Headline

CVE-2022-24127: REDCap Change Log - Eastern Virginia Medical School (EVMS), Norfolk, Hampton Roads

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page.

2 years ago

CVE

Open in Source

#sql #xss #csrf #vulnerability #web #ios #mac #windows #google #microsoft #amazon #linux #nodejs #js #git #java #php #rce #perl #ldap #pdf #aws #acer #oauth #auth #ruby #chrome #firefox #sap #ssl

REDCap Change Log

Version 12.2.10 (released on 2022-04-08)

CHANGES IN THIS VERSION:

Major bug fix: Some contexts that employ a user rights check might mistakenly throw a fatal PHP error in some specific cases when using PHP 8.0 or 8.1. (Ticket #125951)

Version 12.2.9 (released on 2022-04-08)

CHANGES IN THIS VERSION:

Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in various places. (Ticket #125900)
Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it on the Data Quality page and Data Comparison Tool page by inserting HTML tags and/or JavaScript event attributes into the name of a record. (Ticket #125952)
Improvement/change: The Multi-Language Management setup page is slightly less restrictive now while in production status. For example, users may now export language configurations while in production even when not in draft mode.
Improvement/change: If any suspended users have access to a project, the User Rights page will display a button to easily show/hide suspended users on the User Rights page. Initially, all suspended users will be displayed, but if the button is clicked, then all suspended users will remain hidden on the User Rights page of *any* project until the button is clicked again. (Ticket #75652)
Bug fix: Several actions on the Multi-Language Management setup page were mistakenly not getting logged on the Logging page. (Ticket #125513)
Bug fix: When using Multi-Language Management, the piping of choices in a drop-down field works inside the same instrument but mistakenly does cross-pipe into different instruments in the same project. (Ticket #125546)
Bug fix: When using Multi-Language Management, the text for the “Duplicate Value” warning popup was mistakenly not available to be translated. (Ticket #125557)
Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code “534” would mistakenly not work for SMS or voice calls unless the number has a “1” prepended to it. (Ticket #125591)
Bug fix: The API documentation for the “Delete User” method mistakenly had “dags” as a parameter when instead it should have said “users” as the parameter name. (Ticket #125497)
Bug fix: For full compatibility with all stats packages during a data export, the syntax file for data exports that contain a field with a blank field label will have the field variable name used in place of the field label. (Ticket #125436)
Bug fix: If the Secondary Unique Field is enabled and also has the @HIDDEN action tag, the AJAX call to check the uniqueness of its value might mistakenly get triggered if the field is the first field on a data entry form. (Ticket #125020)
Bug fix: If Twilio is enabled at the system-level, the phone number fields would mistakenly not be displayed on a user’s Profile page unless Two-Factor authentication was enabled on the system. Even when not using Two-Factor, it will now display the phone number fields on the Profile page when Twilio is enabled in order to allow users to use their account-associated phone numbers for outgoing Alerts & Notifications via Twilio. (Ticket #124440)
Bug fix: An HTTP 500 error might occur in some cases when using PHP 8.1 if the database connection fails to the REDCap database server. This requires a replacement of the non-versioned file “redcap_connect.php”.
Bug fix: When a user clicks the “Erase all data” button or if deleting all records while moving the project to production, the log entries listed on the Email Logging page would mistakenly not be deleted during this process. It now properly deletes all items on the Email Logging page in both of these cases. (Ticket #125656)
Bug fix: Some contexts that employ a user rights check might mistakenly throw a fatal PHP error in some specific cases when using PHP 8.0 or 8.1. (Ticket #125914, #125923)
Bug fix: If a user selects a record from the drop-down list on the Logging page to filter by record, it might mistakenly display non-record related events on the page, such as events related to creating/editing/deleting user roles in the project. (Ticket #124825)
Bug fix: If a calc or @CALCTEXT field on a non-repeating instrument has a cross-form calculation that utilizes a calc/@CALCTEXT field from a repeating instrument, the calc/@CALCTEXT field on the non-repeating instrument would mistakenly not get triggered or calculated when performing manual data entry on a survey page or data entry form, although it would get calculated correctly when running Data Quality rule H. (Ticket #125456)

Version 12.2.8 (released on 2022-04-01)

CHANGES IN THIS VERSION:

Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL on the API Tokens page in the Control Center and also on the API page in a project.
Security improvement: REDCap now automatically enables HSTS (HTTP Strict Transport Security) headers if the REDCap web server is using SSL. This will help protect against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.
Minor security fix: Updated the Guzzle library due to a security vulnerability reported for that package. (Ticket #125337)
Improvement: Concurrent user checks have now been added to the Multi-Language Management setup page to prevent multiple simultaneous users from affecting each others’ work while on the page.
Bug fix: Minor issue with Medication data being pulled from the EHR using a CDIS service.
Bug fix: When using Twilio for surveys in a project, in which a participant is taking a survey and clicks the “Save & Return Later” button followed by clicking "Send survey link", an error would mistakenly be thrown if the preferred contact mode for the participant was set to SMS_INVITE_WEB (i.e., send the survey link via SMS). The phone number would mistakenly be used instead of a valid email in the “from” property of the email. (Ticket #124472)
Bug fix: When using PHP 8.0+ and an API Supertoken is used in the API to retrieve the REDCap version, an error would be thrown. (Ticket #124562)
Bug fix: The “RemoveTempAndDeletedFiles” cron job might mistakenly fail in certain cases with a fatal PHP error if using WebDAV as the File Storage method for REDCap. (Ticket #124802)
Bug fix: When using Multi-Language Management, if the @LANGUAGE-CURRENT-X action tag was used on a drop-down field, branching logic would mistakenly not fire after the value was changed. (Ticket #124748)
Bug fix: The Survey Queue’s UI text would mistakenly not display the translated text when using Multi-Language Management. (Ticket #124855)
Bug fix: When searching for users on the Browse Project page, typing the letter “b” might mistakenly cause HTML to be displayed in the auto-complete output. (Ticket #124935)
Bug fix: The @LANGUAGE-SET action tag would mistakenly not get applied when the corresponding survey field is prefilled from a url parameter. (Ticket #124976)
Bug fix: Using the datepicker widget on a survey page or data entry form might allow users to bypass the field validation on the field if immediately switching to using the datepicker widget on another field on the page. (Ticket #124909)
Bug fix: In some specific scenarios, such as when symlinks exist in the file system on the REDCap web server, the System Statistics page in the Control Center might mistakenly throw a fatal PHP error or be real slow when making the AJAX request to obtain the web server space usage. (Ticket #124710)
Bug fix: Apostrophes that occur in the output of Smart Variables like [user-role-label], [user-dag-label], and [record-dag-label] would mistakenly not get escaped and thus cause JavaScript errors to occur when used in calculated fields. (Ticket #125187)
Bug fix: Fixed typo in @READ-ONY action tag description.
Bug fix: Leading/trailing pipe characters “|” in the choice option column of an uploaded data dictionary would mistakenly create empty/null multiple choice options. (Ticket #125166)
Bug fix: IP addresses in IPv6 format for users would mistakenly get logged as NULL in the redcap_log_view database table. (Ticket #124944)
Bug fix: When using the @CALCDATE action tag with PHP 8.0+, the correct value may be seen as calculated on the survey page or data entry form, but the value may mistakenly get erased upon saving the page afterward. (Ticket #124619)
Bug fix: When a field is embedded and is a required field, the field’s value might mistakenly not get saved when submitting a survey page or data entry form if the field also has an @HIDDEN action tag.
Bug fix: When a field contains the @IF action tag and also contains other non-action tag text inside the Field Annotation text, it might cause the @IF action tag not to get interpreted correctly. (Ticket #124974)

Version 12.2.7 (released on 2022-03-10)

CHANGES IN THIS VERSION:

Bug fix: When using Multi-Language Management, the text of field validation errors and their associated names/labels displayed in the error popup would mistakenly not be displayed in the translated language.
Bug fix: If an administrator is impersonating a user via the “View Project as User” feature, the admin would mistakenly see all Project Bookmarks on the left-hand menu when instead they should only see the Project Bookmarks that the user being impersonated should see. (Ticket #124021)
Bug fix: Permission-related issues for certain directories on the REDCap web server could lead to fatal PHP errors for some functions throughout REDCap that attempt to list files in specific directories.
Bug fix: A fatal PHP error might occur in certain situations when a participant is submitting a survey while using PHP 8.0+ on the web server. (Ticket #124146)
Bug fix: If a user uses the syntax [field:value] in logic or a calculation, even though this is not correct syntax for logic/calcs (because it is implied that only the raw value should ever be used), it is allowed for compatibility reasons. However, while this syntax works for calculated fields on the same page, it would mistakenly not work for data imports, nor would it work for cross-instrument or cross-event calculations. This syntax will now work in all contexts. (Ticket #124182)
Bug fix: When clicking a table header to sort the column in a DataTables table on any particular REDCap page, the up/down arrow icon in the column header would mistakenly disappear due to a CSS error. (Ticket #124177)
Bug fix: If a field has the @HIDDEN, @HIDDEN-FORM, or @HIDDEN-SURVEY action tag, it would fail to hide the field if the field is embedded in another field on the page.
Bug fix: 18 Laboratory fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.
Bug fix: Line breaks are mistakenly not preserved in the equation of a calculated field when saving the field via the Online Designer. (Ticket #124341)
Bug fix: When piping a datetime field into the min/max validation range check for another datetime field, if the fields being used as the min or max exist on the same page, it would mistakenly throw an out-of-range error if the datetime fields are in MDY or DMY format. Note: This issue does not occur for date fields but only for datetime or datetime w/ seconds fields. (Ticket #124222)

Version 12.2.6 (released on 2022-03-03)

CHANGES IN THIS VERSION:

Improvement: When scrolling down the page in the Online Designer when adding/editing fields, an up-arrow image will appear at the bottom right of the page that (when clicked) will quickly scroll the page back to the top.
Major bug fix: When a user is assigned to a Data Access Group and is attempting to import a record whose record name is the same as an existing record that belongs to another DAG, if the “force record auto-numbering” setting is not enabled as an option during the import process, the user would mistakenly be allowed to import the data with the record name as-is, thus overwriting data to the existing record that does not belong to their DAG. (Ticket #123593)
Bug fix: When using Multi-Language Management, there are scenarios when a form/survey is set to only a subset of languages (but not including the fallback), in the case of a missing translation, the default language would mistakenly be applied instead of the fallback language.
Change/bug fix: Performance improvements and improved cron job management for CDIS-related activities, especially the CDP Auto-Adjudication process.
Bug fix: If the “Email Logging” feature has been disabled at the system level, the Email Logging link on the left-hand project menu would mistakenly still be displayed. (Ticket #123563)
Bug fix: When Multi-Language Management is enabled for a specific instrument, and a user/participant fails to enter a value for all required fields, the “Some fields are required” popup would mistakenly fail to be displayed on the page after the page is reloaded. (Ticket #123641)
Bug fix: When using Multi-Language Management, the matrix field floating/stick headers would mistakenly not appear in the desired translated language. (Ticket #123704)
Bug fix: When a Smart Chart uses a unique report name as a parameter, in which a checkbox field is utilized in the Smart Chart and the report has the checkbox option “Combine checkbox options into single column…” checked, the resulting Smart Chart would not be displayed correctly. (Ticket #123574)
Bug fix: When viewing the Training Videos page while not logged in to REDCap, the tables and icons on the page would be displayed, but the text on the page would mistakenly appear invisible. (Ticket #123751)
Various bug fixes for Multi-Language Management.
Bug fix: A participant could inject some JavaScript code into their browser’s console that would allow them to bypass the Required Field check (specifically for drop-down fields only), thus mistakenly allowing them to complete the survey page or complete the whole survey without actually entering a value for such drop-down fields. (Ticket #123585)

Version 12.2.5 (released on 2022-02-25)

CHANGES IN THIS VERSION:

Improvement: Sub-sections on the “Help & FAQ” page can now be accessed via hyperlinks near the top of each section. Previously there was a drop-down for this, which was slightly slower. Having sub-section links near the top of the page should make it faster for users to jump to a specific section.
Improvement: The Multi-Language Management setup page now displays a download option for each instrument under the Forms/Surveys tab to allow users to export->import the translations for that single instrument to another project that has the same instrument with the same fields and variable names.
Improvement: The Multi-Language Management setup page now displays the Default text above (rather than below) the input text box for each translatable item. This reversal appears to be more intuitive for users as they translate each element.
Improvement: In the “Compose Survey Invitations” dialog on the Participant List page, the Actions drop-down for auto-selecting checkboxes for participants in the participant list now contains a new option: "Check Not Responded and Partial Response".
Change: Minor updates to CDIS-related settings: 1) Updated the text of the automatic message sent to the user via REDCap Messenger when a CDIS cron job has no FHIR tokens that it can use for a specific project, and 2) When a CDIS automatic message is sent to the user via REDCap Messenger, in order to prevent possibly hundreds or thousands of messages from clogging up the user’s Messenger inbox, it now deletes all previous messages of the same type except for the last one.
Bug fix: In some specific scenarios while using PHP 8.0 or 8.1, the System Statistics page in the Control Center might mistakenly throw a fatal PHP error when making the AJAX request to obtain the web server space usage. (Ticket #123238)
Bug fix: If some branching logic, conditional logic, or calculations have incorrect syntax in a specific way, depending on the logic/calculation itself, it could result in a fatal PHP error when being processed. (Ticket #123229)
Bug fix: When using the Smart Variable [stats-table] in the content of an outgoing email (i.e., survey invitation or alert), the table would mistakenly be missing all the styling applied to it when viewed in the REDCap application. (Ticket #123207)
Bug fix: When using the Smart Variable [stats-table] in the content of an outgoing email (i.e., survey invitation or alert), the “Export table” link that is normally displayed below the table might mistakenly get included in the email body, which might occasionally cause the link to be removed from the email message by the email client or might cause the entire email message to be flagged as spam and therefore not received by the recipient.
Various fixes and updates for the External Module Framework.
Bug fix: When multiple choice fields have choice values of “0” and "00", and a record has either choice selected and saved on an instrument, if that instrument is then exported as a PDF with data, both choices would mistakenly appear checked as seen in the PDF. (Ticket #123282)
Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code “667” would mistakenly not work for SMS or voice calls unless the number has a “1” prepended to it. (Ticket #123291)
Bug fix: When using a Custom Record Label that contains Smart Variables but not field variable names, the Custom Record Label would mistakenly not display at all in certain places where the record name is displayed. (Ticket #123187)
Bug fix: The Multi-Language Management setup page would mistakenly fail to load/display any fields on the instrument-level translation tab if a multiple choice field on the instrument contained zero choices. (Ticket #123371)
Bug fix: When exporting data via the user interface, API, or REDCap::getData(), depending on the structure of a project, an error might mistakenly be returned due to hitting the PHP memory_limit threshold and thus throwing a fatal PHP error. This was due to REDCap’s internal batch process, which is completely transparent to the user, having too large a value for the size of a given batch.
Bug fix: When the “Filter by records in a DAG” drop-down filter has been selected on the Logging page, and the user then clicks the “Export all pages using current filters” button at the top of the page, the DAG filter would mistakenly not be applied in the resulting CSV export file. (Ticket #123472)
Bug fix: When a project is being created via a Project XML file, and the Secondary Unique Field in the XML file is a calculated field or a @CALCTEXT field, which are not allowed to be set as the Secondary Unique Field, it would mistakenly set the field as the Secondary Unique Field when creating the project. In this case it will now instead unset the Secondary Unique Field setting for the newly created project. (Ticket #123099)
Bug fix: The Multi-Language Management feature would mistakenly display Yes/No or True/False field choices as blank labels when viewing a survey page or instrument for a given translated language. (Ticket #123371b)
Bug fix: When using the Field Finder feature on the Codebook page, some random JSON might mistakenly appear in the search results in certain cases when UTF-8 encoded text is used in field labels.
Bug fix: Resolved issues where UTF-8 encoded text in field labels gets truncated and displayed in various places throughout REDCap, in which it would sometimes mistakenly display a black-diamond-with-question-mark character at the point of truncation in the label.
Bug fix: The logged event “Change participant invitation preference” (when using Twilio) would mistakenly not be tied to the record name when filtering the logging results by a specific record. (Ticket #123515)

Version 12.2.4 (released on 2022-02-21)

CHANGES IN THIS VERSION:

Improvement: When using Multi-Language Management, in which some of the Default language text has changed since the text was translated, the new “Review Changed Items” dialog on the MLM page will now display an “Export” option to export as JSON or CSV all the translated items that need to be reviewed and/or retranslated.
Improvement: If the Multi-Language Management feature is disabled for a project, it will now show a red notice at the top of the MLM page.
Major bug fix: When using Multi-Language Management, system-provided languages could not be successfully imported and/or might cause issues downstream, such as displaying all User Interface items mistakenly in the “Review Changed Items” dialog.
Bug fix: In some specific scenarios when using PHP 8.0 or 8.1 with some longitudinal project, the Online Designer might mistakenly crash with a fatal PHP error. (Ticket #123103)
Bug fix: When piping field variables into the value of a @PLACEHOLDER action tag, if the Multi-Language Management feature is enabled on that particular instrument, some HTML tags might mistakenly appear inside the placeholder text for that field.
Bug fix: When using Multi-Language Management and changing an enumerated value (e.g., choices, Action Tags), the “reference change tracker” was wrongly highlighting some items on the page.
Bug fix: When a Secondary Unique Field is designated in a project while its two display-related checkbox sub-options are left unchecked, then when viewing a data entry form for an instrument that was completed via survey (as opposed to via data entry form), the value and/or label of the SUF would mistakenly be displayed at the top of the data entry form. (Ticket #123127)

Version 12.2.3 (released on 2022-02-18)

CHANGES IN THIS VERSION:

CDIS NOTICE: If you are actively using any CDIS service (Clinical Data Pull or Clinical Data Mart), please be aware that this upgrade might take longer than usual (possibly 10-30+ minutes if you have several projects using CDIS) due to some back-end database changes related to CDIS. If you are not using CDIS, this upgrade will be fairly fast, as usual.
Minor security fix: A vulnerability was discovered where malicious user could potentially exploit it by manipulating an HTTP request for the project Calendar page popup, in which some minimal amount of data from the calendar event could be exposed to a REDCap user for a project to which they do not have access.
Improvement: The Codebook now contains a “Field Finder” to allow users to quickly search for a field by keyword or phrase in the field label or by variable name. Also, the gray “Instrument Name” rows in the table will float at the top of the page while scrolling so that it is always apparent the instrument to which a field belongs. Additionally, when scrolling down the page, an up-arrow image will appear at the bottom right of the page that (when clicked) will quickly scroll the page back to the top.
Improvement: When using Multi-Language Management, it will now display a list of possible issues to users when entering the page if any elements have been modified since they have been translated. For example, if a field label is translated, and then a user modifies the Default language text via the Online Designer, the MLM page will display a warning in a popup dialog that will ask the user to confirm that the current translation is okay or else to provide a new translation to match the updated Default text. This will help notify users about potential issues with their translations to keep them updated if they are still modifying the Default language text in the project.
Improvement: Piping can now be performed inside the value of the @PLACEHOLDER action tag - e.g., @PLACEHOLDER="[first_name] [last_name]".
Change/improvement: Two new LOINC codes added to CDIS mapping.
Various fixes and improvements for the External Module Framework.
Bug fix: A new system-level configuration setting was added to the User Settings page in the Control Center to allow admins to select the default instrument-level user access that gets set for all project users’ Data Viewing Rights and Data Export Rights whenever a new instrument is created while in production status. The available options are “No Access” (default) and "View & Edit/Full Data Set". Many administrators have noted that the sudden change in REDCap 11.3.0 for default instrument-level user access for new instruments while in production has caused quite a lot of confusion for users and has thus greatly increased the support workload of administrators. Despite being a new system-level option, this is considered a bug fix because it serves to restore continuity with previous versions by allowing admins (if desired) to revert the behavior back to the way it behaved in pre-11.3.0 versions. (Ticket #120976)
Bug fix: Fixed some inaccurate instructional text at the top of the “Help & FAQ” page.
Bug fix: When processing REDCap logic, in some specific instances with specific logic, which may also be dependent upon PHP version, a fatal PHP error might occur and might crash the page. (Ticket #122418)
Bug fix: When using Multi-Languagement Management and defining a Fallback language that is different from the Default language, any User Interface text on a survey page or data entry form might mistakenly be displayed in the Fallback language when the Default language has been selected as the display language.
Bug fix: If an external module utilizes the “redcap_pdf” hook while the system-level “redcap_pdf” hook (in the hook functions file) is also being utilized to perform custom tasks on the server, the results returned from the EM PDF hook would mistakenly not get utilized downstream. (Ticket #122775)
Various fixes and improvements for Clinical Data Interoperability Services, including the following:
- Improved logs for all FHIR interactions with the EHR system.
- Better error messages for all CDIS apps.
- Mapping helper link in the CDIS panel (only for users allowed to use it).
Bug fix: The datepicker widgets used for the time window search on the Email Logging page in a project would mistakenly not stay visible in certain cases when trying to use them. (Ticket #122811)
Bug fix: The URL for the example Login Page logo used on the REDCap Install page mistakenly pointed to a non-existent image/URL.
Bug fix: When attempting to send outgoing emails (e.g., survey invitations, alerts), if the email subject is left empty, it might prevent the email from sending successfully.
Bug fix: In certain situations with longitudinal projects, the Form Display Logic might mistakenly not function correctly to enable/disable the right instruments. (Ticket #122974)
Bug fix: When creating a longitudinal project via a Project XML file, the form-event mapping might mistakenly not get saved during the project creation process.
Bug fix: When exporting and then importing a Project XML file to create a new project that has some Form Display Logic defined, if the project is longitudinal and has some Form Display Logic conditions that references an instrument on "[All Events]", those Form Display Logic conditions might mistakenly not get saved during the project creation process.
Bug fix: When viewing the table of user privileges on the User Rights page, the Data Viewing Rights column would mistakenly display "Hidden (No Access)" for any users that have “View & Edit” rights along with the “Edit survey responses” checkbox checked for one or more instruments. If the “Edit survey responses” checkbox is not checked, it would correctly display “View & Edit” in the table.
Bug fix: When editing an existing report that has fields selected via the drop-down lists in Step 3 (Filters), then the user clicks the “Use advanced logic” link, then the user clicks the "Use simple logic (choose fields from list)" link, then if they select a field in the first filter field drop-down (which has no field selected), it would mistakenly not display a new field/row immediately below that row. Thus, the user is not able to add more than one filter field for the report in this scenario unless they save the report and reload it to edit it again. (Ticket #18065)

Version 12.2.2 (released on 2022-02-11)

CHANGES IN THIS VERSION:

Improvement: Each tab on the “Help & FAQ” page now has a drop-down list of subsections that, when selected, will auto-scroll the webpage down to that subsection on the page.
New feature: When using the survey setting “Save a PDF of completed survey response to a File Upload field”, users can now optionally set this feature to store the translated version of the PDF if the Multi-language Management feature is being utilized for the survey. This can be enabled by checking the “Store the translated version of the PDF” checkbox below the “Save a PDF…” setting on the Survey Settings page for the desired survey. (Ticket #121955)
Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the values of Text Box and Notes Box fields that are piped somewhere else on the same page as where the field exists. This does not occur if they are piped into a different instrument, different event, or elsewhere in the project.
Bug fix: A field’s question text on a survey page might mistakenly not get recognized by certain screen reading software, especially if the survey has the “enhanced radio buttons and checkboxes” setting enabled. (Ticket #121765)
Bug fix: When attempting to upload a data dictionary with calculated fields or @CALCTEXT fields that contain Smart Variables inside their calculation, REDCap might mistakenly return an error message saying that the Smart Variables are not real variables, thus preventing the user from uploading the data dictionary.
Bug fix: In some edge cases when viewing the user table on the User Rights page, a user might mistakenly not have Data Export Rights for any instruments prior to modifying their privileges. In this case, it will simply revert them to having No Access export rights.
Bug fix: Too many Google services were mistakenly included during the recent bundling of the Google PHP API Client Services library, thus causing REDCap’s resulting code to bloat unnecessary by an extra 15,000 files.
Bug fix: The contents of the email sent to a participant after clicking the “Save & Return Later” option in a survey were mistakenly not translatable via the Multi-language Management feature.
Bug fix: When adding a field to a project in production while in draft mode, an incorrect error message is displayed if the field is being added below a section header. (Ticket #122044)
Bug fix: A fatal PHP error might be thrown in very specific instances when using PHP 8.0+. (Ticket #122182)
Bug fix: Users that have “No Access” data export rights for a given instrument would mistakenly not be able to download a PDF with no data for that instrument either on the Online Designer or at the top of a data entry form when viewing the instrument.
Bug fix: A fatal PHP error may occur on the Online Designer page for PHP 8.0+ in certain situations. (Ticket #122108)
Bug fix: The table displaying user privileges on the User Rights page might mistakenly display incorrect counts under “Data Export Rights” and “Data Viewing Rights” due to some instruments having been deleted or orphaned.
Bug fix: Resolved some potential upgrade issues occurring with SQL queries failing in some particular situations when upgrading to REDCap 11.2.0 or higher. (Ticket #121952)
Bug fix: When a project has record auto-numbering enabled, and a user creates a record, renames it, and then deletes it, the next record to be created would mistakenly not have the same record name as the one deleted (assuming no other records had been created during the interim). It is assumed that the next record would have the same name as the deleted one. (Ticket #122090)
Bug fix: When piping the value of a MDY or DMY formatted date or datetime field into the min or max validation range attribute of another date or datetime field, in which the field being piped exists on a different instrument or event, the out-of-range error message would fail to display to the user when the value is out of range and would thus result in a JavaScript error. (Ticket #121964)
Bug fix: When adding hyperlinks into a field label, survey instructions, etc., in which the hyperlink URL contains “on” and also “=” somewhere inside it, the URL might mistakenly get mangled when output on the page in which “onXXXXX=” will be replaced with the word "replaced=". (Ticket #121691)
Bug fix: For date-validated Textbox fields that utilize the @FORCE-MINMAX action tag with “today” as the min or max range value, it might be possible to bypass the min/max range check if users/participants use the datepicker widget a specific way, such as clicking the calendar icon to open the datepicker but then click the submit button on the page.
Bug fix: When uploaded files are being copied on the server (e.g., when copying a project containing Descriptive Text fields with file attachments), if the file somehow can’t be found or accessed on the server, it would throw a fatal PHP error in PHP 8.0+. (Ticket #122496)
Bug fix: When required fields are left empty on a data entry form that is submitted, thus displaying the required fields popup, and then the page is refreshed, it would mistakenly keep displaying the required fields popup to the user even when the required fields might have been given values in the interim. (Ticket #122480)
Bug fix: When using [survey-date-completed] or similar Smart Variables inside the conditional logic for Automated Survey Invitations, it might cause the page to crash when submitting a survey or data entry form, resulting in a fatal PHP error. (Ticket #122473)
Bug fix: If an instrument is exported as a PDF with data, in which the instrument contains slider fields that display the slider value next to it, the slider’s value displayed in the box next to the field in the PDF would mistakenly always be normalized to be between 0 and 100, rather than displaying the literal value as-is. (Ticket #122035)
Bug fix: Data Quality rule F might mistakenly return false positives for fields that exist on repeating instruments in a longitudinal project, especially when the field’s instrument is also utilized as a non-repeating instrument in another event. (Ticket #121343)
Bug fix: When running PHP 8.0+, the Stats & Charts page might fail with a fatal PHP error if number/integer fields somehow contain non-numeric values. (Ticket #122604)
Bug fix: When upgrading to REDCap 11.4.1 or higher, the SQL upgrade script might mistakenly crash with an error on a certain query. (Ticket #122565)
Bug fix: When using Multi-Language Management and translating a survey that has Stop Actions, the User Interface text for the title of the Stop Action popup (i.e., “End the survey?”) would mistakenly not appear in its translated form. (Ticket #122644)
Bug fix: When importing the JSON or CSV language file for Multi-Language Management, labels might mistakenly not get updated to their translated form for option choices for some multiple choice fields. (Ticket #122636)
Bug fix: Some text was changed in the Tableau section of the “Other Export Options” tab on the “Data Exports, Reports, and Stats” page because it could be confusing to users if certain institutions have special licensing and/or policy with regard to the installation of Tableau. (Ticket #122618)
Bug fix: If a user is assigned to a Data Access Group, the “Select a previously sent email” drop-down list in the “Compose Survey Invitations” popup on the Participant List page would mistakenly not filter out previously-sent emails pertaining to records that belong to other DAGs. (Ticket #122495)
Bug fix: If more than 500 instances of the @IF action tag are used for a field, whether nested or used in parallel, all the @IFs listed after the 500th @IF would mistakenly not get processed, thus causing the @IFs not to function correctly on the field.
Bug fix: The “Break the Glass” feature in Clinical Data Pull (CDP) was mistakenly not able to perform a successful login for the user, thus was not able to break the glass for a record.
Bug fix: When creating a new project using a Project XML file with an API super token, in some particular use cases depending on the exact setup of the project and its data, the API request might mistakenly crash or might not complete the process if any record data exists inside the Project XML file. (Ticket #121579)
Bug fix: Clicking a slider field to initialize it would mistakenly not immediately trigger its value to be piped if the slider is piped elsewhere on the same page. It would only pipe if the slider’s value was modified after its initialization. (Ticket #122704)
Bug fix: A warning message would mistakenly be returned when attempting to upload a data dictionary containing checkboxes with a dot/period in a checkbox choice coded value, in which that checkbox choice was being referenced in a calculation or branching logic. Notes: Dots/periods are allowed in a checkbox choice code. (Ticket #122581)
Bug fix: When uploading a file for a File Upload field via the API Import File method, the resulting logged event on the project logging page would only display the field name when it should instead display the field_name and back-end edoc ID value for the file in the logged event description. This was changed because it was inconsistent with the logging produced when uploading a file via the user interface. (Ticket #122272)
Bug fix: Text Box fields with the @SETVALUE action tag would always display the red bar on the side of the field (regardless of the value) when instead the red bar should only be displayed when the saved value is different from the displayed value.

