs, the calendar datepicker popup might mistakenly fail to be displayed when expected (e.g., when composing survey invitations). Bug emerged in the previous version. (Ticket #223277)
Bug fix: A fatal error would occur when using Azure AD authentication. Bug emerged in REDCap 14.1.2. (Ticket #223173)
Bug fix: The Rapid Retrieval caching feature might mistakenly cause some API calls to hang and eventually time out. (Ticket #223083)
Bug fix: Since Microsoft will soon be deprecating their Azure Storage PHP client libraries that are currently used by REDCap, the Azure Storage library has now been replaced in REDCap with new custom-built methods for making calls directly to the Azure Blob Storage REST API. (Ticket #216356)
Bug fix: If the first instrument in a project is taken as a public survey, it can end up with two different (but equally valid) return codes, assuming the survey has “Save & Return Later” enabled. However, it could be confusing for users to see two different return codes and think something is wrong. For consistency, the return code on the data entry form will now match the return code displayed to the participant on the survey page. (Ticket #208079)
Bug fix: In very specific situations when using branching logic on a multi-page survey that is a repeating instrument/survey, some survey pages might get mistakenly skipped if the repeating instance number is greater than “1” when all fields on the page have branching logic that references field values on the current repeating instance. (Ticket #223126)
Bug fix: For Step 2 when editing an alert and setting “Send it how many times?” to “Multiple times on a recurring basis”, the number interval of the recurrence could mistakenly only be 4 characters long at the maximum. (Ticket #223020)
Bug fix: When a REDCap administrator has limited data export privileges in a project and then calls the Export Report API method, REDCap would mistakenly remove many of the fields in the resulting data set, which should not happen to administrators. (Ticket #223259)
Bug fix: When using Multi-Language Management, certain types of fields (yesno, truefalse, matrix field choices) would fail to be properly piped when the fields do not exist on the same form. (Ticket #222446)
Bug fix: In some situations, it might be possible for a user or admin to duplicate the process of moving a project to production status, which would inadvertently cause the project to end up in Analysis/Cleanup status instead. (Ticket #222935)
Bug fix: When using the @if action tag on a survey question, in which the participant is returning to the survey via their “Save & Return Later” return code, the @if logic might mistakenly not get evaluated correctly on the page to which they return, thus possibly utilizing the wrong action tags for the field. Note: This does not occur for subsequent pages in the survey after returning to the survey but only to the initial page loaded upon their return. (Ticket #223291)

Version 14.1.3 (released on 2024-01-25)

CHANGES IN THIS VERSION:

Bug fix: When downloading an Instrument Zip file or various CSV files, the process might crash due to a fatal PHP error if the user has Space or Tab as their preferred “Delimiter for CSV file downloads” (as defined on their Profile page). (Ticket #222524)
Bug fix: The simultaneous user prevention check on data entry forms would mistakenly prevent multiple users from accessing and editing different repeating instances of the same record-event-instrument in a project.
Bug fix: When using Clinical Data Pull for CDIS, the CDP cron job might mistakenly miss some records when fetching EHR data in the background.
Bug fix: When using multiple EHR systems with Clinical Data Pull for CDIS, the incorrect FHIR base URL was being used for data retrieval during the background fetch process of CDP projects. This error not only hindered the data fetch process when fetching EHR data, but it also led to the internal FHIR token manager inadvertently deleting valid access tokens for users.
Bug fix: When using Multi-Language Management, floating matrix headers were not aligned properly on surveys for right-to-left languages. (Ticket #222689)
Bug fix: When upgrading from a version prior to REDCap 14.0.1, an SQL error might occur during the REDCap upgrade with regard to an “alter table” statement for the database table “redcap_outgoing_email_sms_log”.
Bug fix: When viewing the “Stats & Charts” page for any report that has one or more Live Filters selected on the page, and then the user selects an instrument and/or record in the Display Options box near the top of the page, all Live Filter selections would mistakenly get reset back to a blank value. (Ticket #222699)
Various updates and fixes for the External Modules Framework, including 1) Fixed a module setting race condition when using a “Read Replica” database server, and 2) Displayed logged parameters on the View Logs page for External Modules.
Bug fix: When using Multi-Language Management, the Forms/Surveys tab on the MLM setup page might fail to load due to a JavaScript error.
Bug fix: If a file in the Recycle Bin in the File Repository is permanently deleted by a REDCap admin, the file would be marked as having been permanently deleted but would mistakenly still exist in the file storage system. (Ticket #222787)
Bug fix: When using CDIS, an issue might occur if REDCap is using Azure AD OAuth2 & Table-based authentication method, particularly during an EHR launch for Clinical Data Pull.
Bug fix: When using the text “month”, “day”, or “year” followed by an opening parenthesis inside quotes in a @CALCTEXT equation, the calculation would not get parsed correctly, thus resulting in a calculation error on the survey page or data entry form. (Ticket #222973)
Bug fix: When using CDIS, a project’s Edit Project Settings page might be missing a Save button if the REDCap server lacks configurations for at least one FHIR system. (Ticket #222919)
Bug fix: When the calendar datepicker popup is displayed near the rich text editor, in some situations part of the calendar might mistakenly get covered up by the editor’s toolbar. (Ticket #223011)
Bug fix: When Rapid Retrieval is disabled, REDCap might still be creating *.rr cache files in the temp folder. (Ticket #223076)
Bug fix: If an administrator is not a user in a project but clicks the “Create API token now” button on the project’s API page, the token would not be created (as expected) but it would mistakenly log the event “Create API token for self” as if it was created. (Ticket #222977)

Version 14.1.2 (released on 2024-01-18)

CHANGES IN THIS VERSION:

Major bug fix: When a user views a report and modifies the “report_id” parameter in the URL while on the report’s “Stats & Charts” page or when editing the report, in which the report_id is changed to the report_id of a report in another project to which the user does not have access, the user would mistakenly be able to view the report name and the number of results returned from that report from the other project. Note: No identifying data or record names from the other project are able to be accessed using these methods; only the report name and the total count of results returned from the report can be extracted.
Change: The “Copy Project” page now contains more informational text when copying a project containing surveys. The new text explains that when copying all records, the survey completion time for any survey responses will not be copied with the normal project data because the completion times are considered to be equivalent to project logging, which never gets copied during this process. (Ticket #222256)
Bug fix: When viewing the Record Status Dashboard when Data Access Groups exist in a project, in certain situations the RSD page might load a bit slowly due to an excessive amount of SQL queries being run. This was fixed in the previous version, but it only covered specific situations. (Ticket #221998b)
Bug fix: When upgrading to REDCap 14.1.1 from any earlier version, an SQL error might occur in some rare cases when performing the REDCap upgrade process due to a foreign key constraint in the redcap_ehr_user_map database table. (Ticket #222084)
Bug fix: When using Clinical Data Mart in CDIS, there were issues in the list of mappable items within CDM projects, in which the following condition types were not mappable as generic entries: encounter-diagnosis-list, problem-genomics-list, problem-medical-history-list, and problem-reason-for-visit-list.
Bug fix: If a user was given “Edit Access” rights to a specific report, but they have been given “Add/Edit/Organize Reports” user privileges for the project, if they append “&addedit=1” to the URL when viewing the report, it might appear that they can edit the report. However, clicking the “Save Report” button on the page would actually do nothing and would forever say “Working”. So while they aren’t able to bypass any report access privileges, it could be confusing because it appears as though maybe they could. (Ticket #222150)
Bug fix: If a project is being moved back to Production status from Analysis/Cleanup status, the process of moving it back to Production would mistakenly not clear out the “inactive_time” timestamp in the backend database for the project. This issue has no impact on the application. (Ticket #222175)
Bug fix: When using Multi-Language Management, instruments with matrix fields would fail to load due to a JavaScript error. This bug was introduced in the previous version. (Ticket #222211)
Bug fix: When using Clinical Data Pull in CDIS, some CDP projects with the auto-adjudication feature enabled might display the adjudication count as a negative number. (Ticket #134564)
Various changes and fixes for the External Modules Framework, including fixing a bug that was preventing link editing in rich text module settings caused by a conflict between Bootstrap dialogs and TinyMCE.
Bug fix: When using Clinical Data Pull in CDIS, an out-of-memory error could occur when handling large volumes of data being pulled from the EHR.
Bug fix: When erasing all data in a project or deleting all records when moving a project to production, the process might take a disproportionately large amount of time to complete (or it might get stuck) if the project contains a large amount of data points (i.e., several million or more rows). The process now deletes data from the redcap_dataX table in smaller batches rather than attempting to delete all rows with a single query.
Bug fix: When saving the Survey Login settings in the Online Designer, the confirmation dialog would mistakenly not be displayed due to a JavaScript error.
Bug fix: When erasing all data in a project or deleting all records when moving a project to production, the process might mistakenly not delete the ‘Survey Login Success’ and ‘Survey Login Failure’ logged events in the project if the Survey Login feature is being utilized. (Ticket #222429)
Bug fix: When using Clinical Data Mart in CDIS, the CDM data fetching process might fail when using specific versions of MySQL/MariaDB, specifically MySQL versions prior to 8.0 and MariaDB versions prior to 10.2.1. (Ticket #219308)

Version 14.1.1 (released on 2024-01-11)

CHANGES IN THIS VERSION:

Major security fix: Several Reflected XSS (Cross-site Scripting) and Stored XSS vulnerabilities were discovered in which a malicious user could potentially exploit them by inserting custom JavaScript in a specially crafted way into specific URLs or POST parameters in several places, including the Data Quality page, Custom Application Links, Report Folders, and other places. The user must be authenticated into REDCap in order to exploit these in a project. Bugs exist in all REDCap versions for the past 10 years.
Major security fix: An SQL Injection vulnerability was found on a Calendar-related page, some MyCap-related pages, the Define My Events page, the Online Designer, the Record Home Page, and other places, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit these, the user must be logged in as a REDCap user. Bugs exist in all REDCap versions for the past 10 years.
Major bug fix: The Clinical Data Mart in CDIS might mistakenly not work at all and thus might not allow users to pull any data from the EHR. Bug emerged in REDCap 14.1.0 Standard.
Improvement: If a user has a sponsor, their sponsor’s username, name, and email will be listed at the top of their Profile page. (Ticket #138684)
Bug fix: The upgrade process might unexpectedly stop due to an SQL error in the upgrade SQL script when upgrading to or higher than REDCap 14.0.1 in some cases.
Various CDIS-related bug fixes, especially related to EHR user mapping when using multiple EHR systems
Bug fix: In certain situations when using Clinical Data Pull for CDIS, the process might stop with a fatal PHP error for some PHP version.
Bug fix: When using Multi-Language Management, in which the highlighting feature for untranslated items is enabled, some items would mistakenly be highlighted on the page that should not be highlighted. (Ticket #221418)
Bug fix: An error might occur during the “refresh token” process in CDIS. If an HTTP error occurred while refreshing the token, it was not correctly caught and handled.
Bug fix: If a record contains multiple consecutive spaces in its record name, some things might not display correctly on certain pages when viewing the record, such as the floating table of repeating instances when clicking on the “stack” status icon for a repeating instrument on the Record Home Page or Record Status Dashboard.
Bug fix: When using Clinical Data Pull in CDIS, conditions or medications were not shown in the CDP adjudication dialog unless a specific status was specified.
Bug fix: During the cache file creation process for Rapid Retrieval, concurrent write attempts could lead to PHP errors and potentially high CPU usage in some specific cases. (Ticket #221459)
Bug fix: The “Create new API token for user” dialog might mistakenly display the option “External Modules API”, which is not a published feature yet. (Ticket #221904)
Bug fix: When using Clinical Data Mart in CDIS, the CDM auto-fetch feature was not properly scheduling a fetch process.
Bug fix: When viewing the Record Status Dashboard when Data Access Groups exist in a project, in certain situations the RSD page might load a bit slowly due to an excessive amount of SQL queries being run. (Ticket #221998)
Bug fix: When using Multi-Language Management, the MLM setup page might not sort the choices of multiple choice fields in the correct order as seen in the Codebook and Online Designer. (Ticket #221888)
Bug fix: Usernames with apostrophes could not be added to a project or assigned to a user role through the user interface on the User Rights page. (Ticket #221933)
Bug fix: When using the Survey Queue, in which survey participants are added initially via the Participant List, if neither the Designated Email field nor the Participant Identifier is used in the project, and the Survey Response Status is “Anonymous*”, the Survey Queue’s “Get link to my survey queue” popup would mistakenly display the participant’s email address, thus breaking the participant’s anonymity in the project. Going forward, it will no longer display the participant’s email address in that popup in this situation. (Ticket #221804)
Bug fix: When using the Background Data Import process, in which an error occurs, if a user goes to download the CSV file containing the list of errors for the import batch, the first letter of the error message in a given row might be missing.

Version 14.1.0 (released on 2024-01-04)

CHANGES IN THIS VERSION:

New Multi-EHR functionality for Clinical Data Interoperability Services (CDIS) - Multiple electronic health record systems (EHRs) can now be defined on the CDIS page in the Control Center, whereas in previous versions only one could be defined. This will allow users to pull clinical data from many different EHR systems, if they desire. After a REDCap administrator has defined one or more EHR systems on the CDIS page, any given REDCap project can utilize a specific EHR connection. Note: A project can only be connected to one single EHR. The first EHR connection will serve as the “default”, and thus whenever CDP or Data Mart is enabled in a project, it will initially point to the default connection, but this can be changed after the fact to point to one of the other EHR connections that are defined in the Control Center. As previously, all users attempting to pull data from any EHR connection will need to have signed in through the EHR (either using the Standalone Launch or CDP’s EHR Launch) in order to obtain a FHIR access token for that specific EHR. Thus the user must still have a valid account for each EHR from which they are attempting to pull data.
Improvement: New “Read Only” user privilege for the User Rights page - Users and roles can now be given “Read Only” access to the User Rights page, which will allow users to view the page but not be able to take any actions on the page. Note: If a user is in a Data Access Group while viewing the page, it is still the case that they can only view users from their own DAG on the page.
Improvement: Performance improvement when using iMagick (i.e., rendering PDF attachments for Descriptive fields as images embedded inside REDCap-generated PDFs) by using a new internal image cache. Whenever a PDF attachment for a Descriptive field is rendered as an image via iMagick, the image of each PDF page will be cached and stored separately so that the next time the PDF attachment is being rendered inside a PDF, it will use the cached image(s) rather than perform a real-time conversion of the PDF to images every time, which can be time consuming. Note: The image cache of the PDF attachment will be stored and used for up to 30 days, after which it will be automatically deleted from the system.
Change/improvement: A notice was added on the Database Query Tool page so that when exactly 500 rows are returned from a query that does not contain a “limit” clause, it notes that more rows might exist that are not being displayed on the page. This is because “limit 0,500” is always appended to any query that lacks a “limit” clause. This will reduce confusion for admins who might assume that they are viewing the full results of a query when they might not be.
Bug fix: When using CDIS in certain contexts where data is being pulled for specific research studies, the FHIR ID of a research study might not be found.
Bug fix: When importing alerts via a CSV file, if the file contains some mangled characters due to incorrect encoding, the file might fail to upload and would mistakenly not produce any error message.
Bug fix: When using CDIS, issues might occur when fetching “conditions” data having a status other than “active”. Additionally, new FHIR resources were inadvertently excluded from mapping in CDP projects. This includes the following mappable resources: encounter, coverage, procedure, device, and all conditions (including their status).
Bug fix: If using file-based storage for Rapid Retrieval, in which an alternative storage directory has been defined, in certain cases many of the cached files in the alternative directory would mistakenly not get deleted after the 5-day expiration time.
Bug fix: The REDCap::evaluateLogic() developer method’s documentation mistakenly did not include information about the current_context_instrument parameter, which is required for the correct evaluation of logic that contains certain Smart Variables. This parameter should be provided to the method if the logic is being evaluated within the context of a specific instrument (e.g., while on a survey page or data entry form). This parameter has been added to the method’s documentation. (Ticket #220861)
Bug fix: When enabling Twilio in a project, it is possible in certain cases to enter the same Twilio phone number (if it is a U.S. number) for more than one project. This could be done by entering the phone number in one project with the U.S. country code, and then entering it in another project without the U.S. country code. (Ticket #221468)
Bug fix: When using the functions day(), month(), or year(), more than once inside a calculation, it might not parse the calc correctly, thus possibly returning incorrect results. (Ticket #221544)

Version 14.0.4 (released on 2023-12-28)

CHANGES IN THIS VERSION:

Medium security fix: The AWS SDK PHP third-party library contained a medium security vulnerability that would mistakenly allow an attacker to possibly perform URI path traversal. The library was updated to the latest version.
Major bug fix: The API Delete Users method was mistakenly not checking if a user had User Rights privileges in the project in addition to API Import/Update privileges in order to successfully make a call to the API method.
Change/improvement: When using the eConsent Framework on a survey, the certification page now says “Working…” until the inline PDF finally loads on the page. This will reduce confusion for participants in case the PDF takes an abnormal time to load. (Ticket #221228)
Bug fix: When using Multi-language Management, the “Initialize a new language from available system languages” option was mistakenly checked (while also disabled) even when no system languages are available, leading to a JavaScript error when “Continue” is clicked. (Ticket #221273)
Bug fix: In specific situations where multiple File Upload fields are piped onto a page in a specific way, it may cause a JavaScript error that prevents the instrument from loading. (Ticket #221225)
Bug fix: If Form Display Logic or Survey Queue Logic references a specific repeating instance of a field, specifically instance “1”, “first-instance”, or “last-instance”, when the field exists on a repeating event that currently contains no data for a given record, the logic might mistakenly not evaluate correctly. (Ticket #221229)
Bug fix: Direct links to the FAQ in certain places throughout REDCap were not working. They would merely take the user to the top of the Help & FAQ page instead of to a specific item. Bug emerged in REDCap 13.4.0. (Ticket #221329)

Version 14.0.3 (released on 2023-12-21)

CHANGES IN THIS VERSION:

Improvement: The Unicode Transformation process (found via the Configuration Check page if your installation was installed prior to REDCap 8.5.0) now contains a “Step 2 Alternative” method, which utilizes a project-by-project Unicode Transformation process using a cron job. Previous versions required that SQL be run over all projects at the same time (which might take quite a while) while REDCap was offline.
- If your REDCap installation was installed roughly 8 years ago or if it contains more than 1000 projects, it is recommended that you use Step 2 Alternative to minimize server downtime during the Unicode Transformation process.
- After performing Step 1, Step 2 Alternative will provide some SQL to enable the cron job. Once initiated, you may refresh the page to view its project-by-project progress until all steps appear green on the page after it has finished.
- Note: Step 1 will still need to be run in real time while REDCap is offline. Thus downtime is unavoidable for Step 1. But the benefit of Step 2 Alternative is that it allows one to complete the remaining steps of the Unicode Transformation process without any downtime.
Improvement: If a report has been set as “public”, a link icon will appear next to the report title on the left-hand project menu. If a user clicks the link icon, the public report will open in a new tab.
Improvement: If a project dashboard has been set as “public”, a link icon will appear next to the project dashboard title on the left-hand project menu. If a user clicks the link icon, the public project dashboard will open in a new tab.
Improvement: When in a project context when the Read Replica feature is enabled, the Read Replica’s utilization will now be maximized by referencing the last time a “write event” occurred in the project’s Logging (such as data being saved or the project being modified in some way) when being compared with the replica’s lag time (rather than merely using a static maximum lag time of 3 seconds as the cutoff). This means that, for example, if a project has not had any logged “write events” in the past 5 minutes, the replica will be used on specific pages in that project so long as the replica’s lag time (i.e., behind the primary database) is less than 5 minutes. Whereas in previous versions, the replica would only be utilized if the replica’s lag time was 3 seconds or less. This increases the utilization of the replica, thus improving overall system performance.
Major bug fix: When checkbox field values are being imported during a data import (via the API or Data Import Tool), in which some calculated fields in the project reference the checkbox field in their calculations, the calc fields might mistakenly not get updated during the import process. (Ticket #221111)
Change: Some help text was added to the Form Display Logic and Survey Queue instructions to inform users that their conditional logic will be evaluated at the record level and not within the context of an event or a repeating instance, which means that it is not possible to use relative instance or relative event Smart Variables - i.e., those with the name ‘current’, ‘next’, or ‘previous’, such as [next-instance] or [previous-event-name].
Bug fix: When piping a field on the same instrument on which it is located, the piping might mistakenly not work in a repeating instrument or repeating event context. (Ticket #220610)
Bug fix: When calling the Rename Record API method, the API request would mistakenly get logged as “Switch DAG (API)” when it should instead be logged as “Update record (API)”.
Various bug fixes and improvements to the External Module Framework:
- Added the isModulePage() and isREDCapPage() module methods (courtesy of Andrew Poppe)
- Added the dashboard-list module setting type (courtesy of Andrew Poppe)
- Added the visibility-filter option for the dashboard-list and form-list module setting types (courtesy of Andrew Poppe)
- Removed survey-list module setting type in favor of form-list with a visibility-filter option
- Misc. security scan script improvements
Bug fix: In rare cases, a database query run on the Participant List page might cause the page to load very slowly or even time out. (Ticket #211469)
Bug fix: When renaming a record in a multi-arm longitudinal project, in which the new record name already exists in another arm but in another case (e.g., renaming a record to “aa3” in arm 1 when there is already a record “AA3” in arm 2), issues can occur when trying to access the record in either arm in the user interface afterward. When this occurs going forward, the new record name will be forced to be the same case as the existing record in the other arm. (Ticket #217809)
Bug fix: When uploading a data import file via the Background Data Import, in which the process somehow gets stuck during the initialization phase, the upload would mistakenly appear with a “queued” status. Going forward, if any imports are stuck in the initialization phase for more than one hour, they will be automatically cancelled by the system. (Ticket #220714)
Bug fix: When uploading a data import file via the Background Data Import, in which the process somehow gets stuck processing for a long period of time, the upload would mistakenly appear with a “processing” status forever. Going forward, if any imports are stuck in the processing phase for more than one day, they will be automatically cancelled by the system.
Bug fix: When performing an API Export Records call with type=eav, in some rare cases the record ID field might mistakenly have duplicate rows for some records in the exported data. (Ticket #220860)
Bug fix: In the Online Designer, when a field has a section header immediately above it, and the field is then moved to be directly above that section header, the field would mistakenly revert back to its original position.
Bug fix: When entering data on a data entry form or survey while using a mobile device, in which a text field on the page has field validation and the user has entered a value that will throw a field validation error, if they click the “Add signature” link or “Upload file” link for a signature or file upload field, respectively, while their cursor is still in the text field, then they would get stuck in an infinite loop of popups and not be able to continue data entry on the page. (Ticket #219569)
Change: The length of time in which the record list cache will be automatically reset has been increased from 1 week to 2 weeks. This was done because the record list cache has seen years of stability and can now be trusted to be accurate for longer periods of time. This change will reduce how often the cache will need to be rebuilt for an active project, which should improve overall system performance.
Bug fix: A warning might mistakenly be encountered during the extraction of an identifier from a FHIR request within a CDIS project. The adjustment involves ensuring that the returned identifier is a single value rather than an array.
Bug fix: In some cases when exporting the Project XML file for a project, the process might mistakenly crash with a fatal PHP error when using PHP 8. (Ticket #221097)
Bug fix: When using Google Cloud Storage for file storage in the system, and the “Organize the stored files by REDCap project ID?” setting is enabled, uploading a file on the main Send-It page (i.e., via the tab from the My Projects page) might cause a fatal PHP error when using PHP 8. (Ticket #221098)
Bug fix: Using the function isblankormissingcode() in branching logic would not always return the correct result if the field used in the function is numeric. (Ticket #218984)
Bug fix: If fields are embedded into the field label of a File Upload field or Signature field, the “Upload file”/“Add signature” dialog would mistakenly display the embedded fields as editable, whereas it should instead display them as read-only since their values cannot be modified there inside the dialog. (Ticket #221137)
Bug fix: The “Insert a dynamic variable” feature on the Email Users page in the Control Center would mistakenly never work, in which the variables would not get successfully replaced in the email body when sending the emails.

Version 14.0.2 (released on 2023-12-14)

CHANGES IN THIS VERSION:

Improvement: The Rapid Retrieval caching feature is now utilized for data exports and also for the API methods Export Records and Export Report, whereas in previous versions Rapid Retrieval was only utilized on report pages and the record status dashboard page.
Improvement: If the Read Replica feature is enabled, all API export methods will now utilize the Read Replica, whereas in previous versions the only API methods that utilized the Read Replica were the Export Records, Export Report, and Export Logging methods.
Improvement/change: For projects with the “Delete a record’s logging activity when deleting the record?” setting enabled on the Edit Project Settings page, a request to the API Delete Record method may now include the parameter delete_logging=0 if the user wants to prevent the record’s logging activity from being deleted when the record is deleted. If the setting is enabled in the project, then the default value will be ‘1’ for delete_logging (to maintain the existing behavior in previous versions), and if the project-level setting is not enabled, the default value will be ‘0’. If the project-level setting has been enabled, this API parameter must be provided with a value of ‘0’ in order to prevent the record’s logging activity from being deleted when the record is deleted (Ticket #96300)
Change: The PID number for a project is now displayed on the My Projects page for all user types, whereas in previous versions it was only displayed for admins (users with some kind of Control Center access). (Ticket #220689)
Major bug fix: When exporting a report (including using the API Report Export method) in CSV, XML, or JSON format, in which the report does NOT have “order by” fields, the resulting exported data might mistakenly contain duplicate rows, some of which might appear empty while others have the expected data for the given record/event. (Ticket #219392b)
Bug fix: The EHR patient portal for CDIS might mistakenly fail to accurately display whether a patient was already associated with a given project. Bug emerged in REDCap 14.0.0.
Bug fix: When importing data (via API or Data Import Tool), in which the record name of the record being imported already exists in the project but has a different case (e.g., “101A” vs “101a”), it might cause extra logged events to be added during the data import process, even when no data is being modified. This issue does not seem to affect existing data in any negative way. (Ticket #219755)
Bug fix: On the Codebook page, collapsing of some tables on the page would not work in certain browsers.
Bug fix: When using CDP (Clinical Data Pull), data was mistakenly not being automatically fetched from the EHR and imported into a given CDP project as part of the CPD cron job. The issue was observed specifically in scenarios where certain records lacked a specified Medical Record Number (MRN).
Bug fix: When sending invitations through the Participant List via the Compose Survey Invitations dialog, in some rare cases the action of scheduling/sending the invitations might result in a fatal PHP error for PHP 8. (Ticket #220549)
Bug fix: In specific cases, the @richtext action tag might cause the Notes field’s rich text editor to be read-only when it should be editable on the page.
Bug fix: In a MyCap-enabled project, the MyCap participant install dates and baseline dates would mistakenly get carried over into copied projects and projects created via Project XML upload.
Bug fix: When using CDIS, a patient’s preferred language might not be correctly extracted from a patient’s FHIR payload. (Ticket #219743)
Various fixes and changes to the External Module Framework, including the following: 1) The getProjectsWithModuleEnabled() method begins included modules enabled via the “Enable module on all projects by default” setting as of framework version 15, and 2) Fixed copy/paste/cut issue in rich text editor.
Bug fix: When using Shibboleth authentication, the REDCap redirect URL was mistakenly not URL-encoded in the Shibboleth handler address, which might cause the user not to get redirected back to the correct place after returning from a successful Shibboleth login. (Ticket #220564)
Bug fix: When upgrading REDCap more than once in a single day, the “redcap_history_version” database table would mistakenly only list the last upgrade of the day. (Ticket #220627)
Bug fix: When clicking the increase/decrease font-size button at the top of survey pages, the speaker icons used for text-to-speech functionality would mistakenly not change size.
Bug fix: The Scheduling page would mistakenly never display the record drop-down list. Bug was originally fixed in version 13.8.3 but then reappeared again in 14.0.0. (Ticket #210446b)
Bug fix: When importing data via the Data Import Tool’s background data import, if the CSV file contains any File Upload fields, even if they are empty columns, it would mistakenly display an error saying that some variable names in the file were invalid, which is confusing. File Upload fields will now be ignored for this field pre-check since ultimately they are ignored during the data import process since files cannot be uploaded using this method. (Ticket #218575)
Bug fix: Some example R code in the API Playground was syntactically incorrect and would cause errors if it was run in R as is. Bug emerged in 13.7.24 LTS and 14.0.0 Standard Release. (Ticket #219535b)

Version 14.0.1 (released on 2023-12-07)

CHANGES IN THIS VERSION:

Improvement: Improved user interface elements on the Codebook page. A new instrument table lists instrument names and also event designations, if longitudinal. The instrument and event tables are now collapsible. Additionally, the tables denote if an instrument is a repeating instrument or is designated to a repeating event, and the event table denotes if an event is a repeating event. All tables on the page are now collapsed by default. (Ticket #220221)
Improvement: For Descriptive Text fields on the Codebook page, the attachment’s filename and its display format are now listed on the page if it has an attachment, and the media URL and its display format are now listed on the page if it has a media URL. (Ticket #220204)
Major bug fix: When exporting a report (including using the API Report Export method) in CSV, XML, or JSON format, in which the report is ordered by a field other than the record name and the total size of the exported data is fairly large (containing several hundred or thousand records), the resulting exported data might mistakenly be missing many rows of data. Bug emerged in the previous version. (Ticket #220275)
Bug fix: The administrator’s browser time that is displayed at the bottom of the main Control Center page was not formatted correctly. (Ticket #219917)
Bug fix: If a proxy is specified on the General Configuration page in the Control Center, the username-password authentication for HTTP requests made during CDIS remote calls to the EHR system might not always work successfully under certain conditions. (Ticket #219039c)
Bug fix: The EHR Launch in CDIS might mistakenly fail due to a fatal PHP namespace error.
Various fixes and updates to the External Module Framework.
Bug fix: The query cache efficiency check on the Configuration Check page might mistakenly display a false positive saying that the MySQL query cache is not efficient when actually it is. (Ticket #220049)
Bug fix: When a project has been deleted, some orphaned rows for that project might still exist in certain database tables. (Ticket #220047)
Bug fix: If a survey does not have survey instruction text, and the participant navigates back to page 1 after being on page 2 of the survey, the page would mistakenly display the “View survey instructions” link under the survey title.
Bug fix: When using the Survey Login feature in a longitudinal project, in which a field referenced on the survey login page exists on a different event as the survey currently being taken, the logged event’s description of the successful/failed login on the Logging page would mistakenly have the wrong event for the context of the survey login. (Ticket #220174)
Bug fix: When using Azure AD authentication with Endpoint V2, the setting “AD attribute to use for REDCap username” was mistakenly not using all of the options listed in the drop-down but would only use the “userPrincipalName” option, if selected. Now all options can be used in Endpoint V2. (Ticket #134789b)
Bug fix: When clicking the “Download metadata only (XML)” button on the Project Setup->Other Functionality page, it mistakenly would not log the file download. It now logs the download event as “Download REDCap project XML file (metadata only)” on the Logging page. (Ticket #220203)
Bug fix: Referencing a field from another instrument or another event inside the function month(), day(), or year() for a calculated field would mistakenly cause a calculation error to occur on the page. (Ticket #220405)
Bug fix: In some situations when copying a project, in which the records are also copied, the new project would appear not to have any records until the administrator clicked the “Clear all record and page caches” button on the Other Functionality page.

Version 14.0.0 (released on 2023-11-30)

CHANGES IN THIS VERSION:

New action tag: @SHOWCHOICE - When applied to a multiple-choice field, this action tag will hide all choices except for the ones listed in its argument. This action tag is useful if you wish to only show a subset of choices depending on some logic (e.g., depending on data access groups) via the IF action tag. The format must follow the pattern @SHOWCHOICE='??', in which the coded values should be inside single or double quotes for the choice(s) you wish to show. If more than one choice needs to be shown, then provide all the coded values separated by commas. For example, to show the choice ‘Monday (1)’, you would have @SHOWCHOICE=‘1’, but if you wanted to additionally show ‘Tuesday (2)’, you would have @SHOWCHOICE=‘1,2’. NOTE: The @SHOWCHOICE action tag supports piping into its argument - e.g., @SHOWCHOICE="[my_checkbox:checked:value]".
New page-level caching feature: “Rapid Retrieval”
- REDCap now implements an automatic, transparent form of page-level caching (known as “Rapid Retrieval”) to help speed up certain pages that are known to be slow. Currently, Rapid Retrieval operates only on reports and on the Record Status Dashboard page. When a cache is being utilized, a note will appear at the top of the page that says “Page speed was boosted using Rapid Retrieval”. The Rapid Retrieval cache can be cleared for an entire project by an administrator using the “Clear the Record List Cache” button on the Project Setup->Other Functionality page, in which the button text now says “Clear all record & page caches.”
- On the Modules/Services Configuration page in the Control Center, the Rapid Retrieval functionality can be disabled for the whole system, if desired. It has two options: File-based storage (default, recommended) and Database storage. If set to ‘File-based storage’, the Rapid Retrieval feature will store all cached files in REDCap’s ‘temp’ folder by default. If set to ‘Database storage’, they will be stored in the redcap_cache database table. When using File-based storage, there is an additional setting named “Alternative directory to store cached files” that is completely optional, in which you may set an alternate location on your web server for storing the cached files, whether for security or performance related reasons.
- Suggestion: The File-based storage method is recommended in most cases, such as on very active servers, because the Database storage method can tend to cause the database to be too busy, in which it may bog down the server and/or cause the MySQL binary log to grow too rapidly. You may try both options to see if one performs better overall. There is no harm in changing this setting at any time while the system is running.
- Additional notes: When using File-based storage, the cached files are completely encrypted (at rest) on the web server, and the files are quickly removed by a cron job once they have been invalidated and can no longer be utilized. This form of active pruning keeps the cached files from taking up too much space on the web server.
New feature: Additional “redcap_data” tables
- To help improve long-term server performance over time through horizontal scaling, REDCap now makes use of 3 new “redcap_data” tables named redcap_data2, redcap_data3, and redcap_data4. As new projects are created, they will be assigned to one of the four data tables, which will be the single place where that project’s data is stored. Utilizing more “data” tables will allow REDCap to maintain its speed and remain performant over time. The addition of these new tables is a completely automatic and transparent change that users will likely never realize or need to know about. However, administrators should be aware of it, especially in regard to the creation of Dynamic SQL fields (see below), which will be affected by this change. Note: No existing projects will be impacted by this change in v14.0.0; thus, it will only affect new projects created after upgrading to v14.0.0. Also, a project’s data table can always be obtained on the Edit Project Settings page after selecting a project, in which the table name will be listed at the top of that page.
- New [data-table] Smart Variable - Since a project’s data can be stored in any of the 4 data tables, writing queries for Dynamic SQL fields can be tricky. On the Add/Edit Field dialog on the Online Designer, it will note the current project’s data table after selecting “Dynamic SQL Field” in the dialog. However, instead of using the literal data table name in their SQL query, admins may instead use [data-table], which will be replaced with the current table’s data table name. If you wish to obtain the data table name for another project, append a colon and the PID of the other project - e.g., [data-table:7345], in which the PID of the other project is “7345”. It is advised that going forward, administrators should utilize the [data-table] Smart Variable for Dynamic SQL fields rather than using the literal data table name.
- New developer method REDCap::getDataTable($pid) - New REDCap class method for plugins/modules/hooks that will return the “redcap_dataX” database table name for a specified project by providing its project_id. If $project_id is null or not provided, it will return “redcap_data” by default. It is recommended that if any External Module developers have any EMs that reference the “redcap_data” explicitly in their EM code, they should replace it similar to how it is done in the code below:
  $data_table = method_exists('\REDCap', ‘getDataTable’) ? \REDCap::getDataTable($project_id) : “redcap_data”;
  $sql = “select * from $data_table where project_id = $project_id”;
- New “Move Project Data” page
  - This page allows REDCap administrators to move the data stored in a given REDCap project to another redcap_dataX table in the database in order to [hopefully] improve the general performance of the project. The performance improvement will depend greatly on the size and structure of the project and will also depend on many things in the overall system, such as the current size of the redcap_data table and the power of the database server.
  - Note: The data transfer process on this page will perform multiple checks to ensure that all data gets moved successfully, and if anything goes wrong, it will automatically roll back all changes.
  - How to find this page - The “Edit Project Settings” page in the Control Center contains a link to the “Move Project Data” page.
New feature: “Read Replica” Server
- To help offset server load if the REDCap system has been experiencing routine slowness, REDCap can connect to a read-only, secondary database server that uses MySQL/MariaDB replication to stay in sync with REDCap’s primary database server.
- The Read Replica server will be utilized only for read-only operations in the following places in REDCap: viewing reports, exporting data (including API exports), viewing record status dashboards, viewing and exporting the project logging page (including API logging exports), using the data search tool, viewing the scheduling page, executing data quality rules, viewing project dashboards, and viewing the Control Center’s System Statistics and User Activity Log pages.
- The effort of enabling the Read Replica functionality is very minimal once a replica server has been created and is successfully replicating from the REDCap primary database server. Most of the work will be simply setting up the replica server. Instructions for setting up the Read Replica can be found near the top of the General Configuration page in the Control Center.
- NOTE: The Read Replica is only recommended for use if you have been experiencing performance issues with your REDCap server, such as a routine or off-and-on slowness. Before enabling the Read Replica feature, it is advised that you explore other ways to improve database performance first, such as adding more RAM and CPUs to your database server to see if that provides some improvement. If those things do not help, then using the Read Replica might be a good option.
Improvement: The @HIDECHOICE action tag now supports piping into its argument - e.g., @HIDECHOICE="[my_checkbox:checked:value]".
Improvement: The bottom of the main Control Center page now displays the current time of the user’s browser and the current time of the REDCap server (with its timezone).
Major bug fix: When exporting a report (including using the API Report Export method) in CSV, XML, or JSON format, in which the report is ordered by a field other than the record name and the total size of the exported data is fairly large (containing several hundred or thousand records), the resulting exported data might mistakenly contain duplicate rows, some of which might appear empty while others have the expected data for the given record/event. (Ticket #219392)
Bug fix: For certain REDCap installations, the events on the Define My Events page would not be ordered correctly. (Ticket #219188)
Bug fix: When opening certain dialog popups throughout the application, in which the dialog contains a lot of text, the page might mistakenly auto-scroll downward unexpectedly, thus causing the user to have to scroll back up in order to read the dialog contents.
Bug fix: If a proxy is specified on the General Configuration page in the Control Center, it was mistakenly not using username-password authentication for HTTP requests made during CDIS remote calls to the EHR system. (Ticket #219039b)
Change: When viewing the “View or Edit Schedule” tab on the Scheduling page when more than 10K drop-down options would be displayed in the already-scheduled drop-down list of records, in which the drop-down will display at all, the text on the page has been modified for better clarity since it was confusing regarding how to view an already-scheduled record in this situation.
Bug fix: Issues related to copy, paste, and cut in the TinyMCE 6 rich text editor. (Ticket #219212, #219274, #218550, #219286)
Bug fix: The “Upcoming Scheduled Survey Invitations” popup on the Record Home Page might not display all the upcoming invitations scheduled in the next 7 days but might mistakenly omit some. (Ticket #218769)
Several fixes and improvements for the External Modules Framework, including 1) Added the report-list and survey-list EM setting types, and 2) Resolved a queryLogs() bug when referencing username in WHERE clauses (Ticket #217622).
Change: When downloading the Survey Queue settings via CSV file, the CSV filename now contains the project title and timestamp of the download.
Bug fix: When downloading the Survey Queue settings via CSV file, the download action was mistakenly not being logged.
Bug fix: When uploading the Survey Queue settings via CSV file, the upload action was mistakenly being logged multiple times.
Bug fix: Some example R code in the API Playground was syntactically incorrect and would cause errors if it was run in R as is. (Ticket #219535)
Bug fix: When a datediff() function has a literal date value (e.g., “22-07-2023”) for the first or second parameter in the function, in which the date value is in DMY or MDY date format, the datediff might mistakenly not perform the calculation correctly in some instances - most specifically server-side processes, such as auto-calculations, data imports, and Data Quality rule H. (Ticket #219662)
Bug fix: When using the RICHTEXT action tag for a field on a data entry form that is disabled/readonly (due to limited user rights or when viewing a survey response that is not in edit mode), the field’s rich text editor would mistakenly not appear disabled/readonly and would allow users to type and modify its content, even though the page is not able to be submitted. (Ticket #219212b)
Bug fix: In some rare cases when using nested IF action tags for a field in which spaces or line breaks appear in specific places in the IF’s logic, the IF action tag might mistakenly not evaluate correctly.
Bug fix: Form Display Logic might mistakenly not be evaluated correctly on the Record Home Page when a record has not been created yet but is in the process of being created. (Ticket #219883)

Version 13.11.4 (released on 2023-11-18)

CHANGES IN THIS VERSION:

Major bug fix: When a user is uploading a project’s Survey Queue settings via a CSV file in the Online Designer, in certain situations, the process might mistakenly erase the Survey Queue settings of *ALL PROJECTS* in the entire system. This bug affects only Standard Releases 13.11.0, 13.11.1, 13.11.2, and 13.11.3. If you are on an affected version, it is advised that you upgrade ASAP. Additionally, this fix in 13.11.4 has also been backported to all affected versions so as to prevent further damage. (Ticket #219088)

Version 13.11.3 (released on 2023-11-16)

CHANGES IN THIS VERSION:

Improvement: New MLM-related Action Tags - If using Multi-Language Management, the LANGUAGE-SET action tag can now be selectively applied to data entry forms via LANGUAGE-SET-FORM) or surveys via LANGUAGE-SET-SURVEY.
Improvement: When using MyCap in a longitudinal project, a more streamlined process is provided for helping users add new active tasks and designate them for specific events in the project. This process is now much less confusing and less disjointed than in previous versions.
Improvement: A new parameter was added to the method REDCap::storeFile() to allow one to set the filename of the file being stored. In previous versions, the filename would be extracted from the file path itself. This new parameter is useful to assign a filename to files that have a temporary filename, such as when resulting from a file upload.
Bug fix: If the Mosio SMS Services have been enabled in a project, the configuration step for Mosio on the Project Setup page would mistakenly not be displayed if the system-level Twilio feature (rather than the system-level Mosio feature) had been left disabled on the Modules/Services Configuration page in the Control Center.
Bug fix: The Data Viewing Rights & Data Export Rights might not be set correctly for user roles after adding a new instrument to a project while in production. When adding a new instrument, the rights would always get set to “No access” for that instrument for all roles, despite the fact that the setting “Default instrument-level user access…” on the User Settings page in the Control Center might be set otherwise. Note: This does not affect individual users' rights but only user roles. (Ticket #218708)
Bug fix: When a Table-based user navigates into a project, after which the Password Expire Warning popup is displayed if their password is about to expire soon, and then the user clicks the “Change my password” button, they are mistakenly taken to a blank page. This issue only occurs if the Password Expire Warning popup is displayed while they are inside a project (as opposed to on the My Projects page). (Ticket #218606)
Bug fix: If using Multi-Language Management, under certain circumstances the language preference of a logged-in user was mistakenly overwritten by a browser cookie. (Ticket #218766)
Minor changes and improvements to the External Module Framework.
Bug fix: If a proxy is specified on the General Configuration page in the Control Center, it was mistakenly not being utilized for HTTP requests made during CDIS remote calls to the EHR system. (Ticket #219039)
Bug fix: When merging two records while using Double Data Entry (DDE), the merging process might mistakenly replace specific characters with HTML entities in the values of the third record that was created. (Ticket #218547)
Bug fix: In some situations, the AWS SDK might mistakenly fail when attempting to store or retrieve files from S3. The AWS SDK for PHP has been updated to the latest version in order to resolve this.
Bug fix: When piping a value onto a form/survey from outside the current context, in certain situations the piped value might mistakenly get wrapped in invisible HTML “span” tags when output onto the page, which should only occur when the field being piped exists on the same page. (Ticket #219031)
Bug fix: When using a designated email field (whether project-level or survey-level), there might be some inconsistency with regard to saving the email field if the field exists on multiple events or on a repeating instrument/event, in which REDCap attempts to keep all values the same for the field in all places in the record. One of the worst side effects is that it might mistakenly create extra repeating instances on a record when the email field exists on a repeating instrument when multiple repeating instances already exist for another instrument on the same record. (Ticket #217938)
Bug fix: When performing a data import on the Data Import Tool page when using PHP 8, a fatal PHP error might mistakenly occur. (Ticket #212225b)

Version 13.11.2 (released on 2023-11-09)

CHANGES IN THIS VERSION:

Improvement: When using the “Erase all data” feature on the Other Functionality page, it now lists the total number of records in the dialog so that the user is aware. (Ticket #218329)
Change: The “variable auto-naming” feature found in the “Add New Field” popup in the Online Designer can now be disabled/hidden for all users by toggling a new system-level setting. The User Settings page in the Control Center now contains a setting where this feature can be 1) Disabled for all users, 2) Enabled for all users (default), or 3) Enabled for administrators only. (Ticket #215153)
Bug fix: When using Multi-Language Management, the project-level overrides of some admin settings would mistakenly get ignored.
Change/bug fix: In a MyCap-enabled project, the MyCap Invitation Text has been updated for projects that are not yet converted to the new MyCap mobile app. This text change is to reduce confusion regarding the transition from the MyCap Classic app to the new app.
Bug fix: When using Multi-Language Management, the comments at the top of CSV export files from the MLM page mistakenly had a comma hard-coded as the CSV delimiter, which could lead to the file not being importable when a delimiter other than comma was chosen and depending on the type of software used to edit the file.
Bug fix: The “Map of Users” page in the Control Center might mistakenly not call the “redcap_control_center” hook under specific circumstances. (Ticket #218502)
Change: When copying a project on the Copy Project page, if the project being copied contains one or more Dynamic SQL fields, a notice will be displayed near the bottom of that page to inform the user that they may want to consider if the SQL query for the field(s) needs to be modified in order to work correctly in the new project.
Bug fix: External Module language files were mistakenly being overwritten by the Language::getLanguage() method, leading to the loss of module-specific language keys. This problem manifested when the tt function, used for internationalization within EMs, was called, particularly affecting pages that utilized the redcap_control_center hook. (Ticket #218492)
Bug fix: The DbHealthCheck cron job might mistakenly fail when the web server is using PHP 8. Bug emerged in REDCap 13.11.0.

Version 13.11.1 (released on 2023-11-03)

CHANGES IN THIS VERSION:

Major bug fix: When upgrading to REDCap 13.11.0, the upgrade SQL script might mistakenly fail on certain versions of MySQL (but not MariaDB), thus preventing some folks from successfully upgrading to v13.11.0.
Bug fix: Two-factor verification would mistakenly fail for users when the 6-digit 2FA code has a leading zero. (Ticket #218277)
Bug fix: When using Clinical Data Pull, the “View” link to view the adjudication popup would mistakenly not appear at the top of the data entry page after having opened the page the first time. (Ticket #218182)

Version 13.11.0 (released on 2023-11-02)

CHANGES IN THIS VERSION:

New feature: New FHIR resources are available for Clinical Data Interoperability Services (CDIS) for extracting new types of data from a patient’s chart. (Note: If using Epic, your institution will first need to upgrade to version 3 of the REDCap app in the Epic App Orchard/Vendor Services in order to use these new resources.) Below is a list of the new resources available:
Appointment Endpoints - Appointments, Scheduled Surgeries
Condition Endpoints (Epic Only) - Dental Finding, Genomics, Infection, Medical History, Reason for Visit
Additional Endpoints - Coverage, Device: Implants, Diagnosis, Procedure
Additional CDIS enhancements:
Refactored “Mapping Helper”- The user interface has been simplified for ease of use. The workflow is adjusted so that data for all resources can now be fetched in one action, reducing the number of clicks needed.
Clinical Data Mart - There’s now an option to apply date ranges to specific resources individually, providing more granular control during data retrieval. Also, the existing background fetch feature within CDM has been extended to the “search” feature. This means when you’re using the search functionality, particularly with individual MRN selections, the system can perform data fetches in the background, freeing you up to work on other tasks.
Clinical Data Pull - You can now map conditions to a specific clinical status. This is particularly useful for instances requiring detailed condition data.
New special functions for date/datetime fields:
year() - Returns the year component of a date/datetime field - e.g., year([dob]).
month() - Returns the month component of a date/datetime field - e.g., month([visit_datetime]).
day() - Returns the day component of a date/datetime field - e.g., day([visit_date]).
New piping parameters for date/datetime fields:
:year - Returns the year component of a date/datetime field - e.g., [dob:year].
:month - Returns the month component of a date/datetime field - e.g., [visit_datetime:month].
:day - Returns the day component of a date/datetime field - e.g., [visit_date:day].
Improvement: Survey Queue Import/Export - Users can now export and import their Survey Queue settings via a CSV file in the Online Designer. After clicking the “Survey Queue” button on the page, it will reveal a drop-down list of options to 1) edit the SQ, 2) download the SQ as a CSV file, or 3) upload the SQ as a CSV file. This new feature will make it much easier for users to make modifications to their Survey Queue when they have many instruments and/or events that they wish to utilize in the SQ.
Improvement: Form Display Logic Import/Export - Users can now export and import their Form Display Logic settings via a CSV file in the Online Designer. After clicking the “Form Display Logic” button on the page, it will reveal a drop-down list of options to 1) edit the FDL, 2) download the FDL as a CSV file, or 3) upload the FDL as a CSV file. This new feature will make it much easier for users to make modifications to their Form Display Logic when they have many instruments and/or events that they wish to utilize in the FDL.
Improvement: The rich text editor has been updated to TinyMCE v6.
Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).
Improvement: If using the Mailgun Email API, an optional Base URL setting has now been added to allow institutions to specify the Base URL that should be called for the Mailgun Email API. By default, “https://api.mailgun.net” is used, but those in the EU region may alternatively set it as “https://api.eu.mailgun.net” in the Mailgun section of the General Configuration page. (Ticket #206369)
Improvement: When using Multi-Language Management, it is now possible to preset the language of a survey by supplying the URL parameter “__lang”, which must be set to a valid (active) language id (and is case-sensitive). Example: https://redcap.vanderbilt.edu/surveys/?s=ABC123&__lang=es. When used, this will override both a survey respondent’s previous choice (stored in a browser cookie) as well as the language preference field. The @LANGUAGE-FORCE action tag will still take precedence, though. (Ticket #124976)
Bug fix: When using the @CALCDATE action tag in which the Daylight Saving Time barrier is crossed when calculating the resulting date, in specific cases the result might mistakenly be one day off (if a date field) or one hour off (if a datetime field). Similarly, when using the datediff() function in which one date/datetime exists in DST while the other does not, in some cases the result might be off by one hour when using units of “h”, “m”, or “s”. (Ticket #32022, #73668, #103913, #126830, #129720, #137174, #215534, #216566)
Bug fix: Fixed an issue affecting the behavior of custom CDIS mapping in the Clinical Data Pull (CDP) mapping interface, in which custom CDIS mapping fields were incorrectly designated as ‘primary,’ thus preventing users from utilizing them as intended. (Ticket #217391)
Bug fix: In certain situations, the cron job for the Background Data Import might fail with a fatal PHP error when using PHP 8. (Ticket #212276b)
Bug fix: If a REDCap server is configured to use AAF authentication and that site has enabled the option to identify locals based on their AAF eduPersonScopedAffiliation, a user that should have been identified as a local would mistakenly not be identified as such, leading to them not being automatically granted project creation/copy rights upon account creation. This bug was introduced in REDCap 13.10.4.
Bug fix: The setting “Custom text to display at top of Project Home page” would mistakenly not display in the project if it did not contain actual text but only contained an image or an HTML “style” tag. (Ticket #217972)
Bug fix: In certain situations, the WebDAV file storage check on the Configuration Check page might mistakenly fail with a fatal PHP error. (Ticket #217684)
Bug fix: When attempting to save a calc or @CALCTEXT field in the Online Designer, in which the calculation contained a Smart Variable, it would prevent normal users from saving the field and would just get stuck saying “Saving…”. However, administrators would be able to save the field successfully.
Bug fix: In certain situations while on a survey page, a participant might be able to submit a survey when they should not, such as if the Save button is hidden on the survey page. (Ticket #217159)
Bug fix: A user would be unable to close the field validation error popup (specifically in iOS or Android) when the field with the validation error is followed by a signature field. (Ticket #217572)
Bug fix/change: When using MyCap in a project, in which the project has not been transitioned to use the new MyCap app (but instead is using the MyCap Classic app), if a user exports the project XML file to create a new project on the same server or on any server on REDCap 13.11.0 , that new project will also be using the MyCap Classic app. In previous versions, the new project would always be using the new MyCap app, which could cause issues in specific situations.
Bug fix: When exporting and importing Automated Survey Invitations using a CSV file in the Online Designer, the import process might fail with a blank error message due to an inconsistency in the CSV delimiter used in the file. (Ticket #217941)
Bug fix: When using Multi-Language Management, the choice labels of multiple choice fields would not be piped correctly in some cases if the choice labels contain HTML. (Ticket #217955)
Bug fix: Users would mistakenly be allowed to define Missing Data Codes where some of the codes could be duplicated in different cases (case sensitivity-wise). For example, “na” and “NA” would both be allowed as Missing Data Codes. Note: This issue cannot be fixed retroactively but will be prevented going forward when users attempt to create or modify Missing Data Codes on the Project Setup page. (Ticket #216818)

Version 13.10.6 (released on 2023-10-26)

CHANGES IN THIS VERSION:

Change/improvement: The Configuration Check page now has a new MySQL 8 specific check to ensure that the “Generated Invisible Primary Keys” (GIPK) setting in MySQL has been disabled on the database server. If not, it recommends to set sql_generate_invisible_primary_key=OFF in the my.cnf (or my.ini) configuration file. Additionally, this check has been added to the REDCap install page in order to prevent anyone from installing REDCap with this feature enabled. If the GIPK setting is left enabled, it will forever display false positives for the “Database Structure is Incorrect” check in the Control Center when in fact there is nothing wrong with the database structure.
Change: When using MyCap, some REDCap server configuration info is now included in the MyCap configuration JSON that gets pulled by the MyCap mobile app when refreshing the MyCap configuration on the participant’s mobile device. This server info will be stored on the mobile device and used only for troubleshooting purposes when any issues occur in the mobile app.
Bug fix: An issue may occur with a CDIS-related cron job in which certain records are not processed due to MemoryMonitor interruptions, and thus records would mistakenly not get queued for future processing to pull their clinical data from the EHR. This fix ensures that these unprocessed records are correctly queued for the next execution of the cron job, preventing data loss and ensuring more robust processing.
Bug fix: When a user lacks the instrument-level user privilege to modify survey responses for a given instrument, then they open a data entry form that has been enabled as a survey, and before they submit the form, a survey response has already been started or completed by a participant, it would mistakenly allow the user to unwittingly overwrite the survey response when they submit the form. It now returns an error message in this specific scenario and prevents the user from making changes. (Ticket #217157)
Bug fix: When a user is assigned to a Data Access Group and views a project’s Logging page when no records exist in their DAG yet, the Logging page might crash and display an error message saying that an SQL query failed. This appears to only occur for certain versions of MySQL/MariaDB. (Ticket #217372)
Bug fix: Certain tables, such as the Record Status Dashboard and reports, might mistakenly not display with the correct width based on the current screen size, in which the table may display its scroll bar off the right side of the page (i.e., initially not visible) instead of it being visible after the page loads.
Bug fix: If the MyCap External Module is enabled in a project, the built-in MyCap feature would mistakenly have its “Enable” button as a clickable button on the Project Setup page. That button is now disabled/grayed out if the MyCap EM is already enabled in a project.
Bug fix: When using CDIS, specifically Clinical Data Mart, an intermittent issue in CDM projects would occur where searches for specific Medical Record Numbers (MRNs) would occasionally return duplicate results. The fix ensures that each MRN appears only once in the search outcomes.
Bug fix: When using Multi-Language Management, the “only one selection per column” notice on matrix fields was mistakenly not translatable via the MLM setup page. (Ticket #217480)
Bug fix: When adding or editing a multiple choice field via the Online Designer, the text in the section “How do I manually code the choices?” mistakenly contained a line break in the text rather than actually displaying the HTML tag " " as visible in the text.
Bug fix: When an alert is set to trigger “When conditional logic is TRUE during a data import, data entry, or as the result of time-based logic”, in which a data value from a repeating instrument or repeating event is added via a data import, if the repeat instance number is “1” for the field being imported (or if the value is “new” when no repeating instances exist yet for that field), the import process might mistakenly not trigger the alert. (Ticket #214855)
Bug fix: When a checkbox field has a multiple choice option whose raw code is the same as a missing data code in the project, the report page might mistakenly display the error “DataTables warning: table id=report_table - Incorrect column count” when trying to view a report that contains such a checkbox. (Ticket #217249)
Bug fix: When hovering over the “view list” link on the Alerts & Notifications page for a given alert, the popover dialog would mistakenly not be hidden again if the user moves their cursor off of the popover. To remedy this, the user must now click the “view list” link to see the popover, after which the popover will hide if manually closed or if the user clicks on anything outside of the popover on the page.
Bug Fix: When importing records that are assigned to a Data Access Group, in which records for other DAGs exist in the redcap_data table with a blank record name (due to an older bug that caused the name to be blank), this would mistakenly prevent the data import process from importing the records. (Ticket #217724)

Version 13.10.5 (released on 2023-10-19)

CHANGES IN THIS VERSION:

Major security fix: A Stored Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into specific POST parameters of an Online Designer related URL so that the custom JavaScript could be injected into the calculations of calc fields, @CALCTEXT, and @CALCDATE fields. Thus the custom JavaScript could be executed whenever anyone opens the data entry form or survey page. This could lead to privilege escalation if a malicious user tricks an administrator into viewing the instrument, thus potentially becoming an administrator themselves and able to access all projects and data. The user must be authenticated into REDCap and must have Project Design rights in order to exploit this in a project. Bug exists in all REDCap versions for the past 10 years. Note: This bug was supposedly fixed in the previous version but mistakenly was not.
Medium security fix: Malicious users might be able to bypass the “Restricted file types for uploaded files” feature (if being utilized on the REDCap server) by uploading a file with an incorrect file extension into the File Repository of a project, and then changing the file’s extension using the “rename file” feature. For example, an attacker could take a file named “exploit.exe”, rename it to “image.jpg” on their local device, upload the file into the File Repository, rename the file to “image.exe”, and then trick another user into downloading it and executing it locally. Now, REDCap prevents users from modifying the file extension of any files uploaded into the File Repository. Note: The vulnerability does not pose a risk to the REDCap server since REDCap itself never executes any uploaded files, but this only poses a risk to users who may unwittingly download and execute the file. Also, the malicious user must have File Repository privileges inside a project in order to exploit this.
Minor security fix: When using Two-Factor Authentication, in which users are logging in and entering a 6-digit one-time passcode (OTP), there was no limit placed on the number of passcode submissions that can be attempted for a given user within a specific window of time. Thus, the passcode verification process was subject to brute force hacking (so long as the attempts did not exceed the general Rate Limiter setting in REDCap). This has been changed so that the passcode verification process cannot be utilized more than 10 times per minute. If exceeded, it will now return an error.
Major bug fix: When a survey participant clicks the “Save & Return Later” button on a survey, REDCap would mistakenly not always find the participant’s email address (from a designated email field or from the participant list) when loading the page that displays the return code. In some cases, another participant might be sent an email containing the original participant’s survey link for completing the survey. Note: Despite sending the survey link to the wrong participant, the other participant would not be able to see the original participant’s responses because they do not have the Return Code. (Ticket #140765, #217097)
Security improvement: If no value has been set for the system setting “Restricted file types for uploaded files” at the bottom of the Security & Authentication page, the following value will be set for that setting to prevent harmful files from being uploaded to the system: “ade, adp, apk, appx, appxbundle, bat, cab, chm, cmd, com, cpl, diagcab, diagcfg, diagpack, dll, dmg, ex, exe, hta, img, ins, iso, isp, jar, jnlp, js, jse, lib, lnk, mde, msc, msi, msix, msixbundle, msp, mst, nsh, php, pif, ps1, scr, sct, shb, sys, vb, vbe, vbs, vhd, vxd, wsc, wsf, wsh, xll”.
Improvement: When using the Field Bank in the Online Designer to search specifically within the NIH CDE Repository, a new checkbox option exists in the search utility called “Search NIH-Endorsed CDEs”. If this search option is checked, REDCap will search only for fields that are “NIH-Endorsed” in the NIH CDE Repository. NIH-Endorsed CDEs have been reviewed and approved by an expert panel, and meet established criteria.
Change/improvement: When using OpenID Connect authentication in specific situations, such as with Azure B2C, an optional “additional scope” value might need to be provided in order for authentication to function correctly. A new “Additional scope” setting has been added to the OIDC section of the Security & Authentication page for this, if needed. (Ticket #214076)
Bug fix: When using Multi-Language Management, a JavaScript error might occur when piping calculated fields under specific conditions.
Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with an 445 area code. (Ticket #216751)
Bug fix: When using Multi-Language Management, the option to “Create from file/from scratch” would mistakenly not be available on the Control Center MLM setup page when the corresponding language creation was disabled for projects.
Bug fix: The language variable “design_1054” mistakenly existed twice in the file “English.ini”.
Bug fix: If the settings “Allow normal users to edit their primary email address on their Profile page?” or “Allow normal users to edit their first name and last name…” are set to “Do not allow editing”, a user that knows how to make a specially-crafted POST request to a specific end-point or knows how to manipulate the Profile page’s user interface in a specific way would be able to modify their first/last name and/or email address, respectively.
Bug fix: When a user imports data via the Background Data Import option, the data import would get logged under the generic user “SYSTEM” since the import is literally performed by the REDCap cron job. However, this creates ambiguity in the logging with regard to which user initiated the specific import batch. To reduce ambiguity in all future imports performed via the Background Data Import, the logging page will now list the user as “SYSTEM” appended in parentheses by the user that initiated the import - e.g., “SYSTEM (john.doe)”.
Bug fix: When a user imports a Project XML file that is truncated (for whatever reason) and is thus does not represent properly structured XML, in some situations REDCap might still attempt to process the XML fully without any error message, which might result in some things not getting set correctly in the resulting project, possibly unbeknownst to the user. It now attempts to do a better job of detecting if the XML is properly structured, and if not, returns an error message explaining this.
Bug fix: When using “Azure AD OAuth2 & Table-based” authentication, users clicking the “Logout” link in REDCap would mistakenly not be successfully logged out of Azure AD. (Ticket #216423b)
Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with certain newer area codes, including 531 and 726. (Ticket #216751b)