Version 12.1.1 (released on 2022-01-10)

CHANGES IN THIS VERSION:

Major bug fix: The new "Time (HH:MM:SS)" field validation might not have been stored correctly (and thus would not work successfully) if you previously upgraded to REDCap 12.1.0.
Major bug fix: Some installations (depending on MySQL/MariaDB version) might mistakenly have a database structure issue involving the table “redcap_log_view_requests” after upgrading to REDCap 12.1.0. (Ticket #120622)
Bug fix: The field drop-down for the “Designate a Secondary Unique Field” setting in the “Additional Customizations” popup on the Project Setup page would mistakenly not include some Textbox fields (notably those with no Action Tags or Field Annotation).
Bug fix: When using Smart Variables that utilize the parameters “:fields” or “:instrument” in a calculated field or @CALCTEXT field, if the user is entering data on a form or survey, the calculation might mistakenly not get updated if fields used inside the Smart Variable exist on a different instrument or event.
Bug fix: For certain server configurations, the REDCap cron job might mistakenly crash due to a floating point precision issue when creating a timestamp. This occurrence is fairly rare. (Ticket #120688)
Bug fix: When using certain Smart Variables inside a calculation or @CALCTEXT field, a calculation error message might mistakenly appear on the data entry form or survey page and thus would prevent calculations from occurring on that page. (Ticket #120660)
Bug fix: When a report contains data from a repeating instrument and/or repeating event, in which the report’s checkbox setting “Include the repeating instance fields (redcap_repeat_instrument, redcap_repeat_instance) in the report and data export?” is not checked, viewing the Stats & Charts page for the report would display the charts and tables correctly unless a user selects a Live Filter for the report, in which it would mistakenly cause all/most tables and charts not to display at all on the page. (Ticket #120408)

Version 12.1.0 (released on 2022-01-07)

CHANGES IN THIS VERSION:

New feature: Conditional logic for Survey Auto-Continue - When enabling Survey Auto-Continue on the Survey Settings page for a survey, users may now optionally specify conditional logic to determine whether or not the auto-continue should be applied. As such, REDCap will auto-continue to the next survey *only* if the conditional logic is TRUE or if the logic textbox has been left blank. This new option can be used as a simpler alternative to the Survey Queue, which can require more complex instrument-event level configurations for longitudinal projects.
New feature: Dynamic min/max range limits for fields - Instead of using exact values as the minimum or maximum range of Textbox fields (e.g., “2021-12-07”), you may now also use “today” and “now” as the min or max so that the current date or time is always used. These can be used to prevent a date/time field from having a value in the past or in the future. Additionally, you can now pipe a value from another field into the field’s min or max range setting - e.g., [visit_date] or [event_1_arm_1][age]. This can help ensure that a Textbox field (whether a date, time, or number) has a larger or smaller value than another field, regardless of whether the field is on the same instrument or not.
New action tag: @FORCE-MINMAX - The action tag @FORCE-MINMAX can be used on Textbox fields that have a min or max validation range defined so that no one will not be able to enter a value into the field unless it is within the field’s specified validation range. This is different from the default behavior in which out-of-range values are permissible. Note: @FORCE-MINMAX is also enforced for data imports to ensure the value is always within the specified range.
New field validation: "Time (HH:MM:SS)" - This new time-based field validation (unique name “time_hh_mm_ss”) will be added automatically and enabled by default during the upgrade process. This validation forces users/participants to enter a time value that contains the hour, minute, and second components. It also includes the usage of the “Now” button and the timepicker popup widget, both of which are displayed next to the field on the survey page or data entry form. Note: Fields with this field validation can be utilized inside the datediff() function. (Thanks to the Field Validation Committee for this addition.)
Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in various places.
Minor security fix: If a field contains integer values (e.g., Textbox, Radio, Drop-down) for a record, and then the field is changed to be a File Upload field, viewing a data entry form or a report that contains that field might (depending on the pre-existing integer value of the field) mistakenly expose the filename of files that have been uploaded to other File Upload fields, including possibly those from other projects. Users are not able to download these uploaded files or view their contents, but can view the filename of the file on a data entry form or a report.
Minor security fix: A Blind SQL Injection vulnerability was found on the Cron Jobs page in the Control Center, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page.
Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL on the API Tokens page in the Control Center and also on the API page in a project.
Major bug fix: In a longitudinal project with Data Access Groups, importing data via the “Import Records” API method for an existing record that is assigned to a DAG, in which the API parameters format="json" and overwriteBehavior="overwrite" are used, if the JSON data being imported contains a non-blank value for the “redcap_data_access_group” field for one event while another event of data (for the same record) does not contain the “redcap_data_access_group” field at all in the JSON, REDCap would mistakenly perceive the absent “redcap_data_access_group” field as a blank value and thus would un-assign the record from the DAG (due to the overwriteBehavior="overwrite" parameter being used). When this occurs, the DAG unassignment event would also not get logged on the project Logging page.
Improvement: For projects using the Clinical Data Interoperability Services (CDIS), a new observation category “social history” was added for both CDM and CDP projects, thus allowing them to import this new type of EHR data into REDCap.
Improvement: New CDIS panel on the left-hand project menu to display information and links that are relevant to projects using either Clinical Data Pull or Clinical Data Mart.
Change: When using the Auto-adjudication feature in a Clinical Data Pull (CDP) project, in which it has been set to notify the user via REDCap Messenger whenever a record has been auto-adjudicated by the system, REDCap now automatically deletes all previous auto-adjudication Messenger threads for this project for the user. In previous versions, the user might receive thousands of Messenger notifications, which could cause REDCap itself to become sluggish for the user. Now it only keeps the latest notification for the user.
Various updates and changes to the External Module Framework, including a slight change to the EM link on the left-hand project menu (i.e., the “External Modules” link was replaced with “Manage” further down the project menu).
Change: In the database backend, the “redcap_log_view” database table will be renamed to “redcap_log_view_old”, and an empty replacement table (named “redcap_log_view”) will be created in its place. The old table and its contents will no longer be used in the application except for very specific, seldom-used functionality (e.g., viewing Page View events on a project’s Logging page). The new table will have a slightly different structure, such as a BIGINT primary key (instead of INT) and better/more indexes to improve query performance for the table. The retiring/renaming of the old table should not have any effect on plugin/hook/module developers unless you are performing direct queries on the “redcap_log_view” table to pull information from months or years in the past, in which case you would want to also query the “redcap_log_view_old” for such information. Note: During the upgrade process, the last 30 minutes worth of activity from redcap_log_view will be automatically transferred to the new table in order to maintain continuity within the application for before and after the upgrade, especially if the system is not taken offline during the upgrade.
Bug fix: Drop-down fields using the auto-complete option would cause the webpage to be slow/laggy when typing a value into the field’s textbox or when clicking the down-arrow button for the field to view the full list of choices if the field has hundreds or thousands of choices defined. This slowness was due to the auto-complete feature not being set up correctly in the underlying JavaScript. Note: Clicking the down-arrow button for an auto-complete drop-down with 1000+ choices when the field has no value will now display a notice next to the field that the full list of choices cannot be displayed and instead encourages the user to type a value to search all options.
Bug fix: When referencing a Smart Variable inside conditional logic (e.g., Data Quality rules, ASI logic) in which the Smart Variable is appended with a colon+parameter while also being prepended with a unique event name (e.g., [event_1_arm_1][survey-date-completed:form_1]), the logic might fail to be successfully evaluated. This could cause Data Quality rules to throw an error or could cause survey invitations for ASIs not to get sent in specific cases. (Ticket #120543)
Bug fix: When a multi-page survey contains required fields that exist on pages after page 1, in some specific scenarios it might mistakenly display the “Some fields are required!” prompt for fields on later pages after submitting the first page. Note: The participant would still be allowed to continue to the next page after the initial submission of page 1. (Ticket #120518)

Version 12.0.7 (released on 2021-12-28)

CHANGES IN THIS VERSION:

Security improvement: Any third-party (i.e., external service) API keys/secrets that are currently stored in the redcap_config database table via a System Configuration page in the Control Center (e.g., AWS S3 secret key, Twilio Auth Token for two-factor authentication) will now have its value stored in encrypted format in the redcap_config table instead of being stored as plain text. This will occur automatically and transparently after upgrading. This will prevent anyone from obtaining these keys/secrets if they view the contents of the redcap_config table.
Minor security fix: Updated “Axios” third party JavaScript package due to reported vulnerabilities.
Change: The dialog that is displayed when editing a field’s branching logic in the Online Designer, in which one or more fields have the exact same branching logic as the current field, contains different text to better explain what clicking “Yes” will do.
Bug fix: When using specific configurations of the Survey Queue while running a specific PHP version on the REDCap web server (PHP 8.0 or 8.1?), it might cause the survey page to suddenly crash with a fatal PHP error after completing a survey. (Ticket #120211)
Bug fix: A calculation error would occur (displaying the error popup) on a survey page or data entry form if the @CALCDATE action tag is used on an MDY or DMY formatted date or datetime field, in which the first parameter of @CALCDATE contains an if() function where the first field used inside the if() is not a date or datetime field. (Ticket #119510)
Bug fix: When an Ad Hoc calendar event is viewed in the calendar popup in a longitudinal project, it would mistakenly display the instruments designated for the first event in the Data Entry Forms list inside the calendar popup. Ad Hoc events should not display any forms in the calendar popup. (Ticket #120224)
Updates and various fixes for the External Module Framework, such as the following: Fixed multiple issues with survey & NOAUTH CSRF protection, Added support for hidden subsettings, Improved log display performance, and Added project IDs to error emails.
Bug fix: [scatter-plot] Smart Charts might not display their x-axis in correct numeric order for slider fields or some other fields with numeric data. Additionally, for this same situation [line-chart] Smart Charts might mistakenly display their x-axis as a categorical-type display rather than a linear-type display. (Ticket #120214)

Version 12.0.6 (released on 2021-12-23)

CHANGES IN THIS VERSION:

Change/improvement: New CDIS setting - “Identity provider (optional)” - If specified on the Clinical Data Interoperability Services page in the Control Center, the identity provider will be used in the OAuth2 authorization process to identify the server that will exchange the FHIR access token with REDCap. This setting should only be set if the real FHIR base URL of the EHR system is different from the one specified on this page (e.g., the EHR system is behind a proxy).
Bug fix: If database table structure issues exist, in which REDCap provides the SQL to fix the issue, the generated SQL might fail when executed on some versions of MySQL/MariaDB if the SQL contains queries to drop Primary Keys that are being used as Foreign Keys in other tables. The generated SQL now includes queries to drop the Foreign Key before dropping the Primary Key, and then also the SQL to re-add the Foreign Key after fixing the Primary Key.
Bug fix: When using Clinical Data Pull or Clinical Data Mart and utilizing the “Break the Glass” feature, an authentication error might occur when attempting to use one’s credentials to break the glass of a patient record, specifically when using LDAP authentication.
Bug fix: When using the “:value” modifier when piping a field value while also referencing the unique event name and an X-instance Smart Variable (e.g., [c_hmcadrc_visit_re_arm_1][cog_behav_status:value][last-instance]), the label of the multiple choice field option mistakenly might get piped instead of the value of the selected choice. (Ticket #119879)
Bug fix: Depending on the naming conventions of the records in the project, the records in the record drop-down list on the “Add/Edit Records” page might appear slightly out of order if Record Auto-Numbering was enabled after non-numerical record names had already been created in the project.
Bug fix: The @RICHTEXT action tag would mistakenly not work on survey pages. (Ticket #119996)
Bug fix: When making a call to REDCap::saveData() or to the “Import Records” API method to import record data for records that have been assigned to a Data Access Group, if the data being imported is for a longitudinal event that currently has no data for the record, then the project’s Logging page might mistakenly denote the record as being created during the import process, despite the fact that the record already exists and has data in other events. In some very rare cases, this might additionally cause the record to get unassigned from its current DAG with no logging to indicate that this happened.
Bug fix: Fields with the @CALCDATE or @CALCTEXT action tags could mistakenly be chosen as the Secondary Unique Field in the project, although this should not be allowed because it could cause the field not to perform its calculation correctly, especially if the field exists on a repeating instrument/event. As calc fields have never been allowed for use as the Secondary Unique Field, neither should @CALCDATE or @CALCTEXT fields. (Ticket #119773)
Bug fix: Fields with the @CALCTEXT action tag might mistakenly (in specific situations) return an incorrect result if values with leading zeros are utilized in the equation, in which the value “007” would be returned as "7". This would mostly occur when evaluating radio or drop-down fields that have leading zeros for one or more choice codes but do not have any choice codes that contain letters. (Ticket #120024)

Version 12.0.5 (released on 2021-12-17)

CHANGES IN THIS VERSION:

New feature: New design for the “Help & FAQ” page.
New Smart Variable: [event-number] - The current event’s ordinal number as listed on the Define My Events page that denotes the order of the event within a given arm. (Ticket #70973)
Improvement/change: The Define My Events page now displays a new column to display each event’s Event ID number. Also, the Smart Variable corresponding to each column in the table on the Define My Events page (e.g., [event-number], [event-label) are displayed in small gray text below the header text in the table to help users more easily learn where the values of those Smart Variables originate. (Ticket #115791)
Improvement: When using OAuth2 Azure AD Authentication, you may now specify a different AD attribute whose value determines the REDCap user’s username. By default, it uses the AD attribute "userPrincipalName", which often resolves to the user’s email address. The Security & Authentication page has a new drop-down setting to allow admins to alternatively specify the AD attribute "samAccountName", which would resolve to something like "pharris", for example. This provides an option if the institution prefers not to use a user’s email address as their REDCap username. Note that this setting does not change the Azure AD login name, which is still the user’s email address / userPrincipalName. Administrators may want to select the samAccountName to help retain account usernames when transitioning from LDAP to Azure AD, or if samAccountName is considered an immutable (and thus more reliable) user ID at your institution.
Change: Although REDCap sets the cookie “samesite” attribute to “Lax” by default, the “samesite” attribute can be overridden by adding the following line of code in the REDCap database.php file on the web server: $GLOBALS[‘cookie_samesite’] = "None"; // Possible values: "None", "Lax", or "Strict".
Bug fix: After a participant clicks the “Save & Return Later” button on a survey and then attempts to send themselves the survey link for returning, the resulting confirmation dialog titled “Email sent!” would mistakenly have the word “undefined” inside the dialog rather than the correct stock language text "The email was successfully sent to:". (Ticket #119438)
Bug fix: Various JavaScript-driven messages displayed on data entry forms and survey pages would mistakenly display “undefined” instead of the correct text.
Bug fix: REDCap now automatically sets mysqli_report to OFF for better compatibility with PHP 8.1, which defaults this setting to MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT. Without setting this, PHP might fail with a fatal error whenever a query to MySQL fails, but this only occurs for certain configurations of PHP 8.1.
Bug fix: Typo in Shibboleth authentication settings in the Control Center.
Bug fix: When using OAuth2 Azure AD Authentication, the usernames set on the Security & Authentication page for Primary Admin and Secondary Admin were case-sensitive. They are now case-insensitive so that the admin usernames can be entered in any case and will still work.
Bug fix: When using certain versions of MySQL or MariaDB, the Easy Upgrade or Automatic Upgrade features might mistakenly not be allowed, in which REDCap might think that the REDCap MySQL user does not have “DROP” privileges for the database. (Ticket #119577)
Bug fix: If records are named a specific way in a project, they might appear out of order when displayed in certain contexts, such as if the record list spans multiple pages on the Record Status Dashboard. (Ticket #119189b)
Bug fix: When uploading an allocation file on the Randomization page, it might mistakenly allow the user to upload multiple allocation files while on the same page. This should not be allowed. (Ticket #119640)
Bug fix: When using the Multi-language Management feature to translate the choice labels of Yes/No and True/False fields, those choice labels would mistakenly not appear translated in downloaded PDFs of an instrument (both with and without data).
Bug fix: If a “<>” operator is used in a field’s Field Annotation/Action Tags, then the operator would mistakenly not be displayed in the Codebook. (Ticket #119705)
Bug fix: In situations where slider fields should be disabled on a data entry form (e.g., user has read-only Data Viewing Rights for the instrument), sliders could mistakenly become editable on the page if clicked. Note: Since the user cannot submit the page in this situation, it does not affect data, but can be confusing. (Ticket #119760)
Bug fix: When utilizing [aggregate-X] Smart Variables in a calculated field or @CALCTEXT field, if the user is entering data on a form or survey, the calculation might mistakenly not get updated if fields used inside the [aggregate-X] Smart Variable exist on a different instrument or event. However, the calc/@CALCTEXT field would get correctly updated when running Data Quality rule H or when performing a data import.
Bug fix: An error message would mistakenly be displayed when attempting to pipe a field variable into the “Redirect to a URL” textbox on the Survey Settings page.
Change: Added user’s REDCap username to the email subject for REDCap Messenger email notifications to help distinguish them if the same primary email address is used for multiple users.
Bug fix: The cron job that sends email notifications for REDCap Messenger might mistakenly send multiple emails repeatedly to users. (This is an additional fix to the same bug fix from one month ago.)
Bug fix: When using the Data Resolution Workflow, the DRW dialog would mistakenly not allow the user to reassign the data query to another user if the data query had been opened immediately after the field’s data value had been "Verified". (Ticket #119758)

Version 12.0.4 (released on 2021-12-10)

CHANGES IN THIS VERSION:

Change/improvement: A link to the “Language File Creator/Updater” page was added to the Control Center’s left-hand menu in the Administrator Resources section.
Change/improvement: When printing a report, the “Number of results returned” and “Total number of records queried” counts are now included in the printout of the page.
Bug fix: The “RTL” dialog on the Multi-Language Management page in the Control Center would mistakenly be empty instead of having the appropriate text.
Bug fix: A PHP fatal error would be thrown when attempting to edit a field in the Online Designer if using PHP 7.2. (Ticket #118919)
Bug fix: When using newer versions of MySQL or MariaDB, the Easy Upgrade or Automatic Upgrade features might mistakenly fail in certain instances if the REDCap MySQL user does not have “REFERENCES” privileges for the MySQL database. (Ticket #119033)
Bug fix: When pulling EHR data from the Conditions R4 endpoint for Clinical Data Pull or Clinical Data Mart, the condition’s date value might mistakenly fail to get imported into the REDCap project.
Changes and various bug fixes for the External Module Framework, including the following: Included cron start & end times in the cron log, Improved unit testing & psalm scanning (of the framework itself), and Improved performance of the “Logs” page.
Bug fix: The variable name displayed for fields on the Codebook page would mistakenly display a square bracket after the branching logic instead of before it. (Ticket #119302)
Bug fix: If a user is in a Data Access Group, the Participant List would display an incorrect count of how many visible participants are in the Participant List, and it might show some pages of the Participant List as being empty. (Ticket #119056)
Bug fix: If records are named a specific way in a project (e.g., ABC-1, ABC-2), they might appear out of order when displayed in certain contexts, such as if the record list spans multiple pages on the Record Status Dashboard. (Ticket #119189)
Bug fix: If a calculated field is using a datediff() function with a datetime field and with “today” as the first two parameters, it would mistakenly throw an error on the page that a calculation error exists. (Ticket #119049)
Bug fix: When sending an SMS via Twilio, in which the Twilio API returns the error message "violates a blacklist rule", the survey invitation log would mistakenly not flag this error correctly with reason_not_sent = ‘PARTICIPANT OPTED OUT’ but instead would revert to the default reason_not_sent of 'ERROR SENDING SMS’.
Bug fix: If HTML tags are used inside the Custom Labels for Repeating Instruments, whenever the dialog is reopened to edit the Custom Labels for Repeating Instruments, the HTML tags will have been automatically removed. It should not remove the HTML tags that have been already saved. (Ticket #119244)
Bug fix: When clicking the “export” link to download the results after running Data Quality rule A or B, it would be impossible to determine which field had the missing value for a given row/record if more than one field had a missing value for the whole set of results exported. To remedy this issue, the export file no longer lists each variable name as a separate column (like other DQ rules) but instead has a new “field” column that will list the variable name of the field with the missing value in each row. (Ticket #119276)
Bug fix: When upgrading to REDCap 12.0.0 or higher and when the Form Render Skip Logic external module is being utilized for one or more projects, the upgrade script to auto-migrate all the FRSL settings into the new Form Display Logic feature might be slightly incorrect for some FRSL configurations (only affecting longitudinal projects). If the FRSL checkbox setting “Restrict this rule to specific events” is not checked but one or more events have been selected (which is not expected), the resulting behavior from the Form Display Logic would cause the form to be disabled for the selected event, whereas the FRSL module beforehand would disable the form on every event. The auto-migration script now has been changed to match the behavior of the FRSL module for this particular misconfiguration of the FRSL module. (Ticket #118353)
Change: For new REDCap installations, the global setting “Minimum number of data points required to display Smart Charts, Smart Tables, or Smart Functions” has been changed from “11” to “5” since the previous default value was regarded as too conservative by many. For existing installations, this value can easily be changed on the User Settings page in the Control Center and additionally can be overridden for any project via the Edit A Project’s Settings page.
Bug fix: When displaying Smart Charts on a public Project Dashboard, in which the chart is grouped via a secondary field, in some specific cases where data is missing for the first field in the chart but not for the grouping field, the chart might mistakenly get displayed (instead of displaying the message "[INSUFFICIENT AMOUNT OF DATA FOR DISPLAY]") even when it does not meet the minimum data point criteria. (Ticket #119348)
Bug fix: Custom Data Quality rules whose logic utilizes fields from repeating instruments might mistakenly return results that are duplicates or not relevant, such as displaying the base/non-repeating instance when all the fields in the logic exist on a repeating instrument. (Ticket #72996)

Version 12.0.3 (released on 2021-12-03)

CHANGES IN THIS VERSION:

Major bug fix: When the “Enable support for Survey Auto-Continue” option is checked in the Form Display Logic setup dialog, the feature might mistakenly fail to evaluate the logic correctly during the Survey Auto-Continue process. Thus, it could cause some surveys to get skipped unintentionally.
Improvement/change: When using Multi-Language Management on a survey, the current language name is now displayed next to the globe icon at the top right of the survey page so that participants more intuitively understand what the current language is and to click it to change the language.
Improvement/change: The Online Designer now denotes whether a field on the instrument contains embedded fields inside its label, choices, notes, etc. by displaying a blue box saying "Contains embedded fields", similar to the green “Field is embedded elsewhere on page” boxes for embedded fields themselves. This will provide users with visual cues to know when and where field embedding is occurring.
Improvement: The Design Checker feature for Clinical Data Mart now has improved descriptions of changes that will be made, including the severity of the design issue.
Bug fix: When using vertical sliders on forms/surveys, the “Change the slider above to set a response” text would have a translucent background that might mistakenly cover part of the text field displaying the number value. (Ticket #118330)
Bug fix: When using the Sponsor Dashboard or Browse Users->View User List By Criteria pages and clicking the “Time of latest password reset” link on the page, the resulting error message might be confusing if the user selects users in the table in which none of those select users log in via Table-based authentication (assuming the system authentication is LDAP+Table or Shibboleth+Table). More text has been added to the error message to inform the user that at least one Table-based authentication user must be selected in order to perform this action. (Ticket #118200)
Bug fix: If an admin has “Modify System Configuration Pages” admin rights but does not have “Access to all projects and data with maximum user privileges” admin rights, then if the system was taken offline, the admin would mistakenly not be able to restore the system back to online status. (Ticket #118540)
Bug fix: The “Save your changes?” prompt that is displayed when attempting to leave a Data Entry Form via closing the current window/tab might mistakenly cause a JavaScript error rather than displaying the prompt.
Bug fix: When using Missing Data Codes for an embedded field with the “:icons” parameter set (e.g., {field1:icons}), the list of Missing Data Codes would fail to display after clicking the “M” icon for the embedded field. (Ticket #118636)
Bug fix: When using Missing Data Codes for an embedded field with the “:icons” parameter set (e.g., {field1:icons}), in which the field is a Radio Button field, if the user clicks the “reset” link to reset the value of the field, it would mistakenly throw a JavaScript error. It would still correctly remove the value of the field and reset it, but it would appear to the user as if it did not.
Bug fix: The Smart Variables [survey-time-completed] and [survey-date-completed] might not get evaluated correct when used in Survey Queue conditional logic. (Ticket #118452)
Bug fix: When attempting to save a custom Record Status Dashboard in a non-longitudinal project, in which one or more instruments are selected for the “Select instruments” option, it would fail to save the selected instruments, thus resulting in displaying all instruments on the custom dashboard instead of only the selected ones.
Change: To the right of the REDCap/PHP/MySQL versions listed at the top of the main Control Center page, a “copy” icon was added to allow administrators to easily copy those that version information text so that they may paste them elsewhere, such as when posting a question or bug report on REDCap Community.
Bug fix: When a multi-arm longitudinal project does not have “arm 1” defined but has higher-numbered arms defined, it can cause certain things not to work correctly, such as branching logic, calculations, or action tags.
Change: In the “Add Field"/"Edit Field” dialog in the Online Designer, it is no longer possible to tab into the Action Tags text box. This was changed because users found it a bit jarring for the Logic Editor dialog to automatically display as they are tabbing through the fields inside the “Add Field"/"Edit Field” dialog.
Change: Light gray square brackets are now displayed around the variable name for each field on the Data Dictionary Codebook to aid users when searching for a specific field on the page (because it may sometimes be hard to find a field on the page if it is used in lots of branching logic or calculations).
Bug fix: When attempting to do a fresh install of REDCap on PHP 8.0, the install page might mistakenly crash with a blank white page.
Bug fix: When a public survey is completed and the “Save & Return Later” feature is not enabled for the survey, references to the survey link via the Smart Variable [survey-link] might mistakenly allow participants to return to the completed survey when instead it should prevent them and thus display the “Thank you for your interest, but you have already completed this survey” message. This could cause further confusion if a participant attempted to download a file for a File Upload field on that survey, in which it would prevent them from downloading it (via an error message); however, this might be confusing since the participant could access the survey page (via this bug) but not the downloadable file on the survey. (Ticket #118314)

Version 12.0.2 (released on 2021-11-29)

CHANGES IN THIS VERSION:

Change: The Control Center now recommends using PHP 7.4, 8.0, or 8.1, which are the only currently supported versions of PHP (by the PHP Team).
Bug fix: The “Add/Edit Records” page would display a green button with the incorrect text “Add new record for the arm selected above” for projects that do not have multiple arms. The button instead should say "Add new record".
Bug fix: When upgrading from a version prior to REDCap 11.4.1, the upgrade SQL script might mistakenly fail when dropping an index on the `redcap_user_roles` table.
Bug fix: When copying a project where Twilio is enabled, the various Twilio configuration settings would mistakenly not get copied. Note: The Twilio feature will still be disabled in the newly created project. (Ticket #118265)
Bug fix: When using a Project Bookmark as an "Advanced Link", the API call that should return the various parameters (e.g., username, project_id) would mistakenly default to “xml” as the return format when instead it should default to “csv” if the “format” API parameter is not provided in the API request.

Version 12.0.1 (released on 2021-11-23)

CHANGES IN THIS VERSION:

Major bug fix: When using Twilio SMS or Voice Call functionality on a survey, field labels or section headers might mistakenly not get included in the SMS message or Voice Call message unless one or more languages have been defined and are active on the Multi-Language Management page.
Bug fix: When using Twilio SMS or Voice Call functionality on a survey, the choices for some multiple choice fields would mistakenly not appear in the correct translated language when one or more languages have been defined and are active on the Multi-Language Management page.
Bug fix: When using Twilio SMS or Voice Call functionality on a survey, the survey instructions and completion text might mistakenly not appear in the correct translated language when one or more languages have been defined and are active on the Multi-Language Management page.
Bug fix: Some rare adaptive PROMIS instruments that contain checkbox or textbox field types (e.g., PROMIS Sexual Function v2 Brief Profile (Female)) would crash in certain instances and prevent the participant from completing the survey whenever a participant attempts to answer a checkbox or textbox field on the survey page.

Version 12.0.0 (released on 2021-11-22)

CHANGES IN THIS VERSION:

New feature: Multi-Language Management
- Summary: Users can create and configure multiple display languages for their projects for surveys, data entry forms, alerts, survey invitations, etc. Users can design data collection instruments and have them be displayed in any language that they have defined and translated so that their survey participants or data entry persons can view the text in their preferred language. This eliminates the need to create multiple instruments or projects to handle multiple languages. NOTE: The MLM feature will not auto-translate text, but provides tools so that users may easily translate them themselves.
- Usage: When entering data on a data entry form or survey, users and participants will be able to choose their language from a drop-down list or buttons on the page to easily switch to their preferred language for the text displayed on the page. This feature allows users to translate all text related to the data entry process, both for surveys and for data entry forms. Even various survey settings and email text can be translated. For users on data entry forms, if a language is selected, that selection is stored in the user’s user account settings internally (in the REDCap backend database), whereas a survey participant’s selected language will be stored in a cookie in their web browser as a way to remember their language preference if they return in the future (and also to maintain their selected language from page to page). The language can be pre-selected for a participant, if desired, using the “Language preference field” setting on the MLM page in the project or via the @LANGUAGE-FORCE action tags (seen below).
- User Rights: Users must have Project Design/Setup privileges in a project in order to see the link to the Multi-Language Management page on the left-hand menu.
- System-level Configuration: The MLM feature can be completely disabled at the system level, if desired, via the MLM page in the Control Center (on the Settings tab). On this page in the Control Center, admins can optionally seed any User Interface (i.e., stock language) translations for the entire REDCap installation, in which users could import any activated User Interface translations into their project. This will only import the User Interface elements (since those are universal to each project), but it can be a big time saver to prevent the user from having to translate those common elements in their project. These can be imported via the Create New Language process in a project (or via the Edit Language setting also).
- Note: The MLM feature works seamlessly with SMS messages sent via Twilio. Additionally, the MLM feature works with the e-Consent Framework, in which the archived PDF of the participant’s consent form will be stored in the File Repository in the same language in which the participant took the survey.
- Note: When a project is in production, the MLM page and all translations can only be modified when the project is in Draft Mode. So if the user desires to make edits or additions to their translations, they must first enable Draft Mode via the Online Designer, and then return to the MLM page to make translation changes while in Draft Mode. When the drafted changes are approved, their translation changes made while in Draft Mode will automatically be approved together with them.
- New Action Tags for Multi-Language Management
  1. @LANGUAGE-CURRENT-FORM - Allows you to capture the currently used language in projects where multilingual data is enabled on data entry forms. The @LANGUAGE-CURRENT-FORM action tag can be used on fields of type ‘Text Box’ (no validation), and 'Drop-down List’, or ‘Radio Buttons’ (these need to have choices whose codes correspond to the IDs of the defined languages - e.g., ‘en’). This action tag is only active on data entry forms and will always, when possible, set the field’s value to the currently active language.
  2. @LANGUAGE-CURRENT-SURVEY - Same as @LANUGAGE-CURRENT-FORM, but works only on survey pages. For multi-page surveys, @LANGUAGE-CURRENT-SURVEY needs to be used on a field of each page where capture of the language is relevant (e.g. for performing branching).
  3. @LANGUAGE-FORCE - When used on a field, the data entry form or survey on which the field is located will be rendered in the specified language (which must have been set up using the Multi-Language Management feature). The format must follow the pattern @LANGUAGE-FORCE="???", in which the ID of the desired language should be inside single or double quotes - e.g., @LANGUAGE-FORCE="de". Piping is supported - e.g., @LANGUAGE-FORCE="[field_name]". When the language is forced successfully (i.e., it exists and is active), the language selector is hidden. Using this together with @LANGUAGE-CURRENT-FORM/SURVEY on the source field for @LANGUAGE-FORCE may be used to ‘lock in’ a user to their selected language.
  4. @LANGUAGE-FORCE-FORM - Same as @LANGUAGE-FORCE, but the effect is limited to data entry forms (i.e. this does not affect surveys).
  5. @LANGUAGE-FORCE-SURVEY - Same as @LANGUAGE-FORCE, but the effect is limited to surveys (i.e. this does not affect data entry forms).
  6. @LANGUAGE-SET - When used on a Drop-down or Radio Button field only, this action tag will allow the field’s value to control the currently shown language (in the same way as switching the language via the buttons at the top of the page). Tip: When used in a survey, this field could be prepopulated (and thus auto-selected) by embedding a participant’s language ID in the survey URL itself (for details, see the FAQ’s “How to pre-fill survey questions” section).
- Thanks to Günther Rezniczek for all his work to help us build the new Multi-Language Management feature.
New feature: Form Display Logic
- Form Display Logic is an advanced feature that provides a way to use conditional logic to disable specific data entry forms that are displayed on the Record Status Dashboard, Record Home Page, or the form list on the left-hand menu. You might think of it as 'form-level branching logic’. Form Display Logic can be very useful if you wish to prevent users from entering data on a specific form or event until certain conditions have been met. The forms will still be displayed on the page, but they will be disabled in order to prevent users from accessing them. Below you may define as many conditions as you want. A form may be selected in multiple conditions, but if so, please note that the form will be enabled if at least one of the conditions is met. The Form Display Logic does not impact data imports but only operates in the data entry user interface to enable/disable forms. Additionally, Form Display Logic is not utilized by the Survey Queue at all but can affect the behavior of the Survey Auto-Continue feature if the checkbox for it is enabled in the setup dialog. The Form Display Logic setup can be found by clicking the “Form Display Logic” button at the top of the instrument list in the Online Designer.
- This feature serves as the official integration of the Form Render Skip Logic external module created by Philip Chase and his team. Thanks to them for their work on this module. Note: When upgrading REDCap to v12.0.0 or higher, if the Form Render Skip Logic is installed and is being used by any projects, all the configuration settings for the module will automatically be translated into the new Form Display Logic settings format, after which the external module will be disabled for each project and also for the entire system (since it will no longer be needed). This all happens automatically during the upgrade.
New feature: Design Checker for the Clinical Data Mart (CDM) - The “Data Mart Design Checker” is a new tool available in the Data Mart fetch page that will report any issue related to the design of the current Data Mart project. Based on the most recent Data Mart XML template available in REDCap, the tool will check, list, and fix any of these issues: missing forms, variables, revisions, or section headers, the lack/presence of repeatability in a form, variables included in the wrong form, etc. An administrator or a user with Project Setup/Design privileges can use the tool to review and automatically fix all reported issues. This tool will mainly be utilized when users have modified the structure of an existing Data Mart project or if new forms and data types have been added to the Data Mart feature itself since the users initially created their Data Mart project.
Improvement: Errors displayed in the Survey Invitation Log when sending SMS or Voice Calls via Twilio will now display the full error message returned by Twilio’s API to provide the user with more information regarding why the SMS/Voice Call failed to send successfully.
Major bug fix: When a field is embedded on a multi-page survey, in which the embedded field’s parent field is used in branching logic on a later page, the embedded field’s value might mistakenly get erased when a later survey page is submitted if the embedded field is set as a Required field. (Ticket #117620)
Bug fix: The cron job that sends email notifications for REDCap Messenger might mistakenly send multiple emails repeatedly to users. (Ticket #97084b)
Bug fix: The x-axis of a [scatter-plot] Smart Chart would mistakenly not display in the correct sorted fashion. (Ticket #117202b)
Bug fix: Clicking the “Today” or “Now” button for a date or datetime field, respectively, would mistakenly add the green highlighted background to the field if that field is embedded. Embedded fields should never get highlighted as green like regular fields do. (Ticket #105242)
Bug fix: When using the “Copy multiple fields” feature in the Online Designer, on some occasions the process might mistakenly fail for some fields selected and would display them on the page as fields with empty variable names. (Ticket #117339)
Change: The text for the “Example code” link at the bottom of the API Playground was modified for clarity. (Ticket #117797)
Bug fix: When using specific PHP versions, the Clinical Data Pull (CDP) service might mistakenly throw a fatal PHP error when attempting to fetch data from the EHR. (Ticket #117953)
Change: When drafted changes are auto-approved in a production project, the “Changes Were Made Automatically” dialog now provides extra text reminding the user that if any new instruments were just added, by default no users in the project have access to any newly created instruments. Thus they might need to grant users access to the new instruments.
Bug fix: When creating a new project or copying an existing one, the users that are initially granted access to the project would mistakenly not get logged as having been added to the project on the project logging page, thus making it very difficult for an auditor to determine exactly when and by whom the initial users had been given access.
Bug fix: A fatal PHP error would occur that prevented an administrator from creating a Data Mart project on behalf of a user. (Ticket #117929)
Bug fix: When using the Data Resolution Workflow in a project, the Resolve Issues page would mistakenly display data queries for fields that exist on instruments to which the user does not have data viewing privileges. (Ticket #118026)
Bug fix: If a value is piped into a Descriptive Text field which is itself embedded in another field, then in some specific instances the Descriptive Text field’s label would mistakenly not get embedded but only the piped value would get embedded. (Ticket #117925)

Version 11.4.4 (released on 2021-11-12)

CHANGES IN THIS VERSION:

Improvement: New parameter “repeat_instance” was added to the API method “Export PDF file of Data Collection Instruments” to allow users to export a PDF of an instrument for a specific repeating instance of a repeating instrument/event. (Ticket #117182)
Change/improvement: When a survey participant partially completes a survey that has the Save & Return Later feature enabled, and an email is then sent to the participant to remind them to finish their survey later, instead of sending that email from the system-level “Email Address of REDCap Administrator” (as in previous versions), the “From” email address of the “Survey partially completed” email will be set to the sender’s address from the most recent survey invitation received by the participant. This will create more consistency and will reduce confusion for participants when attempting to reply back to the email, as has been a problem in the past.
Bug fix: For certain server configurations, the REDCap cron job might mistakenly crash due to a floating point precision issue when creating a timestamp. This occurrence is fairly rare. (Ticket #117186)
Bug fix: The x-axis of a [scatter-plot] Smart Chart would mistakenly not display in the correct sorted fashion. (Ticket #117202)
Bug fix: If a user has many conversations (e.g., hundreds or more) listed in their REDCap Messenger window, every page of REDCap would load slowly for them, even if Messenger is closed when the page loads.
Bug fix: If the setting “Allow survey respondents to view aggregate survey results?” has been disabled at the system level in the Control Center, then a user entering a URL into the “Redirect to a URL” option on the Survey Settings page in a project would cause an unrelated error message to mistakenly appear and would prevent the user from adding/modifying the “Redirect to a URL” option. (Ticket #117399)
Bug fix: If a calculation, branching logic, or conditional logic contains exponents in which the base number’s value is negative, it might mistakenly not return any value at all - e.g., ([number1])^(1/3) where the value of “number1” is "-8". (Ticket #117456)
Bug fix: In calculations or branching logic, the special function isinteger() would mistakenly only return True if the value came from an integer- or number-validated Textbox field. (Ticket #117447)
Bug fix: When saving some custom text for the settings “Custom text to display at top of Project Home page in project” or “Custom text to display at top of all Data Entry pages in project” on the “Edit A Project’s Settings” page in the Control Center, it would mistakenly display a lot of extra line breaks on the project page where the custom text would be rendered. (Ticket #117403)
Bug fix: Upgraded the JavaScript libraries Backbone.js and Underscore to their latest version since they were both outdated. (Ticket #117462)
Bug fix: When using Azure AD authentication, the logout process in REDCap would mistakenly not take the user to the Azure AD logout page, thus not actually logging out the user fully. (Ticket #117166)
Bug fix: When initializing a project in the REDCap Mobile App in which the project contains an SQL field, if the query for the SQL returns only one column (rather than two columns), the drop-down would mistakenly not display correctly on the data entry form in the REDCap Mobile App. (Ticket #107409b)
Change: The explanation text for the “Re-evaluate Automated Invitations” process was modified to improve clarity with regard to how the re-evaluation process works. (Ticket #116807)
Bug fix: When performing the Import Records API method with the data format set as “csv” in which the data being imported was obtained from a data export via the user interface (not via the API) in CSV Raw format, the API would return a field validation error message or might save the imported value with an extra space prepended to it if the original value that was exported for that field began with a specific CSV Injection character, such as -, @, +, or =. The data import API process now removes the extra space character at the beginning of the value when this specific scenario is detected in order to preserve the original value of the field. (Ticket #117546)

Version 11.4.3 (released on 2021-11-05)

CHANGES IN THIS VERSION:

Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in various places.
Change/improvement: A button to open the Codebook page as a floating popup window was added inside the Logic Editor popup to allow users to easily find and reference fields they want to use in their logic while in the editor.
Improvement/change: The underlying business logic of REDCap’s cron job processing methods have been changed so that long-running cron jobs will not block other jobs from running at their scheduled time.
Bug fix: Typo in “SFTP/WebDAV-only settings”
Bug fix: Fixed issues with regard to users adding a secondary/tertiary email address on their Profile page. (Ticket #116375)
Bug fix: When viewing the Survey Queue page when it is displaying repeating surveys for a record, if some instances of the repeating survey are missing or were deleted, it would mistakenly display them in the queue with a “Begin Survey” button next to them. It should instead only display a button to create a new instance after the last current instance for the survey. (Ticket #116534)
Bug fix: Some files that were uploaded to a REDCap Messenger conversation might mistakenly not download correctly and might appear corrupt when opened after being downloaded.
Bug fix: If a project is in production and collecting data via surveys, and then it is moved to Draft Mode, after which a user downloads an Instrument Zip file in the Online Designer for one of the project’s survey and then re-uploads the same Instrument Zip file, all existing survey responses would get disconnected from the original survey, thus losing all their survey completion timestamps and changing all the survey links for the existing records in the project. Bug emerged in REDCap 11.2.0. (Ticket #116940)
Bug fix: PHP compatibility issue with PHP 8 on the Online Designer might cause the page to crash with a fatal error. (Ticket #117020)
Bug fix: When creating a new conversation in REDCap Messenger, it would mistakenly fail to open the new conversation in the user interface immediately after being created.
Bug fix: When using the Data Resolution Workflow and entering data on a data entry form, the floating button that says “Save and then open data resolution pop-up” would mistakenly be displayed next to every embedded field inside a block of embedded fields when the cursor is placed in the field, even when the embedded field does not have a data query opened for it. The button should only appear next to fields that have an open query. (Ticket #116987)
Bug fix: Smart Charts (e.g. bar-chart, pie-chart, donut-chart) that display multiple choice labels that contain multibyte characters, in which the labels are 13 or more characters in length, might have those multibyte characters mistakenly get garbled and thus not appear correctly in the chart. (Ticket #117103)

Version 11.4.2 (released on 2021-10-29)

CHANGES IN THIS VERSION:

Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in various places.
Minor security fix: To improve the overall security of the application, the SameSite attribute of all cookies created by REDCap now has a value of “Lax”, whereas in previous versions it was set to “None”.
Minor security fix: To prevent a Session Fixation attack, session IDs are now regenerated upon every successful login by a user.
New feature: A new Cron History table was added to the bottom of the Cron Jobs page in the Control Center to allow administrators to have more visibility regarding when certain cron jobs are run and for how long, including cron jobs for external modules. The table includes a date field to easily adjust the window of time by date.
Improvement: If using Amazon S3 or Azure Blob Storage for the system-level File Storage Method, the same file storage method may also be used for the following system-level settings: 1) ‘File Upload’ field enhancement: Password verification & automatic external file storage, 2) Record-level Locking Enhancement: PDF confirmation & automatic external file storage, and 3) e-Consent Framework: PDF External Storage Settings (for all projects). These three settings will each utilize a different bucket/container than the system-level file storage method where all other REDCap files are stored (as a means of keeping them separate from the other files). These settings are often utilized for compliance with 21 CFR Part 11 and similar regulations. The addition of the S3/Azure options will be helpful when already running REDCap on AWS/Azure. The bucket/container where the files will be stored for these three options may be set for each near the bottom of the Modules/Services Configuration page in the Control Center.
Bug fix: The optional settings for the Protected Email Mode feature would mistakenly not get copied to a new project when using the Copy Project page. Additionally, those settings would also not get added to a Project XML file if the project were exported and then re-created in REDCap via Project XML.
Bug fix: When instruments are added from the REDCap Shared Library to a production project in Draft Mode, after the changes have been approved, all users would mistakenly have full “View/Edit” Data Viewing privileges to the new instrument. By default, users should initially have “No Access (Hidden)” privileges to newly added instruments.
Change: The email that users receive from an administrator that has just approved their production changes now reminds them that the default Data Viewing Rights for any newly added instruments will be 'No Access (Hidden)'.
Bug fix: When an administrator processes and commits a user’s draft mode changes for their production project, the “Project Changes were Approved” email confirmation sent back to the user would mistakenly have its From address as the admin’s email when it should instead be the general "Email Address of REDCap Administrator". (Ticket #116368)
Bug fix: When calling the “Export Records” API method with parameters type=eav and format=csv, the API might mistakenly output survey fields incorrectly if exportSurveyFields=true in the API request. Additionally, it might mistakenly output the “redcap_event_name” and “redcap_repeat_instance” CSV columns in certain cases when those columns are not relevant and should not be output. (Ticket #115862)
Bug fix: Fixed a compatibility issue for logged IP addresses in some server environments in which some load balancers/proxies/WAFs would unexpectedly add the port number to the HTTP_X_FORWARDED_FOR header that ultimately gets used as the client’s IP address. (Ticket #116486)
Bug fix: The Online Designer might mistakenly display a comma after some action tags listed in pink below a given field that has action tags.
Bug fix: The page on a survey that is displayed after a participant has clicked the “Save & Return Later” button would display text and contents that mistakenly did not completely conform to the survey theme of the current survey. (Ticket #116613)
Bug fix: Using the “:record-name” parameter in the [stats-table] Smart Variable would mistakenly not limit the descriptive stats displayed in the table to the currently viewed record but would instead display the stats for all records in the project. (Ticket #116546)
Bug fix: Using the @IF action tag on a field in which @IF is nested more than twice would mistakenly cause it not to get parsed correctly and thus might cause the wrong action tags to be implemented for the field. (Ticket #116535)

Version 11.4.1 (released on 2021-10-22)

CHANGES IN THIS VERSION:

New feature: Auto-adjudication for Clinical Data Pull (CDP) projects - As an extension of the existing “Instant Adjudication” feature for CDP projects, any projects with Instant Adjudication enabled can optionally enable the Auto-adjudication feature on the CDP Setup page in a project. Once enabled, if any records in the project have data that has already been pulled from the EHR and are awaiting adjudication, they will be adjudicated automatically by a cron job process that checks every 5 minutes. This allows the data to follow into the project automatically and prevents the need for a user to manually adjudicate data or to click the Instant Adjudicate button. Similar to the Instant Adjudication setting, only users with CDP Setup/Mapping privileges can enable the Auto-adjudication setting.
New feature: Admins can set or change a user’s sponsor on the “View User List By Criteria” tab on the Browser Users page in the Control Center. An administrator can click the “Set or change user’s sponsor” button on the page and then select another user in the system to become their new sponsor. This feature works for any users that currently have a sponsor or that do not have a sponsor.
Improvement: “Google Cloud Storage using API Service Account” as new file storage option - To store REDCap’s edoc files via Google Cloud Storage, this option can be selected in the File Upload Settings page in the Control Center. An additional option exists to organize files by REDCap project ID when storing them in Google Cloud. (Thanks to Andy Martin and his team for this contribution.)
Improvement: New CDIS setting - Admins now have the option to use the CA bundle from REDCap or the verification provided by the webserver for HTTPS connections.
Improvement: New option for Protected Email Mode - Users may now upload a custom logo that they wish to be displayed on the webpage and in emails utilizing the Protected Email Mode. This feature is supplementary to the existing custom text option for Protected Email Mode. This option is located in the Protected Email Mode section of the Additional Customizations popup on the Project Setup page.
Minor security fix: When displaying a fatal PHP error to REDCap administrators, the full file path of the PHP file is no longer exposed and output on the page, but instead it only outputs the local path from the REDCap webroot in the PHP error message. This prevents inadvertently exposing some of the file/folder structure of the web server.
Bug fix: The “Returning?” popup that appears near the top right of a survey page would display text and contents that mistakenly did not conform to the survey theme of the current survey. (Ticket #115314)
Bug fix: Fixed issue with database issue detection script regarding a key for the redcap_user_roles table. (Ticket #115587)
Fixed typo in @IF documentation
Bug fix: Some explanatory text not displayed for the “Allow normal users to edit their primary email address on their Profile page” setting on the User Settings page.
Bug fix: The @IF action tag might not work correctly when the currently viewed record has not been saved/created yet.
Bug fix: The @IF action tag might not work correctly when the True or False part of the IF has two single or double quotes. (Ticket #115731)
Bug fix: The smart variable [line-chart] might mistakenly display plain text data on the x-axis if a Textbox or Notesbox field is used as the x-axis field. (Ticket #115818)
Bug fix: In some very specific cases when using PHP 8, the upgrade module might mistakenly not load due to a fatal PHP error. (Ticket #115680)
Change/improvement: The HTML tags “video” and “source” can now be used in user-defined labels throughout REDCap. (Ticket #16057)
Bug fix: Returning ‘false’ from the redcap_email hook method in an external module would mistakenly not prevent emails from being sent.
Change: When viewing an individual email on the Email Logging page, it now logs the record name, event_id, and instrument name (when applicable) in the redcap_log_view database table.
Bug fix: When a repeating instrument has data entered on multiple repeating instances, and then afterward the instrument is made to no longer be repeatable, the Data History popup would mistakenly display the history for all repeating instances for that field (including the ones that have now been orphaned), rather than for only the first instance. (Ticket #115308b)
Bug fix: The jSignature JavaScript library used for “signature” field types was mistakenly reverted to an earlier version of the library that was sometimes not compatible with a stylus. (Ticket #115607)
Bug fix: When using the Twilio telephony services in a project and utilizing the “Designate a phone number field” setting, in certain situations it might fail to display the record name of the participant in the Survey Invitation Log. (Ticket #115206)
Bug fix: When appending the Smart Variable [current-instance] to a field variable in branching logic or a calculation on an instrument that is not a repeating instrument and not on a repeating event in the current context, it might mistakenly not evaluate the branching logic/calculation correctly on the data entry form or survey page. (Ticket #115585)
Bug fix: When viewing a survey via a private/unique survey link (i.e., not via a public survey link), in which the survey is set to “offline” and has field variables piped into its custom offline message, it would mistakenly not pipe the data successfully in the offline message. (Ticket #116092)
Bug fix: When exporting a PDF of an instrument containing data, if a drop-down or radio field in the PDF has a choice coded as “0” in which the field’s saved value is not currently "0", the resulting PDF might mistakenly show both the “0” choice and the saved choice as being selected. This appears to only occur in certain versions of PHP 7. (Ticket #115505)
Bug fix: When the enhanced checkbox option has been enabled on a survey in which a checkbox on the survey utilizes the @NONEOFTHEABOVE action tag, if the checkbox is embedded in another field on the page, the enhanced buttons would mistakenly not behave/display correctly for the checkbox when selecting the “None of the Above” choice or if another option is clicked while the “None of the Above” choice is already selected. Note: This does not affect the data being saved correctly for the checkbox but affects only the displaying of the enhanced buttons; thus it could be confusing for the survey participant. (Ticket #115891)
Bug fix: When using the [survey-link] or [survey-url] Smart Variables in a project in which a literal instance number is appended to it (e.g., [survey-link:my_survey][2]), it might mistakenly return the link/URL of the first instance instead of the correct repeating instance.
Bug fix: When using a Smart Chart, Smart Table, or Smart Function that has a unique report name appended to it, anytime a REDCap page would display the output of the chart/table/function, it would mistakenly log an individual “Data export” event on the Logging page for every chart/table/function having a unique report name.

Version 11.4.0 (released on 2021-10-11)

CHANGES IN THIS VERSION:

New action tag: @IF - Allows various action tags to be set based on conditional logic provided inside an @IF() function - e.g., @IF(CONDITION, ACTION TAGS if condition is TRUE, ACTION TAGS if condition is FALSE). Simply provide a condition using normal logic syntax (similar to branching logic), and it will implement one set of action tags or another based on whether that condition is true or false. For example, you can have @IF([yes_no] = ‘1’, @HIDDEN, @HIDE-CHOICE=’3’ @READ-ONLY), in which it will implement @HIDDEN if the ‘yes_no’ field’s value is ‘1’, otherwise, it will implement the two action tags @HIDE-CHOICE=’3’ and @READ-ONLY. If you wish not to output any action tags for a certain condition, set it with a pair of apostrophes/quotes as a placeholder - e.g., @IF([my_radio]=’1’, @READONLY, ‘’). You may have multiple instances of @IF for a single field. You may also have multiple nested instances of @IF() inside each other. Both field variables and Smart Variables may be used inside the @IF condition. The @IF action tag is also evaluated for a given field when downloading the PDF of an instrument/survey, in case there are any PDF-specific action tags used inside of @IF(). Note: The conditional logic will be evaluated only when the survey page or data entry form initially loads; thus the action tag conditions will not be evaluated in real time as data is entered on the page.
New feature: Protected Email Mode
- Users can enable the Protected Email Mode on any project on the Project Setup via the Additional Customization dialog. This setting prevents identifying data (PHI/PII) from being sent in outgoing emails for alerts, survey invitations, and survey confirmation emails.
- If enabled, either A) all alerts, survey invitations, and survey confirmation emails or B) those whose email body is attempting to pipe data from Identifier fields will be affected, in which it will not send the full email text to the recipient but will instead send a surrogate email containing a link that leads them to a secure REDCap page to view their original email. If someone is accessing an email in the Protected Email Mode for the first time (or for the first time in the past 30 days), it will send a security code to their inbox that will allow the recipient to view any protected emails for up to 30 days on that same device. The Protected Email Mode is similar to Microsoft Outlook’s “sensitivity label” feature.
- When enabled in a project, user’s may specify custom text/HTML to display at top of the sent email and web page where the original email is viewed. This will allow users to also display logos/images pertaining to their project or institution.
- This feature can be disabled in all projects via a global setting on the Modules/Services Configuration page in the Control Center.
New feature: Email Logging page
- This is a new project page that contains a search interface to allow users with User Rights privileges to search and view ALL outgoing emails for that project (also includes searching and viewing of SMS messages if using Twilio services).
- This feature can be disabled in all projects via a global setting on the Modules/Services Configuration page in the Control Center.
- “Re-send email” feature - When viewing an individual email after performing a search on the page, a “Re-send email” button will be displayed in the dialog to allow users to re-send the email. Note: If the original email contained email attachments, the attachments will not be included in the email that is re-sent.
- Only users with User Rights privileges in the project may access the page, and additionally they must opt-in and agree to a disclaimer before being able to view the page. The following text will be presented to the user before accessing the page: “Before viewing and accessing this page, you must first agree that you understand the following important information and conditions. This page is only accessible by users having User Rights privileges in this project. The Email Logging feature allows users to search and view *all* outgoing emails related to this project, and this includes being able to view all aspects of any given email (i.e., the recipient(s), sender, subject, message body, attachment names). If you are using anonymous surveys in this project, keep in mind that viewing this page and the emails displayed therein might inadvertently cause anonymous survey responses to be identifiable/de-anonymized. Additionally, if the project is using Data Access Groups, you will be able to view the emails related to all DAGs in this project (and thus possibly any data piped into the body of those emails). If you understand and agree to these conditions, click the button below. Please note the act agreeing to this disclaimer will be documented on the project Logging page.”
Improvement: New "Banned IP Addresses’’ page in the Control Center allows administrators with "Manage User Accounts’’ privileges to add or remove IP addresses to/from the blocklist of banned IP addresses for the REDCap installation. The IP addresses listed on that page are IPv4 or IPv6 addresses that have been blocked manually using that page or have been banned automatically via the Rate Limiter feature (enabled on the General Configuration page in the Control Center).
Improvement: When using the ‘’Reason for Change’’ feature in a project, a new button is displayed underneath each “reason for change” textbox on the Data Import Tool summary page. Users can simply click the button to copy the text to all other “reason for change” textboxes on the page, thus saving lots of time of having to add text to each individually. This feature is the integration of Luke Steven’s “Copy Change Reason” external module, which will be automatically disabled at the system-level when upgrading to (or past) REDCap 11.4.0 to prevent any conflicts.
Improve: New data export option - Export blank values for gray instrument status
- All instrument complete status fields having a gray icon can be exported either as a blank value or as "0"/”Incomplete”. In previous versions, they could only be exported as “0”. By default, they are now exported with a value of “0”, but this option can be changed via a drop-down option in the “Advanced data formatting options” section of the data export dialog.
- When exporting the Project XML file with both metadata & data, the option to export gray instrument status as a blank value will be preselected by default, whereas in other data export contexts (e.g. My Reports & Exports page), the option to export them as “0” will be preselected by default.
- The API method “Export Records” has a new optional parameter “exportBlankForGrayFormStatus” that can accept a boolean (true/false) with default value = false, and it functions the same as its equivalent data export option in the user interface.
- Note: Exporting gray instrument statuses as blank values is recommended if the data will be re-imported into REDCap. For example, when users export a Project XML file for a project and then create a new project with it, all the gray instrument status icons will be preserved in the new project, whereas in previous versions they were all converted into red status icons.
Improvement: New option “Allow normal users to edit their primary email address on their Profile page” on the User Settings page in the Control Center. This setting will be enabled by default, but an admin can disable it if they wish to prevent any users from modifying their primary email address for their user account.
Improvement: The developer methods REDCap::getSurveyLink() and REDCap::getSurveyQueueLink() now have an optional parameter “project_id” that (when provided) allows one to call the method outside of that target project’s context. If project_id is not explicitly provided, then the methods must still be called within their target project’s context.
Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text on the Project Setup page.
Major bug fix: When a repeating instrument has data entered on multiple repeating instances, and then afterward the instrument is made to no longer be repeatable, then any new data entered on that data entry form for fields that already have data on other instance might mistakenly get stored in the wrong repeating instance (i.e., get orphaned in the “redcap_data” database table) and thus would fail to be seen when reloading the form again. (Ticket #115308)
Improvement/change: New LOINC codes were added for CDIS-related functionality.
Change: All CDIS-related features and functionality now utilize a centralized set of assets in the code, rather than each feature having only their own private set of assets. This change reduces the entire size of the REDCap code by half, thus saving lots of space on the REDCap web server.
Various updates and fixes for the External Module Framework, such as the following: PID parameter safety improvements, Documentation updates, Prevented unnecessary errors from the Portable UTF-8 library’s auto-redirection, Increased the setting lock timeout, and Fixed a getSafePath() case with absolute paths.
Bug fix: When a user creates a new alert, the “Email From” address is now validated on the server side to ensure it is valid and belongs to a user in the project (or belongs to an administrator, if the current user is an admin that is not a user in the project).
Bug fix: The green label “Field is embedded elsewhere on page” mistakenly doesn’t show up for SQL fields on the Online Designer (Ticket #114889).
Bug fix: For some REDCap installations, the redcap_new_record_cache database table might have an incorrect table collation.
Bug fix: When clicking any of the “All…” buttons at the top of the Data Quality page to execute multiple data quality rules, some rules might randomly return an error message by mistake. Bug emerged in REDCap 11.3.4 Standard. (Ticket #102636)
Bug fix: For surveys that have a “Size of survey text” setting set to “Large” or "Very Large", any slider fields on the survey page that display their number value to the right might mistakenly display the value textbox as too narrow in certain situations. (Ticket #114920)
Bug fix: When using the @CALCDATE action tag with certain values entered for the date/datetime field used in the calculation, it might cause the page to unexpectedly crash with a fatal PHP error when running PHP 8. (Ticket #114831)
Bug fix: The API Tokens page in the Control Center would mistakenly not display the “Last Used” timestamp for some users displayed in the tables on the page. Also, some AJAX calls that load the drop-down lists on the page might fail in certain cases. Additionally, the “Manage API tokens by Project” drop-down would mistakenly not display its full list of options when the page initially loads but only fully loads after an option is selected from it. (Ticket #114834)
Bug fix: When uploading a CSV file of Automated Survey Invitations in the Online Designer, any datetimes set for the “Send on exact date/time” setting (including reminders) might mistakenly not get saved correctly. (Ticket #115024)
Bug fix: Page-view information for plugins and external modules were mistakenly not getting stored in the redcap_log_view table and thus such information was not being displayed on the MySQL Dashboard page in the Control Center.
Bug fix: The feature that detects database structure issues might mistakenly create false negatives in specific cases where a database table’s collation isn’t correct, thus allowing the issue to go unnoticed.
Bug fix: The “Manage All Project Tokens” tab on the API page in a project might mistakenly fail to load the table of users.
Bug fix: When using [aggregate-X] Smart Functions in branching logic or calculations, an error message might mistakenly display on the page saying that errors exist if any of the [aggregate-X] functions return a blank value. (Ticket #115235)

Version 11.3.4 (released on 2021-09-23)

CHANGES IN THIS VERSION:

Improvement: When executing many data quality rules at once, the total time to finish all the rules occurs 3X faster. Instead of running only one rule at a time in a serial fashion, REDCap now executes three rules simultaneously when clicking the "All", "All except A&B", and “All custom” buttons at the top of the Data Quality page.
Improvement: SQL fields can now be used in the following Smart Charts: bar-chart, pie-chart, and donut-chart. (Ticket #107115)
Improvement: SQL fields can now be used as Live Filters in reports. (Ticket #8791)
Bug fix: When using a Text Box field with date, time, datetime, or datetime w/ seconds validation as the x-axis field for a [scatter-plot] Smart Chart, the chart would mistakenly not display the data correctly. (Ticket #107721)
Change: Added the “Microsoft Authenticator” mobile app as a two-factor authentication method that is equivalent to using the “Google Authenticator” mobile app.
Change: When viewing a report while using a mobile device, it will no longer enable the floating table headers or floating first column automatically for the report table. This was changed because the floating headers/column made it difficult to view parts of a report while on a mobile device with a small screen.
Bug fix: Slider fields that have HTML inside the slider labels might mistakenly not display correctly in a downloaded PDF of an instrument.
Bug fix: When using the @DOWNLOAD-COUNT action tag on fields displayed on a report, if the download trigger field exists on that same report, then attempting to download the file would cause a JavaScript error on the page.
Bug fix: If a field is used as a Live Filter in a report, in which some values for that field contain spaces or other characters that might get URL-encoded, it would mistakenly cause the Live Filter not to return any values in the report.
Bug fix: The real-time logic validator in the Logic Editor popup might mistakenly fail and would return a false positive saying that the logic is invalid if the logic contains certain Smart Variables, such as [record-name].
Bug fix: When using the API Playground and selecting certain drop-downs, such as the Forms drop-down list, they might mistakenly result in an error from the API. This only affects the API Playground and does not affect the API in general. (Ticket #114563)
Bug fix: When a user has been assigned to multiple Data Access Groups via the DAG Switcher, the User Rights page would mistakenly not correctly display how many DAGs to which they are assigned if the user’s username contained a capital letter when they were added to the project. (Ticket #114550)

Version 11.3.3 (released on 2021-09-17)

CHANGES IN THIS VERSION:

New API method “Rename record” and new developer method REDCap::renameRecord() allows users/developers to rename a record in a project. For multi-arm longitudinal projects where a record might exist on multiple arms, the $arm number can be specified to rename the record only on the specified arm, otherwise by default it will rename the record in all arms in which it exists.
Change: Renamed the “My Profile” page to "Profile".
Change/improvement: Added “ICD-10 Australian Modification” to the list of parsed coding systems in the Condition resource for Clinical Data Interoperability Services (both CDP and Data Mart).
Bug fix: Clicking the download link for a File Upload field that is utilized in another field’s @DOWNLOAD-COUNT action tag would mistakenly not trigger calculations or branching logic on the page.
Bug fix: When performing cross-form/cross-event calculations (via data entry forms and surveys) or auto-calculations (via data import) - including both calc fields and @CALCTEXT fields - in a longitudinal project, in some cases the calculated value would mistakenly be saved in events that currently have no data. Calculated fields should only operate and save a value in events that already contain data. (Ticket #113972)
Bug fix: When using the eConsent Framework for one or more surveys in a project, the PDF Survey Archive tab in the File Repository might mistakenly not display the “Download All” button unless at least two records exist in the project. Additionally, the drop-down filter to view “only eConsent files” would mistakenly display zero records after being selected if fewer than three records exist in the project. (Ticket #114091)
Bug fix: When using the Double Data Entry module, instead of seeing the correct colored form status icons, a user that is DDE person 1 or 2 would mistakenly see all gray status icons for instruments on the Record Status Dashboard and on the left-hand menu while viewing a record. (Ticket #114068)
Bug fix: Conditional logic used for a survey in the Survey Queue might mistakenly not evaluate correctly in specific cases, such as when using certain Smart Variables (e.g., [record-dag-name]). (Ticket #114181)
Bug fix: When using the [survey-link] or [survey-url] Smart Variables in a longitudinal project in which a literal instance number is appended to it (e.g., [event_1_arm_1][survey-link:my_survey][2]), it would mistakenly always return the link/URL of the first instance instead of the correct repeating instance.
Bug fix: When piping a datetime- or time-validated Text Box field on the same page as where the field itself is located while using the “:ampm” piping parameter, it might mistakenly pipe the value as-is instead of converting it to the AM/PM format. Additionally, it might mistakenly pipe the literal text “undefined:NaNam” if the field’s value is set as blank/null in real time while on the page. (Ticket #114247)
Bug fix: The Custom Application Links page in the Control Center might crash due to a PHP compatibility error when using PHP 8.0. This might also occur when downloading the User-DAG Assignments CSV file on the User Rights page. (Ticket #114292)
Bug fix: Downloading the User-DAG Assignments CSV file on the User Rights page might produce an incorrectly structured CSV file. (Ticket #114292)

Version 11.3.2 (released on 2021-09-10)

CHANGES IN THIS VERSION:

Improvement: The Project Revision History page now displays icons next to each production revision and snapshots, and after being clicked, will display options to compare that revision/snapshot with any other revision/snapshot in the project. (This feature represents the integration of the “Data Dictionary Revisions” external module created by Ashley Lee at BC Children’s Hospital Research Institute).
Improvement: When using the eConsent Framework in a project, the “PDF Survey Archive” tab on the File Repository page now displays a “Download all” button that will download all PDF files displayed on the page in a single zip file. Additionally, there is a record filter drop-down list and a “file type” drop-down list, which distinguishes between general “PDF Auto-Archiver” PDFs and “eConsent Framework” PDFs. Note: If a user is in a Data Access Group, they will only be able to download and filter on records in their DAG.
Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in various places.
Bug fix: Fix for PHP 8 compatibility issue when entering data on a repeating instrument in specific cases. (Ticket #113507)
Bug fix: When creating a new instrument via the Online Designer, the “Close” button in the success dialog would mistakenly say “Close2” instead. (Ticket #113587)
Bug fix: The discrepancy result for Data Quality rules A and B would mistakenly display fields that exist on instruments for which the current does not have Data Viewing Rights. (Ticket #113589)
Bug fix: If a checkbox field contains an invalid/stale value (i.e., not a currently existing choice) in the database backend, and then a Missing Data Code is saved for the field via a data entry form, both the invalid/stale value and the missing data code value will stay stored in the backend, and the data entry view mistakenly will not show that a missing data code has been saved for the field. (Ticket #113763)

Version 11.3.1 (released on 2021-09-03)

CHANGES IN THIS VERSION:

New feature: “DAG Switcher” API method - When using the DAG Switcher functionality in a project, this method allows users to move themselves in and out of a Data Access Group at will using the API just as they would do the same thing in the user interface (assuming they have been assigned to multiple DAGs on the DAG Switcher page).
Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL for the project Logging page.
Change: All cookies created on the client side (JavaScript) will now have the same “SameSite” and “Secure” attributes as cookies created on the server side (PHP). This helps improve general security.
Bug fix: When using the Clinical Data Interoperability Services, specifically the CDP Field Mapping page, some translated mappable fields might not display correctly on the page and would mistakenly be garbled.
Bug fix: If the user clicks the “Piping” or “Smart Variables” help buttons inside the “Add new alert” dialog on the Alerts & Notifications page, and then the user hits their ESC key on their keyboard, it would mistakenly close the “Add new alert” dialog (i.e., the dialog on the bottom) rather than the dialog on the top. (Ticket #112745)
Bug fix: When using the “Save a PDF of completed survey response to a File Upload field” feature, the resulting PDF that gets saved to the File Upload field would mistakenly hide (not display) any fields in the PDF containing the @HIDDEN or @HIDDEN-SURVEY action tag. In that particular PDF export, only fields with @HIDDEN-PDF should be hidden (not displayed) in the PDF. (Ticket #113197)
Bug fix: For projects with Data Access Groups, users that are not currently assigned to a DAG would mistakenly not see the DAG filter drop-down displayed on the Logging page. That drop-down should normally be displayed for users not assigned to a DAG. (Ticket #113188)
Bug fix: When using Duo as a Two Factor Authentication option, it would mistakenly initiate the Duo 2FA process before the user even selects the Duo option from the list of choices to use when logging in. (Ticket #113193)
Bug fix: When deleting an instance of a repeating event on the Record Status Dashboard, it might still cause that empty event instance to be displayed in reports and data exports. (Ticket #17859b)
Bug fix: Due to a fatal PHP error when using certain versions of PHP, attempting to upload a signature on a survey or data entry form would mistakenly fail. (Ticket #113234)
Change: Any multi-select drop-downs that are enhanced using the Select2 JavaScript library (e.g., the “Email To” field when creating/editing an alert) now display a down arrow on their right edge to better indicate that they are a clickable drop-down list.
Bug fix: Real-time piping (i.e., performed via JavaScript after the page has already loaded) might mistakenly truncate the piped text in certain cases where a “<” character is used in the piped field’s value. (Ticket #113237)
Change: The REDCap Install page now returns a notice to anyone who accesses it that the page is no longer functional or available if it detects that REDCap has already been fully installed.
Bug fix: If the File Version History feature was disabled at the system level but was still enabled for an individual project (according to the value of that setting in the redcap_projects database table), the feature might mistakenly function in some capacity in the user interface within the project but might cause issues for other features on the page. If this feature is disabled at the system level, it should by default also be disabled in all projects. (Ticket #113131)
Change: In all outgoing emails, the “font-size” attribute for the “body” tag is no longer explicitly defined in the HTML of the email. This should have little (if any) effect on the appearance of emails sent from REDCap.
Bug fix: On the Alerts & Notifications page, some alert settings might mistakenly not get saved when changed on an existing alert. (Ticket #113363)
Bug fix: When editing a user’s privileges on the User Rights page, the expiration date text box might mistakenly not display the full date because the text box is too narrow. (Ticket #113357)
Bug fix: When the Table-based authentication setting “Force users to change their password after a specified number of days” has been enabled while also using Two Factor Authentication, it might mistakenly display the “Password will expire soon” popup warning on top of the 2-step login, in which clicking the “Change my password” button might cause issues with the 2-step login process for the user. It now still displays the popup dialog, but it functions now more as an information-only warning to let users know that they need to change their password as soon as they finish the login process. (Ticket #113393)
Bug fix: When deleting a file for a Signature field or File Upload field on a data entry form or survey page, it was mistakenly deleting the file in the backend database when the user clicked the “Remove file” link when it should instead only be deleting the file after they click “Remove file” *and also* then save the page via a Save button. This fix makes it consistent with how files are saved when uploaded, in which the add/delete action is finalized only when the Save button is clicked on the page. (Ticket #113058)
Bug fix: The email test on the Configuration Check page might mistakenly fail and display a false negative for certain email server configurations despite the fact that emails are able to be sent successfully out of REDCap in all other places in the application.
Bug fix: When the “URL shortening service” setting is disabled on the Modules/Services Configuration page in the Control Center, it would still mistakenly display the option to create a custom/short URL for public reports and public project dashboards. It should not be displayed as an option in those places when disabled at the system level. (Ticket #112895)
Bug fix: When viewing the draft mode changes for a production project, any field with branching logic that is being modified might mistakenly get truncated or display incorrectly on the page if the branching logic contains "<>". (Ticket #113237b)
Bug fix: When navigating in a project on a mobile device, in which the user has been assigned to multiple Data Access Groups via the DAG Switcher, the blue toolbar at the top of the page for switching DAGs would mistakenly not be visible. (Ticket #113459)
Bug fix: In a longitudinal project, Data Quality rules A and B might mistakenly not return a discrepancy when a field is missing a value in which the field’s branching logic contains a Smart Variable and also does not have a unique event name or X-event-name prepended to all the field variables used in the rule logic. (Ticket #111474)