Version 13.10.4 (released on 2023-10-11)

CHANGES IN THIS VERSION:

Major security fix: A Stored Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into specific POST parameters of an Online Designer related URL so that the custom JavaScript could be injected into the calculations of calc fields, @CALCTEXT, and @CALCDATE fields. Thus the custom JavaScript could be executed whenever anyone opens the data entry form or survey page. This could lead to privilege escalation if a malicious user tricks an administrator into viewing the instrument, thus potentially becoming an administrator themselves and able to access all projects and data. The user must be authenticated into REDCap and must have Project Design rights in order to exploit this in a project. Bug exists in all REDCap versions for the past 10 years.
Medium security fix: A user with Calendar privileges in a given project that knows how to make a specially-crafted POST request to a specific end-point might be able to edit or delete a calendar event in another project to which they do not have access.
Medium security fix: A user with Data Access Group privileges in a given project that knows how to make a specially-crafted POST request to a specific end-point might be able to rename or delete a DAG in another project to which they do not have access.
Change/improvement: When adding/editing a Descriptive Text field in the Online Designer, the text in the “Optional file attachment, image, audio, or video” section of the popup has been modified to instruct the user that the “Embed an external video” feature can be used for more than just videos but for websites and surveys too (i.e., the “Magic Box” feature, as some call it). The text has been changed to “Optional media to embed or attach:” and “Embed media (video, website, survey, etc.)”, respectively. Other relevant text in the popup has also been modified to refer to “media” more generically rather than “video”.
Improvements to AAF Authentication:
Clearer instructions are provided to admins when setting up AAF authentication on the Security & Authentication page.
AAF authentication now allows administrators to define multiple eduScopeTarget attributes that identify an authenticating user as a ‘local’, thus allowing sites to enable users from multiple institutions to create projects.
AAF authentication now allows administrators to control which users are added to the Email Users page. Previously this was either Yes (all users) or No (no users). Now, the options are All Users, None, and Locals Only.
When a user logs in for the first time via AAF, the Organization Name of their Identity Provider is now added to the Institution ID field in their User Profile. This change is not retroactive; existing users will not have their organization added to their profile automatically.
When an AAF user logs in for the first time, it now logs the event.
Bug fix: When using Multi-Language Management, REDCap’s auto-logout feature would mistakenly not work on the MLM setup page in some circumstances. (Ticket #216234)
Bug fix: When using MyCap, the “No Fields” error might mistakenly not be displayed in the Online Designer if non-MyCap fields are added at the end of an instrument.
Various updates and fixes for the External Module Framework, including 1) Avoided additional eval false positives during scans, 2) Added scan support for local paths to zip files, and 3) Improved constructor scan output.
Bug fix: When printing an instrument via the option “Download this survey with saved data (via browser’s Save as PDF)”, a vertical line/shadow would mistakenly appear on the left side of the resulting PDF.
Bug fix: When using Multi-Language Management, a specific warning was mistakenly not translatable via the MLM setup page.
Bug fix: When using “OpenID Connect & Table-based” authentication, users clicking the “Logout” link in REDCap would mistakenly not be successfully logged out of OIDC. (Ticket #216423)
Bug fix: When using Multi-Language Management, “style” HTML tags that span over multiple lines would mistakenly not work as expected when MLM is active.

Version 13.10.3 (released on 2023-10-05)

CHANGES IN THIS VERSION:

Improvement: When setting up recurring Alerts & Notifications, users can now set the repeating interval value as a number with a decimal (in previous versions, the value could only be an integer). This will allow users to approximate the interval of a monthly recurring alert as 30.44 days since it is currently not possible for recurring alerts to be scheduled on exactly the same day and time each month. To help users, a note has been added in the repeating survey section of the alert setup dialog to inform them how to approximate a month as 30.44 days. (Ticket #215860)
Major bug fix: A user with “Alerts & Notifications” privileges in a given project that knows how to make a specially-crafted POST request to a specific end-point used for “Alerts & Notifications” functionality might be able to delete any general uploaded file that belongs to the project, whether it be an attachment uploaded via the rich text editor, a file uploaded to a File Upload field, a Descriptive Text field attachment etc. This user could potentially delete the stored edoc file for any of those such places in the project. However, it is important to note that the user can only delete files within their own project to which they have access. They cannot delete files in other projects to which they do not have access.
Major bug fix: If survey invitations have been scheduled manually (i.e., not via ASI) with one or more reminders, the unsent/scheduled reminders would mistakenly not be automatically removed whenever the participant completes the survey. (Ticket #203090)
Change: In Multi-Language Management, the “Default” language term has been renamed to “Base Language” on the MLM setup page and in various documentation for improved clarity regarding the purpose and function of the Base Language in MLM.
Change: When using MyCap in a project, the instructional text in the individual “Invite Participant” popup has been modified slightly to cater better to whether the project has been transitioned to use the new MyCap mobile app or not.
Bug fix: The end-points used for deleting instruments and fields in a project were mistakenly using a GET request (rather than a POST request), which could make it easier for a user to get tricked into unwittingly deleting an instrument or field if a malicious user sent them a specially-crafted link to click. Such a situation would not cause any permanent damage (e.g. no data would ever be deleted), and it could be easily fixed by re-adding the instrument/field back.
Bug fix: When using a CDIS service (CDM or CDP) to pull data from an EHR, when dealing with date values used in the FHIR requests to the EHR system, some dates might mistakenly be converted to the current timezone. This has been fixed to ensure that the date conversion only occurs in the response received from the FHIR system.
Bug fix: When using the Protected Email Mode feature, in which an alert is set up with an attachment file and the alert is set not to send immediately but at some later time, after the alert is triggered and the email is sent, when the recipient views the email on the Protected Email Mode page, the attachment would mistakenly not be downloadable on the page but would display an error when attempting to be download it. (Ticket #212760)
Bug fix: The hook functions “redcap_survey_page_top” and “redcap_survey_page” might mistakenly be provided with an incorrect DAG group_id value for records that have not yet been created, such as when viewing the first page of a public survey. In these cases, it would provide the DAG group_id of record “1” in the project if there exists a record named “1” when instead the group_id should be NULL. (Ticket #215884)
Bug fix: The Unicode Transformation process might mistakenly not convert data in some database tables that have a “project_id” column in which the project_id value in the table is NULL. (Ticket #215615)
Bug fix: Several PHP 8 compatibility issues when using certain MyCap pages/processes.
Bug fix: When uploading a CSV file using the Background Data Import, in which the record ID field is included in the data file but many rows in the file have no value provided for the record ID field (i.e., it’s blank), the import process could mistakenly go into an infinite loop until the script times out, which might cause the process to get stuck in “Initialization” status and thus can’t be canceled or removed.
Bug fix: In specific cases where the REDCap::saveData() method is being called, including data imports from the new MyCap mobile app, the process might mistakenly crash when using PHP 8. (Ticket #215928)
Change: A note was added to the Smart Variable documentation, specifically for the charts, to denote that when using multiple fields in the chart, the data used in the chart will be naturally grouped from the same event and/or repeating instance. For example, if you’re plotting age vs weight in a scatter plot in a longitudinal project, it will only create points in the plot where both the age value and weight value exist on the same event. If one or both values are missing from a given event in a record, then no point can be plotted for that given record.
Bug fix: The @NOW-SERVER action tag would mistakenly not set the correct value for many time-validated field types, such as a Text field with “time_hh_mm_ss” validation, whenever an instrument/survey is loaded. Instead, it might set the value as the user/participant’s local time (according to their browser). (Ticket #216135)
Bug fix: When using Multi-Language Management, for Yes/No and True/False fields, “No”/“False” was mistakenly shown instead of their associated translation in some places (e.g., Codebook). (Ticket #216265)
Bug fix: Several different features in REDCap, in which an AJAX call returns JSON-encoded data, might get misinterpreted and thus would fail because the request failed to have the “Content-Type: application/json” header set. This would only occur for certain web server configurations. (Ticket #214401)

Version 13.10.2 (released on 2023-09-28)

CHANGES IN THIS VERSION:

Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a specially crafted way into the URL on the Data Import Tool page. This bug only affects REDCap 13.8.0 and higher.
Improvement: The Logic Editor is now utilized when an administrator is adding/editing the SQL query for a Dynamic SQL Field.
Change/improvement: A new check was added to the Configuration Check page that will alert the administrator if the PHP.INI configuration file used by the REDCap cron job has a timezone setting that differs from the timezone setting in the main PHP.INI file used by the web interface (but only if more than one PHP.INI is utilized). If the timezone settings differ, it warns that one must be changed so that they are the same, otherwise the cron job may not run correctly.
Bug fix: When renaming a record, the record name would mistakenly not get renamed on the Email Logging page. This would not cause any issues other than the Email Logging saying that an email belongs to the wrong record. (Ticket #215100)
Bug fix: The Unicode Transformation process might mistakenly not display correct information regarding whether or not some specific steps in the process need to be completed.
Bug fix: The “field suggest” feature when using the Logic Editor was mistakenly no longer appearing as of REDCap 13.7.13 LTS and 13.9.3 Standard Release. (Ticket #215285)
Bug fix: When using the Clinical Data Mart design checker’s “fixDesign” process, a fatal PHP error might occur in certain situations.
Bug fix: Some project pages might fail with a fatal PHP error when using PHP 8 due to the calling of an undefined PHP constant in the External Module Framework. (Ticket #215348)
Bug fix: When transitioning a MyCap-enabled project to use the new MyCap mobile app, some survey-related settings might mistakenly not be updated during the process (assuming they were being used to store the participant QR code and/or direct link), specifically the survey confirmation email body and the ASI email body.
Bug fix: When using Multi-Language Management, the “Access Denied!” a message that appears on data entry forms when a user has no access was mistakenly not a translatable element in MLM. (Ticket #215504)
Bug fix: In a MyCap-enabled project, slider labels (displayed above or next to the slider) were not displaying correctly in the MyCap config JSON and thus might cause issues in the MyCap mobile app.
Bug fix: When using MyCap in a project while publishing a new MyCap app version, in which a task exists with non-fixable errors, the success message popup will display a warning along with a success message that some tasks were not published due to errors.
Bug fix: When using the Data Resolution Workflow along with Data Access Groups in a project, if a user attempts to assign a data query to a user, in some situations the drop-down list of assignable users would mistakenly list users that are not currently eligible to be assigned to the data query because they are not currently assigned to the record’s DAG. It should only list users that are currently in the record’s DAG (or users not in any DAG) if the record itself is assigned to a DAG. (Ticket #213770)
Bug fix: When using CDIS, the SMART on FHIR authentication process was causing incorrect scope levels to be applied, specifically impacting Cerner users. The issue prevented the proper assignment of the “user” level during authentication, thus potentially leading to authorization errors.
Bug fix: The auto-fill form/survey feature for administrators might mistakenly fail for most/all time validated fields. (Ticket #215684)
Bug fix: When an [X-event-name] Smart Variable is prepended to a field variable (especially in combination with an [X-instance] Smart Variable) in logic, calculations, or piping, it might cause the evaluation of the logic/calc/piping not to be performed successfully. For example, for [previous-event-name][field], the direct previous event might be used when instead the previous designated event for that field’s instrument should be used. (Ticket #214317, #213503)
Bug fix: If using an HTML “style” tag inside user-defined text (e.g., field label, survey instructions), the CSS styles inside the tags might mistakenly not work on the page if line breaks or carriage returns occur anywhere inside the opening and closing style tag. (Ticket #215693)

Version 13.10.1 (released on 2023-09-22)

CHANGES IN THIS VERSION:

Improvement: The MyCap Help document has been updated, and a new Transition Guide has been added to help inform users regarding the process of transitioning to the new MyCap mobile app from MyCap Classic (the guide is linked in the popup that notifies users about transitioning). Additionally, a new PDF displaying a list of all MyCap app features has been linked in several places where MyCap documentation is located, in which the PDF compares the features of the new MyCap app with the previous MyCap Classic app.
Major bug fix: When using randomization while in production status, if a user is uploading a new allocation table to be appended to the existing production allocation table, in which the development allocation table happens to exactly match all the production allocations after the allocation upload has occurred, all the production allocations would mistakenly be erased, which would also remove the “randomized” status for any already randomized records. This is extremely rare, but is extremely destructive and difficult to restore back to its previous state.
Change/improvement: Slight performance improvement when loading the Logging page in some projects.
Change/improvement: In the External Module Framework, the $module->redirectAfterHook() after hook method was added.
Bug fix: When viewing the MyCap participant list, the Baseline Date might mistakenly be displayed in an incorrect date format.
Bug fix: A user that does not have Project Setup privileges in a project could potentially exploit a missing user rights check on the endpoints where field attributes are modified in the Online Designer by crafting special HTTP requests to those specific endpoints. This does not allow the user to do anything other than add new fields or edit the attributes of existing fields.
Bug fix: When viewing the Record Status Dashboard in certain cases when using PHP 8, the page might crash with a fatal PHP error. (Ticket #214370)
Bug fix: When users make API requests, the full API token was mistakenly being logged in the redcap_log_view table for each request. This is not typically an issue because such values in that table are not exportable via the front-end user interface but are only accessible via direct database access. However, if some institutions are sending the full export of their redcap_log_view table to their local security office, the logging of the API token in that table could be problematic. The API token will now be redacted in the redcap_log_view table. (Ticket #214322)
Bug fix: When users delete or regenerate their API token in a project, the value of the old token was mistakenly not being logged on the project’s Logging page.
Bug fix: Fixed issue with the CDIS “Break the Glass” feature. When attempting to restore a serialized list of patients, an error is thrown due to the DateTime class not being listed within the “allowed_classes” parameter of the unserialize function. (Ticket #214670)
Bug fix: An administrator with only “Install, upgrade, and configure External Modules” admin privileges might not be able to view certain External Module pages or perform certain External Module operations, such as accessing the EM Manage page in the Control Center. (Ticket #214721, #214722)
Bug fix: An issue might occur when downloading a file from a File Upload field when REDCap is hosted on Google Cloud Platform due to the usage of an unnecessary project_id prefix for Google bucket file storage.
Bug fix: The notification for the Unicode Transformation process on the Configuration Check page might mistakenly not be displayed on the page anymore after step 2a of the process has been completed. It should not go away until all 4 of the steps are completed.
Bug fix: When attempting to access the “App Data Dumps” on the REDCap Mobile App page in a project, if any of the data dump files somehow can’t be found in the file system (which would be unexpected), the page would crash with a fatal PHP error. From now on, it will merely skip any files in this situation. (Ticket #215007)
Bug fix: When date or datetime fields are piped into the choice label of a drop-down field, in which the date/datetime field has MDY or DMY date format and also exists on the same page as the drop-down field, the date/datetime values might not get piped in the correct format but may appear in the drop-down as a mangled date/datetime value.
Bug fix: Minor MyCap-related bug fixes and UI changes.

Version 13.10.0 (released on 2023-09-08)

CHANGES IN THIS VERSION:

New feature: Longitudinal functionality for MyCap-enabled projects - In previous versions, longitudinal projects could not utilize MyCap (the feature would be disabled automatically). Now with the release of the new MyCap mobile apps on Android and iOS, longitudinal functionality is possible and is supported in the new MyCap mobile app. For any projects currently using MyCap, there will be a “transition” button on the MyCap Participants page that will allow the users to transition the project and any existing participants to use the new MyCap mobile app (note: this transition process is completely optional and not required unless wanting to use longitudinal functionality and other new MyCap features). The older MyCap mobile apps will still be available and updated in the Apple App Store and Google Play Store for the time being.
Medium security fix: The Chart.js JavaScript library that is included in REDCap contains a bundled version of the Moment.js library, which contains a security vulnerability in that specific version. The bundled Moment.js library has been removed. It does not need to be replaced since REDCap already has the latest version of Moment.js included separately already.
Improvement: Enhancements to the Codebook page - For longitudinal projects, a table of all events names is displayed near the top of the page. If events and/or missing data codes exist, the table of them may be included in or excluded from the page printout via a checkbox at the top right corner of their table. Also, in the printout of the page, the time and project title are now displayed.
Bug fix: The newer background process that helps prune abandoned/zombie database processes might mistakenly be preventing some important processes from finishing, such as data fetching for CDIS (both CDM and CDP), data exports, and also the Easy Upgrade process.
Various updates and fixes for the External Module Framework
Miscellaneous security scan improvements.
Replaced the setRoleForUser() implementation with UserRights::updateUserRoleMapping() so that logging would be included automatically.
Control Center module list improvements: 1) Sorted the list of modules to enable by name, 2) Improved module list load time when modules with updates are not enabled anymore, 3) Displayed modules that are still enabled even though their directories are missing, and 4) Cached settings to improve module list load time.
Bug fix: When using Azure AD V1 for authentication, the setting “AD attribute to use for REDCap username” on the Security & Authentication page mistakenly listed the employee ID attribute as “employeeID” when it should instead be “employeeId”. This could prevent proper authentication if that option was selected. (Ticket #213619)
Bug fix: When using the Survey Login feature and a survey participant begins a new survey while their survey login session is still active, the survey instructions would mistakenly not be displayed on the page by default. (Ticket #212987)
Bug fix: When exporting a project as a Project XML file and then creating a new project from the XML file, if the Survey Login feature had been utilized and the Survey Settings checkbox had been checked when exporting the XML file, the Survey Login settings would mistakenly not get transferred into the newly created project. (Ticket #212987)
Bug fix: When using the Custom Record Label on a multi-arm longitudinal project, if an “ad hoc” calendar event is created and is attached to a specific record, the Custom Record Label might mistakenly not be displayed when viewing the calendar event in the calendar popup window. (Ticket #23367b)
Bug fix: When adding a new instrument in a MyCap-enabled project, the Online Designer page might mistakenly crash with a fatal PHP error when using PHP 8. (Ticket #213817)
Bug fix: When enabling Mosio SMS Services on a project, it would mistakenly allow users to enter a Mosio API Key that is already being used by another REDCap project. This should not be allowed. It will now prevent a user from entering a Mosio API Key if that key is already being used by another project. Additionally, if two projects already are using the same Mosio API Key before upgrading to this REDCap version, the Mosio configuration popup will auto-disable the SMS Conversation option to prevent both projects from using the same Mosio API Key, which could cause issues specifically when using the “Initiate survey as SMS conversation” option. (Ticket #213376)
Bug fix: An error was thrown during the deserialization of CDIS messages. The issue was caused by the DateTime class not being included in the list of allowed classes for deserialization.
Bug fix: When using Multi-Language Management, branching logic based on a field set by the action tags LANGUAGE-CURRENT-FORM/-SURVEY would mistakenly not work when the field is a text box field.
Bug fix: REDCap’s internal function for copying files would mistakenly fail to copy files when using Google Cloud Storage as the file storage system. (Ticket #213946)

Version 13.9.3 (released on 2023-08-31)

CHANGES IN THIS VERSION:

Minor security fix: A DOM-based Cross-site Scripting (XSS) vulnerability was discovered on all project-level pages that could possibly be exploited if a malicious user is able to manipulate the JavaScript “location” interface/variable in specific ways.
New action tag: @MC-PARTICIPANT-CODE - This action tag is a MyCap annotation that can be used with Text fields. When using this action tag on a field, the field will capture the MyCap participant’s participant code whenever they join a project via the MyCap mobile app. NOTE: This is used only for the MyCap mobile app. The field’s value is not generated when viewing the data entry form but only when the MyCap app is making a call to REDCap when the participant joins the project. Additionally, while this action tag can be added to a new field in already-existing MyCap projects, a field with this action tag will be auto-added to any projects where MyCap is enabled in the project after the fact and for any new projects created using the MyCap project template.
Improvement: When viewing the Survey Access Code dialog on the Public Survey Link page, users may now click a button to copy the QR code to their clipboard. Additionally, users may now click the QR code to download it or click a link below the QR code to download it in the higher resolution SVG format, if desired.
Bug fix: When pulling data from an EHR system via CDIS, date filters were not being correctly applied when fetching temporal data. (Ticket #212894)
Bug fix: FHIR stats were mistakenly counted in DDP (Dynamic Data Pull) projects when using CDP (Clinical Data Pull) auto-adjudication.
Bug fix: When using Table-based authentication and a user has somehow been granted access to a project and added to a user role (e.g., via user role CSV upload) despite the fact that the username does not exist as a real user account in the system, it would be impossible to remove the user from their role, to re-assign them to another role, or ultimately to remove them from the project. (Ticket #207764)
Bug fix: When viewing the Online Designer in a MyCap-enabled project, the “Enable” button for enabling MyCap for a given a data collection instrument would mistakenly be disabled, thus preventing users from enabling the instrument as a MyCap task, if the instrument’s first field was part of a matrix of fields. (Ticket #213075)
Bug fix: When viewing the Stats & Charts page for a given report and clicking the “Missing” link to view a list of missing values, it might mistakenly display many false positives of repeating instances that do not really exist in the data. (Ticket #211913)
Bug fix: When clicking the “Enable color-blind accessibility” displayed below a pie or donut Smart Chart on a data entry form or survey page, it would send the user/participant to a non-existent page, thus resulting in a 404 error. (Ticket #211920)
Bug fix: When using “Azure AD OAuth2 & Table-based” authentication together with Duo two-factor authentication (2FA), after a user successfully logs in via Table-based authentication, they would mistakenly not be redirected to the Duo OAuth2 page for two-factor authentication. (Ticket #211697)
Bug fix: When using the Azure Communication Services Email API, the email functionality would fail to work if the Services Endpoint value did not end with a slash ("/").
Bug fix: When using Multi-Language Management, the text “(Place a mark on the scale above)” that is displayed below Slider fields was mistakenly not translatable via MLM. It has now been added.

Version 13.9.2 (released on 2023-08-25)

CHANGES IN THIS VERSION:

Major bug fix: If a repeating Automated Survey Invitation has been enabled in a project in which one or more records have triggered the ASI initially, if the ASI was then disabled for a certain amount of time and then re-enabled later, after which a user or participant triggered an ASI in any project in which the ASI is set to send immediately, it would mistakenly cause the repeating ASI in the original project to send/schedule hundreds or thousands of invitations for each record that was originally triggered in that original project. This issue was caused by the invitation-sending function being called recursively when an individual record triggers an ASI. (Ticket #210378)
Change/improvement: When executing Data Quality rules, the Logging page now lists the specific DQ rule by name that was executed in the logged event, whereas previous versions merely stated “Execute data quality rule(s)” generically in the Logging. (Ticket #207900)
Change/improvement: If a longitudinal project contains one or more records, and a user moves a field to a different instrument via the Online Designer, a warning will be displayed saying that moving fields to other instruments might potentially cause the orphaning of data, in which it tells the user to double-check their instrument-event mappings to ensure that no orphaning/data loss has occurred. And if it has, it tells the user that they can move the field back to its original instrument to restore any orphaned data. (Ticket #211829)
Bug fix: In certain instances, the “Download PDF of instrument(s) via browser’s Save as PDF” feature may mistakenly not show all the text for Notes Box fields in the resulting PDF if the Notes Box fields contain a lot of text. (Ticket #211228)
Bug fix: The feature to compare data dictionaries/revisions on the Project Revision History page might produce unexpected results in which the comparison does not display the correct results. (Ticket #208391)
Bug fix: Descriptive Text fields would mistakenly not be returned when a user searches for fields via the Field Finder on the Codebook page. (Ticket #212763)
Bug fix: After modifying the schedule of an existing record on the Scheduling page, the logged events of schedule modifications would correctly appear on the Logging page by default, but some of the schedule-related logged events would not appear on the Logging page when using the “Filter by record” option for that specific record. Note: This will be fixed for all schedule modifications going forward, but all existing logged events for schedule modifications cannot be fixed retroactively. (Ticket #208481)
Bug fix: When calling the API Export Records method to retrieve data in “odm” format from a project that contains data for repeating events, if the “fields” parameter is provided in the API call and does not contain any field utilized on a repeating event, the resulting XML might mistakenly be malformed and not structured correctly. (Ticket #208787)
Bug fix: Administrators that have “Perform REDCap Upgrades” privileges would receive an error message when attempting to use the Easy Upgrade feature if they did not also have some other admin privileges. This has been fixed so that only “Perform REDCap Upgrades” privileges are needed to perform an upgrade. (Ticket #211957)
Bug fix: When using the @DOWNLOAD-COUNT action tag in which the field being referenced by the action tag exists on the same page, if users or participants download the file using their browser’s right-click “Save as” option (as opposed to directly clicking it), it would mistakenly not register as a download to be incremented for the count field on the page. Although the server-side call to download the file via “Save as” would increment the counter field’s value on the back-end, the front-end value would now be out of sync. There’s no way to change the counter on the page from being temporarily out of sync, but REDCap will now auto-fix the value after the form/survey is submitted in order to reconcile the true count value and save it to the counter field. In summary, this fix should ensure that the counter field’s value is correct whether or not someone downloads the file with a normal click or via the right-click “Save as” option.
Bug fix: When modifying any of the drop-down fields in the Survey Design Options section of the Survey Settings page for a given instrument, it would cause the Cancel button at the top or bottom of the page to no longer work unless clicked many times. (Ticket #211204)
Bug fix: Several files located in the /redcap/webtools2/pdf/ subdirectories are no longer compatible with PHP 8.2.0 and higher. In addition to fixing the compatibility issues with PHP 8.2, all the files in /redcap/webtools2/pdf/ have now been incorporated directly into the REDCap version directory so that they can be kept up to date on an ongoing basis with future versions of PHP. (Ticket #211377)
Bug fix: If the File Storage method for REDCap is set to “Google Cloud Storage using API Service Account”, downloading the Instrument Zip file of an instrument that is enabled as a survey and contains a survey logo would mistakenly fail due to a fatal PHP error. (Ticket #212967)
Bug fix: When entering a non-URL value (e.g., field variables, Smart Variables) into the “Embed an external video” text box while editing a Descriptive Text field in the Online Designer, it would mistakenly prepend “http://” to the beginning of the value entered.
Bug fix: Public reports and public project dashboards might not display optimally when viewed on mobile devices, such as images appearing too large or the report table going outside of its parent box.
Bug fix: In certain situations, the Background Data Import feature might mistakenly cause the cron job to fail with a fatal PHP error when running PHP 8. (Ticket #213086)

Version 13.9.1 (released on 2023-08-18)

CHANGES IN THIS VERSION:

Bug fix: When using the Designate Instruments page in a longitudinal project while running PHP 8, editing the event grid may result in an error message, preventing the edits from being saved. This issue was supposedly fixed in a previous issue but mistakenly was not. (Ticket #212677)

Version 13.9.0 (released on 2023-08-17)

CHANGES IN THIS VERSION:

New text string functions
replace_text (haystack, search, replace) - Replaces parts of a text value with a specified replacement text value - Finds text (“search”) inside another text (“haystack”) and replaces all found occurrences with the given text (“replace”). For example, assuming [field1] has a value of “Paul Taylor, Rob Taylor”, replace_text([field1], “Taylor”, “Harris”) would result in “Paul Harris, Rob Harris”. Note: This function performs a case-sensitive replacement. Additionally, you can search for line breaks (e.g. in Notes fields) with “\n”.
concat_ws (separator, text, text, …) - Joins the text from multiple text strings with a separator - This works exactly like concat but inserts the separator in between each concatenated item. For example, concat_ws(" and “, [veggie1], [veggie2], “Tomatoes”) might result in “Peas and Carrots and Tomatoes”.
New math functions
mod (dividend,divisor) - Modulo - Returns the remainder of the (integer) division (modulo) dividend/divisor. Both values must be integers. E.g. mod(10,4) will result in 2 because 2 is the remainder of 10 divided by 4.
exponential (number) - Exponential of e - Returns “e” (Euler’s Number) raised to the power of a number: e^x. Note: The value of the exponent x must be a number. E.g. exponential(1) will return 2.718281828459045.
New feature: Azure Communications Email API Integration
As an alternative for sending outgoing emails from REDCap (rather than using the standard settings in PHP.INI to send them natively from the web server), you may use Azure Communications Email API, which is a third-party paid service that can send emails on behalf of REDCap.
The option can be configured on the General Configuration page in the Control Center. You merely have to provide the API key and services endpoint for your Azure Communications account, and it will begin using the Azure Communications Email API to send all emails going out of REDCap. Note: This email service must be used together with REDCap’s Universal “From” Address (located on the General Configuration page) using an authorized sender address in one’s Azure account.
Limitations: Due to limitations in the implementation of this API by Microsoft/Azure, this email-sending method is not able to display inline images in the body of emails, but any inline images will instead be represented as regular attachments. Additionally, the true sender’s email address and display name are not able to be displayed to the recipient in their email client, thus the recipient will only see the REDCap Universal ‘From’ Address as the sender with no corresponding display name.
Improvement: The full file name of a file uploaded to a File Upload field will be displayed when a user hovers over the file download link. This is helpful when the file name is very long and is thus not displayed in full on the page. (Ticket #93790)
Improvement: CDIS now has the ability to check the system capabilities of a FHIR conformance statement retrieved from a FHIR server. Based on the capabilities mentioned in the conformance statement, REDCap will dynamically disable any FHIR resources that are not available. Without this new check, users might not be aware of the resource availability on a particular FHIR system, and they could inadvertently select resources that are not supported, which could result in errors when attempting to fetch these unsupported FHIR resources.
Change/improvement: When performing a bulk import of new Table-based users via CSV file in the Control Center, the CSV file will now use the user’s preferred CSV delimiter as specified on their Profile page. In previous versions, the page only accepted comma-delimited CSV files.
Change/improvement: When using Multi-Language Management and exporting CSV files of the MLM translations, a byte-order mark (BOM) is now added to all CSV files to allow them to be opened successfully in Excel.
Bug fix: When using the EHR launch window for Clinical Data Pull, the REDCap page embedded in the EHR might mistakenly not display any CDP projects for the user for the relevant patient. (Ticket #211654)
Bug fix: When using CDIS, while REDCap is processing a bundle of FHIR resources, a PHP warning could be thrown if the FHIR bundle has no entries.
Bug fix: In certain places throughout REDCap, the rich text editor might mistakenly display the “Insert/edit media” button on the editor toolbar. This was added unintentionally, and in most (if not all) cases, attempting to add media using that button would not be successful. That media button has now been removed from the editor. (Ticket #211132)
Bug fix: Certain pages in REDCap were mistakenly no longer compatible with iPads/Mobile Safari. Bug emerged in REDCap 13.8.3. (Ticket #202806d)
Bug fix: When using the Designate Instruments page in a longitudinal project while running PHP 8, editing the event grid may result in an error message, preventing the edits from being saved. (Ticket #211983, #211837)
Various updates and fixes for the External Modules Framework, including preventing deleted, completed, and in-analysis projects from appearing in module setting dropdowns.
Bug fix: When using Multi-Language Management, the MLM page in the Control Center might mistakenly not export the MLM usage stats in a way that the file can be opened successfully in Excel. (Ticket #211875)
Bug fix: For certain server configurations, Send-It might cause some files to be corrupted when downloaded by the recipient. (Ticket #212072, #208036)
Bug fix: When a user is running Data Quality rule A or B, it might mistakenly return checkbox fields as discrepancies. As noted by the single asterisk at the bottom of the Data Quality page, rules A and B note that “checkbox fields are also excluded since an unchecked checkbox is itself often considered to be a real value.” (Ticket #212048)
Bug fix: When performing an API Metadata Import, a data dictionary snapshot would mistakenly be taken after the new metadata was saved via the API call when instead the snapshot should be taken immediately beforehand during this metadata import process.
Bug fix: In certain edge cases that involve the Records::getRecordList() method being called by a REDCap plugin, a fatal PHP error might occur when using PHP 8 if the “pid” parameter does not exist in the current URL but has been set as $_GET[‘pid’] manually by the plugin itself. (Ticket #212232)
Bug fix: If a checkbox field contains a choice coding that contains a period, in which there exists another choice coding with the same value if the period is excluded (e.g., “2” vs “2."), those two choices would get mistakenly conflated as the same import/export version of the checkbox variable name, which could cause issues with data exports and reports not displaying correctly. From now on, any periods existing in a checkbox coding will be converted to an underscore in the resulting import/export variable name, whereas in previous versions the period was removed completely from the variable name. (Ticket #211904)
Bug fix: In certain situations, the Background Data Import feature might mistakenly cause the cron job to fail with a fatal PHP error when running PHP 8. (Ticket #212276)
Bug fix: When importing a missing data code for a field that has a min/max validation range, the data import process would mistakenly return an error saying that the missing data code value was out of range. Instead, it should allow the missing data code value to be imported. (Ticket #211903)
Bug fix: Using the function isblankormissingcode() in a calculation for non-numeric missing data codes might mistakenly cause the server-side rendering of the calculation (e.g. Data Quality rule H) to return an incorrect value. (Ticket #212145, #212178)
Bug fix: If a field has the @CALCTEXT action tag and also has date/datetime validation, server-side processing of the calculation (e.g., Data Quality rule H) might mistakenly fail to save a new/correct value for the @CALCTEXT field. (Ticket #211780)
Bug fixes and changes for CDIS: A patient’s address might not be parsed correctly in the FHIR payload, and PHP 8 related errors were occurring when pulling Observations data.
Bug fix: When exporting a PDF of an instrument containing data via the API, the Logging page would mistakenly display the project ID in place of the record name in the Action column of the Logging table for this logged event. This will be fixed so that it will resolve this issue for both past logged events and future logged events. (Ticket #212245)
Bug fix: Some folders in the File Repository might mistakenly not display due to a DataTables error caused by the JSON-encoding of mangled UTF-8 characters in the descriptions and attributes of the files being displayed in the file list. (Ticket #208637)
Bug fix: If a Notes field is embedded inside a checkbox field’s choice label on a survey that has “enhanced radio buttons and checkboxes” enabled, the checkbox choice would mistakenly get unchecked whenever the participant clicked or focused their cursor on the Notes field. Note: This does not affect embedded Text fields but only Notes fields. (Ticket #210763)
Bug fix: If the query of a Dynamic SQL field begins with “select” followed immediately by a line break or carriage return (as opposed to a space), the Dynamic SQL field would not return any results and would not display any drop-down options. (Ticket #212474)
Bug fix: If using an HTML “style” tag inside user-defined text (e.g., field label, survey instructions), the CSS styles inside the tags might mistakenly not work on the page if line breaks or carriage returns occur anywhere inside the opening and closing style tag. (Ticket #211394)
Bug fix: When using an [aggregate-X] smart variable in a calculation or CALCTEXT field, depending on the context the calculated value might not always get saved successfully, and additionally the Logic Editor might note the calculation to have errors when it in fact does not. (Ticket #211063)

Version 13.8.5 (released on 2023-08-03)

CHANGES IN THIS VERSION:

Improvement: New background process that will help prune abandoned/zombie database processes (e.g., long-running queries that continue running on the database after a user has left the page on which the query is being run) that might decrease the overall performance of the database server. This process is performed every couple minutes by a cron job. This may or may not result in a noticeable database performance improvement.
New action tag: @MC-PARTICIPANT-JOINDATE - This action tag is a MyCap annotation that can be used with Text fields with date/time validation. When using this action tag on a field, the field will capture the install date/time of the MyCap participant whenever the participant joins a project via the MyCap mobile app. NOTE: This is used only for the MyCap mobile app. The field’s value is not generated when viewing the data entry form but only when the MyCap app is making a call to REDCap when the participant joins the project. Additionally, while this action tag can be added to a new field in already-existing MyCap projects, a field with this action tag will be auto-added to any projects where MyCap is enabled in the project after the fact and for any new projects created using the MyCap project template.
Improvement: The Data Import Tool page now provides options in Step 1 to download the Data Import Template with alternative delimiters, such as tabs and semicolons.
Change/improvement: The favicon was updated to a higher resolution image.
Change/improvement: The Send-It page now checks the filesize of the file before the user attempts to upload it in order to ensure the file is not larger than the max allowed size. In previous versions, its filesize would only be checked after it had been uploaded.
Change/improvement: Better memory management for some CDIS-related cron jobs.
Bug fix: If a user has created a File Repository folder that is Data Access Group restricted or User Role restricted, and then a user deletes the DAG or User Role to which the folder is restricted, the folder would mistakenly be deleted, after which all of the files in the folder would be automatically moved into the main top-level folder in the File Repository. This has now been changed so that if a folder is restricted to a User Role, the folder will no longer be deleted when the User Role is deleted, but the folder and its files will remain as not restricted to any role. And if the folder is restricted to a DAG, users will simply be unable to delete the DAG until all its DAG-restricted folders are deleted first. (Ticket #210829)
Bug fix: If a user is utilizing the “Upload users (CSV)” method to update user privileges on the User Rights page, in which a user is being assigned to a Data Access Group or is being removed from a DAG, the upload process would mistakenly not log the DAG assignment/removal on the Logging page. (Ticket #210831)
Bug fix: If a longitudinal project is in production, a normal user with Project Design privileges on the “Designate Instruments for My Events” page could possibly remove an Instrument-Event mapping (i.e., uncheck a disabled checkbox in the mappings table), which they are not allowed to do to projects in production, if they know how to manipulate the webpage in specific ways and then click the Save button.
Bug fix: When using the Calendar Sync feature, calendar events that do not have a time specified (but only a date) might reflect an incorrect start time and end time in some external calendar applications. (Ticket #211137)
Bug fix: When using an HTML5 video tag in user input text (e.g., field labels, survey instructions), in which the tag contains the “controls” attribute, the attribute would mistakenly be renamed to “cremoved” in the resulting HTML. (Ticket #211141)
Bug fix: For CDIS, fixed issues related to properly handling the absence of a valid FHIR access token, such as FHIR logs being saved with a “wrong format” error and also scenarios where the absence of a user ID caused unexpected behavior.
Bug fix: When using Multi-Language Management and exporting general settings as a file, the data entry form and survey active states would mistakenly be swapped in the export file. (Ticket #211172)
Various fixes and changes for the External Module Framework, including 1) miscellaneous security scan improvements, and 2) action tag documentation may now be added to an EM’s config.json for display in the list of action tags available on a project.
Bug fix: When a user is using the User Access Dashboard to delete or expire a user’s access in a project, in some cases the action would mistakenly not get logged on the project’s Logging page (although the action would be logged in the redcap_log_event database table, which might not be used by the project, thus making the logged event not accessible on the project’s Logging page).
Bug fix: When using Missing Data Codes in a project, in which a Text field with field validation has the @nomissing action tag, users would be able to manually hand-enter Missing Data Codes into the Text field, even though the value entered failed the field validation.
Bug fix: When performing a data import that contains blank values for a Slider field, in which the import is set to allow blank values to overwrite existing saved values, the import process would mistakenly return an error message saying that the value must be an integer. It should instead not return any error message in this situation. (Ticket #211075)
Bug fix: When a user has an apostrophe in their username, and the user goes to create a new project, they may not be able to access the project they just created. (Ticket #210832)
Bug fix: The act of creating or editing an alert on the Alerts & Notifications page would get logged on the Logging page. However, the Logging page would represent the alert’s “trigger_on_instrument_save_status” attribute incorrectly, displaying “any_status” when the alert is set to be triggered when an instrument is saved with Complete status only and as “complete_status_only” when set to be triggered on any form status. Note: The alert itself would be saved correctly, but the logged event for creating/editing the alert would merely be inaccurate. (Ticket #210832)
Bug fix: In some cases when an external module is being used, a fatal PHP error might occur for certain PHP versions. (Ticket #211611)
Bug fix: When a field variable is being piped or used in logic, and the field is prepended with the Smart Variable [first-event-name] or [last-event-name], in which the current context is a different instrument on which the field itself is located, the event field pair might result in a blank value or an incorrect value. (Ticket #210930)

Version 13.8.4 (released on 2023-07-28)

CHANGES IN THIS VERSION:

Bug fix: When using Twilio, it would mistakenly not send SMS messages to U.S. phone numbers with an 934 area code. (Ticket #90686b)
Bug fix: If the system-level setting “ENABLE FILE UPLOADING FOR THE FILE REPOSITORY MODULE” is set to “disabled”, users would still be able to upload files into the File Repository in any project. Bug emerged in REDCap 13.1.0. (Ticket #210765)
Bug fix: The documentation for using reports as filters in Smart Charts, Smart Tables, or Smart Functions was confusing and has been updated for clarity. It notes now that when referencing a unique report name in Smart Charts, Smart Tables, or Smart Functions, no other filtering parameters can be used (e.g., DAGs, events) with the report filter and thus any other filters will be ignored. If users wish to additionally filter by DAGs and/or events, it is recommended that they add such filtering to the report itself by editing the report. The wizard on the Project Dashboard page has also been updated to reflect this.
Bug fix: When using the @Wordlimit or @charlimit action tag on a Text field, the first field on the page that uses either action tag might have its “X characters remaining” label or “X words remaining” label, respectively, duplicated multiple times below the field itself. (Ticket #208658)
Bug fix: The example Perl code in the API Playground for making Curl calls was outdated and would not run successfully for some users.
Bug fix: When using MyCap in a project, a blank Menu might be displayed for participants when using the MyCap mobile app, specifically for iOS devices.

Version 13.8.3 (released on 2023-07-21)

CHANGES IN THIS VERSION:

Major bug fix: When a user has File Repository user privileges in a project with the e-Consent Framework enabled on one or more instruments, the user would mistakenly be able to download the e-Consent PDF files stored in the PDF Survey Archive folder in the File Repository, even when the user does not explicitly have “Full Data Set” data export rights for the given instrument. In order to download the e-Consent PDFs, the user should have “Full Data Set” data export rights for the given instrument. (Ticket #210214)
Bug fix: Some MyCap-related pages that deal with PROMIS instruments (auto-scoring and adaptive) might mistakenly crash due to a fatal PHP error when using PHP 8.
Bug fix: If the Online Designer displays an error icon next to a MyCap-enabled instrument, it would allow the user to click the icon and attempt to try to fix the errors when the project is in production mode; however, it would fail to fix it and just re-display the error. Instead, it will now inform the user that errors exist but that they must put the project in draft mode first before they can fix the errors. (Ticket #210179)
Bug fix: When using Duo two-factor authentication, if the system is set to “Offline”, it would mistakenly prevent administrators from successfully logging in via Duo 2FA. (Ticket #202197)
Bug fix: When a user is updating a language on the Multi-Language Management setup page, some import settings, such as the “Keep existing translations” option, would mistakenly not be honored during the language update process. (Ticket #210395)
Bug fix: When attempting to upload a CSV data file via the Data Import Tool using the background import process, in which the CSV headers (i.e., variable names) in the data file are wrapped in quotes, REDCap would mistakenly return an error message saying that the headers are not formatted correctly. (Ticket #210299)
Bug fix: In longitudinal projects with multiple arms, certain actions (such as deleting a record, renaming a record, and others) would mistakenly execute SQL queries that were not structured correctly and thus might make the database server unnecessarily slow due to long query times.
Bug fix: The Scheduling page would mistakenly never display the record drop-down list. Bug emerged in the previous release: 13.8.2. (Ticket #210446)
Bug fix: When using certain action tags on a field where the value on the right side of the equal sign in the action tag definition is not wrapped in single quotes or double quotes and additionally other annotation text follows after the action tag in the Field Annotation text (e.g. @charlimit=8 More text here), the action tag might not be interpreted successfully and thus might not get enforced. (Ticket #210175)
Bug fix: If a survey is using a system-level theme or a user-saved custom theme, the theme colors would mistakenly not get preserved in the Project XML file if a user exports the Project XML file and then creates a new project with it. (Ticket #210371)
Bug fix: When using the Data Resolution Workflow feature, if a user executes Data Quality rule H, fields that have been marked as “Verified data value” would mistakenly appear in the list of discrepancies (they should not appear there by default) and would not appear as “verified” in the DQ popup. (Ticket #209447)
Bug fix: Using an [X-event-name] Smart Variable in combination with an [X-instance] Smart Variable in logic, calculations, or piping might cause the evaluation of the logic/calc/piping not to be performed successfully. (Ticket #208887)
Bug fix: When using the Clinical Data Pull, the EHR Launch process might mistakenly fail. (Ticket #210523)
Bug fix: The CDIS messaging feature might mistakenly display the phrase “invalid date” where the date/time of the message should be.

Version 13.8.2 (released on 2023-07-14)

CHANGES IN THIS VERSION:

Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in the File Repository in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the filename of an uploaded file. The user must be logged in to REDCap and also must have File Repository privileges in the project in order to exploit this. (Ticket #210134)
Bug fix: When an instrument has an embedded field that is immediately followed by a piped field or by another embedded field (with no space between them), the field/value might mistakenly not be rendered in the exported PDF of that instrument. (Ticket #210165)
Change: In longitudinal projects with Scheduling enabled, the “View or Edit Schedule” page will no longer render the record drop-down list of already-scheduled records on the page if the drop-down would contain more than 10,000 options. This is to prevent the page from becoming very slow for projects that contain lots of records that have been scheduled already. Users will still be able to view the schedule of individual records on the page though.
Bug fix: A fatal PHP error might occur related to specific CDIS processes.
Bug fix: A fatal PHP error might occur related to CDIS when performing the Standalone launch inside REDCap. (Ticket #209840)
Bug fix: When viewing the PDF Survey Archive files for the e-Consent Framework in the File Repository, if the system-level e-Consent setting “Capture the IP address…” is set to “Do NOT capture IP address”, the table header in the File Repository would mistakenly say “IP Address” instead of “Identifier (Name, DOB”). (Ticket #209302)
Bug fix: When using the Control Center page to update the database tables to support full Unicode, in some situations the resulting SQL might mistakenly contain a double comma, which would result in SQL errors and prevent the process from completing successfully. (Ticket #209856)
Bug fix: When using Multi-Language Management and using the Right to Left (RTL) setting when there are multiple choice fields with horizontal alignment, the choices might not always display correctly. (Ticket #209612)
Bug fix: In certain scenarios, the Background Data Import cron job might mistakenly crash without finishing. (Ticket #209911)
Bug fix: In certain scenarios when selecting to use the background process for the Data Import Tool, it might not allow the user to upload a CSV data file because it mistakenly thinks that the last field variable in the CSV file is not a real field name. (Ticket #209823)
Bug fix: When taking a survey while using a mobile device, the page would auto-scroll unnecessarily after completing a multiple choice field that has one or more visible fields embedded inside it. In this case, the page should not auto-scroll when the field contains embedded fields. (Ticket #208523)
Bug fix: When a user selects the option “Remove all date and datetime fields” when exporting data, or if that option is automatically imposed upon the user due to having De-Identified data export rights, survey completion timestamp fields would mistakenly not be removed from the resulting data export file. (Ticket #208758)
Bug fix: When a project is in Analysis/Cleanup status and the current user does not have Project Design & Setup privileges, the Project Home page and Project Setup page would mistakenly display a “Modify” button in the yellow section at the top of the page describing if users can modify records or not. This button should only be displayed for users with Design rights. Clicking the button would not actually change anything though, so this issue is more of an aesthetic issue that could cause confusion. (Ticket #107257)
Bug fix: If an unclosed HTML comment (i.e, “<!–” without quotes) exists in user-defined text that is displayed on the page (e.g., field label, survey instructions, a piped value from a Text field), it would mistakenly cause the page content to be truncated, thus preventing the user from seeing any of the page after where the text is located. (Ticket #207897)
Bug fix: A missing LOINC code was added to the CDIS mapping features.
Bug fix: If the URL of another REDCap server exists in user-defined text that is displayed on the page (e.g., field label, survey instructions, a piped value from a Text field), the REDCap version number in the URL would mistakenly be replaced with the REDCap version number of the current server. It should never replace the REDCap version number in any URLs unless the URL corresponds to the current REDCap server. (Ticket #208528)
Bug fix: When using Twilio or Mosio for a survey implemented as an SMS conversation, Yes/No fields and True/False fields would not have their field labels rendered correctly in the conversation. Instead of their field label, it would display “No” or “False”, respectively. (Ticket #209624)
Bug fix/change: The @DOWNLOAD-COUNT action tag documentation has been updated for clarity to explain that if a field with @DOWNLOAD-COUNT also utilizes @inline or @INLINE-PREVIEW and displays an inline PDF that has been uploaded, if a user downloads the file via the inline PDF controls (which are generated by the browser and not by REDCap), the download will not get properly counted via @DOWNLOAD-COUNT. This is to clarify that @DOWNLOAD-COUNT only works when users/participants click the file download link on the page. (Ticket #208354)
Bug fix: If an administrator does not specifically have “Modify system configuration pages” admin rights, the date field on the Cron Jobs page in the Control Center would mistakenly be disabled.
Bug fix: If an inline image was added to text on an instrument via the rich text editor and then the project was later copied, the image would display correctly on the data entry form in the project copy, but it would mistakenly not display when viewing the instrument as a survey in the project copy.
Bug fix: In certain scenarios, a couple fatal PHP errors might occur on survey pages when using PHP 8. (Ticket #210196)

Version 13.8.1 (released on 2023-07-07)

CHANGES IN THIS VERSION:

Bug fix: On certain occasions, the Control Center and/or Configuration Check page might mistakenly display the warning that “Some non-versioned files are outdated”, which might be incorrect and a false positive.
Bug fix: A fatal PHP error might occur when using Duo for two-factor authentication.
Bug fix: A fatal PHP error might occur when attempting to send emails via the Email Users page, thus preventing the emails from being sent.
Bug fix: A fatal PHP error might occur related to CDIS when performing the EHR launch of the REDCap window inside the EHR user interface.

Version 13.8.0 (released on 2023-07-07)

CHANGES IN THIS VERSION:

New feature: Background Data Import
In the Data Import Tool, users may now alternatively import data using an asynchronous background process (as opposed to the existing real-time process). The background process is better for large data files. The background process will email the user after the data file has been fully imported, and the email will note any errors that may have occurred during the import process.
During the background data import process, which is performed by several simultaneous cron jobs, each record will be imported one at a time. If there is any error with a record being imported, none of that individual record’s data will be imported, after which the user will be able to view all the errors with the option to re-download the records/data that failed to import, thus allowing the user to fix the data and attempt to import it again.
Note: The background data import works with the “Reason for Change” project-level feature, which requires a reason for any changes made to an existing record.
The feature is currently only available in the user interface (not in the API), but it may be available for the API in the future.
If the background data import has begun, the user who initiated the import (or an administrator) can cancel the import process at any time. However, any data that was imported by the import process prior to it being canceled will not be undone after it is canceled. All changes made by the process up until cancellation are permanent.
Critical security fix: A Blind SQL Injection vulnerability was found on data entry forms and survey pages, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. This bug affects all known REDCap versions.
Critical security fix: A PHP Deserialization Remote Code Execution vulnerability was found in which a malicious user who is logged in could potentially exploit it by manipulating an HTTP request to a specific CDIS-related page while manipulating a certain CDIS-related cookie in a specific way. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists in REDCap 13.0.1 and higher.
Critical security fix: A Blind SQL Injection vulnerability was found when calling certain API methods, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by entering specially-crafted data into a Text field, changing the field to a File Upload field, and then calling the Delete File or Import File API method. This bug affects all known REDCap versions.
Major security fix: An SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks.
Major security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way on many pages that output user-defined text onto a REDCap webpage. This bug affects all versions of REDCap.
Bug fix: After unsuspending a user on the Browse Users page on the “View User List By Criteria” tab, the “Display only X users” drop-down would mistakenly get reset. (Ticket #208937)
Bug fix: A new Clinical Data Mart background process would not be scheduled if the current one was taking too long to complete.
Bug fix: PHP 8 related fix for the Data Import Tool. (Ticket #208086)
Bug fix: When using Multi-Language Management with the e-Consent Framework, some text on the e-Consent confirmation screen at the end of the survey was mistakenly not translatable.
Bug fix: When using Multi-Language Management, the language switcher and globe menu would not work on survey return pages when the survey is set up to show a logo and the option to “Hide survey title on survey page when display logo” is turned on. (Ticket #208961)
Bug fix: When using Multi-Language Management on a survey where Google reCAPTCHA is enabled, the Google reCAPTCHA text would mistakenly not be translatable. (Ticket #208797)
Bug fix: PHP 8 related issue on certain MyCap pages in project. (Ticket #208688)
Various fixes and changes for the External Module Framework, including 1) Documented sanitizeFieldName() method, and 2) Miscellaneous security scan & documentation improvements.
Bug fix: In some situations, the survey page might mistakenly throw a fatal PHP error for PHP 8. (Ticket #208147)

Version 13.7.2 (released on 2023-06-23)

CHANGES IN THIS VERSION:

Change: When performing a fresh installation of REDCap, the initial version will be included in the redcap_history_version database table. (Ticket #208590)
Bug fix: When using Multi-Language Management, when uploading a file on the MLM setup page to import translations into an existing language, the merging from file would mistakenly not be performed.
Bug fix: The “Design Checker” for the Clinical Data Mart might mistakenly fail with an error when attempting to fix the structure of a CDM project. (Ticket #207348)
Bug fix: PHP 8 related fixes for CDIS functionality.
Bug fix: When exporting a Project Dashboard as a PDF, some parts of the page that should not be included in the PDF were included.
Bug fix: More compatibility fixes when using Epic Hyperdrive for CDIS in the context of EHR launches.
Bug fix: Related to CDIS, unnecessary steps were removed for the Smart on FHIR OAuth2 process.

Version 13.7.1 (released on 2023-06-08)

CHANGES IN THIS VERSION:

**Major bug fix: **When using Multi-Language Management and uploading a file on the MLM setup page to import translations into an existing language, the process of merging from file would mistakenly not be performed.
Bug fix: When downloading a PDF of an instrument, the PDF would only download in the desired language if it was set to active for MLM in Data Entry mode. It should not require a language to be active in Data Entry mode to allow downloads of PDFs in that language.

Version 13.7.0 (released on 2023-06-08)

CHANGES IN THIS VERSION:

New features: New Multi-Language Management workflow for adding new languages to projects, plus many other improvements.
Improved workflow and user interface for adding new languages to projects.
Project languages can now “subscribe” to system languages (i.e., any changes/additions to UI translations made in the Control Center will automatically be visible in projects).
Several new administrator options to control how new languages can be initialized in projects (independently allow/disallow initialization from system languages, language files, or from scratch). These (global) settings can be overruled on a project by project basis.
Editing/updating of existing languages has been redesigned and split into separate edit (rename, etc.) and update (sync with system languages or import translations from files) dialogs.
Added an option to download (empty - i.e. without data) PDFs of all or individual instruments.
The default setting for the ASI Language Source is not “Language preference field” (instead of “User’s or survey respondent’s active language”).
Many user interface fixes related to the switch to Bootstrap 5 in REDCap 13.4.0.
Bug fix: MyCap push notifications might mistakenly not work when using a proxy for the REDCap web server. (Ticket #207578)
Bug fix: When using Multi-Language Management, the “:value” piping modifier would not mistakenly not work when performing piping on MLM-enabled forms and surveys. (Ticket #207629)
Bug fix: When using date-based or time-based [survey-X] Smart Variables in conjunction with a [X-instance] Smart Variable while also using the “:value” modifier (e.g., [survey-time-completed:my_survey:value][last-instance]), a blank value might mistakenly be returned instead of the expected value. (Ticket #206098b)
Bug fix: When using the Copy Project feature and selecting to copy the reports in a project, the resulting new project’s reports would mistakenly not have the same unique report names. The unique report names of the new project should be exactly the same as the original project. (Ticket #207248)
Bug fix: When piping a data value into the choice label of a multiple choice field on a repeating instrument, the correct data value might mistakenly not get piped correctly when viewing the choice label on a report or in a CSV Labels data export. (Ticket #207193)
Bug fix: When using the Calendar Sync feature, the calendar feed or export might mistakenly be off by one hour for cities in specific time zones. (#206585b)
Bug fix: When importing and exporting user rights or user roles via CSV files on the User Rights page, some user privilege categories (e.g. Alerts & Notifications) might mistakenly not be found in the downloaded CSV user rights/roles files. (Ticket #206747, #207132)
Bug fix: When selecting files in the File Repository and clicking the Move button, the “folder” drop-down list in the dialog would mistakenly display folders that have been deleted. (Ticket #207763)
Bug fix: When viewing multi-page inline PDFs on the e-Consent certification screen on surveys when using certain devices, such as iPads, only the first page of the PDF might be viewable on the webpage. An option is now displayed near the bottom of the e-Consent certification screen on surveys to allow the participant to download and view the PDF in another browser tab if they are using a device that does not support multi-page inline PDFs. (Ticket #205407)
Bug fix: When exporting a project or project data as CDISC ODM/Project XML, a fatal PHP error might occur when using PHP 8. (Ticket #78389)
Bug fix: When using Multi-Language Management, the error dialog displayed when a user enters an invalid choice for an auto-complete drop-down field was mistakenly not available for translation on the MLM setup page. (Ticket #207825)
Bug fix: When using CDIS, the project menu was not hidden in an EHR launch context.
Bug fix: When downloading a PDF of an instrument that contains a Descriptive Text field with an inline PDF attachment, in certain cases the inline PDF might overlap the next field below it when instead it should begin a new page right after the inline PDF. (Ticket #206391)
Bug fix: Piping Smart Variables or field variables into the Data Entry Trigger URL would mistakenly cause “span” HTML tags to be inserted into the URL.
Updates to the External Module Framework: 1) Prevented uncaught exceptions in the PHP error log, and 2) Added system setting support in getSubSettings().