Version 11.3.0 (released on 2021-08-27)

CHANGES IN THIS VERSION:

New action tag: @RICHTEXT - Adds the rich text editor toolbar to a Notes field to allow users/participants to control the appearance (via styling and formatting) of the text they are entering into the field.
New API methods
- Delete User - Remove a specified user from a project.
- Export User Roles - Returns a list of user roles, including their role name, unique role name, and privileges, from a project.
- Import User Roles - Allows one to create new roles (specifying their role name and privileges) or edit the role name and privileges of existing roles.
- Delete User Role - Deletes a specified user role from a project.
- Export User-Role Assignment - Returns a list of project users and what user role to which they are assigned.
- Import User-Role Assignment - Allows one to assign, reassign, or unassign one or more users to/from a user role in a project.
New features: New drop-down options on the User Rights page to allow users to perform the tasks listed below using a CSV file in the user interface.
- Upload users and their privileges
- Download users and their privileges
- Upload user roles and their privileges
- Download user roles and their privileges
- Upload user role assignments
- Download user role assignments
New developer method: REDCap::deleteRecord() - Plugin/hook/module developers may utilize this new method to delete entire records from a project or to delete the data from a specified instrument, event, or repeating instrument/event for specific records.
Improvement: More options/parameters for the API Delete Record method - Users can now specify instrument, event, and/or repeat_instance to delete the data from a specified instrument, event, or repeating instrument/event for the records specified in the API request. In previous versions, the only option was to delete the entire record.
Change/improvement: When an administrator is reviewing a user’s submitted production changes for Draft Mode on the “Project Modification Module” page and then clicks the “Compose confirmation email” button in the blue “Administrator Actions” box, the email template displayed in the dialog now contains clearer wording to help users better understand how to respond. This helps make the production change process faster and more efficient.
Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in REDCap Messenger.
Change: If new instruments are created in a project while in production status, all users and user roles will no longer automatically get full “View & Edit” rights to that instrument for their Data Viewing Rights but instead will receive "No Access (Hidden)" rights by default for new instruments. When in development status, the instrument-level rights still defaults to “View & Edit” for new instruments. This change helps improve security when a project is in production to ensure that users do not accidentally gain access to data that they should not see if new instruments are still being added to the project. (Ticket #54096)
Change/improvement: When viewing the Record Status Dashboard in which one or more repeating instrument tables are displayed at the bottom of the page, if any of the tables were collapsed on a previous visit of the page, the page will load much faster, especially for records containing hundreds or more repeating instances.
Bug fix: Some email addresses that are entered into the value of a Text or Notes field might mistakenly not get converted into a clickable “mailto” link when viewed on a report.
Bug fix: When exporting and importing a Project XML file, the Survey Queue setting “Keep the Survey Queue hidden from participants?” (if enabled) would mistakenly not get enabled in the new project created from the XML file.
Bug fix: When calling the Export Records API method and providing the “fields” parameter, in which the parameter’s value only contains the variable names of one or more Descriptive fields in the project, it would mistakenly return data for all fields instead.
Bug fix: When using the DDP Custom feature, required parameters (i.e., user, project_id, redcap_url) were mistakenly not being sent to the custom metadata web service.
Bug fix: Fields with the @DEFAULT action tag might mistakenly not get prefilled with the default value on the page if any fields on that same instrument contain saved data and have the @CALCDATE or @CALCTEXT action tag. (Ticket #110331)
Bug fix: If the “Save & Return Later” feature is enabled for a survey in a project that also has the “Survey Login” feature enabled, if a participant clicked the “Save & Return Later” button on a public survey, it would mistakenly display information about a Return Code, which is actually not needed and is confusing because it is inaccurate.
Bug fix: If a user is requesting that an administrator generate an API token for them, it would mistakenly not log the admin’s action of generating the token. Technically, the action was being logged but was just not available on the Logging page in the project for which it was requested.
Bug fix: When using multiple action tags together on a single field, in which the action tags have values inside single quotes or double quotes (e.g., @NONEOFTHEABOVE=’1,2,3’ @HIDECHOICE=’4’), the action tags might mistakenly not get parsed correctly, thus causing them not to function correctly in some cases. (Ticket #113018)
Bug fix: When the project-level setting “Prevent branching logic from hiding fields that have values” is enabled, it might cause an error popup to appear on survey pages when a field with a value is trying to be hidden by branching logic. (Ticket #113054)

Version 11.2.6 (released on 2021-08-20)

CHANGES IN THIS VERSION:

Improvement: On the External Modules page in a project, users with appropriate privileges may now import and export the configuration settings for any module that is enabled in the project. This feature functions as a convenience by allowing users to easily migrate the configuration settings of one or more modules to another project that has the same module(s) enabled.
Improvement: If a user is not assigned to a Data Access Group in a project, the user will now see a new "[No assignment]" option in the “Displaying Data Access Group” drop-down list on the Record Status Dashboard, in which selecting that option will display only records that have not been assigned to any DAG.
Change/improvement: “Previous instrument” and “Next instrument” buttons were added at the top right of the Online Designer field-view page to allow easier navigation between instruments. (Ticket #101057)
Minor security improvement: Removed the usage of the PHP function “mt_rand” in the source code, and replaced it with the more cryptographically secure PHP function "random_int".
Bug fix: When copying a project, it mistakenly does not copy the Data Entry Trigger URL into the new project. (Ticket #112269)
Bug fix: When a project has the setting “Delete a record’s logging activity when deleting the record?” enabled on the Edit A Project’s Settings page, it would mistakenly not display the checkbox option to allow users to additionally delete a record’s logging when deleting the record itself via the Record Home Page. (Ticket #112239)
Bug fix: When downloading a CSV export of various things in REDCap (e.g., Notification Log export, Data Access Groups export), it might fail to add a BOM (Byte Order Mark) to the CSV file if the file contained UTF-8 characters. The Byte Order Mark is required to open UTF-8 encoded CSV files correctly in certain spreadsheet applications, such as Microsoft Excel. (Ticket #112239)
Bug fix: If all the discrepancies of any Data Quality rule have been excluded, it would mistakenly not display the “view” link next to the rule (even though it returns “0” results) after the rule had finished running. It is necessary to still display the “view” link so that users can click it in order to view the exclusions inside the dialog. (Ticket #112294)
Bug fix: When clicking “Cancel” inside the Logic Editor dialog, it might mistakenly revert the value of the text box being modified to the value of another text box that was previously edited via the Logic Editor while on that same page. (Ticket #101200b)
Bug fix: When exporting and then importing an instrument via the Instrument Zip file in the Online Designer, in which the instrument is enabled as a survey, it might fail to import the instrument in the zip file successfully. (Ticket #112346)
Bug fix: Any generated zip files would mistakenly fail upon creation and thus return an empty zip file when using Google Cloud Storage as the File Storage Method (as defined on the File Upload Settings page in the Control Center).
Bug fix: The developer method REDCap::getSurveyQueueLink() would mistakenly always return NULL.
Bug fix: Multiple blank rows in the table displayed on the survey queue page might mistakenly take up too much room on the page. (Ticket #110914)
Bug fix: When a survey is set to “Auto-continue to next survey” in the Survey Termination Options on the Survey Settings page while the other survey setting “Prevent survey responses from being saved if the survey ends via Stop Action?” is set to "Do NOT save the survey response…", the survey would mistakenly continue to the next survey if the participant triggered the survey to end via a Stop Action.
Bug fix: When viewing the data entry form for a survey-enabled instrument, if the Compose Survey Invitation dialog is opened on the page, then closed, and then opened again without refreshing the page, the rich text editor in the dialog would mistakenly not be initiated anymore. (Ticket #96574)
Bug fix: Custom Application Links (which are to be displayed on the left-hand project menu) were mistakenly only visible to users with User Rights privileges in the project. (Bug #112651)

Version 11.2.5 (released on 2021-08-13)

CHANGES IN THIS VERSION:

Improvement/change: Any HTML used in the value of a Text field or Notes field will no longer be escaped on a report (i.e., displayed as-is) but instead the HTML will be interpreted on the report to allow for the styling of text on the page. This means that while previous versions would have displayed the text value “Word” literally as “Word” (without quotes) on a report, it now instead displays “Word” as bolded text on a report. Note: This does not affect data exports or any pages other than reports.
Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into user-defined text. (Ticket #112003)
Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by uploading a malicious file to a File Upload field on a survey page or data entry form, and then trick someone into executing the file by providing them with a URL of specific end-point in the application in which to navigate.
Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the user-defined URL of a Project Bookmark. (Ticket #112021)
Bug fix: When clicking the “Re-evaluate Alerts” button on the Alerts & Notification in a longitudinal project in which an alert is set to be triggered when an instrument status is complete and when the specified conditional logic is true, it would cause alerts to get triggered on events where the logic is true but where the instrument status is not complete. (TiBug fix: If a malicious user knows how to manipulate some AJAX requests for REDCap Messenger, they might be able to post messages to Messenger threads to which they do not belong, including the ability to post to the General Notifications channel while not being an administrator.cket #111866)
Bug fix: Fixed typo in email-related error message. (Ticket #112126)
Bug fix: Fix for PHP 8 error message when viewing contributors of a survey response. (Ticket #112144)
Bug fix: Logic (including branching logic, conditional logic, and calculations) might not get parsed correctly and thus might return an incorrect result if Smart Variables are used in the logic and also while an element in the logic has a blank value that appears on the left side of an equals sign - e.g., [user-dag-name] = ‘vanderbilt’ (assuming [user-dag-name] is blank). (Ticket #112010)
Bug fix: When survey participants attempt to download a file belonging to a File Upload field while on a survey page, it might mistakenly display the error message "NOTICE: This file is no longer available for download". Bug emerged in the previous version of REDCap.
Bug fix: If a calculated field is utilizing a date and datetime value that are used together in the same datediff() function, if the date value happens to be today’s date, it might return an incorrect value (typically a value of “0”). (Ticket #112183)
Bug fix: When a project is not using “Default Encoding” for “Character encoding for exported files” on the Edit Project’s Settings page, calling the API Export PDF method might mistakenly return a corrupt, unopenable PDF file. (Ticket #112035)
Bug fix: The Text-To-Speech functionality on survey pages did not work on mobile devices, iOS, or in the Safari web browser in previous versions. It should now work successfully for all platforms and browsers. (Ticket #111739)
Bug fix: The Smart Variable [bar-chart] might mistakenly mislabel the groupings in a bar chart that uses color grouping using a multiple choice field if there are no records that have a value for a specific choice for the multiple choice field. For example, if a grouping field has choices "One", "Two", and "Three", in which no records in the project have “Two” selected, then the resulting bar chart might mislabel all the "Three"s as "Two".

Version 11.2.4 (released on 2021-08-06)

CHANGES IN THIS VERSION:

Bug fix: When downloading a Descriptive field attachment while on a survey page, it might mistakenly return an error message and prevent the participant from downloading the file.
Bug fix: When downloading a file for a File Upload field or an attachment for a Descriptive field, in which that file is being counted via the @DOWNLOAD-COUNT action tag on another field, the download count would not get successfully incremented for the @DOWNLOAD-COUNT field when the file is downloaded on a survey page (as opposed to on a report or data entry form).
Bug fix: When downloading a file for a File Upload field or an attachment for a Descriptive field, in which that file is being counted via the @DOWNLOAD-COUNT action tag on another field, it might mistakenly attempt to save the incremented value to a non-existent record (as seen in the logging) when the file is downloaded on a public survey that has not been saved yet (i.e., the record does not yet exist).

Version 11.2.3 (released on 2021-08-06)

CHANGES IN THIS VERSION:

New action tag: @DOWNLOAD-COUNT - The @DOWNLOAD-COUNT action tag provides a way to automatically count the number of downloads for a File Upload field or a Descriptive field attachment. It can be used on a Text field or Notes field so that its value will be incremented by ‘1’ whenever someone downloads the file for either a File Upload field or a Descriptive field attachment. The variable name of the File Upload field or Descriptive field whose downloads are to be counted should be provided inside the @DOWNLOAD-COUNT() function. For example, the Text field ‘my_download_count’ might have its action tag defined as @DOWNLOAD-COUNT(my_upload_field), in which ‘my_upload_field’ is the variable of a File Upload field. Whenever the file is downloaded on a data entry form, survey page, or report, the value of the field with this action tag will be incremented by '1’. If that field has no value or has a non-integer value, its value will be set to '1’. NOTE: The download count field must be in the same context as the File Upload field or a Descriptive field. This means that in a longitudinal project the two fields must be on the same event, and in a repeating instrument context, they must be on the same repeating instrument.
Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into a field’s value on a data entry form or survey page.
Change/improvement: The Configuration Check page now checks to ensure that the “Email Address of REDCap Administrator” on the General Configuration page has a valid email entered. Without an email entered there, some features might not work correctly.
Change: Updated setup instructions zip file for Clinical Data Interoperability Services by including a new CDIS Manual (PDF) in the zip file.
Bug fix: When a PDF of a survey response is sent in a confirmation email after completing a survey, saved via the survey setting “Save a PDF of completed survey response to a File Upload field”, or saved via the e-Consent Framework in the File Repository, it would mistakenly not store the survey version of the PDF (containing the survey title and instructions) but instead would store the data entry form version of the PDF.
Bug fix: When editing the value of the Secondary Unique Field in a longitudinal or repeating instance context, it might mistakenly log the change extra times unnecessarily. (Ticket #110740)
Bug fix: Making a call to the Import Records API method when importing zero records might cause an Out of Memory error. (Ticket #110761)
Bug fix: When using Internet Explorer 11, clicking on a slider field or matrix of fields might mistakenly cause the screen to scroll to the top of the page. (Ticket #111202)
Bug fix: When using Internet Explorer 11, trying to expand/collapse a project folder on the My Projects page would fail to work due to a JavaScript issue. (Ticket #111553)
Bug fix: The REDCap cron job named “AlertsNotificationsSender” might unexpectedly crash for PHP 8 in certain circumstances. (Ticket #110702)
Bug fix: Since Twilio limits SMS messages to 1600 characters, to prevent errors from being returned from a failed request to Twilio for very long text messages, REDCap now automatically breaks an SMS into multiple parts if it exceeds the 1600 character limit. (Ticket #110440)
Bug fix: When making API data imports without any data being imported (i.e., blank or missing value for the “data” API parameter), it might behave erratically and cause a PHP error. It now correctly returns the error message "No data was provided". (Ticket #110761)
Bug fix: After copying a user role, a text box would mistakenly appear on the User Rights page below the instruction text.
Bug fix: When exporting a PDF of an instrument with the character encoding set as Japanese (SJIS), for certain server configurations or PHP versions it might crash with a fatal PHP error. (Ticket #111593)
Bug fix: When editing a user role in a project that contains Data Access Groups, it would mistakenly display the “Assign To DAG” drop-down list in the dialog, which should not be displayed when editing roles.
Bug fix: When a project contains repeating events in which a report has filter logic to filter out specific repeating instances (e.g., [current-instance] <> “” and [current-instance] = [first-instance]), the report might mistakenly display no results or incorrect results when there is actually data to display. This does not affect repeating instruments but only repeating events. (Ticket #110896)
Change: Added clarifying text regarding the behavior of a non-active Automated Survey Invitations in the ASI dialog in the Online Designer. (Ticket #111182)
Bug fix: In a project using Twilio telephony services, any Automated Survey Invitations or manually-scheduled invitations that utilize the “Use participant’s preference” option for the Invitation Type might mistakenly append the survey link to the message of the survey invitation, even when that is not desired. It now no longer appends the survey link automatically but instead sends the invitation using only the literal text defined by the user. (Ticket #111484)
Bug fix: When a user’s account expires after the account expiration time has passed, the email sent to the user to notify them of this might be slightly incorrect and might mention user sponsors even if the user does not have a sponsor. The user sponsor related language was removed in that case.
Bug fix: The offline survey message that is defined on the Survey Settings page would mistakenly not perform any piping when being displayed on an inactive survey. (Ticket #111707)
Bug fix: Fields with the @HIDDEN-PDF action tag would mistakenly be displayed in the PDF download of the instrument when using the PDF download option "Send to printer: select ‘Save as PDF’ for Printer/Destination". (Ticket #111718)
Bug fix: If a calculated field in a longitudinal project has a cross-event calculation that contains an [X-event-name] Smart Variable, the calculation might mistakenly not get triggered when entering data on a form, survey, or via a data import.
Bug fix: When using Twilio SMS or Voice Call services on a survey that has only one field that is a Descriptive field, it would mistakenly ask the Form Status complete question at the end of the survey. (Ticket #111799)
Bug fix: When calling the surveyLink API method in which a space exists (not necessarily intentionally) at the beginning or end of the “record” parameter passed in the API request, it might cause the space(s) to mistakenly get stored in some parts of the database where the record name is stored, thus causing the Survey Login feature not to work for that particular record anymore. (Ticket #111002)

Version 11.2.2 (released on 2021-07-16)

CHANGES IN THIS VERSION:

Improvement: New piping parameter “:ampm” - When piping a time, datetime, or datetimes w/ seconds Text field, appending “:ampm” to the variable name (e.g., [visit_time:ampm]) will display the time in am/pm format (e.g., 4:45pm, 10:35am) instead of military time.
Improvement: Ability for admins to configure the required password length and password complexity for user accounts when using Table-based authentication. These settings will default to requiring a 9-character password that must contain lowercase letters, uppercase letters, and numbers (but does not require any special characters. The following new controls have been added to the “Additional Table-based Authentication Settings” section of the Security & Authentication page in the Control Center.
- Password Minimum Length - any length between 6 and 99 characters
- Password Complexity options
  1. Requires both letters and numbers
  2. Requires lowercase and uppercase letters and numbers
  3. Requires lowercase and uppercase letters with either numbers or special characters
  4. Requires lowercase and uppercase letters, numbers, and special characters
Bug fix: When making a report “public” and when viewing the report via its public link afterward, the check that ensures Identifier fields do not exist in the report would sometimes mistakenly fail to detect Identifier fields in the report.
Bug fix: After making a report "public", if the report was made to be no longer public, it would mistakenly still display the report when viewing it via the public link. Instead it should display only an error message on that page (until the report has been made public again).
Bug fix: If a public report contains the record ID field while the Custom Record Label or Secondary Unique Field is enabled in the project, REDCap would fail to prevent the report from being shown via the public link if any of the fields used in the Custom Record Label or Secondary Unique Field are Identifier fields. (Ticket #110288)
Bug fix: The "Download metadata & data (XML)" button on the Other Functionality page would fail to work correctly due to a JavaScript error.
Bug fix: When exporting a PDF of an instrument with data, any slider fields that have a custom range defined (i.e., anything other than 0-100) would mistakenly not be displayed correctly in the PDF and might appear as if the slider has a different value. (Ticket #110391)
Bug fix: When a user is assigned to a Data Access Group while using record auto-numbering in a project, if the user attempts to schedule a record via the Scheduling page, it would mistakenly not generate the new record name correctly (i.e., with the DAG ID number appended to the end) when creating the new record.
Bug fix: Download links for File Upload fields on surveys might mistakenly still be active and might allow participants to download the file if they still have the download link (e.g., clicking on the link [my_file:link] piped inside an email). The download link is correctly no longer active if the survey or project is inactive, but it would mistakenly be active if the survey response has been completed while the survey in general is still active. This has been changed so that it will now return an error message if someone follows the download link after the survey response has been completed and is no longer active anymore (i.e., no one can return to the survey response to modify it). (Ticket #110442)
Bug fix: When creating a user role in a project that contains Data Access Groups, it would mistakenly display the “Assign To DAG” drop-down list in the dialog, which should not be displayed when creating roles.
Bug fix: When assigning a user to a user role on the User Rights page while not also assigning them to a Data Access Group at the same time in the popup, it would fail to email the user even if the “Notify user via email?” checkbox is checked in the popup. (Ticket #110339)
Bug fix: Any HTML tags used in field labels and elsewhere in a project might mistakenly get stripped out when a project is exported as a Project XML file. (Ticket #110503)
Bug fix: Time-validated text fields would mistakenly not be formatted correctly in the “informat” and “format” statements in the resulting SAS syntax file when exporting data to SAS. This appears to occur only when Missing Data Codes are being utilized in the project. (Ticket #110278)

Version 11.2.1 (released on 2021-07-09)

CHANGES IN THIS VERSION:

Major bug fix: If using the AWS S3 file storage option, a fatal PHP error would occur when uploading or downloading documents, including on the Configuration Check page. (Ticket #110210)

Version 11.2.0 (released on 2021-07-09)

CHANGES IN THIS VERSION:

New feature: Ability to make reports accessible at a public link
- Summary: When editing a report, users can now set a report as “public” and can obtain a public link to the report if they have User Rights privileges in the project. When a report is public, this means that all data in the report will be fully accessible (with no authentication required) to anyone with the public link to the report.
- In order to make a report public, all the following must be true:
  - The user must have User Rights privileges in the project or be a REDCap administrator.
  - The report cannot have any Identifier fields in it.
  - The user is required to view the report during their current REDCap session.
  - The user must agree to and check off the following statements: 1) I understand that making this report “public” means that all data in the report will be fully accessible to anyone with the public link to the report, and 2) I understand that I am responsible if any private, sensitive, or identifying data in the report is exposed to persons who should not have access to such data.
- The behavior of how reports are made public can be controlled at the system level near the bottom of the User Settings page in the Control Center using the setting “Allow reports to be made 'public’?”. Admins may completely disallow reports to be made public (although admins will still have this ability to do so). But if enabled, they may choose to allow users to make reports public on their own or enable the To-Do List approval process by which an admin will need to approve their request to make a given report public (similar to the same system level approval process for Project Dashboards being made public).
- Once a report has been made public, its configuration cannot be modified while it is public (users cannot add new fields, modify filter logic, etc.). In order to modify a public report, the user will need to make it no longer public, then make their changes, and then make it public again.
New Smart Variables
- [event-id] - (longitudinal only) The event id number of the current event.
- [survey-access-code:instrument] - The Survey Access Code of the specified survey for a given record/event/instance. The format must be [survey-access-code] or [survey-access-code:instrument], in which ‘instrument’ is the unique form name of the desired instrument. This can be used simply as [survey-access-code] inside the content of a survey invitation, in which ‘instrument’ is assumed to be the current survey instrument.
- [survey-return-code:instrument] - The Survey Return Code of the specified survey for a given record/event/instance in order to allow a participant to return to a completed or partially completed survey response when using the ‘Save & Return Later’ survey feature. The format must be [survey-return-code] or [survey-return-code:instrument], in which ‘instrument’ is the unique form name of the desired instrument. This can be used simply as [survey-return-code] inside the content of a survey invitation, in which ‘instrument’ is assumed to be the current survey instrument.
- [user-role-id] - The Role ID of the user role to which the current user is assigned (blank if not assigned to any user role). This value is auto-generated for each user role. NOTE: This value is not just unique for all roles within the project but is also unique across all REDCap projects. Thus, if the project and its user roles are copied, the Role IDs of the user roles in the resulting copy will be different from the ones in the original project.
- [user-role-name] - The unique role name of the user role to which the current user is assigned (blank if not assigned to any user role). This value is auto-generated for each user role. NOTE: This value is only unique for roles within the project. Thus, if the project and its roles are copied, the new project will retain the same unique role names, which allows you to utilize the unique role names in conditional logic, calculations, branching logic, etc. that will not break when the project is copied.
- [user-role-label] - The name/label of the user role to which the current user is assigned (blank if not assigned to any user role). This value is defined by the user that creates the user role.
New Action Tag: @MAXCHOICE-SURVEY-COMPLETE - Similar to @MAXCHOICE but only counts choices on completed survey responses (does not count data entered as data entry only or on partial responses). Causes one or more specified choices to be disabled (i.e., displayed but not usable) for a checkbox, radio button, or drop-down field after a specified amount of records have been saved with that choice for completed survey responses only.
New feature: Tableau Data Export- Extract all records into Tableau via the REDCap API.
- This feature enables Tableau (v10.0+) users to connect Tableau to a REDCap project using an API token. Project data can be exported on demand and be available for use within Tableau to produce summaries and visualizations. The Other Export Option page in any given project has instructions to export project data into Tableau.
- NOTICE: It is required for a user to have an API token generated for the project in order to use this feature.
New feature: MailGun Email API Integration
- As an alternative for sending outgoing emails from REDCap (rather than using the standard settings in PHP.INI to send them natively from the web server), you may use MailGun, which is a third-party paid service that can send emails on behalf of REDCap.
- The option can be configured on the General Configuration page in the Control Center. You merely have to provide the API key and domain name for your MailGun account, and it will begin using the MailGun Web API to send *all* emails going out of REDCap.
New feature: Project-level setting “Prevent branching logic from hiding fields that have values”
- This setting can be enabled by any project user with Project Setup/Design privileges in the Additional Customizations popup on the Project Setup page.
- This setting affects both data entry forms and surveys. If it is not enabled (default), then whenever a field is to be hidden by branching logic on a data entry form, it will always ask the user if they wish to hide the field and erase its value, whereas on survey pages it will automatically erase the value of the field being hidden without displaying the confirmation prompt, which has always been the default behavior for surveys. If this setting is enabled, the branching logic behavior will change so that fields with values will not cause the ‘Erase the Value of the Field?’ confirmation prompt to ask the user if they wish to keep the value or hide the field, and instead fields with values will not be hidden by branching logic and will stay visible. Thus they will be exempt from branching logic. This will prevent data from being erased as it normally does if fields are hidden by branching logic.
- When a field should be hidden by branching logic but is not hidden because it has a value, an icon will be displayed on the field to indicate this to the user.
- This project-level setting is included in the API Export Project Info method as “bypass_branching_erase_field_prompt”. The REDCap Mobile App will soon have this same functionality, but it will only work if the REDCap server is on REDCap 11.2.0 or higher.
- The name of Data Quality rule F has been slightly changed when this setting is enabled from “Hidden fields that contain values” to “Fields that contain values that should be hidden”.
Improvements for report display and/or data exports- When creating/editing a report, the “Additional report options” section in Step 2 now contains the new options below:
- For projects that have repeating instruments and/or repeating events, the repeating fields that are automatically added (e.g., redcap_repeat_instrument and redcap_repeat_instance) can now be excluded from the report and data export. These fields are displayed by default in reports/exports.
- Users may choose to display the field label, variable name, or both (default) in the header of a report. Note: This is only used when viewing reports and thus is not applicable for exports since there already exist options for choosing raw vs label format in data exports.
- Users may choose to display the field label, raw data value, or both (default) for multiple choice fields in the data displayed in a report. Note: This is only used when viewing reports and thus is not applicable for exports since there already exist options for choosing raw vs label format in data exports.
Improvement: If the value of a Text field or Notes field contains a URL or email address, the URL or email address will be converted into clickable link and mailto link, respectively, when viewing the data in a report.
Improvement: More detailed logging descriptions on the Logging page for report-related logged events, such as mentioning the report name and report ID.
Improvement: When users download an Instrument ZIP file for a given instrument in the Online Designer, the zip file now includes all survey settings for the instrument if the instrument has been enabled as a survey, including various files (e.g., survey logo, confirmation email attachment). The downloaded Instrument ZIP can then be uploaded into any project to transfer both the fields and all the survey settings.
Improvement: In the Online Designer, the “Custom text to display at top of survey queue” now utilizes the rich text editor to make it easier to style the custom text.
Change: PHP 7.2.5 is now the new minimum PHP version that is required for running REDCap. Note: All versions of PHP 8 are currently supported.
Major bug fix: Fields embedded inside radio button and checkbox choices would fail to appear on data entry forms and survey pages. (Ticket #109836)
Bug fix: When uploading a CSV file of events on the Define My Events page for a longitudinal project that has the Scheduling module enabled, it would mistakenly not add the events in the order in which they appear in the CSV file. (Ticket #108552)
Bug fix: When clicking a table header on the My Projects page, the projects inside any collapsed Project Folders would disappear on the page until the page was reloaded. (Ticket #107547)
Bug fix: When clicking on a collapsed Project Folder on the My Projects page, it might mistakenly open multiple Project Folders. (Ticket #108579)
Bug fix: HTML styling on radio button and checkbox choices would mistakenly get removed on a survey page or data entry form.
Bug fix: Using the Smart Variable [aggregate-count] for checkboxes would mistakenly not return any value. It now returns the number of total checkboxes that have at least one checkbox option checked for the field, which is consistent with how [stats-table] behaves for checkboxes.
Bug fix: Referencing the record ID field in the Smart Variable [stats-table] would not return any values for that row in the table.
Bug fix: The cron job that sends email notifications for REDCap Messenger might mistakenly send multiple emails repeatedly to users. (Ticket #97084)
Bug fix: When importing alerts via a CSV file on the Alerts & Notifications page, the “Ensure logic is still true” setting would mistakenly not get set correctly during the upload if it was already disabled/unchecked for an existing alert and then was being enabled/checked in the CSV upload.
Bug fix: Depending on a user’s number format preference as defined on their My Profile page, certain Smart Functions (e.g., [aggregate-sum:field]) might fail to work successfully in calculations and branching logic. (Ticket #109994)
Bug fix: The survey setting “Save a PDF of completed survey response to a File Upload field” would mistakenly display Signature fields in the drop-down list when it should exclude those. (Ticket #110071)
Bug fix: The [bar-chart] Smart Variable would fail to display any data in the chart when used with a checkbox field. (Ticket #109370)
Change: Added a dark gray line above the Custom Application Links section (if used) on the project left-hand menu to help differentiate the Custom Application Links from REDCap’s built-in application page links.
Bug fix: When the Secondary Unique Field is enabled in a project in which a data import is being performed with values for that field, it would mistakenly allow duplicate values to be imported for the Secondary Unique Field if the same value exists multiple times within the data file being imported. (Ticket #109791)

Version 11.1.4 (released on 2021-06-30)

CHANGES IN THIS VERSION:

Bug fix: If a field’s value is being piped on the same data entry form or survey page where the field itself is located, if that field is being hidden by branching logic, in which the user clicks “Okay” to the “Erase value” prompt to hide the field and erase its value, the piped value seen on the page would mistakenly not get changed/reset during this process but would instead retain the previous value of the field. (Ticket #108756)
Bug fix: When viewing Report A or B, the built-in Live Filter for the Record ID field would display a list of all records in the project, which might crash the user’s browser if tens of thousands or more records exist. To prevent this, it now only displays the first ten thousand record names in the Live Filter drop-down, similar to how the Data Quality page behaves.
Bug fix: A fatal PHP error might occur on some pages related to CDP or Data Mart for certain versions of PHP. (Ticket #108971)
Various fixes and improvements for the External Module Framework
Bug fix: If the headers of a matrix of fields are displayed as floating/sticky on a data entry form or survey page, the floating headers would mistakenly disappear (at least until the user scrolls the page again) whenever branching logic gets triggered or if the “Reset” link for radio buttons are clicked. (Ticket #109434)
Bug fix: The video link for Smart Charts/Functions/Tables in the Smart Variables dialog mistakenly pointed to the Project Dashboard video.
Bug fix: When exporting data to a stats package (e.g., SAS) in which some multiple choice fields contain “<” in a choice label, the resulting syntax file might be mangled, truncated, and/or incorrect. Also, that choice label with “<” may not display correctly on the Data Dictionary Codebook page. (Ticket #109571)
Bug fix: When importing data in standard XML format via the API, some fields that have a blank value in the XML file might cause the data import to fail. (Ticket #109293)
Bug fix: When using the Scheduling module for a project that has record auto-numbering disabled, it is possible that a record could mistakenly be created twice if one user creates the record via data entry at the same time that another user creates the record via the Scheduling module. (Ticket #109287)

Version 11.1.3 (released on 2021-06-18)

CHANGES IN THIS VERSION:

Improvement: Reports A and B now have built-in Live Filters: 1) the record ID field, 2) a list of all events (if the project is longitudinal), and 3) a list of all Data Access Groups (if the project contains DAGs and the current user is not assigned to a DAG).
Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL of a specific endpoint.
New videos: Added two new videos for Project Dashboards and Smart Charts/Functions/Tables on the Training Video page, Project Dashboards page, and Smart Variable popup documentation.
Change: Small change to add clarity to the text of Step 1A when creating/editing an alert on the Alerts & Notifications page.
Bug fix: A PHP error would mistakenly occur in the redcap_connect.php file if the binlog_format setting for MySQL/MariaDB has been enabled on the General Configuration page in the Control Center. (Ticket #108667)
Bug fix: When exporting data to SAS in which the export contains some Ontology Text fields that have a dash in the raw value for some records in the export, it would prevent the data from being successfully loaded into SAS. Now when creating SAS formats for character variables in the resulting SAS syntax file, the values will be wrapped in single quotes for greater compatibility (unless all the values/options are numerical for the field).
Bug fix: Calendar events that had no time set (i.e., only had the date set) but were scheduled or attached to a record would mistakenly not be ordered by record name when displaying the events of a given day on the Calendar page. (Ticket #108688)
Bug fix: If a “bar-chart” Smart Chart utilizes multiple fields and also references a report via its unique report name, if the order of the fields defined in the Smart Chart is different than the order of the fields as they appear in the report, the bar chart would mistakenly not display correctly. (Ticket #108709)
Bug fix: When a project is in draft mode, the Online Designer would mistakenly allow users to modify the variable name of matrix fields that exist live in production (i.e., not just in draft mode), which should not be allowed because it could inadvertently cause fields to be deleted via renaming. (Ticket #108705)
Bug fix: Smart Charts and Smart Tables would mistakenly display HTML tags inside the chart/table if any HTML tags exist in the choice labels or field labels for the fields being utilized in the chart/table.
Bug fix: Smart Charts with long field labels or long choice labels might cause text to overlap on themselves or might show only the label ending and not the beginning, which is due to a limitation in the ChartJS library used to generate the charts. Such labels are now truncated to fit better in the chart by using an ellipsis in the middle of the label for optimal display.
Bug fix: When using the background fetch method for fetching EHR data via the Clinical Data Mart service, it no longer sends the user an email when the process has finished but instead sends a message via REDCap Messenger. This has been changed because it could be possible that any error messages sent inside the email might contain Medical Record Numbers. So sending the notification via Messenger is more secure.
Bug fix: When a REDCap server uses the HTTP_X_FORWARDED_FOR header for a user’s IP address, in which the IP actually contains multiple IPs delimited with commas (often because a load balancer is being utilized), it now instead just uses the first IP address in the list rather than the whole value, which was causing a blank IP address to be recorded in REDCap’s logging for users in this particular case.
Bug fix: In very specific cases where data has been imported into an instrument (but not for the form status complete field) and no user has entered data for that instrument via the data entry form or survey page yet, the form status icon might mistakenly display as a gray color instead of as red on the Record Home page or Record Status Dashboard. (Ticket #108183)
Bug fix: If using “LDAP” or “LDAP & Table-based” authentication, any user containing an apostrophe in their LDAP username would cause JavaScript issues to occur for an administrator on the Browse Users page when performing certain actions, such as changing their 2FA code expire time, suspending/unsuspending the user, or deleting the user account from the system. (Ticket #79647d)

Version 11.1.2 (released on 2021-06-11)

CHANGES IN THIS VERSION:

Improvement: New alternative PDF print option in the “Download PDF” drop-down at the top of data entry forms, in which there is a new PDF export choice: "This data entry form with saved data (send to printer: select “Save as PDF” for Printer/Destination)". This will produce a much improved browser-based print option to print/save the webpage as a PDF that serves as a suitable alternative to the existing server-side PDF rendering options, which can sometimes be very limited and inaccurate (e.g., when representing field embedding). Note: This “Print to PDF” does correctly hide fields that have the @HIDDEN-PDF action tag.
Change: Due to concerns about sending identifying information from REDCap in outgoing emails, Survey Notification emails will no longer include the Participant Identifier in the email body (if a Participant Identifier was entered in the Participant List for a given participant).
Bug fix: Smart Charts, Tables, and Functions that have a unique report name or “user-dag-name” as a parameter were mistakenly not using the impersonated user’s username and DAG when an administrator uses the “View project as user” tool, thus mistakenly utilizing all data in the project for the Smart Chart/Table/Function instead of just the data from that user’s DAG. (Ticket #108017)
Bug fix: Some FHIR metadata fields were mistakenly not being displayed in Clinical Data Pull (CDP) mapping page if using FHIR v2 (DSTU2).
Bug fix: When a user or admin is clicking the “Yes, move to production status” button in the Move To Production dialog in a development project, it would mistakenly not disable the button after being clicked, which might cause confusing pop-up messages to appear if the button was clicked again before it finished processing. (Ticket #108321)
Bug fix: When using the Data Resolution Workflow and assigning a user to a data query, the Messenger notification would mistakenly fail if the user chose to notify the other user of their assignment via Messenger. Thus they would not be notified. (Ticket #108335)
Change: When setting the 2-step login controls for a given project on the “Edit a Project’s Settings” page, it now displays a popup warning if an admin attempts to set both settings to “Yes” (because they are not compatible). (Ticket #108326)
Bug fix: When importing or deleting a file via the API Import File or Delete File methods, it would mistakenly allow users to import files even when the entire record is locked or when the record/event/instrument/instance is locked for that file upload field. (Ticket #108399)
Bug fix: When an alert has an email address set for the setting "Email to send email-failure errors", in certain situations (such as when running the “Re-evaluate Alerts” process) it would mistakenly send the email failure notification for *all* alerts in the project instead of just the ones that have an email address defined for the “Email to send email-failure errors” setting. This could result in some users receiving many more emails than expected when an alert fails to send successfully. (Ticket #85030)
Bug fix: Fields that are embedded inside other embedded fields might not fully have their data piped in the field’s label when viewed in a downloaded PDF of an instrument but might still display some field variables inside braces/curly brackets. (Ticket #108310)
Bug fix: In certain cases where a backslash (\) is used in a data value that gets piped (e.g., text that contains “p\0.0233”), it might cause the data to get piped recursively many times and mistakenly output a mangle mess of text. (Ticket #108451)
Bug fix: When selecting the Export Records method in the API Playground, if one or more values were selected for the Fields, Forms, or Records parameter, and then they were deselected to have no selections for them, the API request would return an error after clicking the Execute Request button on the page. (Ticket #108526)
Bug fix: When clicking the “Delete data for THIS FORM only” button at the bottom of a data entry form, if the record currently exists in multiple arms and the form data being deleted is the only data in the current arm for the record, it would mistakenly delete the record from the arm in addition to removing the form data (although the record would still exist in other arms). This would not cause any data loss, technically, but the user would have to recreate the record in that arm again.

Version 11.1.1 (released on 2021-06-04)

CHANGES IN THIS VERSION:

Improvement: The Easy Upgrade process should now take much less time to complete due to the implementation of a faster unzipping method used when extracting the source code files on the server from the REDCap upgrade zip file that was downloaded. (Note: This faster Easy Upgrade process may not be seen in this upgrade but in the upgrade after this one.)
Security Improvement for the External Module Framework
- Cross-site Request Forgery (CSRF) protection is now available for module pages/endpoints in framework version 8. If a module has a “framework-version” value of “8” or higher in the module’s config.json file, then a valid redcap_csrf_token parameter will now be required on all POST requests (unless manually set as exempt), but will be automatically added behind the scenes in many cases.
- NOTE: If a module is on a framework version lower than 8 (or if the framework-version is not defined in config.json), then that module does not have CSRF protection. So every module currently available in the REDCap Repo or otherwise will have to be updated in order to gain this CSRF protection feature. Thus, action is required by the module creator to add this security protection.
- Many module pages where the REDCap page headers are included will not require any changes because the redcap_csrf_token parameter will automatically be added to static forms and jQuery post() method calls. In this case, updating “framework-version” to “8” in config.json is all that is required for adding CSRF protection.
- The redcap_csrf_token POST parameter will need to be added to dynamically generated forms, jQuery ajax() calls, non-jQuery javascript requests, and POST requests on pages where the REDCap headers are not included. In those cases, the $module->getCSRFToken() method should be used to set the value of the redcap_csrf_token POST parameter. All POST requests made by module code should be tested before releasing a module update for this framework version.
- For the very small number of pages where CSRF tokens should not be required (like custom APIs), pages can be omitted from CSRF checking by adding them to config.json as follows (similar fashion to no-auth-pages). See the Configuration Example module for an example. Do NOT abuse this feature by using it in cases where you should be using CSRF tokens: { "no-csrf-pages": [ “some-page” ] }
Bug fix: When importing a file via the File Import API method in which the file exceeds the maximum allowed file size, it would return an error message that mistakenly referenced the max upload size of the server instead of the max upload size that is manually set for File Upload fields for the project, which might be a different value than the server maximum.
Bug fix: If an error popup for a calculation or branching logic appears immediately when a survey page or data entry form initially loads (due to syntax errors in the branching/calculation), the stock language in the error message itself would mistakenly say “undefined” instead of actual text. However, this would not occur if the error message was displayed later on after the page had already loaded.
Bug fix: Certain example plugins that are included in an initial installation of REDCap would mistakenly display PHP errors if they are accessed without a “pid” parameter in their URL. (Ticket #107782)
Bug fix: Fixed error that prevented data from being saved in DDP Custom projects
Bug fix: When using the “Select instruments/events” option for a custom record status dashboard, it would mistakenly not limit the dashboard to those instruments/events. (Ticket #107785)
Bug fix: The “Preview Message by Record” feature on the Alerts & Notifications page would mistakenly not work when selecting a record from the drop-down list.
Bug fix: The horizontal line on which users/participants write their signature was mistakenly not displaying in the “add signature” dialog on forms/surveys.
Bug fix: The “Export Records” and “Export Reports” API method would mistakenly use the system-level default CSV delimiter (set on the User Settings page) when performing an API CSV export in “flat” format instead of correctly outputting a comma as the default CSV delimiter whenever the “csvDelimiter” parameter has not been defined in the API request. (Ticket #108082)
Bug fix: When copying a project or creating a new project using a project template, it would mistakenly not copy over the project-level settings below (Ticket #108151):
- Delete a record’s logging activity when deleting the record?
- Auto-delete all Data Export Files in the File Repository that were created more than X days ago?
- Exempt the project from 2-step login?
- Always force 2-step login in this project for EVERY login session?
- Double Data Entry module
- Date Shifting De-Identification Option: Date Shift Range
- Enable/disable the Shared Library for this project?

Version 11.1.0 (released on 2021-05-28)

CHANGES IN THIS VERSION:

New feature: More clinical data available via FHIR R4 endpoints for CDIS - The CDIS services Clinical Data Pull and Clinical Data Mart can now utilize version 4 (called “R4”) of the FHIR web services from their local EHR system. The new R4 endpoints include the existing data that could be pulled in earlier versions as well as the following: Adverse Events, Core Characteristics (Observation), Encounters, and Immunizations. Note that “Adverse events” are only available for “research” projects where an IRB number is specified, in which the project’s IRB number corresponds to the “Study ID” value from the EHR interface for a particular study (which is often the same as the study’s IRB number).
Improvements: Other FHIR/CDIS additions
- Clinical Data Mart
  1. A new template is used for new DataMart projects when REDCap is set to use R4, including new forms for Encounters, Immunizations, Core Characteristics, Adverse Events.
  2. New option to fetch data in a background process and receive an email when completed.
  3. MRNs can be searched and fetched individually on the Clinical Data Mart page.
- Epic institutions using the “legacy” app on the Epic App Orchard will be notified on the CDIS Control Center page with info about how to upgrade to the new R4 enabled version.
- While on the CDIS Control Center page, changing the FHIR client ID will now automatically remove all existing FHIR access tokens stored in the backend. Note: This will not impact any data but will require each CDIS user to perform a standalone launch again or else launch REDCap via the CDP embedded window in the EHR interface before they can begin to pull data again from the EHR.
- The FHIR statistics in the Control Center now displays CDP instant adjudication.
New feature: Fields that are “sql” field type (Dynamic Query - SQL field) now work in the REDCap Mobile App. In previous versions, they were not functional at all in the mobile app. Now when a project is loaded into the mobile app, any “sql” fields will be converted into static drop-down fields in the app. If new choices get dynamically added to the sql field on the server afterward, the project will need to be loaded again in the mobile app to obtain those choices for the sql field. (Ticket #107409)
New feature: Import/export alerts via CSV file on Alerts & Notifications page - Users may export and import alerts to the same project or another project using a CSV file. If updating an existing alert, the unique alert ID must be included in the CSV file to identify the alert that the user wishes to modify. If the unique alert ID is left blank in the CSV file being uploaded, it is assumed that the user wishes to create a new alert.
New feature: Reorder alerts on Alerts & Notifications page - In the options menu for any given alert, a user can select an alert to be moved to another position on the Alerts & Notifications page. When this is done, it notifies the user that moving the alert will in most cases cause the alert numbers to be renumbered for many existing alerts (since they are numbered based on their order). However, their alert title and unique alert ID will not change during this process.
Improvement: If using Twilio for SMS/Voice Call verification for Two Factor Authentication, there is now a new alternative phone number field on the Security & Authentication page for providing a number only to be used for the Voice Call option for 2FA. This is useful if you are in a country where a single phone number cannot be used for both voice calls and SMS. If the new field is left blank, then the existing number will be used for both SMS and voice calls, but if this new field is utilized, its value will be used for the 2FA voice call option while the first number will only be used for the 2FA SMS option. (Ticket #99563)
Major bug fix: If a project has randomization enabled and is using strata fields, if one or more strata fields exist on a survey instrument, and the survey containing the strata field(s) is opened after the record has been randomized, the strata fields would mistakenly not be disabled/readonly on the survey page but could be edited, which can cause major issues with a randomized project. It is expected that the strata fields should be disabled/readonly (whether on the data entry form or survey page) after the record has been randomized.
Change/improvement: The To-Do List page now contains a “PID” column to display the project ID of the project for which the user request belongs.
Change: For certain processes in which administrators perform an action that causes an email to be sent to a user (e.g., creating new Table-based users, rejecting/resetting a user’s draft mode changes, and various requests from user sponsors via the Sponsor Dashboard), the email to the user would come from the admin processing the request or performing the work. Whereas many other similar tasks would send an email with the From address as the “Email Address of REDCap Administrator” value instead (which might be different from the current user). To make things more consistent now among these admin-related tasks, in all cases these emails will have their From address be the "Email Address of REDCap Administrator". (Ticket #88651)
Change/improvement: If the REDCap database connection needs to use a specific value for the MySQL/MariaDB “binlog_format” setting that is different from the value set in the MySQL configuration file, it can now be set on the General Configuration page to MIXED, STATEMENT, ROW, or “Use system default setting” (default). It is recommended to leave this with the default setting unless you absolutely know you need to change this and are intentional about it. This will provide greater compatibility with MySQL clusters, etc. (Ticket #107202b)
Change: Updates and new content for the Help & FAQ page.
Bug fix: When copying a project dashboard, the popup dialog might mistakenly display the name of the wrong dashboard.
Bug fix: When accessing an invalid link for a public project dashboard, it would mistakenly not display any error message.
Bug fix: When creating a custom link for a public project dashboard, it might mistakenly show a success message even when the custom link returns an error because it has already been taken.
Bug fix: When a project has a very large number of arms, it may prevent the Record Status Dashboard from displaying data properly, and might also prevent the background “record list cache” process from completing successfully. (Ticket #107502)
Bug fix: In server environments with PHP error reporting enabled, it would display a deprecation notice regarding the constructor of the PEAR Log class. (Ticket #55557b)
Bug fix: When unlocking an instrument using the Unlock button at the bottom of a form, any fields with the @READONLY or @READONLY-FORM action tag would mistakenly become editable. (Ticket #107549)
Bug fix: The <caption> HTML tag was mistakenly not allowed in field labels, survey instructions, and all places that display user-defined text on a webpage. (Ticket #107664)

Version 11.0.5 (released on 2021-05-24)

CHANGES IN THIS VERSION:

Major bug fix: Reverted the following change from REDCap 11.0.4 (Standard) because it cause major parts of REDCap not to work anymore for some server configurations: "REDCap now sets “SESSION binlog_format=MIXED” for every connection in MySQL to provide greater compatibility with MySQL clusters (Ticket #107202)". (Ticket #107335)
Bug fix: When a project is in Analysis/Cleanup mode, and a user wishes to set the project data to be read-only/locked, the popup dialog for doing this mistakenly has the wrong text for the dialog buttons.
Bug fix: Most of the stock language used for displaying errors for calculations and branching logic were mistakenly not abstracted and therefore were not translatable into a non-English language for a project. (Ticket #106976)
Bug fix: When using a Project XML file to create a project, it would mistakenly display an error that the record ID field could not be found in the XML file, which is not true. Bug emerged in REDCap 11.0.4.

Version 11.0.4 (released on 2021-05-21)

CHANGES IN THIS VERSION:

Change: If the setting “Allow normal users to add or modify events and arms on the Define My Events page for longitudinal projects while in production status?” on the User Settings page is set to "Yes", then in any longitudinal projects that are in production status, normal users will no longer be able to modify the name of an existing arm or event. Since renaming an event or arm can have drastic downstream consequences, such as if the unique event/arm name is used in any calculations, branching logic, report filters, or other conditional logic throughout the project, users are now prevented from renaming events and arms in this case as an extra safety net. If a user attempts to rename an event or arm, it will now display an informational message letting them know that they should contact an administrator to complete that task for them.
Bug fix: When using the Survey Queue in a longitudinal project, there are some scenarios where the queue might mistakenly not process the conditional logic correctly for a survey in the queue, thus causing it to return an empty queue or omit some surveys from being displayed in the queue. (Ticket #106801)
Bug fix: PHP 8 compatibility error when viewing some custom record status dashboards. (Ticket #107055)
Bug fix: When using the Data Resolution Workflow in which a normal user is attempting to delete a file attachment that has been uploaded to an opened data query, it would mistakenly display an error message every time. Instead it should display a message letting them know that only administrators are allowed to delete files attached to data queries. (Ticket #106984)
Bug fix: PHP 8 compatibility error when using Two Factor Authentication. (Ticket #103721)
Change: REDCap now sets “SESSION binlog_format=MIXED” for every connection in MySQL to provide greater compatibility with MySQL clusters. (Ticket #107202)
Bug fix: PHP 8 compatibility error when using the DAG Switcher. (Ticket #107209)
Bug fix: PHP 8 compatibility error that occurs in some specific cases when viewing the Record Status Dashboard. (Ticket #107225)
Bug fix: When a project contains repeating events in which a report has filter logic to filter out specific repeating instances (e.g., [current-instance] <> “” and [current-instance] = [first-instance]), the report might mistakenly display no results or incorrect results when there is actually data to display. This does not affect repeating instruments but only repeating events.
Bug fix: When a radio button field that is part of a matrix is embedded on a data entry form or survey page, the radio button’s “reset” link would mistakenly not get embedded along with its associated field. Thus there would be no way to reset a matrix radio field that is embedded. Now the “reset” link appropriately gets moved to be immediately below its associated embedded radio field.
Bug fix: To prevent Microsoft Outlook Safe Links from submitting surveys and junk data on its own, REDCap survey pages now block all POST requests that originate via the IP address range 52.147.217.*, in which it immediately returns an error message. This is in addition to a recent fix that protected surveys from Safe Links coming from another IP range (40.94.*.*).
Bug fix: When REDCap is sending a large amount of email notifications from REDCap Messenger, such as when there is a General Notification or System Notification, if the cron job process for sending the emails takes too long, it may mistakenly get run several times, resulting in users receiving the same email notification several times. (Ticket #107208)

Version 11.0.3 (released on 2021-05-14)

CHANGES IN THIS VERSION:

Major bug fix: When using an Adaptive or Auto-Scoring instrument downloaded from the REDCap Shared Library, in which that survey was set to use “Enhanced radios and checkboxes” via the Survey Settings page, the survey would not function and would not allow participants to submit their responses unless the survey was reverted to no longer using "Enhanced radios and checkboxes".
Bug fix: The Survey Link Lookup page in the Control Center would fail when using a new survey link that has a 16 character length hash. (Ticket #106907)
Bug fix: When a survey participant is taking a specific Adaptive or Auto-Scoring instrument (such as “NIH TB Hearing Handicap Age 65+”) downloaded from the REDCap Shared Library that contains an initial descriptive text field (i.e., it has no choices to choose from), the survey would not function and would not allow participants to submit their responses. Note: This only affects 3 or 4 total Adaptive or Auto-Scoring instruments in the entire REDCap Shared Library.
Bug fix: If a report contains filter logic containing around 900 or more field variables, the report might mistakenly return 0 results instead of the appropriate results. REDCap cannot parse more than 900 or so field variables in logic due to a limitation in PHP. If more than 900 field variables are used in a report’s filter logic and it causes PHP to crash, REDCap will provide a helpful error message in this case to inform the user that there is either a syntax error in the filter logic or that it is too long and needs to be shortened. (Ticket #106834)

Version 11.0.2 (released on 2021-05-14)

CHANGES IN THIS VERSION:

Change/improvement: A new database configuration check was added to the Configuration Check page that looks at the value of the optimizer_switch’s “rowid_filter” setting to make sure that it is set to OFF in the MySQL configuration file. Having that setting turned on can cause certain issues when running REDCap. (Ticket #103092)
Change/improvement: Added four new redcap_log_event database tables for new projects to improve server performance when REDCap is querying logging data for a project. Note: This will not improve performance when querying the logging records of existing projects but only applies to projects created after upgrading to v11.0.2 or higher.
Change: The alphanumeric hash that exists in all survey links has been increased in length from 10 to 16. Any new survey links created will have a 16 character length hash.
Bug fix: If a data export takes a long time and the user is away from the computer so long that the auto-logout dialog displays on the page, the auto-logout dialog would mistakenly be displayed underneath the “Exporting data” popup, thus preventing the user from seeing it and preventing the auto-logout process from occurring. (Ticket #106545)
Bug fix: When not using record auto-numbering in a project while viewing the Add/Edit Records page or Record Status Dashboard, if a record name is hand-entered in a different case than in which it was saved (e.g. “abc” vs “ABC”), it might cause issues on the Record Home page, such as not displaying Custom Labels for Repeating Instruments. (Ticket #106559)
Bug fix: When viewing a custom Record Status Dashboard in a project that has Double Data Entry enabled, the custom dashboard’s “sort by” setting (if utilized) would mistakenly not sort the dashboard’s records correctly for any user that has the DDE #1 or #2 designation. (Ticket #105030)
Bug fix: When REDCap is reporting its general stats to the consortium, it would mistakenly fail to send them in some cases where the URL ended up being more than 2000 characters long.
Bug fix: A survey theme’s background color might mistakenly not get applied to a radio/checkbox matrix on the survey page, thus displaying part of the matrix in the wrong color. Bug emerged in the previous version. (Ticket #106712)
Bug fix: If the system-level setting for setting Project Dashboards as “public” is set to "Yes, but an administrator must approve the request", that feature would not work correctly and would mistakenly allow normal users to set their dashboards as public without the approval process. (Ticket #106813)
Bug fix: If the system-level setting for setting Project Dashboards as “public” is set to "Yes, but an administrator must approve the request", if a normal user clicks the “Copy” button to copy a dashboard that has been set as public, it would mistakenly set the newly created dashboard as public also. In this situation, it should set it not to be public, and a user would need to edit the newly created dashboard and click the “Set as public” setting to put in a new request for an admin to approve this new dashboard to be public. (Ticket #106813b)
Bug fix: Clicking the “Enable color-blind accessibility” on public Project Dashboards would fail to work. (Ticket #106901)
Bug fix: The chart legend was mistakenly not being displayed for the Smart Charts scatter-plot, line-chart, and bar-chart when using a grouping field for them. (Ticket #106543)
Bug fix: The setting "Designate an email field for communications (including survey invitations and alerts)" on the Project Setup page would mistakenly be disabled and not usable unless the project has the setting “use surveys in this project?” enabled, which is not correct since the designated email setting can be used for more than just surveys.

Version 11.0.1 (released on 2021-05-07)

CHANGES IN THIS VERSION:

Improvement: The Smart Charts [pie-chart] and [donut-chart] now display the percentage value on top of each colored slice in the chart.
Improvement: On the Calendar page when viewing the “View/Edit Calendar Event” popup for a calendar event that is attached to a record, the popup now displays a “View Record Home Page” link next to the record name to allow the user to easily navigate to the record.
Major bug fix: Alerts & Notifications that are set to be sent via SMS or Voice Call would mistakenly not get sent whenever the alert is triggered. Bug emerged in REDCap 10.6.18 LTS and 11.0.0 Standard. (Ticket #106260)
Bug fix: When viewing the public URL of a project dashboard, the dashboard’s project_id would mistakenly not get passed to the redcap_every_page_before_render hook.
Bug fix: The wrong language is mistakenly used in the Smart Variable documentation for the “:no-export-link” Smart Table parameter. (Ticket #106023)
Bug fix: When using the wizard on the Project Dashboard creation page, it might mistakenly insert the unique report name for the wrong report into Step 4 when selecting an option in the report drop-down in Step 3. (Ticket #106013)
Bug fix: Smart Charts that are “bar-chart” type with the “:bar-vertical” parameter would mistakenly have the field label displayed on the Y-axis when instead it should be located on the X-axis for vertical display. (Ticket #106017)
Bug fix: On surveys that have Enhanced Radio & Checkboxes enabled, in which radio fields are embedded inside checkbox labels or checkboxes are embedded inside radio labels (or other variations of these), some of the options might mistakenly not be selected after clicking on them. (Ticket #105880)
Bug fix: When using the “:inline” piping parameter on a File Upload field that has a PDF file uploaded to it, the PDF would fail to successfully embed on the page and would mistakenly display a bunch of HTML in its place. (Ticket #105462)
Bug fix: The External Service Check for the NML Field Bank service was mistakenly missing on the Configuration Check page. (Ticket #106086)
Bug fix: When using the Designated Phone Field with the Twilio telephony services for surveys, the participant’s record ID might mistakenly not be displayed on the Survey Invitation Log in certain cases. (Ticket #49955)
Bug fix: When creating a new Table-based authentication user on the “Create single user” page in the Control Center, it is possible to create a user without entering a value for their username. That should not be allowed. (Ticket #106103)
Bug fix: Smart Charts that are “bar-chart” type and use a second field for grouping might mistakenly display the wrong counts in the chart if there exist any blank values for the grouping field, or it might mismatch the counts for the wrong grouping category in certain scenarios. (Ticket #106017)
Bug fix: When using the “Move to Production status” public survey for “Custom Surveys for Project Status Transitions” when users are not allowed to move projects to production on their own but must request an administrator do so on their behalf, if the user failed to select the radio button asking “Keep existing data or delete?” in the dialog pop-up and then they completed the public survey afterward, the “Working…” progress message would appear and never go away, thus preventing the request from being submitted correctly. (Ticket #106173)
Bug fix: When the datediff cron job is running for Alerts & Notifications that contain datediff+today/now in their conditional logic, the cron job might mistakenly take a long time to complete (or might time out) because the record list cache has not been created yet for the projects for which the cron job is processing. To prevent the cron job from taking too long and possibly timing out, it will attempt to build the record list cache in real time for each project it is processing. This may mean that initial attempts of the cron job may still take a long time, but later instances of the cron should be much faster.
Bug fix: When the datediff cron job is running for Automated Survey Invitations that contain datediff+today/now in their conditional logic, the cron job might mistakenly take a long time to complete (or might time out) because the record list cache has not been created yet for the projects for which the cron job is processing. To prevent the cron job from taking too long and possibly timing out, it will attempt to build the record list cache in real time for each project it is processing. This may mean that initial attempts of the cron job may still take a long time, but later instances of the cron should be much faster.
Change: The REDCap cron job now automatically resets a project’s record list cache if the project has had some activity in the past week and if its cache is more than 5 days old. In previous versions, it would only reset the cache if the project had some activity in the past week when its cache was more than 3 days old. This was changed because the cache is more stable in recent versions and doesn’t require being reset quite as often.
Bug fix: When using the survey setting “Time Limit for Survey Completion” in which a user clicks the clock icon for a participant in the Participant List in order to modify their Link Expiration time, clicking the “Expire it now” button in the dialog would mistakenly fail to do anything because of a JavaScript error. (Ticket #106167)
Bug fix: When a text field is embedded inside a checkbox field, clicking inside the text box mistakenly causes its parent checkbox to become unchecked. (Ticket #105001b)
Bug fix: When launching the Clinical Data Pull embedded window inside an EHR user interface, it might mistakenly say that the current web browser is not compatible.
Bug fix: In some cases, upgrading to REDCap 11.0.0 mistakenly did not load the new project template that illustrates Project Dashboards, etc. If that project template is missing, it will automatically be added when upgrading to 11.0.1. (Ticket #105976)
Bug fix: If a field is using the @CALCDATE action tag that references a field variable as the second parameter, if that second parameter field has a blank value, the @CALCDATE calculation might return an incorrect value when instead it should be returning a blank value. This only occurs on the server-side (PHP) processing of @CALCDATE when a form/survey is being saved, and does not occur with the client-side (JavaScript) version of the function. This means that while the value looks blank when viewing a data entry form or survey page, the incorrect value would be seen on reports, data exports, or wherever the @CALCDATE field is being piped. (Ticket #106243)
Bug fix: If using a survey-level designated email field, in certain cases the Participant Email displayed in the Survey Invitation Log might mistakenly be blank or might display the project-level designated email field instead. Bug emerged in REDCap 10.6.18 LTS and 11.0.0 Standard.
Bug fix: When a survey invitation is sent to a participant via a Twilio SMS message, viewing the message afterward in the Survey Invitation Log would mistakenly display extra text (e.g., "-- To begin the survey, visit…") appended to the message that did not actually get sent to the participant in the SMS message. Additionally, when viewing an SMS message in the Survey Invitation Log, it would mistakenly display any URLs in the message as clickable links instead of correctly displaying them as non-clickable URLs, which is more accurate to how they are seen by the recipient. (Ticket #104997)
Bug fix: When a project has been set up with Automated Survey Invitations and is using the Designated Email Field, the Public Survey Link page might mistakenly display the red box saying "WARNING: The designated email field does not exist on the first survey", which might not be true if a survey has been orphaned (created in the past but then later removed) in which the survey had one or more ASI’s set up for it.
Bug fix: Dots/periods have been allowed in checkbox codings since REDCap 9.9.0, but the data dictionary import process would still mistakenly display an error message saying that this is not allowed, which is not correct. (Ticket #106375)
Bug fix: When a project is using Twilio for sending survey invitations, and an Automated Survey Invitation is set to “use participant’s preference” for the invitation type/delivery method, then any participant whose delivery preference is “email” would mistakenly receive the expected email body text but with extra text appended to it (e.g. “Please take this survey. You may open the survey…”). In many cases, this means that the email body is duplicated in the email, which is not desirable. (Ticket #102953)
Bug fix: When editing a field in the Online Designer and using different background colors or text colors in tables added via the rich text editor, a survey theme’s color might mistakenly override a table row’s or table cell’s background/text color when viewing the field on a survey page. (Ticket #106340)
Change/improvement: The green highlight background color will no longer appear when a user/participant puts focus on or clicks on a field that is embedded inside another field on a data entry form or survey. From now on, it will only highlight the field with green for non-embedded fields. This should improve the user experience when many fields are embedded in the same table row on the page in which the green highlight would highlight all of them (sometimes making the entire page green), which is often not desirable.
Bug fix: For certain projects, unique report names were mistakenly not being generated for some or all reports in the project. (Ticket #106366)

Version 11.0.0 (released on 2021-04-30)

CHANGES IN THIS VERSION:

New feature: Project Dashboards
- INTRO: Project Dashboards are pages with dynamic content that can be added to a project. They can utilize special Smart Variables called Smart Functions, Smart Tables, and Smart Charts (described below) that can perform aggregate mathematical functions, display tables of descriptive statistics, and render various types of charts, respectively. User access privileges are customizable for each dashboard, and anyone with Project Design privileges can create and edit them. A Wizard is provided on the Project Dashboard creation page to help users easily construct the syntax for Smart Functions, Smart Tables, or Smart Charts, and a basic list of helpful examples is also included. Example dashboard: https://redcap.link/dash1
- Setting project dashboards as “public”
  1. If enabled at the system-level (described in detail below), any project dashboard can be enabled as “public”, which means it can be accessed at a unique URL that does not require any authentication. Making a dashboard public is useful if you wish for people to view it without having to be REDCap users or log into REDCap. Public dashboards are simply standalone pages that can be viewed by anyone with a link to them.
  2. Users can opt to create a custom/short url (via the https://redcap.link service) for any project dashboard that is enabled as “public”.
  3. System-level setting to allow/disallow public dashboards (on the User Settings page in the Control Center) - By default, normal users will be able to set any project dashboard as public. If you do not want users to do this or even know about this feature, you can completely disable it on the User Settings page. Alternatively, it can be set to “Allow public dashboards with admin approval only”. If set to allow public dashboards after approval by an admin, the admin will receive the request from the user via the To-Do List page (and via email, if the email notification setting is enabled on the To-Do List page), and after the admin approves the request, the user will receive an email regarding the response to their request.
- Setting to control data privacy on public dashboards and other public pages
  1. The User Settings page in the Control Center has a setting to define the “Minimum number of data points required to display data for any Smart Charts, Smart Tables, and Smart Functions on a *public* project dashboard, survey queue, or survey page”. By default, it is set to a value of “11”. While only aggregate data is displayed in Smart Charts, Smart Tables, and Smart Functions, if any of these utilize very few data values, it might pose a threat to an individual’s data privacy if these are being displayed on *public* dashboards and other public pages (i.e., where authentication is not used).
  2. If someone is viewing a public page that has Smart Charts, Smart Tables, and Smart Functions that utilize data that does not meet the minimum data point requirement, instead of displaying the chart/table/number on the page, it will instead display a notice saying “[INSUFFICIENT AMOUNT OF DATA FOR DISPLAY]” with a pop-up note with details about the minimum data requirements.
  3. Project-level override: While this behavior is controlled by a system-level setting, the system-level setting can be modified by an administrator via a project-level override for any given project on the “Edit A Project’s Settings” page.
  4. Note: This setting does not get used when viewing project dashboards inside a project (i.e., at a non-public URL).
- PDF export: Each project dashboard can be exported as a one-page PDF file.
- Dashboard cache: To prevent server performance degradation, each project dashboard will have its content cached (stored temporarily) automatically for up to 10 minutes at a time rather than generating its content in real time every time the dashboard is loaded. It will note at the top right corner of the dashboard page when the dashboard content was last cached. If a user is viewing the dashboard inside a project (i.e., not via a public dashboard link), they have the option at the top right to “Refresh” the dashboard at will, which will refresh/generate its content in real time. Note: The refresh option will only be displayed on the page when the dashboard content is at least 30-seconds old.
New feature: Smart Functions
- Smart Functions are aggregate mathematical functions that are utilized as Smart Variables. The following Smart Functions exist: [aggregate-min], [aggregate-max], [aggregate-mean], [aggregate-median], [aggregate-sum], [aggregate-count], [aggregate-stdev], and [aggregate-unique]. Each represents the mathematical functions minimum, maximum, mean/average, media, sum, count, standard deviation, and unique count, respectively. Each must have at least one field attached to it that follows a colon - e.g., [aggregate-mean:age]. Multiple fields may be used in each one, which will perform the function over all the data values of all the fields. By default, the functions will utilize all data values for all records in the project. To limit the data values being utilized to a subset of the total project data, see the Smart Variable documentation on how to apply filters, such as attached unique report names, DAGs, and other parameters
- Note: When using [aggregate-count:record_id], in which “record_id” in this example represents whatever the variable of the Record ID field is, it performs a special count that does not literally count the number of data values but instead returns a count of the total number of records in the project. This is a quick way to display the total record count of the project.
- Smart Functions can be used anywhere in a project where piping is allowed, and can even be used inside calculations, branching logic, and other conditional logic (report filters, alert conditions, etc.).
New feature: Smart Tables
- Smart Tables are tables displaying aggregate descriptive statistics in which the results of any or all of the following stats functions can be displayed for one or more fields: minimum, maximum, mean/average, media, sum, count, standard deviation, count of missing values, and count of unique values.
- Smart Tables are represented with the Smart Variable [stats-table], which accepts as a parameter the variable names (comma delimited) of all the fields to be displayed as separate rows in the table. There is no limit to the number of fields that can be used. For example, [stats-table:field1,field2,field3].
- By default, all available columns will be displayed in the table and are as follows: Count, Missing, Unique, Min, Max, Mean, Median, StDev, Sum. To display only a subset of the columns, you may provide any of the following designations (comma-separated) that represent a specific column in the table: count, missing, unique, min, max, mean, median, stdev, sum. For example, [stats-table:field1,field2,field3:mean,max].
- By default, each stats table will have an "Export table (CSV)" link displayed immediately below it to allow users to download the table as a CSV file. But if users wish to hide the export link, they can simply attach “:no-export-link” to the Smart Variable, which will cause the link not to be displayed. For example, [stats-table:field1,field2,field3:no-export-link].
- Smart Tables can be used anywhere in a project where piping is allowed.
New feature: Smart Charts
- Smart Charts are various aggregate plots and charts utilized as different Smart Variables. The following plots are available for use: bar charts, pie charts, donut charts, scatter plots, and line charts. These are all represented by the following Smart Variables, respectively: [bar-chart], [pie-chart], [donut-chart], [scatter-plot], and [line-chart]. These Smart Variables accept one or more field names and also other optional parameters, as described below for each.
- Bar charts - Displays a bar chart for a single multiple choice field. It can optionally perform color grouping if a second field (multiple choice only) is provided. The fields must be comma-separated. For example, [bar-chart:field,grouping-field:parameters]. Bar charts have optional parameters that can be applied to alter their appearance. By appending the parameter “:bar-stacked” when two fields are used, the bars in the chart will appear stacked on top of each other rather than side by side. By default, bar charts are displayed with their bars going horizontally, but by appending the parameter “:bar-vertical”, the orientation will be changed to display vertically instead.
- Pie charts - Displays a pie chart for a single multiple choice field. For example, [pie-chart:field:parameters].
- Donut charts - Displays a donut chart for a single multiple choice field.Note: A donut chart is essentially the same as a pie chart but with the center removed. For example, [donut-chart:field:parameters].
- Scatter plots - Displays a scatter plot of one number/date/datetime field for the x-axis and a second field (number field only) for the y-axis. (If a second field is not provided, a random value will be assigned for the y-axis.) It can optionally perform color grouping if a third field (multiple choice only) is provided. All fields must be comma-separated. For example, [scatter-plot:x-axis-field,y-axis-field,grouping-field:parameters].
- Line charts - Displays a line chart of one number/date/datetime field for the x-axis and a second field (number field only) for the y-axis. It can optionally perform color grouping if a third field (multiple choice only) is provided. All fields must be comma-separated. Note: A line chart is essentially the same as a scatter plot except with dots connected with a line. For example, [line-chart:x-axis-field,y-axis-field,grouping-field:parameters].
- Color blindness accessibility: Pie charts and donut charts have the ability for the user to enable color blindness accessibility, via a gray link displayed immediately below each chart, in which it overlays different patterns onto the colored pieces of the chart to make each color more distinct for many types of color blindness. This option to enable color blindness accessibility is stored in a secure cookie on the user’s device and will be used to remember this choice anytime a pie/donut chart is displayed on any page for any REDCap project for that REDCap server.
- The colors displayed in each chart/plot are preset and are not modifiable.
- Smart Charts can be used anywhere in a project where piping is allowed *except* for inside the body of outgoing emails.
Optional parameters for Smart Functions, Smart Tables, and Smart Charts
- There exist various optional parameters that can be used with Smart Functions, Smart Tables, and Smart Charts to either filter the data used in them (e.g., via a unique report name) or to change their appearance (e.g., bar-vertical). See the descriptions for each below, which are all documented in the Smart Variables documentation.
- :R-XXXXXXXXXX Unique Report Name - For Aggregate Functions, Charts, and Tables, filter the data being used by appending a Unique Report Name. Next to each report on the ‘My Reports & Exports’ page is its unique report name, which has 'R-' following by alphanumeric characters. By default, all Aggregate Functions, Charts, and Tables will use the values of all records in the project, but if a unique report name is appended to any of them, only data from that specific report will be used. Using a report as a surrogate to filter data is a very useful technique of performing complex filtering logic for Aggregate Functions, Charts, and Tables.
- :record-name “record-name” - For Aggregate Functions, Charts, and Tables, filter the data being used to the *current record* by using the literal value 'record-name’. Note: This parameter will only work in a context where a single record is being viewed/accessed, such as on a survey page, data entry form, etc. This parameter can be used with any of the other parameters except unique report names.
- :event-name “event-name” - For Aggregate Functions, Charts, and Tables, filter the data being used to the *current event* (longitudinal projects only) by using the literal value 'event-name’. Note: This parameter will only work in a context where a single record/event is being viewed/accessed, such as on a survey page, data entry form, etc. This parameter can be used with any of the other parameters except unique report names.
- :unique-event-names Unique Event Names - For Aggregate Functions, Charts, and Tables, filter the data being used to specific events (longitudinal projects only) by providing an event’s unique event name (found on the Define My Events page). You may use one or more unique event names (comma-separated). Note: This parameter can be used with any of the other parameters except unique report names.
- :user-dag-name “user-dag-name” - For Aggregate Functions, Charts, and Tables, filter the data being used to the records assigned to the *current user’s Data Access Group* by using the literal value 'user-dag-name’. Note: This parameter will only work in a context where an authenticated user belongs to a project and has been assigned to a DAG in the project (this excludes survey pages and public project dashboards). This parameter can be used with any of the other parameters except unique report names.
- :unique-dag-names Unique DAG Names - For Aggregate Functions, Charts, and Tables, filter the data being used to the records assigned to specific Data Access Groups by providing a DAG’s unique group name (found on the Data Access Groups page). You may use one or more unique DAG names (comma-separated). Note: This parameter can be used with any of the other parameters except unique report names.
- :bar-vertical “bar-vertical” - Display a bar chart with the bars going vertically instead of horizontally (the default) by using the literal value 'bar-vertical’. Note: This parameter can be used with any of the other parameters.
- :bar-stacked “bar-stacked” - Only for bar charts using two fields, display the bar chart with the bars stacked on top of one another for each choice. Whereas the default view is that the bars of each field are displayed side by side to show the color grouping. To enable this, use the literal value 'bar-stacked’. Note: This parameter can be used with any of the other parameters.
- :no-export-link “bar-stacked” - Only for bar charts using two fields, display the bar chart with the bars stacked on top of one another for each choice. Whereas the default view is that the bars of each field are displayed side by side to show the color grouping. To enable this, use the literal value 'bar-stacked’. Note: This parameter can be used with any of the other parameters.
NOTE: Using Smart Functions/Tables/Charts elsewhere in a project - While project dashboards are an excellent place to use Smart Functions, Smart Tables, and Smart Charts, it is important to know that Smart Functions/Tables/Charts can actually be used *almost anywhere* in a project, such as on data entry forms, on survey pages, and in report instructions (to name a few). You can use Smart Functions/Tables/Charts anywhere that piping can be used. Click the green “Smart Variables” button on the Project Setup page to learn more about them. Note: The only place that Smart Charts cannot be used is inside the body of outgoing emails.
NOTE: Smart Functions/Tables/Charts do not yet work in the REDCap Mobile App; however, it is planned that they eventually will (to a certain degree).
NOTE regarding permissions for Smart Functions/Tables/Charts:
- DAG permissions (i.e., filtering out records not assigned to the current user’s DAG) are NOT applied by default to Smart Charts/Tables/Functions but are only applied when the Smart Chart/Table/Function utilizes a unique report name as a parameter (thus mimicking the natural DAG-filtering behavior of reports themselves) OR when the Smart Chart/Table/Function utilizes the “user-dag-name” parameter. This means that if a user is assigned to a DAG and views a project dashboard with the Smart Chart [scatter-plot:weight], for example, the plot will display data for ALL records in the project and not just the user’s DAG. To limit the plot to just data in the user’s DAG, it could be changed to [scatter-plot:weight:user-dag-name] in this case.
- Smart Charts/Tables/Functions that utilize a unique report name as a parameter for data filtering purposes will still function and display normally even if the user does not have explicit access to view that specific report referenced as a parameter.
New feature: CSV Delimiter as a user-level preference - The My Profile page now has a new user preference to allow a user to set their own preferred CSV delimiter (e.g., comma, semi-colon) that will be used as the delimiter character in all CSV file downloads throughout REDCap, such as data dictionary import/export, event import/export, user rights import/export, etc. This setting is not used by data imports and exports because those already have a way to specify the CSV delimiter manually. The system-level default value for this user preference can be set on the User Settings page in the Control Center, in which all new users created afterward will have their user-level preference set with this system-level default value. To modify all existing users’ preference after upgrading (if your users would not want a comma delimiter), it will require running an “update” query in the database, such as this: UPDATE redcap_user_information SET `csv_delimiter` = ‘;’ ;
Improvement: Report “description” text now utilizes the rich text editor. Additionally, users may perform piping into a report’s description, such as project-level Smart Variables, including Smart Charts, Smart Functions, and Smart Tables.
Improvement: New option for Project Templates called “copy records”, which will copy any existing records in the template to the new project created from the template. This option can be enabled for any new or existing Project Templates.
Improvement: A new Project Template was added to illustrate new features in 11.0+. The new template is named “Project Dashboards, Smart Functions, Smart Tables, & Smart Charts”.
Change/improvement: The Logic Editor popup is now utilized when editing the “Action Tags/Field Annotation” text box in the Online Designer. (Ticket #103007)
Bug fix: When exporting data via the Export Records API method as type=eav, it would mistakenly fail to include the value of the redcap_event_name field (and would export it as blank/null) if the project is longitudinal and the exported data format is XML or JSON. Bug emerged in REDCap 10.6.16 (LTS) and 10.9.3 (Standard). (Ticket #105673)
Bug fix: When attempting to use the Easy Upgrade on an AWS Quick Start deployment of REDCap, the upgrade process may fail due to “\r” characters in the upgrade shell script. (Ticket #103939)
Bug fix: When creating a project via a Super API Token, the API call would fail due to a fatal PHP error, thus preventing the project from being created. Bug emerged in REDCap 10.6.16 (LTS) and 10.9.3 (Standard).
Bug fix: When importing data (via Data Import Tool, API, or REDCap::saveData), all records would mistakenly have spaces trimmed off the beginning and end of every value being imported. This would prevent the data from being imported as-is. It now no longer trims whitespace off of the beginning and end of data values during data imports.
Bug fix: On certain occasions, an alert that is triggered may mistakenly send an email to the “Email to send email-failure errors” recipient multiple times (instead of just once) or may send it to that recipient when it is not supposed to.
Bug fix: A field using the @CALCTEXT action tag would mistakenly return a blank value whenever it should be returning a value of 0. (Ticket #105128)
Bug fix: When using the concat() function in a @CALCTEXT field, the calculation might mistakenly fail if certain characters such as “+” are utilized inside the concat() function. (Ticket #105445)
Bug fix: When a text box field is embedded inside a checkbox field on a survey that is using Enhanced Checkbox/Radio Fields, the checkbox would be unable to be selected. (Ticket #97954)
Bug fix: When a checkbox field is embedded inside a checkbox field, it would mistakenly check the first sub-checkbox whenever checking the parent checkbox. (Ticket #97954)
Bug fix: When a radio field is embedded inside a checkbox field, several things would function incorrectly when clicking on the labels of the radio fields or their “reset” link. (Ticket #105001)

Version 10.9.4 (released on 2021-04-22)

CHANGES IN THIS VERSION:

Minor security fix: A Cross-site Scripting (XSS) vulnerability and Cross-site Request Forgery (CSRF) vulnerability were discovered where a malicious user could potentially exploit them on two specific Control Center pages.
Bug fix: When upgrading to REDCap version 10.9.2 from a version lower than 10.5.0, the REDCap Messenger system notification that announces the @SETVALUE action tag was mistakenly still referring to it by its previous name (@PREFILL).
Bug fix: The description of the @SETVALUE action tag mistakenly mentioned that it makes the field read-only, which is incorrect. (Ticket #105072)
Bug fix: When a @CALCTEXT field is used in a longitudinal project, in which its value gets set but all other fields on its instrument do not have a value saved, a red form status icon would mistakenly be displayed for its instrument on the Record Home page and Record Status Dashboard. The status icon should instead remain gray in this case even when calc fields and @CALCTEXT fields have a value. (Ticket #105061)
Bug fix: PHP 8 compatibility error in LDAP authentication code. (Ticket #105100)
Bug fix: If questions are being prepopulated on a survey using the @DEFAULT action tag, in which those fields are also being piped to other places on that same survey page, then the piping would mistakenly not occur when the survey page loads but only after one of the piped fields’ values are modified on the page. Bug emerged in REDCap 10.9.3. (Ticket #105220)
Bug fix: If a record is deleted via the Delete Record API method, and then another record is created later having the same record name, the Data History popup for a given field would mistakenly list the logged events from the previously-existing record when instead it should not. (Ticket #105144)
Bug fix: If using the :inline piping parameter for a File Upload field when uploading an image file to the field while the piping location exists on the same page, deleting the image from the File Upload field via the “Remove file” link would mistakenly not remove the inline image that is piped on the page until the page is reloaded. (Ticket #105106)
Bug fix: If submitting a public survey, and the record ID field is referenced in the equation of a calculated field located on another instrument, the calculated field’s value would mistakenly not get saved. (Ticket #105178)
Bug fix: If using Twilio telephony services for surveys, in which the “Control each participant’s invitation preference using a multiple choice field” option is enabled and references a field that exists on an instrument that is not enabled as a survey, then modifying that field’s value on a survey/form would mistakenly not change the participant’s invitation preference as reflected in the Participant List. (Ticket #104907)
Bug fix: When using Twilio telephony services in which multiple projects are using the same Twilio Account SID but have different Twilio phone numbers, some of the Twilio logs on the Twilio website might mistakenly not get erased as they should (REDCap automatically deletes all Twilio logs after each SMS or phone call for privacy purposes).
Bug fix: If a repeating survey has one repeating instance of the survey that has been locked at the instrument level, then if another repeating instance (that is not locked) of that same survey is opened, it would mistakenly display an error to the participant saying that the response has been locked, which is not true.
Bug fix: When using the Data Resolution Workflow and viewing an opened query that has not yet been assigned to a user, it would mistakenly not allow you to assign the query to a user. (Ticket #105205)

Version 10.9.3 (released on 2021-04-16)

CHANGES IN THIS VERSION:

New authentication method: Azure Active Directory OAuth2 - REDCap now includes a new authentication method to allow users to authenticate via Microsoft’s Azure AD. This will be especially useful for institutions that are deploying REDCap on the Azure cloud platform. Thanks for Neal Blackburn and Matthew Peterson at Oregon State for their collaboration to help make this new addition possible. For more info on Azure AD and how to set up a client application for REDCap authentication, see https://redcap.link/azuread.
Improvement: When viewing files in the File Repository that are archived from a data export, it now displays the data export details (as seen on the Logging page) for each export listed in the table on the “Data Export Files” tab. This provides more context regarding the contents of the data in the archived export files.
Change: The @PREFILL action tag has been renamed to @SETVALUE, which more accurately captures how it behaves. Some confusion had occurred regarding this action tag’s behavior simply because of its name. This change to the name is backward compatible so that projects already using @PREFILL will still work with its legacy counterpart (i.e., @PREFILL and @SETVALUE will work equivalently), but @SETVALUE will be the preferred name going forward. The description of the @SETVALUE action tag in the Action Tags documentation notes this name change.
Change: Any fields using the @PREFILL/@SETVALUE action tag will no longer be read-only/disabled on survey pages and data entry forms but will be editable. Some users had complained of the read-only attribute as being too restrictive and inflexible, thus preventing some valid use cases. If users wish to make the field read-only, it is recommended they simply add the @READONLY action tag as a means of maintaining the previous read-only behavior.
Change: In many places in the REDCap code where MD5 hashing is performed on non-security-related things, the MD5 function has been replaced with the SHA1 function. (Note: MD5 is never used on any security-related code in REDCap.)
Bug fix: When adding a user to a project by assigning them to a role, if the user’s username contains spaces or apostrophes, the process might break due to a JavaScript error, thus preventing the user from being added to the project and role. Bug emerged in REDCap 10.9.2.
Bug fix: When viewing a “PDF Export with data” logged event on a project’s Logging page, it might mistakenly display "(Event #)" next to the record name when the project is not longitudinal. It should only display the event for that logged event in longitudinal projects. Bug emerged in REDCap 10.9.2.
Bug fix: When generating System Notifications for REDCap Messenger during a REDCap upgrade, it was mistakenly using the PHP constant NOW instead of the MySQL function NOW() in a specific query. For that specific process, it now uses the MySQL function NOW() only when hosting REDCap on Google App Engine, otherwise it uses the PHP constant NOW, as it did in previous versions. Bug emerged in 10.9.2.
Bug fix: When a field with the @PREFILL action tag is being piped somewhere on the same page, the field would mistakenly not have its value piped successfully when the page is loaded. (Ticket #104613)
Bug fix: It was impossible to disable the “Auto logout time” setting (i.e., by setting its value to “0”) on the Security & Authentication page in the Control Center because it would prompt the admin to enter a minimum value of "3". (Ticket #104680)
Bug fix: If a File Upload field is embedded inside a checkbox choice label, in which the File Upload field has branching logic so that it is only displayed when the checkbox next to it is checked, the upload or download process for the File Upload field would mistakenly cause the checkbox to be checked/unchecked, thus causing the issue of hiding the File Upload field while trying to upload/download its file. (Ticket #104664)
Bug fix: When a user attempts to assign a new user to a DAG and user role at the same time on the User Rights page, the pop-up for selecting the DAG and role would mistakenly close immediately after selecting an item from one of the drop-downs. Bug emerged in REDCap 10.9.2 Standard. (Ticket #104655)
Bug fix: In the “Compose Survey Invitations” dialog on the Participants List page, the “Display name” drop-down (when setting the “From” address) would mistakenly be disabled and could not be used. Bug emerged in REDCap 10.9.2. (Ticket #104749)
Bug fix: When performing a data import that contains checkbox fields in which a checkbox has a Missing Data Code previously saved for it, any checkbox options being set to “1” for that field during the data import will mistakenly not remove the existing Missing Data Code from the field. Thus the field ends up with a Missing Data Code and other checked values, which should not happen. Additionally, when viewing the field on a data entry form afterward, the field would mistakenly still appear to have a Missing Data Code. (Ticket #104712)
Bug fix: When an instrument has already been enabled as a survey and it does not have the e-Consent Framework enabled, if a user then navigates to the Survey Settings page and enables the e-Consent Framework for that survey, the “Allow e-Consent responses to be edited by users?” option is mistakenly not checked by default. That option should be checked by default when enabling the e-Consent Framework. (Ticket #104869)
Change: Added a recommendation in the “Configure Twilio Settings” popup to suggest that the users consider adding a field that says, ‘I agree to be contacted by text or phone’ (or something similar) as means of them consenting participants to being contacted by text or phone.
Bug fix: When a matrix checkbox field is embedded on a survey page or data entry form, and another field has branching logic that references that embedded matrix checkbox, the branching logic would fail to work successfully when the trigger checkbox is checked/unchecked. (Ticket #104866)
Bug fix: If an administrator has set a project to be "Offline", users could inadvertently still use the API for that project, which should not be allowed. (Ticket #104931)
Bug fix: Depending on the username or the name of a Data Access Group, the "(+1)" text that signifies the amount DAG Switcher assignments might mistakenly not display next to the user’s current DAG on the User Rights page’s table of users.
Change: Slight change in an SQL query used to generate the Participant List that improves the loading performance of that page. (Ticket #95693)
Bug fix: If a user/participant adds a signature to a Signature field in which they resize the popup to make it larger while signing it, it would result in a larger image being saved that would mistakenly not always fit correctly in an exported PDF of that instrument. (Ticket #104927)
Bug fix: Data Quality rules A and B might mistakenly not display all valid discrepancies for a field if the field’s branching logic contains certain Smart Variables. (Ticket #99077)
Bug fix: When performing an API data export of CSV data in EAV data format, it would mistakenly display the CSV “event” header as “event_id” instead of "redcap_event_name".
Bug fix: When importing data via the API in EAV format (where type=eav) and using the value “new” to perform auto-numbering of the redcap_repeat_instance field, it was mistakenly not returning an error for this. This is not allowed since the “new” value for redcap_repeat_instance cannot be used when type=eav but only for type=flat. This has also been added to the API documentation to inform users of this limitation. (Ticket #104491)
Bug fix: If a user is idle on a data entry form, and the red auto-logout message appears and states that their session has ended, if they attempt to close that browser tab, it would mistakenly display the prompt asking them if they wish to leave the site. It should not display that prompt. (Ticket #104948)

Version 10.9.2 (released on 2021-04-09)

CHANGES IN THIS VERSION:

Improvement: Assign a user to a DAG at the same time as adding the user to the project - Whenever a user is being added to a project via the User Rights page, if Data Access Groups are being utilized in the project, a new option will appear (whether if adding the user with custom rights or if assigning them to a user role) that allows you to assign the user to a DAG at the same time as adding them to the project. This helps prevent a common issue where a newly added user might temporarily have access to the records of *all* DAGs in the project prior to the user being assigned to a DAG immediately after getting added to a project. By making this two-step process a single step, it avoids possible data access issues for users who need to be assigned to a DAG.
Improvement: When exporting a PDF of all record data via the “Other Export Options” page, a copy of the downloaded PDF will now be archived and stored in the File Repository, similar to how other data exports (i.e., CSV, SPSS) are archived. This will help REDCap users keep better track of exactly what data was downloaded by someone when they export a PDF of all records in the project. Note: This does not apply to other PDF exports but only to the “all records” PDF export on the “Other Export Options” page.
Improvement: The project logging page now displays more information for PDF Exports that contain data, such as displaying the record name, event, and instrument for the downloaded PDF.
Change/improvement: When using the “Upload Users (CSV)” option on the User Rights page, it now displays a checkbox option in the dialog to allow the user to optionally send an email notification to all new users being added to the project via this import process. In previous versions, no users would be notified via email if they were added to the project via the “Upload Users (CSV)” option but only if added using other methods.
Improvement: Minor performance improvement when loading the Participant List page, especially for surveys that are not repeating instruments and surveys that do not exist on repeating events.
Change/improvement: There is a new check on the Configuration Check page for Windows web servers only that checks if the REDCap Cron Job’s Scheduled Task is set to "Run a new instance in parallel". If the scheduled task is not set with that setting, then the REDCap Cron Job will not be able to run in parallel to itself, which is often needed. This check merely checks to see if the cron job has been running every minute over the past 3 days, and if there are gaps and it has not been running every minute, this implies that perhaps the Scheduled Task is not set properly to run in parallel.
Change/improvement: The User Access Dashboard now displays “Last logged activity” for each project displayed on that page.
Bug fix: If the body of an alert contains an inline image with a “src” attribute value containing “&file=” followed by an integer, there is a small possibility that an unrelated file that belongs to another REDCap project might get mistakenly attached to the alert that is sent.
Bug fix: The User Access Dashboard was mistakenly displaying projects that have been "marked as completed". Such projects are not accessible by normal users and therefore should not be visible on that page.
Bug fix: When a calc or @CALCTEXT field is used in the calculation of another calc or @CALCTEXT field, depending on the specific arrangement and order of the fields on the page, it could mistakenly cause the field to trigger itself over and over on the webpage, even when just initially loading a survey page or data entry form, in which it will use more and more web browser memory as time passes until the page crashes in the user’s browser after several seconds or minutes. (Ticket #104217)
Bug fix: When using the randomization feature and viewing any data entry form on an already-randomized record, in very specific circumstances the values of some embedded fields on the page might mistakenly not get saved successfully after being modified.
Bug fix: On multi-page surveys, a section header might mistakenly be displayed on the page even though all fields in the section are hidden. (Ticket #66721b)
Bug fix: For every webpage in REDCap, the HTML DOCTYPE declaration and the HTML tag’s “lang” attribute were mistakenly hard-coded as “EN” (English). This was causing issues with regard to browsers assuming that the webpage was always in English, which is not always true. (Ticket #104487)
Bug fix: If a user contains an apostrophe in their username and they attempt to create a new project, the process would fail due to a SQL query error. (Ticket #79647b)
Bug fix: If a user contains an apostrophe in their username and an administrator clicks the “Edit user info” button on the “Browse Users” page when viewing their account, it would mistakenly display an error message saying “User names can only contain letters, numbers, underscores, hyphens, and periods” and would not let them leave the field, thus forcing the admin to refresh the page. (Ticket #79647c)
Bug fix: When using Twilio for survey invitations, if a participant sends an SMS message to the Twilio phone number being used in a REDCap project, it might mistakenly reply back to the participant from a different Twilio phone number if the Twilio account has multiple phone numbers associated with it, in which the other number is associated with another REDCap project that is also using Twilio.
Bug fix: Several places in REDCap were mistakenly still linking to the old Language Center on the REDCap Community site instead of the newer plugin page that now serves as the current Language Library.
Bug fix: When exporting data to SAS, fields that have a number, integer, date, or datetime data type might mistakenly not have their “informat” or “format” syntax set correctly in the SAS syntax file, which could cause warnings or errors when loading the exported data into SAS. (Ticket #96569)
Bug fix: If checkboxes are embedded and they are also piped to other places on the same page, then the piping action would mistakenly not occur in real time if the checkbox’s choice label is clicked. Note: The piping would work correctly if the checkbox element itself is clicked or if the page was saved and reloaded, but it would not act in real time when clicking the label of the checkbox. (Ticket #104317)
Bug fix: The Data Access Group drop-down filter was mistakenly not being displayed at the top of the project logging page for projects that contain DAGs. (Ticket #104574)
Bug fix: If certain user-defined text (e.g., field labels, survey instructions) contain HTML character codes, there is a chance that the HTML character codes might not get parsed correctly when being sanitized for security purposes prior to being displayed on the page. This could cause them not to display correctly on the page or (worst case) cause the page to result in a PHP error if it gets stuck in an infinite loop while processing this text. (Ticket #104583)

Version 10.9.1 (released on 2021-04-02)

CHANGES IN THIS VERSION:

Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in various places in REDCap, such as in survey question text and other user places that store user input.
Improvement: Further performance gains for projects with lots of records (25K+), especially during the process of creating new records via data entry forms and via data imports, which have been known to be slow in the past for large projects.
Change/improvement: The "Phone (North America)" field validation now allows phone numbers that begin with “800” and “811”.
Bug fix: When using the survey feature “Prevent survey responses from being saved if the survey ends via Stop Action?” to prevent responses from being saved, if a one-page survey (which must be the first instrument in the project) contains a required field that is left blank when the survey is submitted, and then the survey later ends via a Stop Action, the saved data on the survey would mistakenly not get deleted when the survey ends.
Bug fix: Fixed a compatibility issue when hosting REDCap using the PHP7 version of Google App Engine.
Bug fix: If a report’s filter logic contains only Smart Variables and no real project fields (e.g., [current-instance] = [first-instance]), the report would mistakenly not return any results for fields that exist on the first instrument if the first instrument is a repeating instrument.
Bug fix: When uploading an Instrument Zip file into the Online Designer, any field variables in the Action Tag/Field Annotation text would mistakenly not get renamed (as they do for calculations and branching logic) if those variables exist on the instrument being uploaded and already exist as variables in the project. (Ticket #102968)
Bug fix: When copying an instrument via the “Choose action” drop-down in the Online Designer, if a matrix of fields has a very long matrix group name, the action might fail and return an error message. (Ticket #103564)
Bug fix: When performing a CSV data import via the Data Import Tool, if the CSV file contains a byte order mark (BOM), it can cause processing issues in certain situations, thus returning an error about not being able to find the Record ID field in the file. To remedy this, the BOM is now always removed (if it exists) before the CSV gets processed during the data import process.
Bug fix: In a longitudinal project that uses Automated Survey Invitations in which a user deletes an entire event via the Define My Events page, any already-scheduled invitations via ASIs would mistakenly remain in the Survey Invitation Log but would no longer be associated with any event (i.e., partial orphaning). This would cause the invitations to still be sent, which is not expected, and thus causes issues because those invitations no longer point to a real survey/event anymore, in which they would display a message to the recipient opening the survey link that they are not a participant for that survey. This has been fixed so that any already-scheduled invitations connected to the deleted event will also get appropriately deleted. (Ticket #103930)
Change: Increased the max execution time for cron jobs to 2 hours (was previously 1 hour) to allow for some long-running cron jobs to finish.
Bug fix: Fixed typo in field label for Twilio-related phone options for Alerts & Notifications on the “Modules/Services Configuration” page in the Control Center.
Change: Removed the “up arrow” and “down arrow” icons used to represent Field Embedding because the arrow was potentially confusing to some users, especially in the Online Designer. (Ticket #103988)
Change: If a user in a project with lots of calc fields and/or lots of records attempts to execute Data Quality rule H in which it ends with an error after running too long or running out of server memory, it will now display the “Fix calcs now” button inside the results dialog (despite the error occurring) to at least allow the user to attempt to fix the calcs little by little even though the initial evaluation process of the calcs has failed.
Bug fix: When deleting a project, due to a SQL query error, the contents of the project logging (e.g., data values that were saved, record names, other record-specific logged events) were mistakenly not being deleted from the log when the project gets officially deleted after 30 days (or if an administrator clicks the “Delete it now” option in the Control Center). (Ticket #103532)

Version 10.9.0 (released on 2021-03-26)

CHANGES IN THIS VERSION:

New feature: Field that maps to a participant’s Twilio delivery preference - When using Twilio for surveys, users can control each participant’s invitation preference automatically using a multiple choice field. If survey participants require using different methods (e.g., email, SMS w/ link, voice call survey) for receiving survey invitations and/or taking surveys, users can select a multiple choice field whose choices represent each survey invitation delivery method. After mapping the invitation preferences to a field, whenever the value of the field is added or modified, the participant’s invitation preference will automatically be changed accordingly. IMPORTANT: The multiple choice codings for the selected field must be defined exactly as delineated below, although their corresponding choice labels can be modified to be whatever text the user desires. Also be aware that if the value of the field that is mapped is set to blank/null, then the invitation preference for the participant will revert to the project’s default invitation preference (as defined in the Twilio configuration on Project Setup). Additionally, if a participant’s invitation preference is modified via the Participant List, that change will also change the value of the mapping field selected above. Mapped field choice options:
- EMAIL, Email invitation
- SMS_INVITE_WEB, SMS invitation (contains survey link)
- SMS_INITIATE, SMS invitation (take survey via SMS)
- VOICE_INITIATE, Voice call (participant receives voice call)
- SMS_INVITE_MAKE_CALL, SMS invitation (contains phone number to call)
- SMS_INVITE_RECEIVE_CALL, SMS invitation (reply via SMS to receive voice call)
New feature: Custom offline message for surveys in offline status- Users can provide custom text that is displayed to participants only when the survey is offline. This custom text will be displayed in place of the default offline text on the survey while the survey is in offline mode. This text can be set at the top of the Survey Settings page.
New feature: Survey-level Stop Action controls (new section on Survey Settings page)
- Alternative survey completion text - Users can optionally set alternative survey completion text that is displayed in place of their standard survey completion text whenever a survey is ended via a Stop Action on any field. This is useful when it doesn’t make sense for non-eligible participants to see the same survey completion text as those who completed the survey fully.
- Prevent survey responses from being saved if the survey ends via Stop Action - Users can optionally choose to prevent submitted responses from being saved as data in the project if the survey ends via Stop Action. This is useful if survey administrators do not wish to keep the data for ineligible participants, for example. This means that if a one-page public survey is started but ends via Stop Action, no data from that response will be saved into the project (i.e., no new record will be created), but it will log this event on the project Logging page (so that users are at least aware of this happening despite no data being saved).
  1. NOTE: If any data has been saved on the survey instrument for a given record prior to the Stop Action being triggered, that data will be deleted from that instrument. For example, if the survey is a multi-page survey in which data has been entered on previous pages prior to triggering the Stop Action, all data collected thus far in that survey will be deleted as if the survey was never taken. Additionally, if the record does not contain data in any other instruments, the entire record itself will be deleted during this process. If data does exist in other instruments, the record will not be deleted.
  2. PRIVACY NOTE: If the option for Data Privacy/GDPR has been enabled in the project, in which it removes the contents of the log for a record that is deleted from the project, then if an entire record is deleted via this particular survey setting via a Stop Action, then all logged data values for the record will be removed from the log as per this project’s data privacy setting.
Improvement: New project-level option for importing email addresses for patients from an EHR via REDCap’s Clinical Data Interoperability Services (CDIS) - When this option is enabled at the system level on the CDIS page in the Control Center, an administrator can then enable this option for any given project via the “Edit A Project’s Settings” page. Once enabled for a project, users will then be able to map the “email address” field in either a Clinical Data Pull or Clinical Data Mart project, thus allowing them to import patient email addresses for the EHR. This option is disabled by default.
Improvement: If a project contains more than 25,000 records, the Logging page will no longer display the record filtering drop-down at the top of the page but instead will display an auto-complete text box to allow the user to enter the record name if they wish to filter the logging by record. This behavior is similar to the “Add/Edit Records” page when not using record auto-numbering if a project contains more than 25,000 records.
Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in various places in REDCap, such as in survey question text and other user places that store user input.
Major bug fix: When using randomization in a longitudinal project in which randomization strata fields exist on a different event than the randomization field, if the values of the strata fields are added or modified during the randomization process, their values would mistakenly not get saved or logged in the correct event, thus orphaning those values. (Ticket #103189)
Major bug fix: If signature image files are being uploaded for Signature fields across multiple REDCap projects simultaneously (within milliseconds of each other), there is a small chance that one of the signature files might mistakenly get associated with a field in another project where someone was adding an image at the same moment. (Ticket #102764)
Bug fix: If a survey participant receives a survey link via email in Microsoft Outlook (in either the desktop client or web version), in which Microsoft Outlook Safe Links has been implemented and has replaced the survey link in the email body, whenever the Safe Link version of the survey link is clicked by the participant, a Microsoft service (located in the IP address range 40.94.*.*) will make a POST request to the survey page about 10-20 seconds after the participant loads it (unbeknownst to them). This service actually submits the survey as if a real person was taking the survey, including submitting values for the survey questions. This means that for public surveys it is submitting false responses like a bot, and for private/unique survey links it is actually submitting the survey for the user, in which the participant is not able to enter their own response if they wait 10-20 seconds before submitting the survey themselves because this service has already completed the survey for them. To prevent this odd behavior by Microsoft Outlook Safe Links, REDCap survey pages now block all POST requests that originate via the IP address range 40.94.*.*, in which it immediately returns an error message.
Bug fix: When record auto-numbering is enabled in a project, the process used to generate new record names is 2-5x slower than it should have been due to some inefficient structuring of SQL queries being used. This fix results in a performance improvement, especially for very active public surveys.
Bug fix: If a project’s “record list cache” is currently being built, which is done automatically via a back-end process, at the same time that new records are being created in the project, it might cause the cache not to be built for many minutes or hours (due to repeated failures while building the cache) if the project has lots of activity, all of which could cause the project to get extremely slow and might affect the performance of the overall system.
Bug fix: In certain situations, such as public surveys being taken by hundreds or thousands of participants in a very short period of time, a project’s “record list cache” (which is built automatically via a back-end process) might mistakenly get reset/reverted, which causes the record auto-numbering mechanism to mistakenly use a very slow SQL query for generating the next proposed record name. This can cause the public survey to get increasingly slow as more participants attempt to take it.
Change: The section for "e-Consent Framework: PDF External Storage Settings (for all projects)" on the File Upload Settings page in the Control Center has been moved to the Modules/Services Configuration page to be more consistent from an organizational standpoint with regard to other similar system-level features that utilize a separate SFTP or WebDAV server for securely storing files outside of REDCap.
Bug fix: If the system’s “Auto logout time” is set to a value of 2 or less, it will cause the user interface to become mostly unusable due to all the auto-logout popups being displayed immediately on every page. The minimum value for “Auto logout time” has been set to “3” on the Security & Authentication page to prevent this issue from occurring. (Ticket #102319)
Bug fix: When a survey participant is taking an Adaptive or Auto-scoring instrument from the REDCap Shared Library, if a survey question contains stem text at the beginning of the question text (e.g., “In the past 7 days”), the stem text was not being as displayed sufficiently separated from the rest of the question text. Certain validated instruments require that they be more separated.
Bug fix: When building a list of participants on the Participant List, a database query on that page was suboptimal and was causing the page to load slowly for some projects. That query has been modified to be faster.
Change: For convenience, a hyperlink to the To-Do List was added inside the blue box at the bottom of the Project Modification Module page where an administrator reviews the drafted changes before approving/rejecting them.
Bug fix: If a project contains File Upload fields but no records have any files uploaded to those fields, a user can click the ZIP icon on the Other Export Options page to download a "ZIP file of uploaded files (all records)", in which it will correctly state a notice that there are no files to download. However, if during that same session the user goes and uploads a file and returns to download the ZIP of all files again, it will mistakenly still say there is nothing to download, which is incorrect. If they log out and log back in again, this issue goes away. (Ticket #103117)
Bug fix: A SQL query was slow and inefficient when determining if the “FHIR Statistics” link should be displayed on the Control Center’s left-hand menu. This would sometimes cause all Control Center pages to load unnecessarily slowly.
Bug fix: If a user is viewing a survey response on a data entry form to which they have viewing access but do not have privileges to edit survey responses, any fields with @NOW, @TODAY, or other similar Action Tags would mistakenly have new values pre-filled for them on the page if those fields did not already have a value. This should not happen since the current user is not able to modify any values (i.e., they are not allowed to submit the form).
Bug fix: Data Quality rule H might fail to complete if the project contains a large amount (>300) calculated fields.
Bug fix: When uploading an image file to a File Upload field in which that field is piped somewhere using the “:inline” parameter, it would mistakenly not pipe the inline image successfully on the page if the image’s file extension was not all lower-case. (Ticket #103473)
Bug fix: When using Missing Data Codes in a project, if multiple fields are embedded together inside another field on a data entry form, it would cause the click event of the “M” icon not to function correctly in which the Missing Data Code popup would mistakenly fail to open for those particular fields. (Ticket #103213)

Version 10.8.5 (released on 2021-03-05)

CHANGES IN THIS VERSION:

Improvement: The upload max file size for File Upload fields and general file attachments can now be increased or decreased on a per-project basis if needing to be different from the system-level settings as defined on the “File Upload Settings” page in the Control Center. This can be changed at the bottom of the Control Center’s “Edit a Project’s Settings” page for any given project.
Minor security fix: Removed the outdated and unused JavaScript library YUI Charts.
Change/improvement: The institution name is now included in the email subject for all emails sent regarding user expiration and account suspension due to inactivity. This is done to provide greater clarity to the user regarding which REDCap installation is being referenced in the email.
Bug fix: When clicking “Cancel” inside the Logic Editor dialog, it might mistakenly revert the value of the text box being modified to the value of another text box that was previously edited via the Logic Editor while on that same page. (Ticket #101200)
Updates to various third-party PHP packages.
Bug fix: The rich text editors used for setting system-level custom text settings at the bottom of the General Configuration page in the Control Center would cause the custom text to display in its appropriate places but would mistakenly display a blank message when the custom text is blank, in which it should not display anything at all when the custom text is left blank.
Bug fix: Calculations or conditional logic containing >1000 variables might mistakenly cause PHP to crash while processing and parsing them.
Bug fix: Multi-page surveys that contain calculated fields might mistakenly take an unnecessarily long time to load each survey page due to inefficient calculation/logic processing on the server side.
Change: More tweaks to improve the style of the text displayed inside the rich text editors because they still did not quite match the general style and CSS classes of text on REDCap webpages.
Change: The language of the “Stop Action” prompt (displayed on survey pages when a Stop Action has been triggered) has been slightly modified to be more succinct and clear.
Bug fix: When adding a new Table-based user on the "Add Users (Table-based Only)" page in the Control Center, it would mistakenly allow admins to create usernames with spaces or apostrophes when not using LDAP or LDAP+Table authentication, which is the only time that spaces and apostrophes are allowed in usernames. (Ticket #101773)
Bug fix: When using the Smart Variables [survey-date-completed] and [survey-time-completed] in the Custom Record Label, they would mistakenly not have their date displayed according to the user’s preferred date format (as defined on their My Profile page) but instead would display it always in Y-M-D date format. (Ticket #102141)
Bug fix: Since calculations typically do not expect fields to have a “:value” signifier attached to field variables (because it is assumed), an error message would occur on a data entry form or survey page if any fields in branching logic, calc fields, or pseudo-calc fields (@CALCTEXT) have “:value” appended to the field variable (e.g., [race:value]). REDCap will now allow “:value” to be appended to field variables in branching logic or calcs/pseudo-calcs and will treat them as equivalent to using just the field variable. (Ticket #102149)
Bug fix: The “Check For Identifiers” page was mistakenly displaying any HTML that existed in a field label, thus making it unreadable on the page in certain instances. It now strips all HTML from the field label when displaying it.
Bug fix: When setting up the REDCap cron job on the Control Center’s “Cron Jobs” page on a Windows server, the page failed to mention the important fact that the cron job’s scheduled task needs to be set to "Run a new instance in parallel", which can be set under the Settings tab in the Windows Task Scheduler.
Bug fix: On the Browse Users page in the Control Center, the “Display User List” button on the “View User List By Criteria” would fail to load the user list table if using Internet Explorer 11. (Ticket #90646)
Bug fix: Clicking on the “Perl” tab at the bottom of the API Playground page when the “Import A File” API method has been selected would cause a fatal PHP error in PHP 8 and certain versions of PHP 7, thus causing that page to crash. (Ticket #102291)

Version 10.8.4 (released on 2021-02-26)

CHANGES IN THIS VERSION:

New feature: Export Data Quality rule results - After running a data quality rule, users may export the results/discrepancies of the rule as a CSV file. The CSV file will be structured exactly like a date export/import file, which should allow for faster and easier cleaning of data so that values can be fixed and then re-uploaded as a data import.
Improvement: The rich text editor is now utilized when editing the following system-level custom text settings on the “Edit a Project’s Settings” page in the Control Center: “Custom text to display at top of Project Home page in project” and "Custom text to display at top of all Data Entry pages in project".
Change/improvement: The custom text settings “Custom text to display at top of Project Home page in project” and “Custom text to display at top of all Data Entry pages in project” no longer default to being contained in a DIV with class="green" but can be styled with any color container (or none) using the rich text editor on the “Edit a Project’s Settings” page. Any custom text values that existed beforehand will be grandfathered in and will still be displayed with the green class, but they can be modified after the fact to remove/change it.
Change: The input element for @CALCTEXT fields was made wider on survey pages and data entry forms to be able to fit more viewable text.
Bug fix: When displaying Action Tags beneath fields in the field view in the Online Designer, the last letter of the Action Tag name would mistakenly get removed for certain Action Tags.
Bug fix: When a user is using the My Profile to reset their password while using certain versions of Internet Explorer, it might mistakenly fail to reset their password due to various JavaScript errors occurring on the page. (Ticket #100595)
Bug fix: Fixed issue with text and embedded images displayed for an item on the Help & FAQ page. (Ticket #101384)
Bug fix: Clicking on the "Past Day", "Past Week", etc. buttons near the top of the project Logging page might mistakenly add the “seconds” component of the timestamp into the time range filter fields, thus causing an error message to display on the page if the user puts their cursor inside the field and then then tabs out of the field. (Ticket #101369)
Bug fix: If the survey setting “Save a PDF of completed survey response to a File Upload field” is enabled on a survey that also has the e-Consent Framework enabled, and the File Upload field specified for the “Save a PDF” setting exists on that same survey (often hidden by @HIDDEN-SURVEY), the PDF of the completed survey response would fail to be saved to the specified File Upload field when the participant completes the survey.
Bug fix: When using an Adaptive or Auto-Scoring instrument from the REDCap Library (e.g., PROMIS, Neuro-QoL), the “reset” link next to each question’s radio buttons would mistakenly fail to reset the radio button, if selected.
Bug fix: The API Playground’s example R code for the API Import File method was not correct and has been fixed. (Ticket #101454)
Bug fix: The API Playground’s example R code for the API Export File method was not correct and has been fixed. (Ticket #101454)
Bug fix: When setting a survey’s text-to-speech value to “English (United Kingdom) Female” on the Survey Settings page, it would mistakenly fail to save that setting correctly, thus preventing it from working as expected on the survey. (Ticket #101419)
Bug fix: When an administrator is processing a “Move to production” request on the To-Do List page, clicking the “Check For Identifiers” link in the dialog while processing the request would mistakenly make the dialog go blank/empty. It will now open a new browser tab. (Ticket #101426)
Bug fix: When a slider field is the first field displayed on a data entry form, the field receives focus when the form loads (which always occurs for the first field on any form), which makes it appear as if the field might already have a value. If the user misunderstands this and doesn’t enter a value because they think it already has one (when it does not), data loss could result. Thus slider fields will no longer receive focus by default on a data entry form when they are the first field on the form. Note: This does not apply to surveys. (Ticket #101420)
Change: Small change to text describing the Designated Email Field on the Project Setup page.
Bug fix: If an Adaptive (CAT) survey has been downloaded into a project from the REDCap Shared Library, and the setting “Allow participants to skip questions?” has been set to “Yes” on the survey’s Survey Settings page, a participant attempting to skip a survey question without answering it would mistakenly receive an error message saying that an unknown error occurred and that they cannot continue with the survey.
Bug fix: When fields are embedded using the “:icons” parameter in order to additionally embed the field’s associated icons, depending on how the embedded fields are laid out on the page, the SPAN tag containing the icons might mistakenly wrap to the next line and appear below the embedded field rather than displaying to the right of the field. (Ticket #101466)
Bug fix: When the Smart Variable [survey-queue-link] or [survey-queue-url] is used in the email body of an Automated Survey Invitation or an Alert, if the record is being created via the API, which then triggers the sending/scheduling of the invitation or alert, the link/URL of the record’s survey queue would mistakenly be blank (not displayed at all) inside the email body. (Ticket #101536)
Bug fix: When a REDCap administrator attempts to add Stop Actions for a Dynamic SQL field on a survey instrument in the Online Designer, an error message would mistakenly be displayed, thus preventing them from doing so.

Version 10.8.3 (released on 2021-02-19)

CHANGES IN THIS VERSION:

Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the username field on the REDCap login form when logging in as a valid user for the very first time using an external authentication method, such as LDAP or Shibboleth. (Ticket #101037)
Bug fix: The “Instant Adjudication” panel in CDP-enabled projects would mistakenly not be displayed on the CDP field mapping page in projects with record auto-numbering disabled.
Bug fix: When copying a project that contains surveys with the e-Consent Framework enabled, it would mistakenly not copy over some e-Consent settings, such as the “force signature” fields and "Allow e-Consent responses to be edited by users".
Bug fix: When running Data Quality rule H’s “Fix calcs now” button, if any fields listed in the discrepancy list are calc or pseudo-calc fields that exist on a survey that was completed using the e-Consent Framework, it would not change the values of those fields (as expected) but would mistakenly not return any error messages regarding why the values weren’t changed, which could be confusing to users. It now displays error messages (if any) after clicking the “Fix calcs now” button for DQ rule H.
Bug fix: When an Automated Survey Invitation is set to be triggered by survey completion OR conditional logic, in which the ASI is set to send “Immediately” and also has the “Ensure logic is still true” checkbox checked in the ASI setup, if a user/participant completes the trigger survey while the conditional logic still evaluates as FALSE, it would mistakenly fail to send the survey invitation, but it would correctly schedule any reminders for that survey invitation if the ASI has reminders defined. (Ticket #100770)
Change: In addition to the stock Action Tags that come bundled with REDCap, the field view in the Online Designer now displays custom action tags (in pink text below the field) that are utilized by hooks or external modules. (Ticket #101045)
Bug fix: When using X-instance Smart Variables in report filter logic (e.g., [current-instance] = [last-instance]), in which the report is returning data for multiple repeating instruments in the project, the report might mistakenly display rows of repeating instance data that should not be returned. (Ticket #100577)
Bug fix: Fixed PHP 8 fatal error caused when parsing certain logic or calculations. (Ticket #101033)
Bug fix: Descriptive fields could not successfully be embedded if the Descriptive field’s field label does not contain any HTML tags and was not created using the rich text editor. (Ticket #101130)
Bug fix: When opening an existing field for editing in the Online Designer, it would mistakenly convert tags that exist in the “Action Tags/Field Annotation” text into literal line breaks. (Ticket #101178)

Version 10.8.2 (released on 2021-02-12)

CHANGES IN THIS VERSION:

Change: New “Applications Overview” video added to Training Videos
Change/improvement: When viewing the Survey Settings page for a repeating instrument, the “Location of the button on survey” option for the “Allow respondents to repeat the survey” setting now includes a new choice not to display the repeating survey button at all on the survey page. This is useful if users are utilizing the Survey Queue as the path for participants to enter new responses for the repeating responses instead of displaying the repeating survey button on the survey page itself.
Bug fix: When importing data from a CDISC ODM XML file (whether it be a Project XML file with data or a data-only ODM export file), in which the file contains data for repeating instruments, only the first repeating instance of any repeating instrument would get successfully imported.
Bug fix: When importing data from a CDISC ODM XML file (whether it be a Project XML file with data or a data-only ODM export file), in which the file contains data for repeating events, only the last repeating instance of any repeating event would get successfully imported and would mistakenly get saved into the first repeating instance of the event.
Bug fix: If a signature field is embedded on a survey page or data entry form, depending on where it is embedded, the signature image might mistakenly not be displayed directly above the download link after the user/participant adds their signature. It should always be displayed directly above the download link.
Bug fix: In a longitudinal project that contains calculated fields whose equations reference fields on other events, Data Quality rule H might fail to return discrepancies for events that do not contain any data for any fields.
Bug fix: Auto-calculations (i.e., the server-side processing of calculated fields) would mistakenly try to include all the fields in the project when assessing if calculated fields are being triggered and thus need to be updated, rather than only considering the fields that are being updated at that moment, such as during a data import or data entry. This could cause certain data imports to take much longer than they should.
Improvement: Performance improvements for the “datediff+today/now” cron job for Alerts & Notifications
Bug fix: A fatal PHP error would occur in certain situations when running PHP 8.0. (Ticket #100549)
Bug fix: A fatal PHP error would occur in certain situations when running PHP 8.0. (Ticket #100456)
Bug fix: A fatal PHP error would occur in certain situations when running PHP 8.0 while performing a data import via the API Import Records method. (Ticket #100416)
Bug fix: The “Quick Add” dialog on the “Create New Report” page might mistakenly not work correctly if a data collection instrument’s name/label contained a backslash.
Bug fix: When viewing the Survey Invitation Log for a project displayed in a non-English language, the “Delete all selected” button might mistakenly not be displayed on the page. (Ticket #100480)
Bug fix: When using advanced filter logic for reports, the logic would not get interpreted correctly if it contained certain Smart Variables, especially if it contained only Smart Variables with no field variables (e.g., [current-instance] <> “”). With this issue fixed, users may now utilize X-instance Smart Variables in a more intuitive way for filtering reports, such as the following: 1) Display only repeating instance data - [current-instance] <> "", 2) Display only non-repeating instance data - [current-instance] = "", 3) Display only the first instance of only repeating instance data - [current-instance] <> “” and [current-instance] = [first-instance], and so on. (Ticket #45618)
Change: Added a tip in Step 3 when creating a new report to inform users how to use [X-instance] Smart Variables to filter repeating data. This tip is only displayed in projects that have repeating instruments and/or repeating events.
Bug fix: On a project’s Project Setup page, some things would mistakenly display incorrectly (or display when they should not) if an administrator was using the “View project as user” feature.
Bug fix: If using the survey setting “Save a PDF of completed survey response to a File Upload field” in which an Alert is set to send “Immediately” with the PDF as an attachment on the alert, the PDF would mistakenly not get attached to the alert. However, if the alert was set to send after a delay of any kind, the PDF would correctly get attached.
Bug fix: When copying a project via the Copy Project page, in which the Survey Queue settings are being copied, the following Survey Queue settings would fail to be copied to the new project: “Custom text to display at top of survey queue” and "Keep the Survey Queue hidden from participants?".
Bug fix: Calculated field values were mistakenly not getting saved via cross-form or cross-event calculations (via Auto-Calculations) if the calculation was based on the value of a field being blank when the field’s value was not being changed.
Bug fix: When an action tag has text enclosed inside escaped apostrophes (e.g., @PLACEHOLDER=\’DD-MM-YYYY\’), it would cause the Online Designer page to crash and throw a fatal PHP error. (Ticket #100543)
Bug fix: It was recently discovered that due to a security fix added to REDCap 10.3.3 (Standard) and thus to all subsequent versions, some survey-specific features in REDCap do not function correctly if not using MySQL/MariaDB 5.5.5 or higher. Anyone using a version lower than MySQL/MariaDB 5.5.5 should upgrade their database to v5.5.5 or higher. The Configuration Check page now reflects MySQL/MariaDB 5.5.5 as being the minimum required database version that REDCap supports.
Bug fix: When a project has thousands or more records and has several records being created every minute, there might exist a slight lag in the back-end Record List Cache immediately after creating a new record, in which it could cause REDCap to mistakenly assume that a record doesn’t exist yet when in fact it was just created. This might cause a record’s data to get duplicated as a new record if a user is not paying attention while attempting to create another record.

Version 10.8.1 (released on 2021-02-05)

CHANGES IN THIS VERSION:

Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL of the Survey Settings page when enabling an instrument as a survey.
Bug fix: If an API user belongs to a Data Access Group, the project’s back-end Record List Cache would mistakenly get reset every time the user would import a batch of records via the API. This would cause performance degradation of the project if many API imports are occurring for the project in a relatively short amount of time.
Various fixes and updates for the External Module Framework
Bug fix: When a project has enabled the “Delete a record’s logging activity when deleting a record” setting, the action of deleting a record would correctly delete the record’s logging activity with regard to what can be viewed via the front-end user interface, but it was mistakenly not additionally deleting the back-end SQL logging details that are stored in the database log_event tables (even though this information can only be accessed if you have direct access to the database or via a special plugin or external module for doing such). (Ticket #100131)
Bug fix: When a calc field or @CALCTEXT field exists on a repeating instrument or repeating event, the calculation might not get triggered during a data import or when running Data Quality rule H, in which it will fail to find discrepancies for this field when some discrepancies exist (but only in specific situations depending on the calculation being used for the field). (Ticket #82961)
Bug fix: When a field has an @HIDDEN-PDF action tag in the Field Annotation/Action Tag text in which “@HIDDEN-PDF” is preceded with a line break with no space before the line break, the field would mistakenly not be hidden when downloading a PDF of the instrument.
Bug fix: When attempting to download a file that was just uploaded to a File Upload field on a survey page, it would display an error message and prevent the downloading of the file if the survey had not been saved yet (i.e., if the participant was still on page one of the survey, whether public or private). This should not occur at all when the participant is using a private/unique survey link. This error message now only displays on public surveys in which the survey has not been saved yet at all (before the record has been created), which is appropriate. (Ticket #99754)
Bug fix: When using cross-form or cross-event calculations or branching logic involving a DMY or MDY formatted date or datetime field, if the field referenced on the other instrument/event has a Missing Data Code saved for it, saving the current instrument would cause the “Invalid values entered!” warning to appear mistakenly. (Ticket #100238)
Bug fix: When a project has thousands or more records and has several records being created every minute, there might exist a slight lag in the back-end Record List Cache immediately after creating a new record, in which it could cause REDCap to mistakenly assume that a record doesn’t exist yet when in fact it was just created. This might cause a record’s data to get duplicated as a new record if a user is not paying attention while attempting to create another record.
Bug fix: In some rare cases for projects that have calculated fields on repeating instruments, running Data Quality rule H would return valid discrepancies, but clicking the “Fix now” button on the page would mistakenly fail to fix the calculations.
Bug fix: When attempting to download an instrument’s Instrument ZIP file in the Online Designer when the instrument was created in Draft Mode but does not yet exist in the live version of the project, it would display a generic error message, which could be confusing to users. It now displays a more informative message regarding why exactly the zip file cannot be downloaded. (Ticket #100290)

Version 10.8.0 (released on 2021-01-29)

CHANGES IN THIS VERSION:

New feature: Instant Adjudication for Clinical Data Pull (CDP) with improved CDP Field Mapping page
- Once enabled here for the whole system via the CDIS page, the Clinical Data Pull “Instant Adjudication” setting can be enabled on a CDP project’s field mapping page, after which it will allow users to bypass the normal data adjudication process and will let them import and save all data into the project that has already been cached from the EHR system. This can save a great deal of time when importing lots of patient records. After Instant Adjudication is enabled in a CDP project, users with CDP-adjudication privileges will see the button to initiate this process on the Record Status Dashboard. After the button is clicked, it will begin adjudicating the EHR data for all records in real time, thus saving the data into records in the projects. On the CDIS page in the Control Center, administrators can enable or disable the Instant Adjudication feature for all CDP-enabled projects in the system. By default, the system-level Instant Adjudication option is enabled.
- Also, the user interface for the CDP Field Mapping page in all CDP-enabled projects has been updated and improved to allow users to more quickly and easily map their REDCap fields to EHR fields for their CDP project.
Improvement: Custom ranges (min/max) for slider fields - Users may now set a custom minimum and/or custom maximum integer value for slider fields. The default min and max is still 0 and 100, respectively. If no value is entered for the min or max value, it will assume the default value. These can be set via the Edit Field popup in the Online Designer, and via the “Text Validation Min” and “Text Validation Max” columns in the Data Dictionary.
New feature: New API “Export Logging” method - This new API method allows users to export a project’s logging via the API using very similar methods and filters as in the project’s user interface. See the documentation for all filter parameters that are available.
New feature: Ability to to import/export user rights via a CSV file on the User Rights page - Users can download a CSV file to view all the user privileges of the existing users in a project, including their instrument-level user rights. Users can upload a CSV file to grant new users access to the project and/or to modify the user privileges of existing users, including their instrument-level user rights.
Improvement: The rich text editor is now utilized when editing the following system-level custom text settings in the Control Center: Custom login text, Homepage announcement custom text, Homepage informational custom text, Help & FAQ custom text, Custom message when creating/copying project, and Custom message when moving project to production.
Improvement: The Email Users page in the Control Center now has a new quick-select link to select and email only the currently logged-in users. (Ticket #99532)
Bug fix: When using the “:link” piping option for a File Upload field on a survey or data entry form, in which the field being piped exists on that same page, if a user initially uploads a file for that File Upload field, it would mistakenly pipe the value instead of the hyperlink for downloading the file. However, if the page is reloaded or revisited later, the piping works correctly to display the hyperlink. This issue only occurs at the moment in which the file is uploaded when piped on the same page.
Bug fix: In specific cases when using the “:inline” piping option for a File Upload field that has a PDF uploaded to it, instead of displaying the PDF inline on the page, it would mistakenly cause the PDF to be auto-downloaded by the user’s browser. (Ticket #99572)
Bug fix: When a REDCap administrator is using the “View project as user” feature to impersonate a user when viewing an “initial survey” in the Participant List while the project is in production, it would mistakenly not disable the “Enable” button for the Participant Identifier column in the Participant List. In this scenario, that button should remain disabled since it would be disabled for the user being impersonated.
Bug fix: The style of the text displayed inside the rich text editors did not match the general style and CSS classes of text on REDCap webpages (e.g., the text in the editors were much larger). This made it more difficult to accurately determine what the resulting text would actually look like on the page.
Bug fix: When using the Field Bank feature, some specific field types that are imported into a project might mistakenly have choices that belong to other fields that appear in the Field Bank search. However, this only appears to occur when searching in the 'REDCap Catalog of Common Data Fields’, which was deprecated in REDCap 10.7.1 and thus is no longer accessible. (Ticket #99552)
Bug fix: When the text inside the @CALCTEXT action tag contains an opening parenthesis inside quotes but does not contain a closing parenthesis inside those same quotes (and vice versa), the @CALCTEXT equation would mistakenly not get parsed correctly and might cause an error to display on the survey/form or might cause the @CACLTEXT field to display as a normal editable text field instead of a pseudo-calc field.
Bug fix: When a required field is left empty/blank on a survey or data entry form, in which the required field has no field label defined, instead of displaying a bullet point with no text in the error prompt, which is confusing, the variable name of the field will be displayed as an alternative. (Ticket #99551)
Bug fix: When using the “:link” or “:inline” piping options pointing to a File Upload field, in which the field is from a different event than the event where it is being piped, the user would receive an error message when attempting to download or view the file. (Ticket #99754)
Change/improvement: The maximum repeating instance number that can be added for a repeating instrument or repeating event has been increased from “9999” to "32767".
Bug fix: When running the “Re-evaluate Alerts” feature on the Alerts & Notifications page in a longitudinal project, in which the alert is set to be triggered on "[Any event]" if an instrument is saved with a Complete status, it would mistakenly trigger alerts for records that do not have a Complete status for the instrument. If the alert is set to be triggered by completing the instrument on a specific event (rather than on "[Any event]"), this issue does not occur. (Ticket #99889)
Bug fix: Data Quality rule F would mistakenly return false positives if the project is a multi-arm longitudinal project and a field’s branching logic references fields/events in arms where the record currently doesn’t exist. (Ticket #99922)

Version 10.7.1 (released on 2021-01-22)

CHANGES IN THIS VERSION:

New feature: New “:link” piping option for File Upload fields - If piping using the ':link’ option for a File Upload field, such as [my_field:link], the file’s filename will be displayed as a clickable hyperlink for downloading the file, which works on webpages and also inside the body of email text (i.e., survey invitations or Alerts & Notifications).
Improvement/change: When using the “:inline” piping option for File Upload files inside an email body (e.g., survey invitations, alerts), if the uploaded file is not an image file, it will still attach the file to the email but will display the file’s filename in the email text as an alternative to displaying it as an inline image.
Major bug fix: A race condition can occur when two records are being randomized at the exact same time, in which it is possible that they both mistakenly receive the same allocation and same value for the randomization field in the project. (Ticket #99159)
Minor security fix: In several places where a user can download a CSV file of various settings (e.g., export of Data Quality rules), it might be possible for a malicious user to perform CSV injection in a CSV file that is downloaded and opened in Microsoft Excel by another user, in which dangerous code could be injected and executed unknowingly by the user on their computer.
Change: In order to help emphasize the “NIH/NLM Catalog” more in the new Field Bank feature, the “REDCap Catalog of Common Data Fields” has been removed indefinitely as an option in the Field Bank dialog in the Online Designer.
Change: The Field Bank feature in the Online Designer can now be disabled at the system level on the “Modules/Services Configuration” page in the Control Center. Once disabled, the “Import from Field Bank” button will no longer appear in the Online Designer for any user.
Change: Some language on the Survey Settings page was modified for clarity with regard to the Time Limit for Survey Completion feature to note that it is not applicable to survey links sent via Alerts & Notifications.
Bug fix: In some situations where embedded fields have branching logic that is triggered by other embedded fields, if the parent field of those embedded fields is itself triggered by branching logic, then some of the embedded fields inside the parent might mistakenly be displayed when they should be hidden by branching logic.
Bug fix: When using the “:inline” piping option to display a PDF file inline on a webpage after it had been uploaded to a File Upload field, in specific circumstances with regard to the text/HTML surrounding the piped field, the inline piping of the PDF file may fail to display on the page.
Bug fix: When using the “:inline” piping option to display a PDF or image file inline on the same instrument on which the File Upload field itself exists, the inline piping of the PDF/image would fail to work. However, it would coincidentally work if the File Upload field was using the @INLINE action tag.
Bug fix: When clicking the “Send-It” link to send a file from inside a project (e.g., a data export file or a file from File Repository), after submitting the page to send the file to the desired recipients, an error message would mistakenly display saying that the user does not have permission to the file. Thus the file would not be sent. Note: This does not affect the main Send-It page that is accessible via the tab on the main REDCap home page, etc.
Bug fix: When a survey participant is taking a PROMIS, NeuroQoL, NIH Toolbox, etc. assessment that is adaptive or has auto-scoring, the “Anchor Text” would mistakenly not be displayed on the survey page for the first and last choices of the survey question (assuming anchor text exists for the question).
Bug fix: When using the Custom Record Label and/or Secondary Unique Field in a project that contains many records (i.e., thousands or more), running Data Quality rules would mistakenly take an inordinate amount of time to return the results.
Bug fix: When using the Custom Record Label and/or Secondary Unique Field in a project that contains many records (i.e., thousands or more), the Resolve Issues page (available when using the Data Resolution Workflow) would mistakenly take an inordinate amount of time to load.
Bug fix: The Configuration Check page might mistakenly display a yellow recommendation saying that the MySQL/MariaDB query cache is not enabled but mistakenly does not tell the user that they should set the setting query_cache_type to “ON” or “1” in their My.cnf or My.ini config file. It now checks the query_cache_type setting to recommend that it be enabled.
Bug fix: On a data entry form or survey, it might be possible in very specific situations for hidden radio elements to mistakenly be selected and be somewhat visible on the page. This would not affect any data but might cause confusion to the user. (Ticket #99271)
Bug fix: Fixed a fatal PHP error that occurs on certain pages in PHP 8 only. (Ticket #99323)
Bug fix: If an embedded checkbox field has the @READONLY action tag, it would mistakenly be possible to check/uncheck the checkbox and thus change its value by clicking its choice label, although clicking the checkbox element itself would do nothing and would remain read-only, as expected. (Ticket #99322)
Bug fix: If a file that is uploaded for a File Upload field or for a message in REDCap Messenger exceeds the maximum file size as defined by the server or by REDCap’s configuration, the file’s metadata would mistakenly remain in the database and (if the file size exceeded the REDCap limit but not the server limit) the file might still remain on the server. It will now set the file to be removed from these places when this occurs. (Ticket #99324)
Bug fix: When piping a field into a label on a data collection instrument in a longitudinal project in which the piped field variable is prepended with the [previous-event-name] Smart Variable, the piping would fail to work in certain specific contexts, such as if the instrument of the field being piped is not designated on the previous event when viewing a different instrument on the next event. In these cases, it would mistakenly display six underscores (as if there is no value) rather than the real value. (Ticket #99342)
Change: For longitudinal projects that are in production, the Define My Events now displays an extra warning that warns that renaming events could cause disastrous effects if any unique event names are utilized in conditional logic, branching logic, calculations, reports filters, data quality rules, etc.
Bug fix: In the field-view in the Online Designer, the floating help boxes on the right of the page might mistakenly overlap some of the instructional text. (Ticket #98688)
Bug fix: When a multi-page survey has fields utilizing the @CALCTEXT or @CALCDATE action tag, in which those fields themselves are used in a calculation or branching logic on a separate page that also does not display the fields utilized inside the @CALCTEXT or @CALCDATE logic, it would mistakenly display an error message on the survey page. (Ticket #98545)
Bug fix: If a user is attempting to enable the Secondary Unique Field on a field that somehow has records with blank values (for the “value” column) saved for that field in the database, REDCap would mistakenly not allow the user to enable the Secondary Unique Field for the field. (Ticket #83279)
Bug fix: If utilizing certain Smart Variables inside the query of a Dynamic SQL Field (e.g., [record-name]), the Smart Variable would mistakenly not get escaped in the query, which might cause the query to fail and not return the desired results.
Bug fix: When editing logic in the Logic Editor for the Survey Queue or Automated Survey Invitations, if a syntactical error exists in the logic, it might mistakenly create an infinite loop where the error popup keeps displaying and is not able to be fully closed, thus causing the user to have to reload the page. (Ticket #99412)