Version 13.6.1 (released on 2023-06-02)

CHANGES IN THIS VERSION:

Change/improvement: CDIS-related tasks now use a new memory monitoring feature to improve system stability by preventing out-of-memory crashes, in which it actively tracks memory usage and stops long-running, memory-intensive background processes when the PHP thread’s memory usage approaches a predefined threshold (75% by default).
Various fixes and changes to the External Module Framework.
Change/improvement: When searching for action tags in the Action Tag list/dialog, any action tags added to the dialog via an External Module would mistakenly not be included in the search as the user types in the search box. (Ticket #207364)
Bug fix: If a user does not have “Add/Edit/Organize Reports” privileges, “Report B” would mistakenly not appear for them on the “My Reports & Exports” page. (Ticket #206987)
Bug fix: When using DDP Custom, dates were not converted to strings in the JSON encoding process for the data web service. (Ticket #206063)
Bug fix: A non-existent CDP-related CSS file would get called on the Online Designer page and thus would throw a silent 404 error in the browser console. (Ticket #207222)
Bug fix: Medication statuses were mistakenly being ignored in CDIS mapping and thus were not being imported from the EHR.
Bug fix: When re-evaluating Alerts & Notifications, in which one or more alerts are recurring, the process might report an incorrect number of alerts that were removed/unscheduled during re-evaluation as a result of the alert’s conditional logic no longer being True. This does not affect any behavior but only the count of alerts that were removed/unscheduled during the re-eval process. (Ticket #206980)
Bug fix: Data entry forms and survey pages might mistakenly crash due to a fatal PHP error in very specific scenarios when using PHP 8. (Ticket #207349)
Bug fix: On the MyCap-enabled project, the Online Designer might mistakenly crash due to a fatal PHP error in very specific scenarios when using PHP 8. (Ticket #207381)
Bug fix: In certain places throughout REDCap where the Logic Editor is used, when modifying the text in the editor, an error might appear saying “Odd number of single quotes exist” (or something similar) when apostrophes, quotes, parentheses, and some other characters are utilized in an “inline comment” (beginning with // or #) in the editor. (Ticket #207092)
Bug fix: When copying the MyCap generated invitation text, which would contain a REDCap version number in the URL of the QR code image, and pasting it onto a webpage in REDCap, such as in the survey completion text or in a field label, the QR code would mistakenly fail to load on the page if that older version of REDCap had been removed from the web server.

Version 13.6.0 (released on 2023-05-25)

CHANGES IN THIS VERSION:

New features for Clinical Data Interoperability Services (CDIS): New additions to the CDIS Configuration page in the Control Center.
Custom Mapping: Institutions can now define their own mappings and specify additional LOINC codes for labs and vitals.
Metadata Download: Users can download CSV files containing metadata for mapping FHIR data to REDCap’s fields. Metadata files are available for DSTU2 and R4 versions.
Custom FHIR Authentication Parameters: This new feature enables administrators to define custom HTML query parameters for the SMART on FHIR authentication process. By allowing institutions to specify key-value pairs along with context information, such as “standalone launch,” “EHR launch,” and “always,” this enhancement provides increased flexibility during authentication. The user interface facilitates the specification of multiple entries, thus granting administrators greater control over the authentication process.
Minor security fix: An SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks.
Major bug fix: If a REDCap user knows the report_id of a report from another REDCap project to which they do not have access, they could manipulate the URL of a report in one of their own projects by replacing the report_id in the URL with the other project’s report_id and thus be able to view (but not export) all the data from the other project’s report. Note: The user would not be able to access anything else from that other project though. Additionally, the user must be logged in and must have access to at least one project in order to exploit this issue. Bug emerged in REDCap 12.2.0. (Ticket #206894)
Bug fix: When using the Calendar Sync feature, the calendar feed or export might mistakenly be off by one hour for cities in specific time zones. (Ticket #204252, #206585)
Bug fix: If using Multi-Language Management, if a radio or checkbox field exists on an MLM-enabled survey that also has the Enhanced Choice survey option enabled, in which another field on the survey page is embedded inside one of that field’s choice labels, the field would not be successfully embedded on the page but would display an error message saying that that field has been embedded multiple times on the page, which is not true. This bug was supposedly fixed in REDCap 13.5.2, but mistakenly it was not.
Bug fix: If a field has been piped into the min or max validation range of a Text field, in which the piped field does not have a saved value yet, a user attempting to import data will mistakenly get an error stating that the field “should not be greater than the field maximum” or “less than the field minimum”, which would thus prevent the user from importing the data. (Ticket #203219)
Bug fix: When a user attempts to place a production project into draft mode, it might mistakenly just reload the same page with no changes, thus preventing the project from being put in draft mode. This often occurs when multiple users are changing things in the Online Designer near the same time while in production. (Ticket #6346b)
Bug fix: Some project-level features in the Additional Customizations popup were mistakenly not being added to the Project XML file when exporting->importing a project. These include the following features: Enable the Data History popup, Display the Today/Now button, Prevent branching logic from hiding fields that have values, and Require a ‘reason’ when making changes to existing records. (Ticket #206575)
Bug fix: When using the “Copy existing choices” feature for multiple choice fields in the Edit Field popup in the Online Designer, it would mistakenly strip out all HTML in the choice labels. (Ticket #206644)
Bug fix: When uploading an Instrument Zip file that contains survey settings, in which the survey theme of the survey does not exist on the current REDCap server, the upload would hang and never finish. Now, if the survey theme does not exist on the current REDCap server, the default survey theme will be used instead. (Ticket #206167)
Bug fix: When viewing the App Data Dumps tab on the REDCap Mobile App page and clicking an “Included Records” button, it would mistakenly not display the list of records from the data dump file. Bug emerged in REDCap 13.4.0.
Bug fix: When viewing the REDCap Mobile App’s “App Data Dumps” page and clicking the “Import Data from File” button for a specific data dump file, it would mistakenly throw a fatal PHP error on the page when using PHP 8. (Ticket #137777b)
Bug fix: Fixed compatibility issue when using Epic Hyperdrive for CDIS in the context of EHR launches. It addresses a known issue where the cookie samesite policy conflicts with Hyperdrive. By detecting the Hyperdrive user agent, REDCap disables the samesite policy, ensuring seamless integration and functionality.
Bug fix: When an administrator uses the “Auto-fill” link on a survey with the “Enhanced Choices” option enabled, it might mistakenly fail to work for some checkboxes and radio button fields. (Ticket #206769)
Bug fix: CDIS-related processes might fail in specific cases due to PHP 8 incompatibility.
Bug fix: A missing LOINC code was added to the CDIS mapping features.
Bug fix: When deleting scheduled survey invitations on the Survey Invitation Log using the “Delete all selected” button, it might crash with a fatal PHP error if deleting only one participant at a time when using PHP 8.

Version 13.5.4 (released on 2023-05-22)

CHANGES IN THIS VERSION:

Major bug fix: Due to an unexpected issue with the deployment of 13.5.3, some fixes from 13.5.2 mistakenly did not get included in 13.5.3. Thus, 13.5.4 will stand as a replacement for 13.5.3.

Version 13.5.3 (released on 2023-05-19)

CHANGES IN THIS VERSION:

Major bug fix: When a participant completes the first page of a multi-page survey, it might mistakenly create a duplicate record that contains only the responses submitted on the first survey page. This does not affect single-page surveys. (Ticket #206613)
Major bug fix: When a participant clicks the “Save & Return Later” button on the first page of a multi-page public survey, and then returns to complete the survey later, it might mistakenly not update the original create but would instead create a duplicate record containing the values submitted on the last survey page. This does not affect single-page surveys. (Ticket #206623)

Version 13.5.2 (released on 2023-05-19)

CHANGES IN THIS VERSION:

Improvement/change: Improvements to the usability of “Email Users” page in the Control Center. Previously, the page featured buttons for selecting user groups and a separate “search” input field for table filtering. Now the buttons' functionality has been modified to filter the table directly, just like the “search” input, allowing admins to quickly filter the table by clicking on the buttons, and subsequently select all or specific users from the displayed list. This new behavior simplifies the user selection process, providing a more intuitive experience, and enabling efficient user filtering.
Major bug fix: If a field is required and is embedded in the choice label of a multiple choice field on a multi-page survey, in which the field itself has branching logic and is also used in the branching logic or calculation of another field on a separate survey page, the field’s value might mistakenly get erased when submitting a survey page where the field does not exist but where the field is used in a branching logic or calculation.
Change: All errors in the redcap_error_log database table that are more than 30 days old will be automatically removed (to free up space) via a routine cron job.
Bug fix: Fixed issue with the “Navigate to page” feature when navigating to the Multi-Language Management page in the Control Center.
Bug fix: A JavaScript error would mistakenly get thrown on the Alerts & Notifications page when creating an alert. This may or may not cause other issues on the page.
Bug fix: A JavaScript error would mistakenly get thrown on the survey page after clicking the Save button on a multi-page survey, which might cause some things not to work on the survey. (Ticket #206073)
Bug fix: A JavaScript error would mistakenly get thrown on the Survey Settings page, but this would not affect anything on the page.
Bug fix: If using Multi-Language Management, the translated choice labels for Yes/No and True/False fields would mistakenly not display correctly on the Codebook page. (Ticket #206001)
Bug fix: When using an [X-instance] Smart Variable with other survey-related Smart Variables while using PHP 8, it might cause a fatal PHP error if no repeating instances exist yet for the targeted repeating instrument/event. (Ticket #206098)
Bug fix: When creating or editing a report, pressing the Enter key while in any text input (e.g., the Value text box in Step 3) would mistakenly cause the “List of users with access” popup to display. (Ticket #204875)
Bug fix: The login page for “Shibboleth & Table-based” authentication might not display the Shib and Table-based login options correctly. Bug emerged in REDCap 13.4.0. Bug was supposedly fixed in REDCap 13.4.3 and 13.4.9 but mistakenly was not. (Ticket #204025)
Bug fix: When a non-REDCap user receives a Send-It download link via email for a REDCap installation that is using a directory-based authentication method (e.g., Shibboleth), the recipient would never be able to download the file because it would mistakenly always require them to log in as a REDCap user.
Bug fix: If using Multi-Language Management, the same field could mistakenly be embedded multiple times on the same page when embedded via MLM translations. (Ticket #206370)
Bug fix: If using Multi-Language Management, if a radio or checkbox field exists on an MLM-enabled survey that also has the Enhanced Choice survey option enabled, in which another field on the survey page is embedded inside one of that field’s choice labels, the field would not be successfully embedded on the page but would display an error message saying that that field has been embedded multiple times on the page, which is not true.
Bug fix: When opening a data entry form or survey page in certain versions of iOS in Mobile Safari or in Internet Explorer, the page would never fully load due to a JavaScript error. This bug was supposedly fixed several versions earlier but mistakenly was not. (Ticket #202806c)
Bug fix: When downloading the Project XML file for a project, in some circumstances the process might fail with a fatal PHP error when using PHP 8. (Ticket #206404)
Bug fix: If a survey has “Save & Return Later” enabled and allows participants to return without needing a return code, but it does not allow them to return if the survey has already been completed, then in certain circumstances after a participant completes a public survey in this case, in which they have a unique survey link back to their response (e.g., from an email), they would mistakenly be allowed to modify their completed response. (Ticket #206154)

Version 13.5.1 (released on 2023-05-12)

CHANGES IN THIS VERSION:

Major bug fix: When using PHP 8, if any Custom Application Links have been created and thus appear on a project’s left-hand menu, it would cause every project page to crash with a fatal PHP error. (Ticket #205890)
Bug fix: Fixed issue with the “Navigate to page” feature when navigating to the Multi-Language Management page in the Control Center.

Version 13.5.0 (released on 2023-05-11)

CHANGES IN THIS VERSION:

Major security fix: A Cross-site Scripting (XSS) vulnerability was discovered in a file download process in which a malicious user could potentially exploit it by inserting HTML/XML tags and/or JavaScript in a very specific way into an SVG file that is then uploaded into a File Upload field or as a Descriptive Text field attachment, and then having a logged-in REDCap user attempt to download that file using a specially crafted URL. This bug affects all versions of REDCap.
Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way on many pages that output user-defined text onto a REDCap webpage. This bug affects all versions of REDCap.
New feature: @INLINE-PREVIEW action tag - When this action tag is added to File Upload fields or Description Text fields, a preview button will be displayed next to the field on survey pages and data entry forms if the uploaded file is an image or PDF file. Clicking the preview button will immediately display the image/PDF inline on the page, after which it can be closed again, if desired. This allows users/participants to view the file without having to download it to their local device.
Improvement: Inline image support (via Descriptive Text field, INLINE or INLINE-PREVIEW action tag, or the “:inline” piping parameter) now works for SVG and WEBP image files.
Improvement: The “Contact REDCap Administrator” link/button on the left-hand project menu now supports the piping of Smart Variables in its URL if using the “Alternate URL for Contact REDCap Admin links…” setting, which is located on the General Configuration page in the Control Center. Note: Data entry specific Smart Variables (e.g., record-name, event-name) cannot be piped; only high-level project/user-related Smart Variables can be piped (e.g. project-id, user-email).
Improvement: All fatal PHP errors will now be logged in the “redcap_error_log” database table to aid REDCap administrators in tracking down the cause of certain PHP errors. On pages that do not disclose any details (for security reasons) about a fatal PHP error when it occurs, such as on surveys and when the user is not an administrator, the generic error message now adds the following text in small font: “REDCap Admins Only: Details of the error may be obtained by running the database query below. select error from redcap_error_log where error_id = X”, which can assist administrators in reporting the error.
Improvement: If using Azure AD authentication (either Endpoint V1 or V2), you may now specify the tenant GUID on the Security & Authentication page, whereas in previous versions “common” was always used as the tenant value. This provides greater flexibility for those using Azure AD. (Ticket #121604)
Improvement: When viewing an inline PDF (whether via Descriptive Text field, INLINE or INLINE-PREVIEW action tag, or the “:inline” piping parameter), a PDF resizer option will appear immediately below the embedded PDF, allowing users to adjust the vertical size of the PDF displayed on the page. Clicking the center button on the resizer will set the PDF to be the full height of the browser.
Improvement/change: When EHR data that is fetched in a Clinical Data Pull (CDP) context is too big to be stored in the database, it will truncate the data and add the prefix “--- DATA TOO LARGE, TRUNCATED ””, which could happen when a patient has many medications, allergies, or conditions, for example.
Change: Survey completion timestamp fields will no longer return errors when a user attempts to import them via data import. Instead, they will merely return a warning, and their value will be ignored during the import process.
Bug fix: When using Multi-Language Management, the language switcher button displayed at the top of data entry forms would not be positioned correctly when compared to other buttons right next to it.
Bug fix: When using MyCap, the MyCap “getStudyImages” API test would mistakenly fail if the project has been copied or created via Project XML upload, in which the images zip file was not getting stored in the back-end database.
Bug fix: When using Multi-Language Management, snapshots would be created for all projects when approving DRAFT mode, even when MLM was not in use (no languages). Now a snapshot is made only when MLM is active (not disabled) AND there is at least one language defined. Additionally, there was no automatic snapshot taken when projects are moved to production initially. Now a snapshot is taken automatically (same rules as for DRAFT).
Bug fix: When opening a data entry form or survey page in certain versions of iOS in Mobile Safari or in Internet Explorer, the page would never fully load due to a JavaScript error. This bug was supposedly fixed two versions earlier but mistakenly was not. (Ticket #202806b)
Bug fix: When utilizing the “Include PDF of completed survey as attachment” option in the Confirmation Email section on the Survey Settings page for a survey that is using the e-Consent Framework, the PDF consent form that is attached to the email would mistakenly not include the e-Consent Type in the filename of the PDF. It should have listed the e-Consent Type as part of the filename for the email attachment.
Bug fix: When viewing an open conversation in REDCap Messenger, the “Actions” drop-down would mistakenly not open when clicked. Bug emerged in REDCap 13.4.0.
Bug fix: When performing randomization on a record, a JavaScript error might mistakenly occur, which would cause calculated fields on the current page not to be recalculated post-randomization. (Ticket #205428)
Bug fix: When using Multi-Language Management, the Survey Login page text might mistakenly not get translated. (Ticket #205427)
Bug fix: The DAG Switcher API method would mistakenly always return the message “ERROR: Invalid DAG” even when the API is being called correctly. Bug emerged in 13.1.27 LTS and 13.4.11 Standard. (Ticket #205557)

Version 13.4.13 (released on 2023-05-04)

CHANGES IN THIS VERSION:

Medium security fix: A Blind SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks. (Ticket #205078)
Medium security fix: A vulnerability was found in the “Save & Return Later” feature on survey pages, in which a malicious user could potentially exploit it by manipulating an HTTP request in a specially-crafted way that would allow them to email themselves the private survey link of another survey participant. If return codes are not required to return to the survey, using brute force methods the attacker might be able to view sensitive data that survey participants have entered. However, if return codes are required, then the attacker will not be able to view any survey responses. (Ticket #205081)
Major bug fix: The Project Setup->Other Functionality page might mistakenly crash due to a fatal PHP error when using certain versions of PHP 8.
Major bug fix: When using Multi-Language Management and saving MLM translations on the MLM setup page, all Action Tag translations and all choice label translations for multiple choice fields would be permanently lost upon save. Bug emerged in the previous release. (Ticket #205076, #205146)
Bug fix: When downloading the Project XML file for a project, in some circumstances the process might fail with a fatal PHP error when using PHP 8. (Ticket #204965)
Bug fix: For CDIS-related FHIR calls specifically to Epic, the FHIR coding systems have been updated to reflect the Epic FEB23 update.

Version 13.4.12 (released on 2023-05-03)

CHANGES IN THIS VERSION:

Critical security fix: A Blind SQL Injection vulnerability was found on survey pages, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request to the survey end-point in a specially-crafted way.
Improvement: More options for the new “Navigate to page” feature for administrators: 1) Admins can now navigate to Control Center pages via typing “cc”, 2) Help is context sensitive (project links are disabled and “cc” prefix is removed while in the Control Center), 3) Destinations in the popup are now clickable links (project links are not clickable when viewed on a Control Center page), 4) Holding CTRL while pressing ENTER or clicking a link will open in a new tab, and 5) External Module related pages support the EM framework’s alternate /external_modules/ directory location, if being used.
Bug fix: Hovering over the “view list” links to view scheduled/sent alerts on the Alerts & Notifications page would mistakenly not display anything. Bug emerged in REDCap 13.4.0 (Standard).
Bug fix: When using the [form-link] or [survey-link] Smart Variable with Custom Text while also having the [new-instance] Smart Variable appended to it, it would mistakenly return a blank string instead of a survey link.
Bug fix: Fixed more issues related to error checking for the Imagick PHP extension check on the Configuration Check page.
Bug fix: When exporting a PDF of a survey response in some specific ways, it might mistakenly return the word “ERROR” instead of outputting the PDF. Bug emerged in REDCap 13.4.9. (Ticket #204340)
Bug fix: If some Smart Variables are used in a calculation or conditional logic, in which the evaluation of the calculation/logic results in a blank/empty string (i.e., after applying the current context and the current data during the logic evaluation process), an incorrect value might be returned from the calculation/logic. For example, this could cause calculated fields and Data Quality rule H not to function as expected. (Ticket #203945)
Bug fix: When using Multi-Language Management, fields on a data entry form that are piped on the page would mistakenly disappear from the page immediately after the form has loaded. (Ticket #204372)
Bug fix: When using Multi-Language Management, the Form Complete status field on data entry forms would mistakenly not change to the correct translated text when switching languages on the page while using iOS. (Ticket #203189b)
Bug fix: When opening a data entry form or survey page in certain versions of iOS in Mobile Safari, the page would never fully load due to a JavaScript error. (Ticket #202806, #204332)
Bug fix: When a Survey Base URL is defined in the Control Center and a survey participant clicks the “Close survey” button after completing a survey, if the survey had been opened in the participant’s browser from outside of REDCap, such as clicking a link in an email, in which the browser will not let the webpage close the tab but instead falls back to displaying the “You may now close this tab/window” message on the page, the participant would mistakenly not be taken to a URL beginning with the Survey Base URL but would instead be taken to the non-survey Base URL defined in the Control Center, which could be confusing to the participant. (Ticket #204422)
Bug fix: When attempting to upload Alerts & Notifications via CSV file, if the “email-to” field contains the value [survey-participant-email], REDCap would mistakenly return an error message saying the value isn’t valid when it actually is. (Ticket #201256)
Bug fix: When using Multi-Language Management, in certain cases an error would occur when attempting to import MLM settings via CSV or JSON files, thus preventing the upload from completing.
Bug fix: If proxy server settings have been provided on the General Configuration page in the Control Center, those settings would mistakenly fail to be used by the internal MyCap API check on the MyCap Configuration Check page and thus could result in a false positive saying that issues exist.
Bug fix: When using Multi-Language Management and using the eConsent Framework, the footer of the eConsent PDF, when displayed at the end of a survey, would mistakenly not have its text translated by MLM. This issue was supposedly fixed in the previous version but mistakenly was not. (Ticket #204669)
Bug fix: When a user tries to send a MyCap announcement to their MyCap participants, the Announcement dialog would always mistakenly close before a message can be added. (Ticket #204571)
Bug fix: When using Multi-Language Management on a survey, the Font Resize buttons might mistakenly not display text for the correct/selected language when hovering over the buttons. Bug emerged in REDCap 13.4.0.
Bug fix: When clicking inside the “Deactivate” and “Permanently Delete” dialogs on the Alerts & Notifications page, the dialog would mistakenly close. In addition, the Cancel buttons were also not working in the dialogs. Bug emerged in REDCap 13.4.0. (Ticket #204799)
Bug fix: The Email Users page in the Control Center might become unusable and/or lock up when attempting to select users to email when lots of users (thousands or tens of thousands) exist in REDCap. (Ticket #203947)
Bug fix: The wrong language variable is used for the WebDAV file server check on the Configuration Check page. (Ticket #204838)
Bug fix: The Share->Copy Link functionality might stop functioning for files in the File Repository if attempting to perform the functionality in a specific way more than once while on the page. (Ticket #204876)
Bug fix: When utilizing the “Include PDF of completed survey as attachment” option in the Confirmation Email section on the Survey Settings page for a survey that is using the e-Consent Framework, the PDF consent form that is attached to the email would mistakenly have REDCap’s back-end stored filename as the PDF filename rather than the intended user-friendly version of the filename. Additionally, the consent PDF was mistakenly not listed by name in the logged details of the event on the Logging page.

Version 13.4.11 (released on 2023-04-27)

CHANGES IN THIS VERSION:

Critical security fix: A PHP Deserialization Remote Code Execution vulnerability was found in which a malicious user who is not logged in could potentially exploit it by manipulating an HTTP request to a survey page while uploading a specially crafted file. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists only in the following REDCap versions: LTS 13.1.11 through 13.1.26 and Standard Release 13.3.0 through 13.4.10.
Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in a file download process in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way into an HTML file that is then uploaded into a File Upload field or as a Descriptive Text field attachment, and then having a logged-in REDCap user attempt to download that file using a specially crafted URL.
Major bug fix: Partially completed one-page surveys might mistakenly behave as if the participant has not started the survey if they return to the partially completed survey after having entered some data. (Ticket #204003)
Major bug fix: When a survey participant opens a public survey under certain conditions, such as when multiple participants are using the same device, the survey page (and/or subsequent pages) might mistakenly get populated with the previous participant’s responses, thus allowing participants to see data they should not. This fix reverts functionality from Ticket #142376 (from REDCap 13.4.3 Standard and 13.1.19 LTS) that attempted to gracefully recover a participant’s session if they used their browser’s BACK button on a survey as a means of returning to a previous survey page. (Ticket #204164)
Improvement: When viewing PDF attachments on Descriptive Text fields on a data entry form or survey, in which the PDF is set to be displayed inline, the PDF frame is now adjustable at the bottom so that its vertical size may be modified by the user/participant for better viewing.
Improvement: Searching has now been added in the Action Tags popup and Smart Variables popup to allow users to find content faster in those popups.
Bug fix: When publishing a MyCap configuration in a project, some chart fields might not get stored correctly in the config and thus might affect participants using the MyCap mobile app on iOS.
Bug fix: When using Multi-Language Management, the @LANGUAGE-FORCE action tag (if being used on a field) would mistakenly not work as expected.
Bug fix: When using DUO as an option for two-factor authentication, the 2FA process would mistakenly redirect users to the REDCap home page after a successful login rather than redirecting them to the current page they were originally on. (Ticket #203337)
Bug fix: The “Field Finder” on the Codebook page might mistakenly display some HTML in the search results if the user begins the search with the letter “c”.
Bug fix: When using Duo two-factor authentication, the REDCap login page might mistakenly be blank when using Mobile Safari on an iOS device. (Ticket #203626)
Bug fix: If the first column of the Record Status Dashboard table is a sticky/floating column (because the table is very wide), the column’s background color might mistakenly be transparent instead of a solid color, thus causing the table to look strange. (Ticket #203655)
Bug fix: When using Multi-Language Management and using the eConsent Framework, the footer of the eConsent PDF, when displayed at the end of a survey, would mistakenly not have its text translated by MLM.
Bug fix: Fixed issues related to error checking for the Imagick PHP extension check on the Configuration Check page. (Ticket #203313b)
Bug fix: Requests to the survey end-point that contained “__passthru” and “route” in the URL would mistakenly not get logged in the redcap_log_view table.
Bug fix: When using Multi-Language Management, some browsers might attempt to auto-translate part of the webpage when viewing a page translated via MLM. Such a browser action will now be prevented in order to allow the form or survey to be viewed exactly how the user intended. (Ticket #203925)
Bug fix: When viewing a Public Project Dashboard on PHP 8, the page might mistakenly crash due to a fatal PHP error. (Ticket #203634)
Bug fix: DDP Custom might mistakenly fail to pull and display data correctly due to internal field-mapping issues.
Bug fix: Some “popover” help text on various pages would mistakenly not display when a user’s cursor hovers over them. Bug emerged in REDCap 13.4.0 (Standard).
Bug fix: Fixed an issue with the auto-adjudication setting related to the use of email addresses in a CDIS project, in which it was causing the email addresses not to be fetched from the EHR.
Bug fix: During the MyCap EM to REDCap migration process, the migration popup was displaying the wrong “number of tasks” if there are any inadequately-enabled tasks on the EM side.
Bug fix: If the unique group name of a Data Access Group happens to be an integer and also happens to be the same value as the Group ID number of another DAG in the same project, users would mistakenly not be able to utilize the DAG Switcher if they attempt to move in and out of the DAG whose Group ID number matches the unique group name of another DAG. (Ticket #204033)
Bug fix: When using “&new” in a survey URL of a repeating survey, in which the URL also contains extra URL parameters for the purpose of survey pre-filling, those extra parameters would mistakenly be lost and thus will not be pre-filled after redirecting the participant to a not-yet-created repeating survey instance. (Ticket #204113)
Bug fix: When using Multi-Language Management, some browsers might attempt to display a popup to ask the user if the page should be auto-translated by the browser. In the previous version, the auto-translate action is now prevented, but this new fix now prevents the translation popup from displaying altogether in order to reduce confusion for users/participants when using MLM. (Ticket #203925b)
Bug fix: If the dates used together in a datediff() function or in a @CALCDATE action tag do not have the same date format, the resulting error message would mistakenly mention “Since the DATEFORMAT parameter was not provided as the fourth parameter in the equation, ‘ymd’ format was assumed”. The date format parameter is a legacy feature and is no longer used or needed, so that specific part of the error message has been removed in these cases. (Ticket #204213)

Version 13.4.10 (released on 2023-04-20)

CHANGES IN THIS VERSION:

Major bug fix: When copying a project and all its records, any fields that have no action tags (i.e., have nothing in the Field Annotation) would mistakenly have their value converted into a MyCap participant code for all records/events. Additionally, some repeating instance data might get orphaned or not get copied over correctly. (Ticket #203436)
Bug fix: The MyCap mobile app might mistakenly crash in certain situations on the About page if the About page’s image for the app is stored incorrectly in the project’s MyCap configuration.
Bug fix: The Control Center’s Configuration Check page might mistakenly display an incorrect message that the Imagick PHP extension is not installed correctly when in fact the issue was that Ghostscript was not installed correctly on the server. (Ticket #203313)

Version 13.4.9 (released on 2023-04-19)

CHANGES IN THIS VERSION:

**Critical security fix: **A Remote Code Execution vulnerability was found in the process whereby files are uploaded via File Upload fields and via the Data Import Tool, in which a malicious user could potentially exploit it by manipulating an HTTP request while uploading a specially crafted file on the Data Import Tool page, on a data entry form, or on a survey page. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists in all versions of REDCap.
Critical security fix: An Insecure Direct Object References (IDOR) vulnerability was found, in which a malicious user could potentially exploit it by manipulating an HTTP request in a specially crafted manner on a survey page. This could allow the attacker to export PDFs containing data of individual survey participants (potentially containing sensitive/private information). Any valid survey link (including a public survey link) could be used and manipulated in order to export a PDF containing data for any record within the project to which the survey link belongs.
Major security fix: A Blind SQL Injection vulnerability was found on the Alerts & Notifications page, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page or indirectly via the survey page.
Medium security fix: A Path Traversal vulnerability was found in a specific endpoint relating to the Clinical Data Pull feature, in which a malicious user could potentially exploit it by manipulating an HTTP request on a specific CDP page.
Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by entering an HTML “iframe” tag in a carefully crafted manner into the value of a text field on a form or survey. Additionally, that text field’s value must be piped to another place on that same page in order to exploit it. This bug exists in all versions of REDCap, both LTS and Standard Release.
Improvement: New “Go to project page” feature for administrators only will appear on the top navbar (when not inside a project) and on the left-hand menu when inside a project. Entering the PID of a project and hitting Enter/Tab will navigate the admin directly to the project. Additionally, if the PID is followed by a specific 1-3 letter abbreviation, they can navigate to a specific page within the project - e.g., “181 an” to go to the Alerts & Notifications page in PID 181. To go to a specific record on the Record Home Page, also enter the record number - e.g., “34 rhp 999” to view record 999 on the Record Home Page of PID 34.
Change/Improvement: When a participant attempts to log in to a survey via the Survey Login feature, the attempt is now logged, in which the following things are recorded in the project logging: 1) whether the login attempt was a success or failure, 2) the project fields being utilized in the login attempt, and 3) the context (e.g., the record, survey, and event).
Bug fix: Long-running CDIS-related cron jobs might mistakenly prevent External Module cron jobs from running at their expected interval.
Bug fix: When two administrators are viewing the Multi-Language Management page in the Control Center at the same time, the second person to navigate there will not be able to view the page while the first person is still viewing it due to a fatal PHP crash. Bug emerged in the previous version. (Ticket #202782)
Bug fix: When using the “Compare” feature for data dictionaries and/or snapshots on the Project Revision History page, on certain occasions it would not perform the comparison correctly and thus would display incorrect results.
Bug fix: Due to various API changes in the third-party web service used by the Field Bank feature, the Field Bank would no longer return any results if a user searched for a field in the Field Bank dialog in the Online Designer. This affects REDCap versions 10.7.0 and higher.
Bug fix: When copying a MyCap-enabled project that contains records, in which the records are also being copied, the process would fail to copy the records into the MyCap Participant List in the new project. The records would get copied correctly but mistakenly not added to the MyCap Participant List.
Bug fix: When an administrator uses the “Auto-fill” link on a data entry form or survey, it might mistakenly fail on Text fields that lack field validation. Bug emerged in the previous version. (Ticket #202933)
Bug fix: If the two authentication settings “Number of failed login attempts…” and “Amount of time user will be locked out after having failed login attempts…” on the Security & Authentication page somehow have non-integer values, it could cause the REDCap login page to crash with a fatal PHP error when using PHP 8. (Ticket #202976)
Bug fix: After renaming a record in a longitudinal project and using the Form Display Logic feature, the Record Home Page might mistakenly give a fatal PHP error when using PHP 8. (Ticket #203014)
Bug fix: The DAG Switcher table might mistakenly display a bunch of up/down arrows below the table header row due to a CSS issue.
Bug fix: When using Multi-Language Management on form or survey, the choice label from radio button fields that are inside a matrix would fail to pipe successfully if on the page. (Ticket #201392)
Bug fix: CDIS-related bug that could cause issues when refreshing a user’s FHIR access token, in which the format of the date used to check for expiration was wrong.
Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code “986” would mistakenly not work for SMS or voice calls unless the number has a “1” prepended to it. (Ticket #203044)
Bug fix: When clicking any of the table headers for the project list table on the My Projects page, it would mistakenly hide all the projects in the list except for those in the “Unorganized Projects” folder. Additionally, if any project folders were previously open, the user would find that all project folders had been closed after reloading the page. (Ticket #203046)
Bug fix: The login page for “Shibboleth & Table-based” authentication might mistakenly display both the Shib and Table-based login options under the Shib login tabs when using more than one Shibboleth login option. Bug emerged in REDCap 13.4.0. (Ticket #200919b)
Minor changes and improvements for the External Module Framework: 1) Prevented hidden settings from being stripped out of getSubSettings() calls, and 2) Added the isAuthenticated() method.
Bug fix: When using Multi-Language Management, the @LANGUAGE-FORCE action tag might not work as intended under specific conditions. (Ticket #202553)
Bug fix: When using an [aggregate-X] Smart Variable in a calculation or any kind of conditional logic or branching logic, in which the value returned for the [aggregate-X] Smart Variable is greater than “999”, the logic might mistakenly not function as expected. (Ticket #203063)
Bug fix: When using Multi-Language Management on a data entry form, the MLM language switcher drop-down displayed on the form might mistakenly be obscured and/or not visible while using certain iOS devices. (Ticket #203189)
Bug fix: The link to the Training Videos on the login page would be incorrect in some situations. (Ticket #203245)
Bug fix: When an adaptive or auto-scoring survey that has been downloaded from the REDCap Shared Library is not the first instrument in the project and is set to “Redirect to a URL” on the Survey Settings page, the survey participant would mistakenly not be redirected to the defined URL after completing the survey. (Ticket #203316)

Version 13.4.8 (released on 2023-04-12)

CHANGES IN THIS VERSION:

Major security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way on any page that outputs user-defined text, such as field labels, survey instructions, etc. This bug allows anyone to inject the “script” tag on any page that outputs user-defined text. In addition, the HTML “s” strikethrough tag can no longer be used as an allowed HTML tag, but instead it is preferred that users use the HTML “strike” tag as an equivalent replacement if users are hand-coding HTML on a page. This excludes the usage of the strikethrough button in the rich text editor, which is unaffected by this issue. This bug does not affect any LTS versions. Bug emerged in REDCap 13.4.3 Standard.
**Major bug fix: **The Simultaneous User Check, which ensures that two users cannot modify the same record/event/form/instance on the same project was mistakenly not working and would never display the warning to prevent users from being on the same instrument at the same time for a given record. Bug emerged in REDCap 13.2.0 (Standard). LTS is not affected by this bug.
Change/improvement: HTML “strike” strikethrough tags are now allowed in user-defined text, such as field labels, survey instructions, etc.
Bug fix: Several missing LOINC codes were added to the CDIS mapping features.
Bug fix: A CDIS-related database query could throw a fatal error when computing information for a DataMart revision.
Bug fix: When using MyCap, records might not appear in the MyCap Participant List if they were created while the MyCap feature was disabled in the project, after which MyCap was later enabled. (Ticket #202374)
Bug fix: The “Auto-fill Form” link for administrators to use on forms and surveys would mistakenly insert the wrong value for specific field validations, such as Number (1 decimal place), Number (comma as decimal), and other number types. (Ticket #202401)
Bug fix: When loading the first page of a multi-page public survey, in which no records exist in the project yet, the survey page might display a “REDCap crashed” error when running PHP 8. (Ticket #202648)
Bug fix: When downloading a PDF of an instrument that contains a Descriptive Text field with an inline PDF attachment, in certain cases an extra empty page might appear in the resulting PDF right before where the inline PDF is rendered. (Ticket #202598)
Bug fix: When using the Smart Variable [stats-table] and limiting its data via appending a unique report name, in which the report itself returns zero results, the stats table would mistakenly display statistics for all records in the project. (Ticket #201751)
Bug fix: The warning popup that is displayed when a user attempts to download a data dictionary when one or more of the instruments in the project have been imported from the REDCap Shared Library, in which the user must first agree to the Shared Library’s Terms of Use, was mistakenly not being displayed when users also perform the following other relevant actions: download an instrument zip file, download a Project XML file, or copy the project.

Version 13.4.7 (released on 2023-04-07)

CHANGES IN THIS VERSION:

Change/improvement: Some performance improvements and minor changes for the Unicode Transformation page, such as the exclusion of specific database table columns since they do not need to be transformed.
Bug fix: If the REDCap database table structure has utf8mb4 collation while REDCap’s database connection is configured to use utf8[mb3], both the db_character_set and db_collation values in the redcap_config database table will be modified to ensure that the character set is aligned. This fix will occur during the upgrade process and will also be added to the Unicode Transformation page.
Change/improvement: When a cron job crashes and sends an email to the REDCap administrator, the email now includes a full stack trace of the error.
Bug fix: When piping a field variable that has an [X-event-name] Smart Variable prepended to it while also having an [X-instance] Smart Variable appended to it, it might mistakenly return a blank value rather than piping the correct value. (Ticket #142932)
Bug fix: When a @CALCTEXT field contains an if() function that has a plus sign ( ) inside of single quotes or double quotes, the resulting text would mistakenly have the text “*1 1*” replacing every plus sign. This would occur when viewing a @CALCTEXT field on a data entry form or survey but not via server-side calculation methods, such as Data Quality rule H. (Ticket #141653)
Change: Improved memory management for several CDIS-related processes, especially those performed by the cron job.
Bug fix: The modal dialog displayed when attaching a file via the rich text editor might not look correct because some CSS styles were mistakenly missing for certain elements in the dialog.
Bug fix: Some users that are accessing a CDIS project might find that project pages might take a very long time to load. This only affects certain users on CDIS projects, but it is unknown which users might be affected by this.
Bug fix: The tables that list the choices for multiple choice fields on the Codebook page were mistakenly missing some of their borders.
Bug fix: If using Multi-Language Management, the MLM “Change Language” tooltip might not display the correct mouseover text due to issues with Bootstrap 5. Related, the position and spacing of the language selector on data entry forms was off also.
Bug fix: If using Multi-Language Management, the @LANGUAGE-CURRENT-FORM action tag was working on (completed) surveys viewed on data entry pages, which should never have been the case.
Bug fix: The new instance button for repeating instruments on the Record Home might mistakenly not be disabled when the form icon is disabled by Form Display Logic.

Version 13.4.6 (released on 2023-04-03)

CHANGES IN THIS VERSION:

**Major bug fix: **Reverted the bug fix in Ticket #142759, which sought to provide server-side checking to prevent @READONLY fields from having their data values modified through the client side (e.g. JavaScript). This has been reverted because there appear to be too many scenarios in which this server-side checking was blocking legitimate data entry and thus some data was not getting saved properly. Most of these scenarios occurred when using certain action tags together with @READONLY, as described in Ticket #202226 (i.e., @CALCTEXT, @CALCDATE, @DEFAULT, @SETVALUE), but other scenarios, such as when performing survey pre-filling (via URL parameters or via POST requests) for @READONLY fields, could not easily be incorporated into the server-side checking. Therefore, the server-side checking for @READONLY fields (added to REDCap 13.1.20 LTS and 13.4.4 Standard) has been removed/reverted because it was preventing legitimate data entry on forms and surveys in various scenarios.

Version 13.4.5 (released on 2023-04-01)

CHANGES IN THIS VERSION:

Major bug fix: Opening a data entry form when using PHP 8 would crash the page with a fatal PHP error on certain occasions. Bug emerged in the previous version.
Change: When using the Unicode Transformation page, if a database table’s row_format is COMPACT, it will now add ROW_FORMAT=DYNAMIC to the SQL transformation script so that this does not need to be done separately (can be time-consuming on its own).

Version 13.4.4 (released on 2023-03-31)

CHANGES IN THIS VERSION:

Bug fix: If using MySQL 8 for the REDCap database, admins might see false positives for the database structure check in the Control Center, in which it might mistakenly say “Your Database Structure is Incorrect” when it is actually correct. Bug emerged in the previous version. (Ticket #202144)
Bug fix: Fields that have a @READONLY action tag could have their data value modified on a survey page or data entry form by manipulating the webpage via JavaScript or via the web browser’s developer console. (Ticket #142759)
Various CDIS-related fixes

Version 13.4.3 (released on 2023-03-31)

CHANGES IN THIS VERSION:

Major bug fix: If a user calls the “Export Records” API method and explicitly provides the “fields” API parameter as a comma-delimited text string (instead of an array), the API might mistakenly export the data for all project fields, including data for fields for which the API user does not have data export rights. (Ticket #200812)
Improvement: “Postal Code (UK)” was added as a new field validation. After upgrading, an administrator will need to enable it on the Field Validation Types page in the Control Center. (Ticket #201961)
Improvement/change: If a participant returns to the first page of a multi-page survey (e.g., by clicking the Previous Page button or returning via their Return Code), the survey instructions can be viewed again by clicking the “View survey instructions” link at the top of page

In previous versions, the survey instructions could never be viewed again after the survey had been started (i.e., the first page had been submitted). (Ticket #201430)

Improvement: When using the Google/Microsoft Authenticator option for two-factor authentication in REDCap, users will be able to enroll using their Google/Microsoft Authenticator app the very first time they log in to REDCap via 2FA, in which the enrollment QR code will be displayed there the first time they log in via 2FA. This allows institutions to utilize the Google/Microsoft Authenticator option for REDCap without necessarily having to offer the less secure Email option, which is often the fallback/default for when users initially log in via 2FA. In previous REDCap versions, users would have to use a 2FA option other than Google/Microsoft Authenticator the first time they logged in via 2FA. So this behavior change provides a more secure way to offer 2FA. (Ticket #141099)
Improvement/change: The main Control Center page now displays a warning if REDCap recognizes that your web server and cron job are using different PHP.INI files, as this can sometimes cause undesired side effects.
Change/improvement: HTML “s” strikethrough tags are now allowed in user-defined text, such as field labels, survey instructions, etc.
Bug fix: When following the directions on the page “Updating your REDCap Database Tables to support full Unicode”, the process might mistakenly fail due to certain MySQL/MariaDB errors occurring when attempting to convert certain characters to utf8mb4 via the UPDATE queries provided on the page. If you have attempted to use this page previously and had to stop due to these errors, then after upgrading, we recommend you try it again using the new SQL provided on that page.
Bug fix: Small fixes for the page “Updating your REDCap Database Tables to support full Unicode”.
Bug fix: The Configuration Check page had several checks that would mistakenly fail due to language strings not being escaped. This bug was introduced in the previous version. This issue was supposedly fixed in REDCap 13.4.2, but mistakenly it was not. (Ticket #201609)
Bug fix: Custom Survey Queue Text might mistakenly have many unnecessary line breaks, thus causing the text to have large, empty gaps. (Ticket #201330)
Bug fix: When user privileges are edited or when users are added to a project via the CSV file upload on the User Rights page, it would mistakenly not log the individual events of each user being edited or added, respectively. (Ticket #200514)
Bug fix: When the survey expiration date is saved in YMD date format on the first save of the Survey Settings page, the date format is corrupted and not saved correctly. (Ticket #201743)
Bug fix: If a participant is taking a multi-page public survey and uses their browser’s Back button to go back to the first survey page, then then afterward continues forward again on the survey, it would mistakenly create a duplicate response/record in the project (Ticket #142376)
Bug fix: Vertically-aligned checkboxes (and some other elements as well) might not display correctly (or might be invisible) on survey pages while using an RTL (right-to-left) translated language via Multi-Language Management. (Ticket #201476, #200785)
Bug fix: When taking an adaptive or auto-scoring survey that was imported from the REDCap Shared Library while the Survey Queue is being utilized, the Survey Queue might mistakenly fail to be displayed at the end of the survey or (if using auto-start) the next survey in the queue would fail to begin automatically. (Ticket #201816)
Bug fix: When taking an adaptive or auto-scoring survey that was imported from the REDCap Shared Library while the Survey Queue is being utilized, clicking the Survey Queue icon at the top right of the survey page might mistakenly not display the Survey Queue.
Bug fix: Floating matrix headers on data entry forms (but not on surveys) would mistakenly move too much to the right side of the page while floating.
Bug fix: If an alert is set to be triggered during a data import, in which it will send an alert for each new repeating instance of a repeating instrument, the alert would mistakenly fail to get triggered if the imported value of the “redcap_repeat_instance” field is literally “new” rather than an integer. (Ticket #200445)
Bug fix: If the record ID field has any kind of field validation, the validation would mistakenly fail to be enforced when renaming the record on the Record Home Page. (Ticket #200101)
Bug fix: The “Save & Mark Survey as Complete” button on data entry forms might mistakenly be displayed in situations in which it should not. (Ticket #142863)
Bug fix: The process that checks for errors in the REDCap database structure might have reported false positives if REDCap is running on newer MariaDB versions (10.3.37 , 10.4.27 , 10.5.18 , 10.6.11 , 10.7.7 , 10.8.6 , 10.9.4 , 10.10.2 , 10.11.0 ), in which the “SHOW CREATE TABLE” query in these newer MariaDB versions excludes a column’s charset and collation if the column matches the default charset/collation of the table.
Bug fix: When creating a new project via the MyCap project template, the project creation process would mistakenly update the baseline date setting configuration before updating the project configuration, thus causing some things to be out of sync with regard to MyCap settings in the project in certain cases.
Bug fix: When using an ontology service (e.g., BioPortal) on a Text field, the cron job that sends Alerts and Automated Survey Invitations might mistakenly crash with a fatal PHP error if the field’s value is piped into the email body of the Alert or ASI. (Ticket #201928)
Bug fix: The login page for “Shibboleth & Table-based” authentication might mistakenly display both the Shib and Table-based login options under the Shib login tab. Bug emerged in REDCap 13.4.0. (Ticket #200919)
Bug fix: When uploading a CDISC ODM XML file of data on the Data Import Tool page, in certain situations while using PHP 8, the page could crash with a fatal PHP 8 error. (Ticket #200728)
CDIS-related changes/improvements:
Created DTO (data transfer objects) for CDIS mapping to improve the code’s reliability, readability, and maintainability.
Implemented the ability to include additional parameters in CDIS mapping using a specific syntax.
CDIS-related bug fixes:
Resolved an issue where an error during FHIR authentication prevented the complete log from being displayed.
Fixed a bug where fhir_identity_provider, a CDIS setting, was not given proper priority during the FHIR authentication process.
Addressed a bug where the “next” page of a bundle containing too many entries could have no reference to the FHIR resource, resulting in a logging error.
Bug fix: Some project-level pages would mistakenly appear too wide and would display a horizontal scrollbar when they should not. (Ticket #202024)
Bug fix: When composing an invitation for a repeating survey on the Participant List page, the Compose Invitations dialog would mistakenly pre-check the checkbox of participants in the dialog’s participant list in which the participant row represents a placeholder for a not-yet-existing repeating instance of the survey. In this case, users might not wish to send an invitation to these placeholders, but they exist there in the participant list just in case they do wish to invite them. So leaving them pre-checked when the Compose dialog opens could cause users to mistakenly send another repeating survey invitation to the participant when the user did not intend to do that.
Bug fix: When two users are simultaneously on the same data entry form in a project about to create a new record, in which both users have been assigned the same tentative record name prior to the record being created, if the second user to click Submit is also locking the instrument, the second user’s record would skip a number in the record creation sequence (e.g., user 1 creates record “101” while user 2 creates “103” instead of “102”) while also mistakenly not locking the second user’s new record. (Ticket #201814)
Bug fix: When a repeating instrument for a record has an instance 2 but not an instance 1 saved, the left-hand instrument menu might mistakenly display a gray status icon for the repeating instrument (as if no instances exist) when viewing other instruments within the record. (Ticket #202054)

Version 13.4.2 (released on 2023-03-24)

CHANGES IN THIS VERSION:

**Major bug fix: **When appending “&new” to the end of a survey URL for a repeating survey, it would mistakenly not redirect to the next not-yet-created repeating instance of the survey but would instead display the message that the survey had been completed.
Bug fix: When using Duo two-factor authentication, REDCap would mistakenly not honor when a user checked the checkbox to not prompt for the MFA login again for 7 days. (Ticket #201444)
Bug fix: When clicking the Check All button on the Email Users page in the Control Center, if some text had been entered into the Search filter beforehand, every user would mistakenly be selected rather than just the visible users in the table. This could cause the email to go to all users instead of just specific ones.
Bug fix: When the REDCap API has been disabled at the system level, the Tableau Export option on the “Other Export Options” page would mistakenly still appear. (Ticket #200248)
Bug fix: When copying a project or creating a project from a template, the creator of the project would mistakenly not have “Alerts & Notifications” privileges. (Ticket #201585)
~~Bug fix: The Configuration Check page had several checks that would mistakenly fail due to language strings not being escaped. This bug was introduced in the previous version. (Ticket #201609)~~

Version 13.4.1 (released on 2023-03-24)

CHANGES IN THIS VERSION:

**Medium security fix: **A Cross-site Scripting (XSS) vulnerability was discovered on survey pages in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way into the survey URL in order to pre-fill a Text field on the page, in which the field must have the @DEFAULT action tag and must also be piped somewhere on the current page. (Ticket #201503)
Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in the File Repository in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the “comment” text of an uploaded file. (Ticket #200457)
Minor security improvement: The “Clickjacking Prevention” feature is now always automatically enabled on the Password Recovery page (when using “Table-based” or “X & Table-based” authentication).
**Improvement: **New option for Form Display Logic: “Hide forms that are disabled”. When enabled, all forms that are disabled will also be hidden (not visible) on the Data Collection menu and on the Record Home Page.
Improvement: The text for the setting “Require a ‘reason’ when making changes to existing records” is now available for translation on the Multi-Language Management page.
**Improvement: **The Database Query Tool page in the Control Center now has a text box to easily filter database tables in the table list.
Bug fix: The borders of table cells for tables created by the rich text editor might mistakenly be invisible when they have been set to be displayed with a border.
Bug fix: The admin-only “auto-fill” button on surveys and data entry forms might not be located in the correct position on the page after resizing the webpage.
Bug fix: The survey auto-continue feature might mistakenly not work with PROMIS computer adaptive test (CAT) surveys but instead would just display the text “Thank you for your interest, but you have already completed this survey”. (Ticket #200757, #200621)
Bug fix: Some matrix headers might mistakenly disappear when scrolling down on a survey or data entry form.
Bug fix: Some dialog popups on MyCap-related setup pages might mistakenly close when clicking inside them.
Bug fix: When using Multi-Language Management, the proper language would not get used for the e-Consent PDF in certain situations (Ticket #200944).
Bug fix: When using Multi-Language Management, the survey acknowledgement page might not show the appropriate language.
Bug fix: When using Multi-Language Management, the image upload and file attachment modals might not work on the MLM setup page.
Bug fix: When a PDF file is attached to a Descriptive Text field and is set to display inline, it might not always get positioned in the correct place in the resulting PDF that is generated.
Bug fix: When a PDF file is attached to a Descriptive Text field and is set to display inline, the inline PDF might be displayed with too low a resolution inside the resulting PDF that is generated. Its resolution has been increased from 120 DPI to 200 DPI to make it more readable. (Ticket #200582)
Bug fix: When a PDF file is attached to a Descriptive Text field and is set to display inline, the inline PDF might mistakenly be too large for the page and might run off the page if more than one or two lines of text exist for the Descriptive Text field’s field label. The resulting PDF that is generated will instead begin the inline PDF on a new page by itself in this scenario. (Ticket #200582b)
Bug fix: The onhover action of the gear icons on the User Activity Log page in the Control Center would mistakenly not work and would not display the project title, as expected. (Ticket #200729)
Bug fix: When clicking inside the “Preview message by record” dialog on the Alerts & Notifications page, the dialog would mistakenly close.
Bug fix: In a classic/non-longitudinal project, when navigating directly to a data entry form prior to choosing a record (via the form list under “Hide data collection instruments” on the left-hand menu), the page would mistakenly be too narrow.
Bug fix: Small tweaks and fixes for the page “Updating your REDCap Database Tables to support full Unicode”.
Bug fix: Piping in a survey’s Survey Completion Text would always fail to work. (Ticket #200909)
Bug fix: Floating matrix headers on survey pages and data entry forms might mistakenly move all the way to the left side of the page while floating.
Bug fix: The footer (gray box) at the bottom of all project pages might mistakenly not appear in the correct position but might be too far left. (Ticket #200912)
Bug fix: In some situations, a required field that is embedded inside another required field hidden by branching logic might mistakenly not be able to have its value removed when a user deletes the value and then clicks Save on a survey or data entry form. The value would reappear again if the page was reloaded.
Change: Reworded the “Tip for min/max limits” text in the Online Designer for greater clarity.
Bug fix: In some rare scenarios when a participant submits the first page of a public survey, the page might result in a “too many redirects” error, thus preventing the user from completing the survey. (Ticket #200351)
Bug fix: When composing a survey invitation, in which the Smart Variable [survey-link:instrument] or [survey-url:instrument] is used (i.e., with an instrument name) inside the body of the invitation, the dialog titled “Invitation text is missing [survey-link] variable” would mistakenly appear when it should not. (Ticket #200914)
Bug fix: When submitting the first page of a public survey, in which an MDY or DMY formatted date/datetime field was submitted, the survey might mistakenly display the “invalid values entered!” dialog saying that the field’s submitted value was incorrect, which is not true.
Bug fix: Several missing LOINC codes were added to the CDIS mapping features.
Change: Hundreds of phrases and words of static text were abstracted in the REDCap code to allow them to be translated via the Language Updater. (Thanks to Hugo Potier for all his help with this task.)
Bug fix: Fixed typo in Multi-Language Management logEvent() method. This does not seem to affect anything though.
Bug fix: When embedding a matrix field and using the “:icons” notation, the balloon and history icons would mistakenly not be displayed for the embedded matrix field.
Bug fix: If a horizontally-aligned checkbox is embedded inside the choice label of another checkbox that is vertically-aligned, the first checkbox of the embedded field might mistakenly not be visible. (Ticket #201393)

Version 13.4.0 (released on 2023-03-10)

CHANGES IN THIS VERSION:

New feature: Mosio SMS Services
REDCap has the capability to send SMS text messages for surveys and for Alerts & Notifications by using a third-party web service named Mosio (www.mosio.com). In this way, users can invite a participant to take a survey by sending them an SMS message, in which the data would be collected in REDCap directly from their phone without having to use a webpage. There are two ways REDCap currently works with Mosio: 1) Surveys “ Sending survey invitations and also sending questions and getting replies via text message, and 2) Alerts - Sending one-way Alerts & Notifications via text message.
The Mosio Two-Way Text Messaging (SMS) Services work exactly the same as the current Twilio functionality, with the exception of the Voice Call features. Mosio can only send and receive SMS messages. If a user wishes to switch a project from using Twilio to using Mosio, the only thing that needs to be done is for them to get a Mosio account and API key, then disable Twilio and enable Mosio in their REDCap project using their API key. That’s all that needs to be done to migrate from Twilio.
If you wish to disable the Mosio functionality at the system-level so that users do not see the feature on the Project Setup page, an administrator may do so on the Modules/Services Configuration page in the Control Center (similar to the Twilio settings there).
For more information and to get a Mosio account, visit https://www.mosio.com/redcap. Mosio specializes in research communications automation, helping researchers improve engagement, adherence, and data collection in studies. The service is both HIPAA and 21 CFR Part 11 compliant and willing to sign BAAs.
Change: The Internet Explorer web browser is no longer supported in REDCap.
Change: The third-party package named Bootstrap that is embedded inside REDCap has been upgraded from Bootstrap 4 to Bootstrap 5. Most external modules should be unaffected by this change since most of the deprecated Bootstrap 4 classes and conventions have been backported into this version to make the transition as seamless as possible.
Major bug fix: If the Automatic Upgrade (blue button on the Upgrade page), Easy Upgrade, and/or Auto-Fix options are available in your REDCap installation (regardless of whether you have actually used those options or not), it could be possible for someone that is not logged in to REDCap to directly access the upgrade page of an older version sitting on the web server (e.g., https://…/redcap_v11.1.0/upgrade.php) and click the blue Upgrade button for the Automatic Upgrade, which would mistakenly revert the system back to that version. Note: Doing this would not run any other SQL but only the few queries that change the “redcap_version” in the redcap_config database table (and a couple of other minor things). If either the Automatic Upgrade or Easy Upgrade option is available on your system, then it is recommended that you additionally go and remove EVERY ugprade.php file that exists inside all previous REDCap version folders. This is just a one time thing, and is not necessary to do in the future. (Ticket #200338)
Change: Replaced all hard-coded links to REDCap Community pages to point to the new REDCap Community website hosted on the Vanderbilt REDCap server. Previous links pointed to the old AnswerHub site.
Change: The project PID was added to the email subject of all “Request to Move Project to Production” emails that are sent to REDCap administrators. (Ticket #76956)
Bug fix/change: Inline PDF attachments on Description Text fields were mistakenly not being rendered as inline in PDF exports.
Last year when the inline PDF feature was added for attachments on Description Text fields, in which in previous REDCap versions only images could be displayed as an inline attachment on the web page and in the exported PDF file, the feature was mistakenly not fully implemented because the PDF attachment was not rendered inline inside the resulting exported PDF file for a form or survey. To fix this, any PDF attachments that are set to be displayed as inline on a Descriptive Text field will now correctly be rendered as inline in the PDF of the form/survey in order to be consistent with how inline images have always been treated in PDFs.
Additionally, the ImageMagick PHP extension is required for this fix to work. It is a common but not universal PHP extension. A new check has been added to the Configuration Check page to detect if this extension has been enabled on the REDCap web server, and if not, the page will provide a link with instructions for installing it, if desired.
NOTE: If administrators wish to disable this setting so that inline PDF attachments are not rendered as inline inside the PDF files, they may disable this functionality at the system level on the Modules/Services Configuration page in the Control Center.
Bug fix: When the min or max validation range of a date- or number-formatted Text field contains certain Smart Variables, the min/max range check might mistakenly not work on a form or survey due to a JavaScript error. (Ticket #143298)
Bug fix: When a user deletes all the data in a single event for a record (in the UI or via the API), the resulting logged event seen on the Logging page would mistakenly note that it happened to the first event instead of to the specified event.
Bug fix: When the Record ID field has the @HIDDEN-PDF action tag, the field would mistakenly not get hidden in the downloaded PDF when clicking the PDF option “This data entry from with saved data (via browser’s Save as PDF)” while on a data entry form. (Ticket #111718b)
Bug fix: While the ability of individual projects to have their own authentication method was removed in REDCap 13.1.2, this setting was mistakenly not removed from the Edit Project Settings page (in which changing its value on that page does nothing to affect anything). (Ticket #200379)
Bug fix: When copying a MyCap-enabled project, it would mistakenly copy the MyCap tasks into the new project, even when the MyCap copy option is not checked.
Bug fix: When migrating a project using the MyCap external module to begin using the native MyCap feature, the migration process might mistakenly not process certain MyCap tasks correctly that were not adequately enabled in the MyCap EM.
Bug fix: The Smart Variables [survey-time-started], [survey-date-started], [survey-time-completed], [survey-date-completed], [survey-duration], [survey-duration-completed] might mistakenly return the value for record “1” in a project (if record “1” exists) when these Smart Variables are used in a calculated field, @CALCTEXT field, or branching logic on the first page of a public survey. These would, however, work correctly if used in a field label, choice label, etc., if used on a non-public survey, or if used on survey page 2 or higher of a public survey.

Version 13.3.4 (released on 2023-03-03)

CHANGES IN THIS VERSION:

Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in the @CALCTEXT action tag in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the text of the @CALCTEXT action tag.
Minor security fix: An SQL Injection vulnerability was found on the Database Activity Monitor page, in which a malicious user could potentially exploit it by manipulating an HTTP request on another page while an administrator views the Database Activity Monitor page.
Change: HTML “style” tags are now allowed in user-defined text, such as field labels, survey instructions, etc.
Change/improvement: On the Calendar page, the year selection drop-down list now extends to 10 years in the future by default, and if the year is changed via the drop-down, the drop-down’s option will extend to 10 years in the future of either the current year or the selected year (whichever is largest). (Ticket #143067)
Bug fix: Several missing LOINC codes were added to the CDIS mapping features.
Bug fix: When REDCap is sending a confirmation email to a survey participant after completing a survey, it might mistakenly cause a fatal PHP error on the page. (Ticket #143145)
Bug fix: When piping a File Upload field with “:link” or “:inline” in the body of outgoing emails (e.g., alerts, ASIs), the piping would mistakenly not be successful under certain circumstances. (Ticket #143158)
Bug fix: The Stats & Charts page might mistakenly crash in certain situations due to a fatal PHP error when using PHP 8. (Ticket #143019b)
Bug fix: When using Multi-Language Management, in which an Automated Survey Invitation has been translated, the ASI might mistakenly not be sent in the desired language when there are conflicting things (or none) dictating what the language should be for the ASI. To prevent this issue regarding language ambiguity in ASIs, a new MLM setting had to be added to allow users to define the language source of a given ASI at the survey level (but not at the survey-event level), in which users may choose the “Language preference field” or “User’s or survey respondent’s active language” as the ASI Language Source on the MLM setup page. (Ticket #143119)
Bug fix: When using Multi-Language Management, in which an Automated Survey Invitation has been translated, the ASI might mistakenly be sent out in the fallback language in some cases. (Ticket #143119b)
Bug fix: Any HTML tags used inside the equation of a @CALTEXT field would mistakenly not display correctly in the View Equation popup on data entry forms. (Ticket #143228)
Bug fix: An issue specific to PHP 8.1 might cause some features of the Clinical Data Mart to crash with a fatal PHP error.
Bug fix: When using comments in calculations or logic, if the comment contained a quote or apostrophe, it would mistakenly get included in the check to ensure that there is always an even number of quotes/apostrophes in the calculation/logic. This would sometimes throw an error and prevent users from being able to add or edit the calc/logic. (Ticket #143367)
Bug fix: Large configurations for Multi-Language Management might mistakenly get truncated in the database when saved. The configuration columns in the MLM database tables were increased to handle this. (Ticket #143355)
Bug fix: The embedded PDF on the e-Consent certification page of a survey with the e-Consent Framework enabled would mistakenly look squished (have incorrect dimensions) when taking the survey on an iPad. (Ticket #143212)
Bug fix: In some cases after a participant has completed a survey, if they return to the survey using a private survey link (i.e., not a public survey link) while the survey has “Save & Return Later” disabled, the participant might mistakenly be allowed to modify the existing survey response. (Ticket #143400)

Version 13.3.3 (released on 2023-02-24)

CHANGES IN THIS VERSION:

Major bug fix: On public surveys where the participant fails to enter a value for a required field on the first page of the survey, in which the survey page has dozens or hundreds of fields, the survey page might mistakenly crash with an HTTP 414 error (URL Too Long) after being submitted, thus preventing the participant from completing the survey. Bug emerged in REDCap 13.1.11 (LTS) and 13.3.0 (Standard). (Ticket #142829)
Bug fix: The Azure AD (V1) authentication was mistakenly displaying “samAccountName” as an option to use for “AD attribute to use for REDCap username” when instead it should have been using “onPremisesSamAccountName”. (Ticket #134789)
Bug fix: When re-evaluating an Automated Survey Invitation for a repeating survey that has been set up with a repeating ASI, the re-evaluation process might report that some invitations were scheduled when they were not.
Bug fix: In some cases, images that were added via the rich text editor to a project dashboard, to custom text on a report, or to survey components (instructions, questions, etc.) would mistakenly not display on the public version of the dashboard, on a public report, or on the survey, respectively, unless the person viewing it was currently logged in as a REDCap user. (Ticket #142302)
Bug fix: If Automated Survey Invitations have been set up for a survey, in which some invitations have already been scheduled for a record, if the survey instrument gets marked as “Complete” via normal save operations on the data entry form (with the exception of clicking the “Save & Mark Survey as Complete” button), the scheduled invitations would mistakenly get automatically deleted. They should only get deleted if the survey has been completed via the survey page or by a user clicking the “Save & Mark Survey as Complete” button on the data entry form. Bug emerged in REDCap 9.3.7. (Ticket #142989)
Bug fix: When creating a Table-based authentication user or when adding a user to a project, if the username that was entered contained illegal characters, the error message would fail to note that the @ symbol is allowed in usernames. (Ticket #142999)
Bug fix: The Stats & Charts page might mistakenly crash in certain situations due to a fatal PHP error when using PHP 8. (Ticket #143019)
Bug fix: When using Duo two-factor authentication, if the system is set to “Offline”, it would mistakenly prevent administrators from successfully logging in via Duo 2FA. (Ticket #143003)
Bug fix: The admin detection on survey pages might mistakenly fail in certain situations and thus fail to display the “Auto-fill survey” link at the top-right of a survey page whenever an administrator is viewing the survey.
Bug fix: When piping instance-related Smart Variables into the email text of a survey’s Confirmation Email, the resulting piped text might mistakenly not be formed correctly. For example, appending [new-instance] to the [survey-link] Smart Variable, in which survey-link contains custom display text, would output the survey URL instead of the survey link with the custom text. (Ticket #143059)

Version 13.3.2 (released on 2023-02-17)

CHANGES IN THIS VERSION:

Bug fix: When a record is correctly assigned to a Data Access Group, it might not appear to be assigned to its DAG while viewing the Record Status Dashboard, the Add/Edit Records page, and reports if data values for the record somehow got stored incorrectly in the backend redcap_data table in multiple/mixed cases (e.g., “101a” vs “101A”). Un-assigning and then re-assigning the record back to its original DAG might fix this issue temporarily, but the bug would arise again whenever the project’s internal “Record List Cache” was cleared/rebuilt. (Ticket #141329, #142544) NOTE: If the issue still exists after the upgrade, click the “Clear the Record List Cache” button on the Project Setup->Other Functionality page.
Bug fix: When exporting CSV files in various places throughout REDCap, the process might mistakenly fail for PHP 8 under specific unexpected conditions.
Bug fix: The cron job used for the Clinical Data Mart or Clinical Data Pull might mistakenly fail due to the user ID being used instead of the username when creating a new instance of the job.
Bug fix: Over 20 missing LOINC codes were added to the CDIS mapping features.
Bug fix: The “resources” link in the MyCap informational dialog on the Project Setup page mistakenly pointed to the wrong URL. (Ticket #142514)
Bug fix: The CSV file upload for importing Automated Survey Invitations (ASIs) in the Online Designer would mistakenly fail with an error if the user’s preferred CSV delimiter was not set to “comma” via their user profile. (Ticket #142555)

Version 13.3.1 (released on 2023-02-10)

CHANGES IN THIS VERSION:

Change/improvement: Added a new internal service check to the Configuration Check page that checks REDCap’s ability to make server-side HTTP calls to its own survey end-point. For some server/network configurations, this kind of HTTP call was failing silently and causing some survey pages to timeout sporadically. This check will help administrators become aware of this issue if it exists.
Bug fix: When performing certain actions in the File Repository, such as uploading files, an error message would mistakenly be displayed afterward saying that there is a DataTables warning. Bug emerged in REDCap 13.3.0 (Standard).
Bug fix: When using the page “Updating your REDCap Database Tables to support full Unicode”, some REDCap installations (depending on their specific database configuration) might experience a few minor SQL errors during the unicode transformation process.
Bug fix: The “System Statistics” page in the Control Center did not display the label correctly for the count of projects utilizing the Clinical Data Pull feature.
Bug fix: Data values imported for a patient’s “birth-sex” via FHIR using the Clinical Data Operability Services might mistakenly get converted into an incorrect value (“UNK”) in some specific cases. (Ticket #141976)
Bug fix: If using the e-Consent Framework with the setting “Allow e-Consent responses to be edited by users?” enabled, users with edit privileges would mistakenly be prevented from modifying the data on the consent form via a data import. (Ticket #140846)
Bug fix: The Survey Queue page might crash due to a fatal PHP error when using PHP 8. (Ticket #142125)
Bug fix: When using the @RICHTEXT action tag on a Notes field, changing the text in the editor (i.e., the field’s value) might mistakenly not trigger calculations or branching logic accordingly. (Ticket #142127)
Bug fix: When using the rich text editor to translate a survey’s survey instructions on the Multi-Language Management setup page, any images uploaded via the rich text editor would mistakenly not load when viewing the translations on a survey page (that is, unless the person viewing the survey is a REDCap user and is currently logged in to REDCap). (Ticket #141658b)
Bug fix: If a user that has “read-only” user privileges for a specific instrument is viewing the Data History of a File Upload field on that instrument, the “Delete” link next to each file/revision would mistakenly be displayed in the Data History popup. Users with read-only instrument-level privileges should not be able to delete older revisions of a File Upload field. (Ticket #141709)
Bug fix: If a repeating instrument has been enabled as a survey, but the survey setting “(Optional) Repeat the survey” has not been enabled on the Survey Settings page, then when viewing the participant list, a placeholder instance might mistakenly not be displayed in the participant list to represent a not-yet-taken instance of the repeating survey. There should always be at least one untaken placeholder instance displayed for each record in the participant list for repeating surveys because this allows users to open a new instance of the survey or email the participant a link to that new survey instance. (Ticket #141545)
Bug fix: When creating/editing a report, the explanatory dialog for Step 3’s “Show data for all events for each record returned” checkbox was outdated and mistakenly did not mention anything about the setting’s usage in projects containing repeating instruments/events. (Ticket #141953)
Bug fix: When the “Text-To-Speech” feature is enabled on a survey, the speaker buttons would mistakenly not appear next to the field labels of fields in a matrix, thus preventing participants from utilizing the feature there. (Ticket #141787)
Bug fix: In very specific situations where a field is a required field and is embedded in another field, in which the container field is hidden by an @HIDDEN action tag while the field embedded inside it also has an @HIDDEN action tag, the user would mistakenly get prompted by the Required Field dialog for a hidden embedded field if the container and/or embedded fields have @HIDDEN-SURVEY while on a data entry form or if they have @HIDDEN-FORM while on a survey page. (Ticket #142212)
Bug fix: If a whole record has been locked or if a data entry form has been locked for a given record, any survey participant who happened to have opened their survey prior to the record/instrument being locked would mistakenly still be able to submit and save their survey response, and as a result, possibly overwrite any existing data on the locked record/form. (Ticket #139555)
Bug fix: When downloading a data dictionary or an instrument zip file, any Dynamic Query (SQL) fields that contain “\\n” in their SQL query would mistakenly have the text “\\n” replaced with “|” in the resulting downloaded file. (Ticket #141734)

Version 13.3.0 (released on 2023-02-02)

CHANGES IN THIS VERSION:

New feature: Administrators will now see an “Auto-Fill Form” or “Auto-Fill Survey” button at the top right of forms and surveys, respectively. Clicking the button will auto-fill all visible fields on the entire instrument. This is to help with testing or troubleshooting data collection.
New feature: Embedding file attachments in text & emails
Users may now attach one or more files into the text of a survey invitation, an alert, or a field label on a form/survey, among other things, by clicking the file attachment (paperclip) icon in the rich text editor and then by uploading a file from their local device.
This feature is available for every rich text editor *with the exception* of non-project pages (e.g., the Email Users page) and also any field with the @RICHTEXT action tag.
If administrators wish to disable the ability to embed attachments in text via the rich text editor, they may disable this functionality at the system level on the Modules/Services Configuration page in the Control Center. Note: This setting operates independently from the other setting “File Repository: Users are able to share files via public links” (found on the File Upload Settings page in the Control Center); thus, even if public file sharing has been disabled globally, users can still upload file attachments via the rich text editor so long as its associated setting has been enabled globally.
Note: All files uploaded via the rich text editor will be represented in the text of the editor as a public file-sharing link, which allows the file to be downloaded in any context (e.g., on surveys, on authenticated REDCap pages, and in public areas like emails and public dashboards). This means that if anyone has possession of this link, they will be able to download the file (at least, until the file has been deleted). All files uploaded via the rich text editor will be automatically stored in a special “Miscellaneous File Attachments” folder in the File Repository where they can be accessed and/or deleted, if necessary. If any such file is deleted from the “Miscellaneous File Attachments” folder in the File Repository, the associated download link for the file will cease to be active and thus will become a dead link wherever it has been used.
Improvement: A new “preformatted code block” button was added to the toolbar of all rich text editors.
New feature: New one-way messaging system for Clinical Data Interoperability Services (CDIS) that is designed to provide secure communication to users who are utilizing asynchronous CDIS processes, such as background data pulling via a cron job. This new system has been developed to address the need for a secure means of communication outside of REDCap Messenger, particularly for messages that contain protected health information (PHI). Emails were not a viable option for these types of messages, as they do not provide the necessary level of security to protect PHI from unauthorized access. The system utilizes encryption techniques to ensure the confidentiality and integrity of all messages exchanged.
Bug fix: When using comment lines inside the Field Annotation for a @CALCTEXT field, Data Quality rule H would mistakenly not perform the calculation successfully. (Ticket #141558)
Various updates and fixes for the External Module Framework.
Bug fix: Fixed PHP 8 related error when an administrator tries to hide the blue Easy Upgrade box in the Control Center. (Ticket #141539)
Bug fix: When using “now” as the min/max for a date field or using “today” as the min/max for a datetime field, the validation range check would mistakenly not detect an out-of-range value. (Ticket #141646)
Bug fix: When using the rich text editor to translate a label on the Multi-Language Management setup page, the image icon was mistakenly missing from the editor’s toolbar interface, thus preventing users from uploading alternative images into the translated text.
Bug fix: When using the rich text editor to translate a label on the Multi-Language Management setup page, any images uploaded via the rich text editor would mistakenly not load when viewing the translations on a survey page (that is, unless the person viewing the survey is a REDCap user and is currently logged in to REDCap). (Ticket #141658)
Bug fix: When a survey participant enters data on a public survey, in which some required fields are left blank, it is possible for the participant to re-submit the page in the browser (via the browser Back/Reload button) and thus cause duplicate records to be created. This can especially happen for certain browsers, such as Mobile Safari on iOS devices, when minimizing the browser and then re-opening the browser later. (Ticket #141012)

Version 13.2.5 (released on 2023-01-27)

CHANGES IN THIS VERSION:

Improvement: Comment lines can be added to calculations and logic to serve as annotations to explain various parts of the logic/calc. Thanks to GÃ¼nther Rezniczek for helping add this new feature.
Improvement: When setting up the Survey Queue or an individual Automated Survey Invitation, the survey drop-down for the “When the following survey is completed” setting in the dialog now has a built-in search feature to easily find a specific survey in a long list. Additionally, if the survey title does not match the instrument title, the drop-down list will also display the user-facing form name for the survey, which should help users find the right survey quicker in certain cases.
Bug fix: In some cases, images that were added via the rich text editor to a project dashboard would mistakenly not display on the public version of the dashboard unless the person viewing it was currently logged in as a REDCap user.
Updates for the External Module Framework, including: 1) Added arguments allowing $module->getProjectsWithModuleEnabled() to return projects in analysis/cleanup status and with completed dates, and 2) Miscellaneous scan script updates and unit test updates.
Bug fix: When creating a project using the MyCap project template included in REDCap, in some cases the resulting project might result in errors when a participant loads the project on their MyCap mobile app.
Bug fix: A fatal PHP error might occur for PHP 8 on a project using the Clinical Data Pull feature, in which a user clicks the “Delete data for THIS FORM only” button at the bottom of a data entry form. (Ticket #141230)
Bug fix: When using Clinical Data Pull and launching the CDP REDCap page embedded inside of Epic Hyperspace (this does not affect other EHRs but only Epic), the embedded page would not function correctly due to incompatibilities with Internet Explorer, which is the embedded browser utilized by Hyperspace. This bug emerged in the previous REDCap version.
Bug fix: When exporting a project’s data to SAS, in which the project is using Missing Data Codes and also the exported data set contains Text or Notes fields, the resulting SAS syntax file might mistakenly be missing an underscore at the end of the variable name for the “format” attribute for the Text and Notes fields. (Ticket #103142)
Bug fix: The replacement function utf8_encode_rc() for PHP’s utf8_encode() might prevent certain users from logging in successfully, in which this ultimately is caused by certain unknown web server configurations. (Ticket #140393)
Bug fix: When using the Randomization page while a project is in production status, a REDCap administrator is unintentionally able to erase the randomization model of the project, which should only be allowed while in development status (even for admins). The “Erase randomization model” button will now stay disabled for everyone when a project is in production. (Ticket #141286)
Bug fix: If a required field’s field label contains a lot of HTML, in which the field value is left empty when submitting a survey page or data entry form, the “Some fields are required” dialog that is displayed would mistakenly not look correctly on some occasions due to the HTML in the label. To prevent this issue and to make the field label more readable, the required field dialog will now strip all HTML from the field label when displaying it. (Ticket #141262)
Bug fix: Bug fix: When MyCap is enabled in a project, on some rare occasions when migrating a project using the MyCap external module, the process might fail due to an SQL error. (Ticket #138168b)
Bug fix: Importing data for a patient’s race via Clinical Data Interoperability Services (CDIS) might mistakenly fail in cases where the patient has more than one race listed in the EHR.
Bug fix: When a user is viewing the field drop-down for the Data Search feature on the Add/Edit Records page in a project that has more than 20K records, the note text in the first option of the field drop-down would mistakenly be truncated, thus preventing the user from being able to read it. (Ticket #141317)
Bug fix: When uploading a CSV file of user privileges on the User Rights page, the “lock_records” privilege would mistakenly return an error if its value is set to “2”, which is a valid value. (Ticket #141141)
Bug fix: When changing an existing alert from sending “immediately” and “every time” to sending not immediately (e.g., “Send on next X at time Y”) without explicitly clicking the “Just once” radio option in Step 2B after doing so, these changes made to Step 2 would mistakenly not get saved when saving the alert. (Ticket #140491)

Version 13.2.4 (released on 2023-01-20)

CHANGES IN THIS VERSION:

Improvement: When using the built-in MyCap feature, users can now explicitly define the title of the project as seen by participants in the MyCap Mobile App. A new button has been added near the top of the “MyCap App Design” to allow users to set the project title that is displayed in the app. If not defined, it will default to using the user-facing title of the REDCap project, which was how it behaved in previous versions of REDCap.
Major bug fix: In certain situations where survey invitations get scheduled for a repeating Automated Survey Invitation, in which the record’s data is later modified, the repeating invitations that were scheduled might mistakenly get unscheduled. (Ticket #140851)
Major bug fix: If a user is creating a new record on a data entry form, in which record auto-numbering is enabled in the project and the form is submitted by the user with a required field that has no value, if the project’s internal Record List Cache (a secondary list of records in the database for improving performance) had not been built yet or was recently cleared (which is done automatically by REDCap internally), the user submitting the form might trigger the Record List Cache building process, which might inadvertently create multiple identical records instead of just creating the one record.
Bug fix: If a checkbox field has a large amount of choices, thus causing the checkbox options to become a scrollable box, the overall height of the scrollable box would mistakenly be too short on surveys that have the “Enhanced radio buttons and checkboxes” feature enabled. Since the enhanced radios/checkboxes are much larger than regular radios/checkboxes, the scrollable area has been made twice as tall in these cases in order to provide a less confusing user experience to survey participants.
Bug fix: The Multi-Language Management page in the Control Center might incorrectly denote a translated language as being 100% complete when it is only 99.9% complete. (Ticket #140724)
Bug fix: Various issues related to checkbox fields with many options, such as displaying a horizontally-aligned checkbox field as too wide in Firefox. Also, the new feature added in the previous version that would cause a long list of checkbox options to become scrollable has now been completely removed since so many users complained about it being problematic for them. (Ticket #140759)
Bug fix: When piping a Notes field that has the @RICHTEXT action tag, the HTML formatting in the field’s value might mistakenly not render correctly on the page, especially if the value contains HTML tables. (Ticket #140910)
Bug fix: When a datetime field is using “now” as the min or max validation range, and the user clicks the “Now” button next to the field after having been on the page for more than one minute, the “out of range” popup would mistakenly display.
Bug fix: When using Multi-Language Management, if some slider fields do not have their slider label values translated, it could cause some parts of the survey page or data entry form not to display all its translated text successfully. (Ticket #140871)
Bug fix: Some LH-aligned radio buttons might mistakenly cause the page to be too wide if a radio choice label is very long. Unfortunately, the only way to fix this issue fully is to revert a change in the previous version that improved the text wrapping of the choice labels of horizontally-aligned checkbox fields.
Bug fix: If a survey participant clicks the “Save & Return Later” button on a survey, which has no survey title (i.e., it was left blank), the email sent to the participant might be slightly confusing because it displays only two double quotes where the survey title should be. It now displays slightly different text if the survey title has not been defined.
Bug fix: If a project title contains some UTF-8 encoded characters, the project title would mistakenly display as garbled when viewing it on the My Projects page on a mobile device. (Ticket #140814)
Bug fix: If a repeating Automated Survey Invitation has reminders enabled, the Survey Invitation Log might mistakenly display a bell icon and number (representing a reminder) next to a recurring invitation that is not actually a reminder.
Bug fix: When using the Randomization page and downloading an example allocation table in Step 2, for certain randomization models, the CSV file produced may become too large to be processed, which might throw an error, and/or it might take an abnormally large amount of time to output the CSV file. To prevent these situations, the example allocation tables now will only output a maximum of 50,000 rows regardless of the randomization model set up in the project. (Ticket #140909)

Version 13.2.3 (released on 2023-01-13)

CHANGES IN THIS VERSION:

Bug fix: If a Project Template has Form Display Logic, new projects created from that Project Template would mistakenly not have the Form Display Logic settings copied over. (Ticket #140489)
Bug fix: If REDCap is using an external file storage method (e.g., AWS S3, Azure Blob Storage) for storing all files in the system, the Project Revision History’s version comparison feature would mistakenly fail, and it would result in a fatal PHP error when using PHP 8. (Ticket #140551)
Bug fix: If a participant email address contains one or more capital letters and is added manually to the Participant List multiple times, the Participant List would mistakenly fail to display a number and parentheses immediately before the email address on each row (e.g., “1) <rob@aaa.com>") to help differentiate the multiple instances of the same email address. (Ticket #140466)
Bug fix: When using Duo two-factor authentication, some important debugging information would mistakenly not get output to the page when an error occurred, in which it prevented admins from effectively troubleshooting certain network-based configuration issues that could cause Duo not to work dependably for users.
Bug fix: If a checkbox field has a large amount of choices, it could cause the field to mistakenly take up a disproportionate amount of the survey page or data entry form, thus resulting in a bad user experience. In this case now, the whole list of checkbox options will instead become scrollable so that the checkbox field does not become too unwieldy while still allowing the user to see all the choices.
Bug fix: Checkbox fields that are horizontally-aligned might mistakenly have a choice’s checkbox and its label appear on two different lines due to text wrapping. Instead, an individual choice’s checkbox and label now no longer wrap to the next line but instead stay together on the same line. (Note: This fix does not apply when viewing a form/survey on a mobile device.)
Bug fix: In very specific situations where a field is a required field and is embedded in another field, in which the container field is hidden by an @HIDDEN action tag while the field embedded inside it does not have an @HIDDEN action tag but does have a @DEFAULT action tag, the default value added to the embedded field via the @DEFAULT action tag would mistakenly not get saved when saving the page.
Bug fix: Various fixes related to issues with using Duo two-factor authentication, including issues caused by the use of a proxy with the REDCap web server. (Ticket #140186, #137099)
Bug fix: Clicking the “View Equation” link for a @CALCTEXT field on a data entry form or survey page while the project is in production status but not in draft mode would mistakenly display an error message instead of displaying the calculation. (Ticket #140645)
Bug fix: When downloading a CSV file of either users or user roles on the User Rights page, the form-level viewing rights and form-level export rights in the CSV file might mistakenly contain instruments that have been deleted from the project. (Ticket #140668)
Bug fix: If PDF files had been stored in the File Repository’s “PDF Survey Archive” folder, after which the Auto-Archiver and/or e-Consent Framework had been disabled for all surveys in the project, the “PDF Survey Archive” folder would mistakenly no longer be visible in the File Repository, thus preventing users from accessing previously-saved files. That folder will now be displayed if the Auto-Archiver and/or e-Consent Framework is enabled or if any files already exist in the folder. (Ticket #140435)

Version 13.2.2 (released on 2023-01-06)

CHANGES IN THIS VERSION:

Bug fix: In certain situations in which REDCap or an External Module executes a specific parameterized query to the database, the query might mistakenly fail due to an “illegal mix of collations”.
Bug fix: Unless using the latest version of the REDCap Mobile App, a @CALCTEXT field might mistakenly not function correctly in the Mobile App if its calculation contains multiple nested IF() statements.
Bug fix: When a participant is viewing their survey queue, if they click the “Get link to my survey queue” button and then click “Send” to email the survey queue link to themselves, the Email Logging page would mistakenly not associate the email with a record in a project when searching for emails on that page. This can make it very difficult to find this email via the Email Logging page. In the future, this action will associate the email with a specific record on the Email Logging page.
Bug fix: A SQL query might mistakenly not get formatted correctly and thus might fail when CDIS is sending a notification to a user via REDCap Messenger regarding the completion of an asynchronous CDIS task.
Bug fix: The “How do I format the equation?” link in the “Edit Field” dialog in the Online Designer would mistakenly open the wrong question on the “Help & FAQ” page.
Bug fix: If a user assigned to a Data Access Group views a report that has DAG filtering imposed via “Step 3: Additional Filters” in the report settings, in which the user’s DAG is not one of the selected DAGs of the Additional Filters, the report might mistakenly display some records from the user’s DAG when instead it should not return any records in the report. A similar behavior might also occur for a user that is not assigned to a DAG when viewing the same report, but instead occurring when using the DAG Live Filter to select a DAG that is not one of the selected DAGs of the Additional Filters. (Ticket #140302)

Version 13.2.1 (released on 2022-12-29)

CHANGES IN THIS VERSION:

Major bug fix: If using AAF authentication or any of the “X & Table-based” authentication methods (excluding “LDAP & Table-based”), the login process might not function correctly and might appear as if the authentication has mistakenly reverted to only “Table-based” authentication. Bug emerged in REDCap 13.2.0 (Standard). (Ticket #140065)
Bug fix: Certain Font Awesome icons might mistakenly not display correctly on survey pages.

Version 13.2.0 (released on 2022-12-29)

CHANGES IN THIS VERSION:

New feature: “Azure AD & Table-based” authentication method - The “Security & Authentication” page contains a section of custom settings for using the Azure AD authentication method in REDCap. All the existing Azure AD settings apply to this new authentication method, with the addition of a new custom button text for the “Azure AD” button on the login page.
Important change: New option displayed on the Configuration Check page to update the REDCap database tables to support full Unicode. REDCap installations that were initially installed using a version prior to REDCap 8.5.0 will have an older, legacy type of database collation/encoding and charset (character set). If your REDCap installation is affected, it is *highly* recommended that you follow the steps detailed on the page that is linked on the Configuration Check page in order to update your database. Please note that this is NOT an urgent issue, but it is something we recommend you address sooner rather than later since your current database collation and charset (UTF8 or UTFMB3) have been deprecated in the latest versions of MySQL/MariaDB and thus will eventually be removed altogether in future versions of MySQL/MariaDB. The full process of updating your database tables may take many minutes or possibly hours to run all the pertinent SQL to convert both the table structure and table data. Please follow the instructions on that page carefully, and make sure you perform a database backup before starting the process. (Thanks to Tony Jin for his help with this effort.)
Important change: Dropped support for PHP 7.2. Only PHP 7.3.0 and higher are now supported in REDCap.
Bug fix: The user privilege for “Alert & Notifications” was mistakenly not getting copied for project users when using the “Copy Project” feature while electing to copy the current users into the new project. (Ticket #140023)
Bug fix: The Cron Jobs page in the Control Center might crash with a fatal PHP error for certain versions of PHP if the “exec” function is disabled in PHP as a “dangerous” function on the REDCap web server. (Ticket #140034)

Version 13.1.4 (released on 2022-12-28)

CHANGES IN THIS VERSION:

Improvement: The “Help & FAQ” page has been updated with new content (thanks to the FAQ Committee).
Bug fix: When the system-level setting “Allow reports to be made ‘public’?” has been set to “No”, administrators are still allowed to make reports public, which is expected; however, when anyone attempts to view the report using the public link, it displays an error saying that it cannot be displayed. Anyone with the public link should be able to view the report. (Ticket #132901b)
Bug fix: When testing a calculation using the “Test calculation with a record” drop-down for a calculated field in the “Edit Field” popup on the Online Designer, there are certain situations where the process might mistakenly crash with a fatal PHP error when using PHP 8. (Ticket #139955)
Bug fix: If the value of a Text or Notes field contains an email address that is immediately followed by a line break/carriage return, the email address would mistakenly not get converted into a “mailto” link properly when displayed on a report. (Ticket #139960)
Bug fix: The user privilege for “Alert & Notifications” was mistakenly not getting copied for project users when using the “Copy Project” feature while electing to copy the current users into the new project. (Ticket #140023)
Bug fix: Text describing that piping can now be used in the URL of a Data Entry Trigger and the URL of an external video for a Descriptive Text field was mistakenly not added in the previous version. It has now been added in order to inform users that piping can be used in these places now.

Version 13.1.3 (released on 2022-12-22)

CHANGES IN THIS VERSION:

Major bug fix: An error would occur when enabling External Modules on PHP 7, thus preventing modules from being successfully enabled. Bug emerged in REDCap 13.1.2 (Standard).

Version 13.1.2 (released on 2022-12-22)

CHANGES IN THIS VERSION:

Improvement: Users may now pipe Smart Variables or field variables into the Data Entry Trigger URL.
Improvement: Users may now pipe Smart Variables or field variables into the External Video URL for Descriptive Text fields.
Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered on the User Rights page where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way inside a CSV file when importing user privileges or user roles on that page.
Change: PHP 8.2 is now supported in REDCap. Note: The release notes of REDCap 13.1.0 (Standard) mistakenly noted that PHP 8.2 was supported in REDCap 13.1.0, which was only partially true because PHP 8.2 was not yet supported by the External Module Framework, which is a part of REDCap.
Change: REDCap no longer supports individual projects having their own authentication method that is different from the system-level authentication method. Going forward, every project will automatically assume the same authentication method of the system as defined on the “Security & Authentication” page in the Control Center. (Note: The “auth_meth” column name in the “redcap_projects” database table has not been removed in order to be backward compatible with any custom scripts that might be specifically querying that column in an SQL query.)
Improvement: When setting up an alert, Step 2’s sub-section “When to send the alert?” now contains the new drop-down choice “the day (beginning at midnight) that the alert was triggered” in the sub-option “Send the alert X days Y hours Z minutes before/after [drop-down]”. This new choice in the drop-down allows users to schedule the notification based on the day the alert was triggered and provides greater control and precision with regard to when exactly the notification will be sent. For example, if this new drop-down option is selected along with setting it to “send the alert 1 day 8 hours after:”, this will cause the notification to be scheduled to be sent at exactly 8:00am the next morning. In previous versions, it was not possible to get this level of precision for the notification send-time based upon the alert trigger-time unless you used a date field’s value as a reference. (Note: This new option is very similar to the one added for Automated Survey Invitations in REDCap 12.5.0.)
Improvement: When exporting the project logging via CSV file or via API, the record name is now included as a separate column/attribute “record” in the resulting output if the logged event is record-centric (and if not, the record value will be left blank). (Ticket #132246)
Improvement: The on/off switches on the Multi-Language Management setup page now have green/red coloring to more clearly denote their on/off state. (Ticket #139703)
Various changes and improvements for the External Module Framework:
PHP 8.2 is now supported.
Added the methods $module->disableModule(), $module->isSuperUser(), and $module->escape().
Added the allow-project-overrides and project-name setting options.
New feature to hide external modules from non-admins in the list of enabled modules in a project.
Made the scan script warn when system hooks are used.
Miscellaneous scan script improvements.
Fixed a bug where escaped HTML displays in field list values.
Change/improvement: The Database Activity Monitor page now specifies if a specific request is an instance of the REDCap cron job.
Change/improvement: When a user creates, edits, copies, or deletes a report, the logged event of this specific action now contains the list of all fields in the report. This improves the granularity of the audit trail for reports. (Ticket #139193)
Bug fix: In very specific cases when a report is set to only display the record ID field, in which the report has filter logic that contains fields on a repeating instrument/event, the resulting report might mistakenly include grayed out columns that correspond to the fields (or to the form status fields of the fields' instrument) that are used in the filter logic. (Ticket #139584)
Bug fix: Users with instrument-level locking privileges could inadvertently bypass locking controls and modify data on a locked data entry form if they have another browser tab open of that same data entry form before it was locked, and then saved that form within 30 seconds of locking the form in the other tab. (Ticket #139555)
Bug fix: If Two-Factor Authentication is enabled in REDCap, and a user is using Clinical Data Pull, in which they are viewing a REDCap window specifically inside Epic Hyperspace, a JavaScript error might be displayed on the page. Bug was introduced in REDCap 12.5.7. (Ticket #139775)
Bug fix: If a project is created using a Project XML file, in which the XML file contains public reports, the unique public report link/hash of any public reports in the original project would mistakenly get duplicated and attributed to the newly created project. This would not cause any noticeable problems for the user because the public report link would always point to the original project and not to the new project created.
Bug fix: When using the Clinical Data Mart, a patient’s Medical Record Number (MRN) might get stored as an empty string in the FHIR logs table, thus causing the Data Mart to crash.
Bug fix: REDCap might fail with a fatal PHP error on various pages when using PHP 8 under very specific conditions. (Ticket #139416)
Bug fix: If a user shared a public link to a file in the File Repository, that public link would still be functional and active even after an administrator has disabled the “File Repository: Users are able to share files via public links” setting in the Control Center. (Ticket #139899)
Bug fix: The @IF action tag would mistakenly not function correctly for fields in PDF exports. For example, @IF([field]="”, @HIDDEN-PDF, “") would not function correctly to show/hide the field in the resulting PDF export.

Version 13.1.1 (released on 2022-12-16)

CHANGES IN THIS VERSION:

Improvement: Descriptive Text fields can now have inline PDF attachments that display as an embedded PDF on the page (rather than just displaying a download link).
Change: HTML tags are no longer stripped out of Project Dashboard titles as displayed in the “My Project Dashboards” list on the left-hand menu or on the Project Dashboards page. Additionally, the title of Project Dashboards are no longer limited to 150 characters.
Bug fix: The “Data Collection Strategies for Repeating Surveys” informational dialog would mistakenly not open.
Bug fix: A fatal PHP error would occur when using DDP Custom in a project for PHP 8. (Ticket #138771b)
Bug fix: When using MyCap in a project and with a Custom Participant Label that utilizes the piping of fields (rather than selecting a single field from the field drop-down list), the Custom Participant Label would mistakenly not be displayed on the MyCap Participant List page.
Bug fix: If a user is adding an external video URL to a Descriptive Text field, in which they mistakenly paste some Embed HTML or an invalid URL into the field’s video URL attribute, if REDCap doesn’t recognize it as a Vimeo or YouTube link, REDCap might mistakenly try to output the text directly onto the page as-is without verifying that it is a valid URL. (Ticket #139291)
Bug fix: When using the date/time picker widget to select a value for a date or datetime field on a survey page or data entry form, and then later on the same page the user uses the time picker on a “Time (HH:MM)” or “Time (HH:MM:SS)” validated field, after selecting the value for the Time field, the page would mistakenly scroll back to the last date/time field on that page where the date/time picker was used, which could be very confusing and disorienting to the user. (Ticket #139201)
Bug fix: The Standalone Launch process for Clinical Data Interoperability Services might mistakenly fail for some server configurations due to a duplicate slash ("/") in the link to the page.
Bug fix: When a user performs a data export containing fields from an instrument for which they have “De-identified” data export rights, and the user selects the de-id option to “Shift all dates” (rather than “Remove all date and datetime fields”) in the export dialog, the date fields would not be date shifted but would mistakenly be completed removed from the resulting exported data set. Bug emerged in REDCap 12.2.0. (Ticket #139392)
Bug fix: When a user creates a new project, either as an empty project or using a Project XML file, the project creator’s user rights would mistakenly be missing the “Alerts & Notifications” privilege.
Bug fix: When using Clinical Data Pull, in which a user is accessing an embedded REDCap page inside of Epic Hyperspace, some parts of the page might mistakenly not work due to JavaScript errors.
Bug fix: A field with the @CALCTEXT action tag, in which the calculation contains text strings with line breaks, might mistakenly cause calculation errors to appear on the page and prevent the @CALCTEXT from working.
Bug fix: Some calculations or branching logic might mistakenly fail to work and would display an error if they are substantially long. Bug emerged in the previous version. (Ticket #127140)
Bug fix: Surveys that are set to use Comic Sans as the font for the survey text would mistakenly not display correctly when viewing the survey on iOS devices. (Ticket #95086)
Bug fix: In very specific situations where a field is a required field and is embedded in another field, in which both fields have branching logic, if the container field is hidden by branching logic while the field embedded inside it has branching logic that evaluates to True (meaning that the embedded field would otherwise be visible if the container field itself were visible), REDCap would mistakenly display an error saying that the embedded field is required and thus needs a value, which is incorrect since the embedded field is not even visible on the page. (Ticket #139582)
Bug fix: When piping a field value for a field on a repeating instrument/event, in which the piped value originates from another repeating instance (e.g., [field][previous-instance]), the current instance’s value might mistakenly be piped instead of the value from the desired instance. (Ticket #139581)
Bug fix: When an image is embedded (via the rich text editor) in an email for a survey invitation or alert, in which the Protected Email Mode is enabled in the project, the page where the recipient would view their email in REDCap might mistakenly not display the embedded image on the page but would show a broken image placeholder. (Ticket #139648)
Bug fix: If a user uploaded a Project XML file for a Clinical Data Mart project, it would mistakenly enable the Data Mart feature in the newly created project even when the CDM feature is disabled at the system level. This would cause some errors to occur in the project. (Ticket #139577)

Version 13.1.0 (released on 2022-12-09)

CHANGES IN THIS VERSION:

New feature: Redesign of the File Repository
Overview: The File Repository page has been redesigned to make it easier to store, organize, and share the files in your projects.Users now have the ability to create folders and sub-folders to help organize their files more effectively. If using Data Access Groups or user roles, users may optionally limit access to a new folder so that it is DAG-restricted and/or role-restricted. Uploading multiple files is much faster with a new drag-n-drop feature that allows for uploading dozens of files at a time. Sharing files is better too, in which users may obtain a public link to conveniently share a file with someone. New API methods also exist that allow users to upload, download, and delete files programmatically using the API. Additionally, the File Repository has a new built-in Recycle Bin folder that makes it easy to restore files that have been deleted. Users can upload as many files as they wish. There is no limit. Additionally, there is no limit to how many folders and sub-folders that can be created (or how deep that they can be nested within other folders).
Sharing: Files can be shared via Send-It or using a public link. If you do not want users to be able to share files using the public link functionality, this may be disabled on the File Upload Settings page in the Control Center. Once disabled, users will only be able to share files using Send-It.
File storage limit: Admins may optionally set a file storage limit that applies to all projects so that users cannot upload too many files in an abusive fashion. The value can be set in MB on the File Upload Settings page in the Control Center. There is also a project-level override for the file storage limit on the Edit Project Settings page for any given project. Note: Files in the starred folders (e.g. Data Export Files, e-Consent PDFs, Recycle Bin) do not count toward the overall file space usage of the project.
Recycle Bin: Files that are deleted from the File Repository will be put in the Recycle Bin folder where they will be kept for up to 30 days before being permanently deleted. Any file in the Recycle Bin can be restored back to its original location (so long as doing so does not surpass the project’s file storage limit, if enabled). Administrators can “force delete” any file in the Recycle Bin, which deletes it immediately and permanently.
New API methods for the File Repository: 1) Create a New Folder in the File Repository, 2) Export a List of Files/Folders from the File Repository, 3) Export a File from the File Repository, 4) Import a File into the File Repository, and 5) Delete a File from the File Repository.
Security improvement: Restricted file types for uploaded files - At the bottom of the “Security & Authentication” page in the Control Center, administrators may now provide a list of all disallowed file types/extensions (e.g., exe) in order to prevent users from uploading files of these types into REDCap (often for security purposes). When set, this setting will be applied to all places throughout REDCap where users are allowed to upload files.
Improvement: The “Alerts & Notifications” page now has its own separate user privilege. Previously, only users with “Project Design and Setup” privileges could access the Alerts & Notifications page. Now, users must explicitly be given “Alerts & Notifications” privileges in order to access the Alerts & Notifications page. Note: During the upgrade to REDCap 13.1.0 or higher, any users with “Project Design and Setup” rights will automatically be given “Alerts & Notifications” rights in order to keep continuity with their current access to the Alerts & Notifications page.
Improvement: For OpenID Connect authentication, the Response Mode (response_mode) authorization parameter can now be explicitly set in the OIDC authentication settings on the “Security & Authentication” page in the Control Center. This will allow admins to choose between “query (default)” and “form_post” for the response_mode OIDC setting.
New method for plugins/hooks/modules: REDCap::getFile - Returns an array containing the file contents, original file name, and mime-type of a file stored in the REDCap system by providing the file’s doc_id number (the primary key from the redcap_edocs_metadata database table).
New method for plugins/hooks/modules: REDCap::addFileToField - Attaches a file to a File Upload field for a specified record when provided with the doc_id of an existing file from the REDCap system.
Improvement: New setting added to the User Settings page in the Control Center: “Notify the REDCap admin via email when a new account is created (excluding Table-based user accounts)?” When enabled, this setting can be used to notify admins whenever new users enter the system. Table-based users are not included because their accounts are created by an administrator. (Ticket #133382)
Improvement: New setting added to the User Settings page in the Control Center: “Send a “welcome” email to new users when they create a REDCap account (excluding Table-based user accounts) - i.e., when they log in the first time using an external authentication method?”. The “welcome” email will consist of the following stock text: “You have successfully created an account in REDCap at https://your-redcap-server.edu/. Your REDCap username is “USERNAME”. Please note that REDCap does not manage your password. If you have difficulty logging in, you should contact your local IT department. Welcome to REDCap!”.
Improvement: When importing User Role assignments via CSV file uploads on the User Rights page or via the API, if the project contains Data Access Groups, users can now be assigned to a DAG during the User Role assignment import process by providing an extra parameter named “data_access_group” with a valid unique DAG name. This will allow users to be added to the project, assigned to a role, and assigned to a DAG all at the same time. Additionally, when exporting User Role assignments via CSV file or via the API, the “data_access_group” attribute will be exported for each user if the project contains DAGs (to be consistent with the Import User-Role Assignment format). (Ticket #119192)
Change: PHP 8.2 is now supported in REDCap.
Change/improvement: When importing User Role assignments via CSV file uploads on the User Rights page or via the API, users can now be assigned to a role if they do not currently have access to the project. In previous versions, only existing project users could not be assigned to a role via CSV file or via API. (Ticket #119192)
Major bug fix: A malicious user could potentially delete a file uploaded into a project to which they do not have access by manipulating an HTTP request on the Alerts & Notifications page in another project. (Ticket #138873)
Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered on the Project Modifications page (where an admin would view a user’s Draft Mode changes) where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way in a field’s Field Label, Choice Labels, or Field Notes. (Ticket #139108)
Change/improvement: When setting the designated email field on the Project Setup page or when setting the survey-level designated email field on the Survey Settings page, if the selected field is utilized in more than one event and/or is utilized on a repeating instrument or repeating event, a warning message will be displayed in a yellow box immediately below the email field drop-down to inform the user that any update to the field on any event or repeating instance will change the value of the field in ALL events and repeating instances. This should help provide more transparency to users who might get confused by the fact that the field’s value gets updated in all places if the designated email field is located in more than one context in the project. (Ticket #131999)
Bug fix: When both randomization and MyCap are enabled on a project, users would be unable to enable any instrument as a MyCap task in the Online Designer (excluding active tasks that were imported).
Bug fix: A fatal PHP error would occur when using DDP Custom in a project for PHP 8. (Ticket #138771)
Bug fix: A fatal PHP error would occur when certain Data Quality rules when using PHP 8. (Ticket #131294b)
Bug fix: The REDCap Mobile App page mistakenly noted that the mobile app does not support Field Embedding, which is no longer true. That warning message has been removed.
Bug fix: If one or more fields in a project utilize the @IF action tag, the REDCap Mobile App page would mistakenly fail to display a warning at the top of page to explain that the @IF action tag is not supported by the mobile app and thus fields with @IF might not function in the mobile app the same as they do on survey pages and data entry forms.
Bug fix: A couple REDCap pages that are served as AJAX requests via JavaScript mistakenly had their “Content-Type” header set as “text/html” when instead it should have been “application/json”, which was causing these requests not to be loaded successfully in the REDCap user interface in certain server/network environments.
Bug fix: If a user on a data entry form clicks the PDF download option called “This survey with saved data (via browser’s Save as PDF)”, if some fields on the page have been modified but not yet saved, REDCap will display a confirmation to the user to ensure that they understand that the resulting PDF will not contain only saved data values but instead may contain both saved and yet-to-be-saved values. (Ticket #138777)
Bug fix: Language ID and display names on the MLM “Usage” page in the Control Center could mistakenly be mismatched in some cases. (Ticket #138808)
Bug fix: The MLM “Usage” page in the Control Center would mistakenly fail to render HTML special characters in project titles. (Ticket #138887)
Bug fix: If an external module calls a randomization-related method in a project that does not have randomization enabled, it might throw a fatal PHP error for PHP 8. (Ticket #138756)
Bug fix: Multi-line text used inside single quotes or double quotes in the @CALCTEXT action tag might mistakenly have some words mistakenly replaced in the resulting text if they look like JavaScript or PHP operators (e.g., “or”, “and”). (Ticket #138785)
Bug fix: When using certain text or HTML inside the text of the @CALCTEXT action tag, the output value of the field might mistakenly be missing some spaces if text elements in the @CALCTEXT contained leading or trailing spaces. Additionally, text used in @CALCTEXT that contains HTML or single/double quotes might mistakenly get mangled and not display correctly on the page for the @CALCTEXT field. (Ticket #138396)
Bug fix: When using the Survey Auto-Continue feature, in which a participant clicks a survey link of an already-completed survey and is redirected 20 times through a bunch of subsequent already-completed completed surveys, some browsers might mistakenly display a “too many redirects” error to the participant instead of properly redirecting them to the next unfinished survey. (Ticket #138914)
Bug fix: A malicious user could potentially view a deleted message in REDCap Messenger by manipulating the parameters and/or query string of an HTTP request performed by Messenger. Only administrators should be allowed to view deleted messages in the Messenger interface. (Ticket #138873)
Bug fix: A malicious user could potentially delete or edit a REDCap Messenger message, even when the user did not create the message and is not an administrator, by manipulating the parameters and/or query string of an HTTP request performed by Messenger. (Ticket #138859)
Change: Added full support for parameterized queries in REDCap’s db_query() function.
Change/improvement: Added a new option $project_id parameter for the developer method REDCap::getSurveyReturnCode().
Bug fix: When using the AAF authentication method, the PHP method User::updateUsernameForAaf() mistakenly would not update all the database tables that contain a “user” or “username” column. Four tables were missing from the list. Thus, some database tables would not get updated when the method is called. (Ticket #138396)
Bug fix: When creating a new project via a Project XML file, if the project is longitudinal and utilizes the Survey Queue and/or Automated Survey Invitations, the Survey Queue and ASI settings might mistakenly not get added from the XML file when the project is created. (Ticket #139035)

Version 13.0.2 (released on 2022-12-02)

CHANGES IN THIS VERSION:

Improvement: MLM Usage Page - A new “Usage” tab will be displayed on the Multi-Language Management page in the Control Center that will display a list of all projects using MLM and in what ways they are utilizing MLM, such as the number of languages in the project (and how many are active) and whether the following MLM options apply to the given project: Deactivated by user, Enabled by admin, Deactivated by admin, and Debug mode turned on.
Major bug fix: Several PHP 8 related issues for MyCap would sometimes prevent data from syncing correctly back to the REDCap server from the MyCap mobile app.
Major bug fix: When using certain external authentication methods, survey pages might sometimes mistakenly time out if the project’s internal Record List Cache (a secondary list of records in the database for improving performance) had not been built yet, which is done automatically by REDCap internally. This would cause an internal API call to fail when it is made inline while loading survey pages, thus causing the survey page not to load. This was supposedly fixed in version 12.4.13 LTS and 12.5.6 Standard Release, but mistakenly was not. (Ticket #104761b)
Change/improvement: The path to the web server’s PHP error log file is now listed at the bottom of the main Control Center page. This information will be useful to help admins locate their web server’s error log, which can sometimes be difficult to find.
Bug fix: The calendar feed might mistakenly provide incorrect times of calendar events for certain geographical regions that do not observe Daylight Saving Time. (Ticket #130176)
Bug fix: When using the Clinical Data Pull, temporal fields were mistakenly not displayed in the CDP mapping table because REDCap metadata was incorrectly removed from the settings payload.
Bug fix: When using Clinical Data Pull, when launching from the EHR context, the button “Show record in project” would mistakenly not work if the record name was non-numeric.
Bug fix: Typo on OpenID Connect’s login screen. (Ticket #138381)
Bug fix: When exporting a project as a Project XML file, the export process might mistakenly fail with a fatal PHP error for PHP 8. (Ticket #138389)
Bug fix: When creating a new project where a user selects a project template but then chooses to upload a Project XML file, REDCap might get confused about which option was selected and behave unexpectedly, such as creating the project without granting access to the initial user. (Ticket #138361)
Bug fix: When a calculated field uses the datediff() function, in which the first parameter is literally “today” while the second parameter is a datetime field, the calculation might mistakenly return a blank value. (Ticket #138033)
Bug fix: In some specific circumstances, the Data Import Tool might mistakenly crash due to a fatal PHP error for PHP 8. (Ticket #138527)
Change: The “Break the Glass” feature for Epic in CDIS has been updated to automatically refresh any expired BTG token. Previously, BTG tokens were short-lived and did not refresh, thus causing some issues with users.
Bug fix: Dozens of REDCap pages that are served as AJAX requests via JavaScript mistakenly had their “Content-Type” header set as “text/html” when instead it should have been “application/json”, which was causing these requests not to be loaded successfully in the REDCap user interface in certain server/network environments.
Change: Added an MLM-related note at the top of the survey page where participants enter their survey access code. The note mentions that the language choices seen on that particular page might not necessarily be available on the survey that they are able to enter after entering their access code.

Version 13.0.1 (released on 2022-11-23)

CHANGES IN THIS VERSION:

Improvement: When setting up repeating Automated Survey Invitations, users can now set the repeating interval value as a number with a decimal (in previous versions, the value could only be an integer). This will allow users to approximate the interval of a monthly repeating ASI as 30.44 days since it is currently not possible for repeating ASIs to be scheduled on exactly the same day and time each month. To help users, a note has been added in the repeating survey section of the ASI setup dialog to inform them how to approximate a month as 30.44 days. (Ticket #136957)
Major bug fix: Regarding Multi-Language Management, if the system-level setting “Require admin activation of multi-language support in projects” is disabled, the “Multi-Language Management” left-hand menu link would mistakenly not be visible to normal users unless one or more MLM languages had already been created in the project. Bug emerged in REDCap 13.0.0.
Improvements for CDIS
- Expiration indicator for the “Break the Glass” feature: The new Break the Glass workflow uses tokens that expire in an hour from their creation. The interface will now show if a token is expired.
- Delete button for the “Break the Glass” feature: Users can remove entries from the list of Break the Glass protected patients using a button.
Improvement: A link to the Codebook page was added inside the Add/Edit Field dialog on the Online Designer. This will allow the user to open the Codebook in a new tab without having to close the dialog to do so. (Ticket #138300)
Bug fix: When using repeating Automated Survey Invitations, a record’s Record Home Page might mistakenly say that there are upcoming scheduled invitations that will be sent in the next 7 days despite the fact that they are actually scheduled to be sent more than 7 days later. This only involves repeating ASIs that have been scheduled.
Bug fix: When entering a value for the “Domain allowlist for user email addresses'' setting on the User Settings page in the Control Center, it would mistakenly not allow top-level domains to be entered if they contain more than 4 characters (e.g., vanderbilt.health). It now appropriately allows top-level domains up to the maximum 63 characters. (Ticket #104291)
Bug fix: Using the “Break the Glass” feature in CDIS might mistakenly fail if the user has no access token.
Bug fix: The “Mapping Helper” feature in CDIS might mistakenly not appear or be usable in Data Mart projects.
Bug fix: When using the “Mapping Helper” feature or CDP Mapper for CDIS, some things might not load correctly because of some HTML needing to be escaped first in the resulting JSON.
Bug fix: If the RemoveTempAndDeletedFiles cron job happens to be running at the same time as the Easy Upgrade process is extracting a new REDCap version, on certain server configurations the cron job might mistakenly delete some of the REDCap files being deployed in the new version, thus leaving the new REDCap version directory missing some critical files. (Ticket #137910)
Bug fix: Bar charts and pie charts might mistakenly be displayed on Public Dashboards despite having an insufficient amount of data to display (based on the setting “Minimum number of data points required to display Smart Charts, Smart Tables, or Smart Functions on a *public* Project Dashboard…"). (Ticket #137411) * Bug fix: When performing field embedding on a survey page or data entry form, the page might crash due to a fatal PHP error if the project has a very large amount of fields.
Change: Slight tweak in the SQL queries used on the project Logging page to make the page load faster for older projects. (Ticket #138200)
Bug fix: When MyCap is enabled in a project, clicking the [?] link to the right of the green Publish button at the top of the Online Designer would mistakenly display an empty dialog when viewing/editing the fields in an instrument (but it looks correct when viewing the instrument list in the Online Designer). (Ticket #138146)
Bug fix: When MyCap is enabled in a project, on some rare occasions when migrating a project using the MyCap external module, the process might fail due to an SQL error. (Ticket #138168)
Bug fix: When viewing the MyCap Participant List, in which a baseline date is being used, the baseline date value seen in the table for each participant would mistakenly be displayed in the wrong date format or would appear mangled. (Ticket #138166)
Bug fix: When renaming an instrument in the Online Designer and then immediately creating a new instrument right after the renamed instrument, the new instrument might mistakenly get relocated to the first-instrument position after being created, and the record ID field might mistakenly get relocated to another position. Bug emerged in REDCap 13.0.0.
Bug fix: For a repeating Automated Survey Invitation that has conditional logic and has the “Ensure logic is still true” checkbox checked, if a record has invitations scheduled for the repeating ASI, and the ASI’s conditional logic no longer evaluates as True for the record, the repeating invites will stop sending (as expected), but the repeating invites would mistakenly still be displayed on the Survey Invitation Log. This would give the false impression to the user that those invitations will be sent when, in fact, they will not. (Ticket #134780)

Version 13.0.0 (released on 2022-11-17)

CHANGES IN THIS VERSION:

New feature: Integration of the MyCap External Module
- Introduction: MyCap is a participant-facing mobile application (on iOS and Android) used for data collection and the automated administration of active tasks (activities performed by participants using mobile device sensors under semi-controlled conditions). All data collected in the MyCap app is automatically sent back to the REDCap server as soon as internet connection is available (i.e., it can also be used for offline participant data collection). MyCap is a no-code solution for research teams conducting longitudinally-designed projects or projects with frequent participant contact. MyCap also facilitates participant engagement and retention by providing quick access to project staff and two-way communications (e.g., messaging and announcements) within the app. MyCap is available on any iOS device (iOS v11.0 ) and any Android device (Android v8.0 ). For more information about MyCap, check out the MyCap website, publication, resources, and a list of MyCap use cases.
- System-level settings: The MyCap feature will be enabled globally by default after upgrading or installing REDCap, but it can be disabled (so that no users see the option in their projects) on the Modules/Services Configuration page in the Control Center. That page also contains a setting where, assuming MyCap is enabled globally, an admin can set it so that 1) users can enable MyCap in their projects on their own, or 2) users will need to click a button in their project to send a request requiring admin approval to enable MyCap in the project.
- Project-level settings: The ability to enable or request to enable MyCap in a project will be in the Main Project Settings section at the top of the Project Setup page. There is an informational dialog there that can be opened that contains helpful links to many resources, including the MyCap website, the MyCap Help document (a detailed 16-page instruction manual on setup and usage), and three videos.
- Project Utilization: Utilizing MyCap in a project consists of two main parts: 1) design, and 2) managing participants. The design portion is where users can enable instruments as MyCap tasks, import active tasks, and design the look and feel of the MyCap app (as the participant sees it). These things pertaining to design are performed in the Online Designer and thus require “Project Design and Setup” rights. The participant portion requires a new user right “Manage MyCap Participants” that appears on the User Rights page after MyCap has been enabled in a project. Having this privilege, a user will have access to the “MyCap Participant Management” page on the left-hand menu. This page will allow users to view, invite, and message their MyCap participants. In many ways, it is very similar to the “Survey Distribution Tools” page when using surveys.
- External Module Migration: If users have been using the MyCap external module, there is an upgrade path to import all the MyCap EM settings into the built-in MyCap feature. In projects with the MyCap EM enabled, users will see a “Migrate to REDCap” button on the left-hand menu, which opens a dialog with plenty of information about the new built-in MyCap feature. As the dialog will note, users themselves cannot perform the migration, but a REDCap admin must do so for them. The migration is fast and only requires a couple button clicks, after which it will disable the MyCap EM in the project. Note: Currently, the MyCap EM is planned to be supported only until June 2023, so it is recommended that users using the EM attempt to fully migrate well before that time.
- Smart Variables and Action Tags: Several new Smart Variables and Action Tags can be used with MyCap, some of which are a required, integral part of how users invite participants and also how MyCap imports data into a project. See the documentation for Smart Variables containing the prefix “mycap-” and Action Tags containing the prefix “@MC-”.
- Stats: System-level MyCap statistics can be seen on the System Statistics page in the Control Center.
Improvement: New Multi-Language Management option to require admin activation of multi-language support in projects
- Administrators may now change the behavior of the Multi-Language Management feature so that project users cannot view or use MLM in a project until a REDCap administrator has first enabled it explicitly in that project.
- This behavior can be changed on the Settings tab on the Multi-Language Management page in the Control Center where it says “Require admin activation of multi-language support in projects”. Note: Enabling that system-level setting will not affect any projects where multi-language support is already enabled (either because it had previously been enabled explicitly by an admin or there is at least one language already set up).
- Additionally, the following new admin-only options have been added to the Settings tab on the MLM setup page in each project, in which these options only appear to admins and only when the system-level setting has been set where only admins may enable MLM:
  1. “Enable multi-language support for this project” - Allows users with Project Setup and Design rights to see the MLM menu link and to use the MLM setup page.
  2. “Disable and hide multi-language support for this project” - Turning on this option will hide the MLM menu link and prevent access to Multi-Language Management for users even when there are languages defined. This overrides the Enable option above.
Improvement for the External Modules Framework: New “Developer Tools” section & “Module Security Scanning” link on the Control Center -> External Modules -> Manage page.
Change/improvement: New and improved workflow and user interface for the “Break the Glass” feature when using Clinical Data Interoperability Services (CDIS) with Epic.
Change: As a convenience, when deleting a conversation in REDCap Messenger, the user is no longer prompted to enter the word “delete”.
Change/improvement: A new check was added to the Configuration Check page to detect if the Zlib PHP extension has been installed on the REDCap web server. (Ticket #137725)
Change/improvement: The path to the web server’s PHP.INI configuration file is now listed at the bottom of the main Control Center page (below the date of the last REDCap upgrade). This information will be useful to help admins locate their web server’s config file, which can sometimes be difficult to find.
Change/improvement: On the Alerts & Notifications page, users are now able to copy deactivated alerts. In previous versions, alerts could not be copied until they were first reactivated.
Bug fix: Certain versions of MariaDB do not output the “COLLATE” portion of a database table’s column definition in the results of a “SHOW CREATE TABLE” query, thus causing false positives to display in the Control Center that say that the “database structure is incorrect”. (Ticket #137551, #137575, #137321)
Bug fix: For some web server configurations, the server’s session “garbage collection” might mistakenly not run or might not run very often, thus causing the redcap_sessions database table to become overly bloated. The garbage collection process is now run manually via a cron job to ensure this task gets performed regardless of server configuration. (Ticket #137675)
Bug fix: When more than ten completed surveys are displayed in a participant’s Survey Queue, the “all surveys completed” row might appear in the wrong place in the table. (Ticket #137550)
Bug fix: An error message would be seen by a REDCap admin attempting to approve an External Module Activation Request for a user. (Ticket #137672)
Bug fix: For some users, the My Projects page might be unusually slow to load due to a change in REDCap 12.5.17 (Standard) that removed the usage of AJAX requests on the page. To fix this performance issue, the change from 12.5.17 has been reverted back to the old behavior.
Bug fix: When a user not assigned to a Data Access Group filters the results on the Logging page by DAG, the page might crash with an error if no users are currently assigned to that DAG in the project. (Ticket #137764)
Bug fix: When viewing the REDCap Mobile App’s “App Data Dumps” page, in which a data dump file could not be found on the server for unknown reasons, it would mistakenly throw a fatal PHP error on the page for PHP 8. (Ticket #137777)
Bug fix: When using REDCap::saveData() in a plugin, hook, or external module, in which the “dataLogging” parameter is passed to the method as FALSE, the record list cache (i.e., the back-end secondary list of records) would mistakenly fail to get updated during this process. This means that if new records are being created via REDCap::saveData() with dataLogging=FALSE, those records would appear not to have been created until an admin clicked the “Clear the Record List Cache” button, after which the records would finally appear in the project, such as on the Record Status Dashboard, reports, and the Add/Edit Records page. (Ticket #137836)