Version 10.7.0 (released on 2021-01-14)

CHANGES IN THIS VERSION:

New feature: Field Bank - When adding new fields via the Online Designer, users will see an “Import from Field Bank” button, which will allow them to search different standardized catalogs of commonly used fields, such as in the U.S. National Library of Medicine catalog. The Field Bank helps users add new fields quickly and easily to their data collection instruments. Over time, more standardized catalogs of fields will be added to the Field Bank.
New feature: @INLINE action tag - Allows a PDF file or image file (JPG, JPEG, GIF, PNG, TIF, BMP) that is uploaded to a File Upload field to be displayed in an inline manner on the survey page or data entry form so that the PDF/image can be viewed by the user or survey participant without having to download it.
- The PDF/image will be displayed inline on the page immediately above the download link for the field and will be displayed with 100% width by default (i.e., 100% width of the area in which it is contained).
- Images will be displayed with their native width:height ratio, although PDFs will be displayed with a 300 pixel height by default. If you wish to manually set the width and/or height of the image/PDF, you may put the width/height values inside parentheses after the action tag in the following manner: @INLINE(width) or @INLINE(width,height). The width/height can be a percentage value (e.g., 50%) or a number representing size in pixels (e.g., 400). Thus @INLINE(50%) will display an image at 50% size for the area in which it is contained on the page, and @INLINE(400,100) would display the image always at 400px tall and 100px wide. To make an inline PDF appear taller on the page, you might use @INLINE(100%,600) since 300px is the default height for inline PDFs.
- The @INLINE action tag also works if the File Upload field is embedded inside another field on the page.
- Thanks to Andy Martin for his inspiration for this feature, in which it is based on his “Image Viewer” external module. NOTE: Upgrading to REDCap 10.7.0 will *not* automatically disable the “Image Viewer” module if it is installed and enabled on any projects, nor will it conflict with the “Image Viewer” external module.
New feature: New “:inline” piping option for File Upload fields
- If piping using the ‘:inline’ option for a File Upload field, such as [my_field:inline], in which the uploaded file is a PDF file or image file (JPG, JPEG, GIF, PNG, TIF, BMP), the file will be displayed in an inline manner so that it is viewable on the page.
- The ‘:inline’ option DOES work inside emails, so you can pipe a field with ‘:inline’ inside the email body, thus allowing you to display inline images inside survey invitations or Alerts & Notifications.
- The @INLINE action tag does not need to be used on a field in order to utilize the “:inline” piping option.
- Note: Inline images are not able to be displayed inside a downloaded PDF of a survey/instrument that contains data.
Improvement: In the Online Designer, any fields that have action tags will have those action tags listed immediately below the field in the table on that page. This makes it easier to know if a field has a certain action tag without having to open the Edit Field dialog for the field.
Major bug fix: On a survey page or data entry form, if a slider field already has a value saved for it before the time that the page is loaded, and a user then modifies the slider field value, while it would appear that the slider’s value has changed, it mistakenly has not. Bug emerged in REDCap 10.6.2. (Ticket #98450)
Change: PHP 7.0.0 is now the new minimum PHP version that is required for running REDCap. Thus all versions of PHP 7 and PHP 8 are currently supported.
Bug fix: The Configuration Check page was mistakenly displaying MySQL database configuration suggestions for the MySQL query cache setting even though the query cache is deprecated in MySQL 5.7.20+. It will now no longer suggest changes to the query cache if using MySQL 5.7.20+. Note: This issue was supposedly fixed in REDCap 10.6.3 but mistakenly was not. (Ticket #97786)
Bug fix: If using an if() function inside the @CALCTEXT action tag, in which the if() function is outputting text that contains a comma, it would mistakenly display an error message on the survey page or data entry form.
Bug fix: If a longitudinal project’s Automated Survey Invitation (ASI) has conditional logic that contains datediff() with “today” or “now” as a parameter and also has a field in the logic that is prepended with any “event-name” Smart Variable, then the ASI cron job that runs every 4 hours might mistakenly schedule invitations when it shouldn’t or might mistakenly remove some already-scheduled invitations (but only if the “Ensure logic is still true before sending invitation?” option is checked).
Bug fix: The option “UNK, Unknown” was missing from the “race” field options when using the Clinical Data Pull (CDP) feature.
Bug fix: Two Laboratory fields (including a COVID-related one) and their associated LOINC code were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.
Bug fix: In some cases, the @CALCDATE action tag might mistakenly return the value “NAN” when it should return a blank/"" value. This often happens when one or more of the parameter values for @CALCDATE are blank. Bug emerged in REDCap 10.6.3.
Bug fix: In a longitudinal project, if a field on a repeating instrument or repeating event has branching logic that contains a field name appended with the Smart Variable “first-instance” or "last-instance", the branching logic might mistakenly not get parsed correctly and would display a branching logic error popup on the survey page or data entry form. (Ticket #98427)
Change: The “Help & FAQ” page was updated with new content.
Bug fix: In certain situations where an [X-instance] Smart Variable in piping, it would cause PHP to crash with a fatal error if using PHP 8. (Ticket #98920)
Bug fix: Ways were found where a user could access a file uploaded to a File Upload field that exists in another project, specifically via the Send-It link on data entry forms or via downloading the "ZIP file of uploaded files (all records)". However, this could only be done if the user has access to that other project.

Version 10.6.3 (released on 2020-12-30)

CHANGES IN THIS VERSION:

Database performance improvements: New cron job was added to check the percentage of database connections being used, in which it will notify the REDCap administrator if more than 2/3 of MySQL’s max connections have been used. Also, to preserve system performance, the cron job will automatically kill any long-running database queries (queries running longer than 30 minutes or any sleeping connections that are more than 60 minutes old).
Improvement: Field embedding can now be used for embedding a Descriptive field inside another field (even though descriptive fields do not have an actual input element for saving data). Embedding a descriptive field would merely relocate the field’s label to the new location where it is embedded. This is typically only useful if the descriptive field has branching logic, in which you could use branching logic to make the descriptive field’s text appear conditionally in a specific place on the page.
Improvement: A link to the "REDCap Language Library" has been added to the Control Center’s left-hand menu. The Language Library is a centralized place where administrators can download and share language files where the stock text in REDCap has been translated into another language.
Major bug fix: If using the datediff() function in a calculated field or in the @CALCTEXT action tag, if the returnSignedValue parameter is provided and has a TRUE value in the function but the dateFormat parameter is not provided, then the calculation might mistakenly return a positive number value on the page if the value is actually a negative number. Note: This could be fixed if running Data Quality rule H.
Bug fix: If a survey participant sends an SMS message to a Twilio phone number that is set up for a REDCap project, REDCap would reply simply with "Please enter your access code to begin the survey", which might be unexpected in some situations, such as if the participant sent the SMS to this number by accident or if they sent it before they were invited to take the survey. More response text has been added to the message now to provide more clarity to the respondent in these situations. (Ticket #97520)
Bug fix: When clicking the “M” icon to open the Missing Data Code menu for an embedded field on a data entry form, it would mistakenly not display the menu at all or it would display it on the wrong location on the page.
Bug fix: Fatal PHP error occurs in some branching logic parsing if running PHP 8.0. (Ticket #98045)
Bug fix: When using Twilio telephony services for Alerts & Notifications, the Notification Log would mistakenly fail to display the recipient’s phone number on the page if a phone/number field is being used as the recipient’s phone number. Instead it would merely display the unpiped variable name in the Recipient column.
Bug fix: When using Twilio telephony services for Alerts & Notifications and viewing a scheduled or sent notification via the View Notification dialog on the Notification Log, it would mistakenly fail to display the recipient’s phone number in the dialog if a phone/number field is being used as the recipient’s phone number. Instead it would merely display the unpiped variable name.
Bug fix: When viewing the Notification Log for Alerts & Notifications, it might mistakenly fail to display unsent/scheduled notifications in the log in certain cases if the “End time” filter is set to a blank value. This might make it appear as if the notification has not been scheduled.
Bug fix: The Configuration Check page was mistakenly displaying MySQL database configuration suggestions for the MySQL query cache setting even though the query cache is deprecated in MySQL 5.7.20+. It will now no longer suggest changes to the query cache if using MySQL 5.7.20+. (Ticket #97786)
Bug fix: If users cannot create projects on their own but must request that admins create them on their behalf, an administrator creating the project for a user mistakenly needs to have the “Allow this user to request that projects be created for them by a REDCap administrator?” privilege enabled for their user account. This should not be required but should be implied via their status as an admin. (Ticket #98128)
Bug fix: When performing a data import of a CDISC ODM (XML) file that contains only data (i.e., metadata not included), in which the XML file contains base64-encoded binary files for File Upload fields, those File Upload files would mistakenly be ignored during the import process and would not be imported with the rest of the data. (Ticket #96800)
Bug fix: When creating a new REDCap project using a Project XML file, in which the XML file contains surveys and fields with Stop Actions, the Stop Actions would mistakenly not get added to the fields for the new project created. (Ticket #97959)
Bug fix: When performing a data import where the uploaded data set contains checkbox fields, REDCap would mistakenly allow values of “1.0” and “0.0” (and other approximations of “1” and “0”) to be imported for checkbox fields. This would also cause the values not to save correctly for these fields, even though the logging implies otherwise. It should only explicitly allow values of “1” and “0” for checkboxes. (Ticket #97972)
Bug fix: When editing conditional logic for surveys in the Survey Queue dialog on the Online Designer, if the logic contains a syntactical error, it might persistently keep opening the Logic Editor over and over, thus preventing the user from successfully closing it and saving their changes. (Ticket #98213)
Bug fix: If a project has Double Data Entry enabled and DDE person #1 or #2 is viewing a custom record status dashboard, the dashboard will mistakenly return incorrect results on the page for custom dashboards that have filter logic defined. (Ticket #97174)
Bug fix: In a longitudinal project that contains repeating instruments and/or repeating events, if a custom data quality rule has logic that contains a field whose data collection instrument exists in both repeating and non-repeating contexts in the project, the data quality rule might not always return all the discrepancies that exist. (Ticket #97508)
Bug fix: If a project was marked as Completed, any Alerts & Notifications or survey invitations that had been previously scheduled would mistakenly continue to send. They should not send if a project is marked as Completed.
Bug fix: If reordering Report Folders inside the Report Folder dialog while using PHP 8.0, it would fail with a fatal PHP error. (Ticket #98217)
Bug fix: The language in the Account Expiration email to users (and their sponsor, if applicable) has been modified to provide more clarity to the user receiving the email. (Ticket #58767)
Bug fix: If a project has Double Data Entry enabled and DDE person #1 or #2 is viewing the record status dashboard, the Custom Record Label (if enabled) would fail to display on the page next to the record names. (Ticket #97116)
Bug fix: If a data collection instrument’s unique instrument name contains a triple underscore, in which its name was manually set via Column B in a data dictionary upload, when entering data for this instrument on the data entry form, the value for the instrument’s form status complete field would fail to save successfully and thus would always get set to Incomplete (“0”). Note: This would not affect data imports or surveys but only data entered on the data entry form. (Ticket #96547)
Bug fix: If using the @NONEOFTHEABOVE action tag on a checkbox field that is embedded inside another field, the @NONEOFTHEABOVE functionality would not function correctly if the user clicked the checkbox label to check/uncheck the option (as opposed to clicking the checkbox element itself). (Ticket #98269)

Version 10.6.2 (released on 2020-12-18)

CHANGES IN THIS VERSION:

Improvement/change: REDCap is now compatible with PHP 8.0
Improvement: Field variables and Smart Variables can now be piped into the “src” attribute of HTML image tags (“img”). Previous versions did not allow this but would allow the piping of values into the “href” attribute of hyperlinks. Now both are possible. Note: The value being piped into the “src” attribute must have already been saved prior to the page loading, which is how piping for the “href” attribute has always worked.
Minor security fix: Due to a vulnerability in the third-party JavaScript library "Handlebars", the library was updated to the latest version. (Ticket #97725)
Minor security fix: Due to a vulnerability in the third-party library TinyMCE, the library was updated to the latest version. (Ticket #97725)
Minor security fix: The “Prevent Clickjacking” security feature would mistakenly not work successfully on a certain page when that page is called in an unexpected manner without a “pid” parameter in the URL. (Ticket #97736)
Minor security fix: A Cross-Site Request Forgery (CSRF) vulnerability was discovered where a malicious user could potentially bypass the CSRF check by adding a specific parameter to HTTP requests in the application.
Bug fix: If a user clicks on a status icon for a repeating instrument on the Record Status Dashboard, in which there are many repeating instances for the record-instrument, it might display the popup list of repeating instances so that they mistakenly run off the top of the page, making it impossible to close the floating popup or to view it completely.
Bug fix: If a radio button or slider field has a Missing Data Code as its value, clicking the “reset” link next to the field would mistakenly not remove the Missing Data Code label from the user interface below the field, even though it would correctly set the value to blank/null for the field. (Ticket #97028)
Bug fix: If a slider field has a value and is being hidden by branching logic, in some scenarios it might mistakenly display the “survey errors exist” error on surveys or might keep displaying the “erase value” prompt repetitively in an infinite loop on a data entry form. (Ticket #97395)
Bug fix: If a survey participant clicks the “Survey Queue” icon at the top right of the survey page, in which the queue contains a lot of items so much that the queue is taller than the page itself, the queue would mistakenly run off the top or bottom of the page and would not be closable. (Ticket #96613)
Bug fix: If a survey title contains HTML tags, the tags would mistakenly be displayed in the drop-down list of surveys in the Participant List.
Bug fix: When an Automated Survey Invitation is triggered by a data import where a new record is being create, and the ASI email body contains a [survey-link] or [survey-url] Smart Variable that points to a survey other than the current one for which the ASI is being triggered, it would mistakenly not pipe the survey link/URL successfully into the email body. (Ticket #96305)
Bug fix: If the REDCap web server is running a version of PHP that is higher than the recommended PHP versions supported by REDCap, the “Server info” text at the top of the main Control Center page might mistakenly display a warning with incorrect text about the need to upgrade PHP. (Ticket #96749)
Bug fix: When using the SendGrid API to send emails from REDCap, the Reply-To email header would mistakenly not get set correctly and would thus cause all replying emails to be sent to the Global “From” Email Address instead of the actual sender’s email.
Bug fix: If a date or datetime field is embedded inside the choice label of a checkbox field, clicking the Today/Now button for the embedded date/datetime field would mistakenly check or uncheck the checkbox choice in which it is embedded. (Ticket #97719)
Bug fix: On the Alerts & Notifications page, when modifying an alert that previously had the option set to send it "Every time the form/survey in Step 1B is X", and then when the alert was later opened after being saved, if it was changed in Step 1A (selecting the third radio option) so that that choice was no longer viable and was hidden in the dialog, it would still keep the alert listed as a recurring alert in the backend database table, which could cause it to not get triggered or sent at the correct times. Note: This fix will prevent this issue from occurring in the future and will also retroactively fix any alerts that have been saved incorrectly due to this bug. (Ticket #97507)
Bug fix: 13 Laboratory and Vital Signs fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.
Bug fix: When calling the “Export List of Export Field Names” API method or the REDCap::getExportFieldNames() method for a project that has Missing Data Codes defined, it would mistakenly fail to add the Missing Data Codes as extra choice options for checkbox fields (excluding fields with the @NOMISSING action tag). (Ticket #96240)
Bug fix: When a project is being permanently deleted (either by an administrator on the Browse Projects page or via the cron job 30 days after a user has “deleted” the project), it would mistakenly fail to log the very last event for the project (i.e., that the project is itself being permanently deleted), which should include the following info about the project in this last logged event: the project title, project ID, number of fields, number of records, current project status, and list of current project users.
Bug fix: When processing a user request on the To-Do List page, in which the user making the request has an apostrophe in their email address, it might cause the request not to load successfully in the dialog on the To-Do List page. This only affects certain types of requests, such as moving a project to production. (Ticket #96958)
Bug fix: When a matrix field is embedded inside another field on a survey page or data entry form, in which some other fields on the page contain branching logic that reference the embedded matrix field, the branching logic might silently fail to show or hide the other field correctly. (Ticket #97114)
Bug fix: When accessing the REDCap server from a domain that is not the domain seen in the REDCap Base URL value (i.e., when using REDCap over multiple domains), the HTTP redirecting that occurs when REDCap is building a project’s record list cache (which is an automatic process), would mistakenly redirect the user to the other domain that is set in the REDCap Base URL. Thus the user ends up on the other server/domain by mistake. It now keeps the user on the current domain during this redirect process. (Ticket #97777)
Bug fix: When an administrator is using the “View Project as User” feature, the “Dynamic Query (SQL) Field” option would mistakenly be displayed for them when adding a new field in the Online Designer. (Ticket #96865)
Bug fix: The Java code that is auto-generated by the API Playground mistakenly had some missing closing parentheses in the MyClass constructor. (Ticket #96565)
Change/improvement: Small changes to improve the overall web accessibility of REDCap, especially on survey pages, such as increasing the contrast ratio of many light-colored labels and adding/removing “aria-X” HTML attributes where appropriate.
Bug fix: The Java code that is auto-generated by the API Playground mistakenly had some syntactical errors for certain API methods. (Ticket #97855)
Bug fix: In a longitudinal project where a field is used both in a non-repeating context and in a repeating instrument or repeating event, if a calculation or branching logic references the field in which it has the Smart Variable "[current-instance]" appended to it, the calc/logic might not get parsed correctly in the non-repeating context and thus would cause the calculation/branching logic not to evaluate correctly. (Ticket #96777)
Bug fix: When a field is embedded using the “:icons” attribute (e.g., {date_of_birth:icons}), it might not display correctly on the page, in which it might be displaying too widely or creating unnecessary text wrapping. (Ticket #96838)

Version 10.6.1 (released on 2020-12-10)

CHANGES IN THIS VERSION:

Improvement: The Logging page in a project now defaults to only displaying the logged events from the past week, although users can always adjust the filter settings to expand the time range values after initially loading the page. This change makes the Logging page load much faster when initially loaded by a user.
Improvement: The Logging page in a project now has helpful buttons to quickly adjust the time range filters to Past Day, Past Week, Past Month, Past Year, and all time (“no limit”) to make it easier for users to view the logging from various time ranges.
Improvement: The Logging page in a project now has more download options for exporting the logging. In addition to exporting all logged events, there are now the following new buttons: 1) Export all pages using current filters and 2) Export current page.
Improvement: When downloading a PDF of a data collection instrument containing a File Upload field that is embedded in another field, it will now display the file name of the uploaded file in the PDF rather than the doc_id number (i.e., the raw data value). This change only involves embedded fields since normal/non-embedded File Upload fields already display the file name of the file in the PDF.
Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL on certain REDCap pages. (Ticket #97362)
Minor security fix: A Blind SQL Injection vulnerability was found on the User Rights page, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page. (Ticket #97347)
Minor security fix: An Unrestricted File Upload vulnerability was found on the API Playground page, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page for the Import File API method. (Ticket #97372)
Bug fix: When viewing certain adaptive instruments that have been downloaded from the REDCap Shared Library, in which one of the multiple choice options has both a code and value of "0", the label for that choice would mistakenly not be displayed next to its radio button, so it would appear not to have a label.
Bug fix: For the Data Mart and Clinical Data Pull services, the action “Fetching data from FHIR endpoint” was mistakenly getting logged on the project Logging page for every time that REDCap would make a call to the EHR, even when no new data is stored in REDCap from the EHR. It should not have been logging that but instead only logging when data points are actually imported.
Bug fix: For unknown reasons, the Ace Editor library (used by the new Logic Editor) is not compatible with Bootstrap dialogs when using the Firefox browser. This prevents the Logic Editor from being usable on the Alerts & Notifications page. To deal with this conflict (until a solution has been found), if a user is using Firefox, the Logic Editor will not be used on the Alerts & Notifications page. (Ticket #96992)
Bug fix: When a calc field or pseudo-calc field (e.g., @CALCTEXT) has an equation that references a multiple choice field that contains dashes in one or more of its choice values/codes, in which the value/code is greater than a certain length, the calculation may return a blank value rather than the correct value. (Ticket #97055)
Bug fix: When moving a project to production and deleting all records in the process, or if a user clicks the “Erase all data” button in a development project, any records that have been locked at the record level would mistakenly still have their locked status maintained after the record deletion. This could cause issues in the future if a record is created afterward and has the same record name as a previously-locked record. (Ticket #97167)
Bug fix: When a plugin, hook, or external module calls the method REDCap::getProjectXML(), it would mistakenly not include the “redcap::SurveysGroup” entry and other project-level information in the resulting XML. (Ticket #97151)
Bug fix: When viewing a data entry form that has drop-down fields with the auto-complete option enabled, the drop-down list might mistakenly be displayed incorrectly as if it is very narrow and has no options to select. Note: This issue occurs on data entry forms but not on survey pages.
Bug fix: The survey-date-complete or survey-time-complete Smart Variable would mistakenly not work correctly in some calculations and in many cases would display a calculation error message. Bug emerged in REDCap 10.0.29 LTS and 10.5.2 Standard. (Ticket #97057)

Version 10.6.0 (released on 2020-11-30)

CHANGES IN THIS VERSION:

New feature: New logic editor for conditional logic, branching logic, calculations, report filters, etc. In every place where users might add/edit logic or calculations, the new logic editor will be displayed in a modal dialog to provide a better user experience for entering their logic. The logic editor provides much more space for entering large amounts of logic, including a fullscreen mode to take maximum advantage of their screen’s real estate. It also provides bracket-matching and parentheses-matching where it will highlight a pair of matching brackets/parentheses to make it easier for users to gauge which brackets/parentheses belong together in the logic, thus reducing possible errors in the logic when typing.
New feature: Auto-numbering of repeating instances for data imports - When using repeating events or repeating instruments, it may be difficult when performing dynamic imports of data for these because it is not easily known how many repeating instances already exist in a project for a given repeating event/instrument, thus often forcing users to invent clever ways to determine this, such as performing data exports beforehand and then dynamically determining what the next repeating instance number should be. However, that is no longer necessary. When performing a data import now for a repeating event/instrument, users may use the literal value “new” as the value for the “redcap_repeat_instance” field in their data import. By doing so, REDCap will perform the instance auto-numbering on its own to increment the repeating instances properly based on the highest numbered instance that already exists in the saved data in the project.
New feature: New survey option “Save a PDF of completed survey response to a File Upload field” - On the Survey Settings page in the Online Designer, users may select a File Upload field in the project where a static PDF file of a participant’s survey response will be stored immediately after they complete the survey. For longitudinal projects, if the target field exists on multiple events, users may set this feature so that it stores the PDF in the selected field in the current event (default) or else in a specific event in the project. Thanks to Philip Chase and his team at University of Florida for their inspiration for this feature, in which it was based on their “Save Survey PDF to Field” external module. NOTE: Upgrading to REDCap 10.6.0 will *not* automatically disable the “Save Survey PDF to Field” module if it is installed and enabled on any projects, nor will it transfer the saved settings of that module into this new feature in REDCap.
Improvement: File Upload fields and Signature fields may now be used in piping. If you are piping *from* a File Upload field or Signature field, the field’s numerical value will be piped by default, but you may pipe the original filename of the uploaded file by appending the ‘:label’ option, such as [my_field:label].
Improvement: The REDCap::saveData method for plugins/hooks/modules now has an alternative way of passing parameters to the method. Rather than providing the method’s parameters individually, they instead may be passed to the method in an associative array, in which each key in the array exactly matches the parameter names listed above (must match case). Note: Not all the parameters have to be included in the array, but only the ones one wishes to set explicitly. Example: $params = array('dataFormat’=>’json’, 'type’=>’flat’, ‘data’=>’[{"record_id":"1","age":"41","dob":"1978-07-20","form_1_complete":"0"}]');$response = REDCap::saveData($params);
Change/improvement: Users are now permitted to import data values for Biomedical Ontology fields. In previous versions, this was not allowed and would return an error message when a user attempted this. The Data Import Tool now displays a warning (instead of an error) that informs users that importing data for such fields is allowable but is not recommended because the value might not display correctly if viewed afterward on a report or in the data entry interface, in which this is caused by the fact that the label is missing because it has not been fetched via the BioPortal web service and then cached in REDCap’s database tables. (Ticket #8096)
Bug fix: If a user has REDCap Messenger opened and is viewing the System Notifications or the General Notifications channel, if they navigate from page to page while leaving Messenger opened, the messages in either of those channels would mistakenly fail to display until they clicked the “System Notifications” or “General Notifications” links in the Messenger window.
Bug fix: If a user is using REDCap Messenger, the height of the Messenger window might not get calculated correctly and thus might mistakenly run off the bottom of the page (making it impossible to read all the messages) or else might leave unnecessary extra space at the bottom of the page.
Bug fix: When importing the value for a field that is referenced inside the @CALCTEXT action tag of another field, the import process would mistakenly fail to update the @CALCTEXT field. (Ticket #96419)
Bug fix: In a longitudinal project where a checkbox field is referenced in the branching logic and/or calculation of another field on the same instrument, in which the branching logic or calculation references that checkbox field on the same event and also on other events (i.e., cross-event logic/calc), the branching logic and/or calculation will evaluate correctly when the page is initially loaded, but if the checkbox’s value gets modified on that page by checking/unchecking any of its choices, the branching logic and/or calculation might begin not to evaluate correctly anymore on that page until the page is refreshed or returned to at a later time. (Ticket #95744)
Bug fix: Forty-three Laboratory fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.
Change: On the Survey Settings page, the e-Consent Framework setting “Allow e-Consent responses to be edited by users?” is now pre-selected by default when enabling the e-Consent Framework.
Bug fix: When importing data for pseudo-calc fields (i.e., fields with the @CALCDATE or @CALCTEXT action tag), it would mistakenly allow values for such fields to be imported. It should instead prevent values for pseudo-calc fields from being imported since their value will be calculated automatically during the import process. Similar to calculated fields, any pseudo-calc fields will be ignored during the data import process. If values for pseudo-calc fields need to be updated en masse, this can be done by running Data Quality rule H.
Bug fix: The “View project as user” feature would mistakenly not work correctly on the Other Functionality page in a project, and thus it might display some things that it should not and also might hide some things that should be displayed.
Bug fix: The “Time Limit for Survey Completion” option on the Survey Settings page would mistakenly not function correctly if using MySQL 8. (Ticket #94256)
Bug fix: When a repeating instrument is enabled as a repeating multi-page survey in a longitudinal project, and all the fields on a given survey page are hidden by branching logic, in which the the fields in the branching logic does not have [current-instance] appended to them, then in certain circumstances a survey page might mistakenly get skipped while a participant is taking the survey. (Ticket #96426)
Bug fix: The ontology Current Procedural Terminology (CPT) was removed from the list of BioPortal Ontology Services since that ontology is no longer usable by the BioPortal service due to licensing reasons.

Version 10.5.2 (released on 2020-11-20)

CHANGES IN THIS VERSION:

Improvement: The “E-signature and Locking Management” page in a project now displays information with regard to record-level locking, whereas in previous versions it only displayed information for instrument-level locking. (Ticket #95496)
Bug fix: In the Add/Edit Field popup in the Online Designer, if the user selects “Slider” from the Field Type drop-down, whenever they have their cursor inside any of the fields in the “Labels displayed above slider” section in the popup and then they click Enter on their keyboard, it would mistakenly display an unrelated popup dialog about SQL Fields. (Ticket #96061)
Bug fix: The action tags @CALCDATE and @CALCTEXT might fail to work correctly or might display an error on the form/survey page if they are referencing a field from another event in a longitudinal project. (Ticket #95993)
Bug fix: If using the Smart Variables [form-link], [form-url], [survey-link], [survey-url], [survey-queue-link], [survey-queue-url], [survey-time-completed], or [survey-date-completed] in branching logic or in a calculated field’s equation, an error message might mistakenly display on the data entry form or survey page saying that there is something syntactically incorrect about the logic/calculation. (Ticket #96080)
Change: Added more informative text in the Biomedical Ontology information popup regarding the use of the BioPortal API web service and also how to contact BioPortal directly if a user has specific questions about their service.
Bug fix: When new records are created rapidly in a project, especially when they are created nearly simultaneously, it could cause the record list cache on the database back-end to mistakenly get out of sync, thus causing record dashboards, reports, etc. to display the records in an incorrect order. (Ticket #94027)
Bug fix: If a field with variable name “title” is used in the branching logic of another field, it would mistakenly display a branching logic error on the page. (Ticket #96154)
Bug fix: If a data entry form or survey page has many fields with branching logic, the page might load unexpectedly slow because of an inefficiency with the process of checking if any embedded fields exist on the page. The inefficient code has been fixed so that if field embedding is not being used on a data entry form or survey page, the branching logic of all fields on the page will be processed 10x-30x faster than in previous versions of REDCap 10.X, thus making the page load much more quickly, especially when the instrument contains many fields. (Ticket #92556)
Bug fix: If a Signature field or File Upload field is embedded inside another field on an instrument, if the field is Left-aligned (LV or LH) and the instrument has been taken as a survey, in which the survey participant has uploaded a file for the field, the field would fail to embed and would appear invisible when viewed on a data entry form prior to the user clicking the “Edit response” button.
Bug fix: If the record name is very long for a record in a project, the record name in the Action column of the Logging page might overflow onto other text in the Logging table, thus sometimes making it unreadable.
Bug fix: If a survey has the e-Consent Framework enabled and is using a survey theme, the e-Consent certification box and text on the last page of the survey would mistakenly not respect the survey theme colors. (Ticket #96277)

Version 10.5.1 (released on 2020-11-12)

CHANGES IN THIS VERSION:

Major bug fix: If a user is in a classic/non-longitudinal project and selects an instrument after clicking the “Show data collection instruments” link on the left-hand menu, the instrument page displaying the record drop-down lists would mistakenly be only partially displayed due to a fatal PHP error on the page.
Bug fix: On the Configuration Check page, it was mistakenly displaying MySQL database configuration suggestions for the MySQL query cache setting even though the query cache is deprecated in MySQL 8.0. It will now no longer suggest changes to the query cache if using MySQL 8.0. (Ticket #95873)

Version 10.5.0 (released on 2020-11-12)

CHANGES IN THIS VERSION:

New action tag: @PREFILL - Sets a field’s value to static text or dynamic/piped text whenever a data entry form or survey page is loaded, in which it will always overwrite an existing value of the field. The format must follow the pattern @PREFILL="???", in which the desired value should be inside single or double quotes. A field with @PREFILL will always be read-only, thus its value cannot be modified manually on the data entry form or survey page. For text fields, you may pipe and concatenate values from other fields in the project - e.g., @PREFILL=’Name: [first_name] [last_name], DOB: [dob]‘. For checkbox fields, simply separate multiple checkbox values with commas - e.g., @PREFILL=’1,3,[other_field:value]‘. NOTE: The piped value does *not* get applied during any data imports (via API or Data Import Tool) but only operates when viewing survey pages and data entry forms. NOTE: A field with @PREFILL will have its value updated ONLY when the page loads, which means that its value will not be updated in real-time if you modify other fields on the same page that are piped into the @PREFILL tag. NOTE: If being used on a date or datetime field, the date value inside the quotes must be in Y-M-D format - e.g., @PREFILL=’2007-12-25’ - regardless of the field’s set date format. NOTE: The only difference between @PREFILL and @DEFAULT is that @DEFAULT is only applied when an instrument has no data yet, whereas @PREFILL will always be applied on an instrument, meaning that @PREFILL will ALWAYS overwrite the value if a field value already exists. TIP: To pipe the value of one multiple choice field into another multiple choice field, make sure you append ‘:value’ to the variable being piped - e.g., @PREFILL=’[my_dropdown:value]'.
New special functions: left(), right(), mid(), length(), find(), trim(), upper(), lower(), and concat(). These nine new functions can be specifically used when dealing with text values and may be especially useful when using them in conjunction with the @CALCTEXT action tag. To learn more and to see some practical examples of their usage, click the blue ‘Special Functions’ button in the Online Designer in any project.
- left (text, number of characters) - Returns the leftmost characters from a text value. For example, left([last_name], 3) would return ‘Tay’ if the value of [last_name] is 'Taylor’.
- right (text, number of characters) - Returns the rightmost characters from a text value. For example, right([last_name], 4) would return ‘ylor’ if the value of [last_name] is 'Taylor’.
- length (text) - Returns the number of characters in a text string. For example, length([last_name]) would return ‘6’ if the value of [last_name] is 'Taylor’.
- find (needle, haystack) - Finds one text value within another. Is case insensitive. The “needle” may be one or more characters long. For example, find(‘y’, [last_name’]) would return ‘3’ if the value of [last_name] is 'Taylor’. The value ‘0’ will be returned if “needle” is not found within "haystack".
- mid (text, start position, number of characters) - Returns a specific number of characters from a text string starting at the position you specify. The second parameter denotes the starting position, in which the beginning of the text value would be '1’. The third parameter represents how many characters to return. For example, mid([last_name], 2, 3) would return ‘AYL’ if the value of [last_name] is 'TAYLOR’.
- concat (text,text,…) - Combines/concatenates the text from multiple text strings into a single text value. For example, concat([first_name], ' ', [last_name]) would return something like 'Rob Taylor’. Each item inside the function must be separated by commas. Each item might be static text (wrapped in single quotes or double quotes), a field variable, or a Smart Variable.
- upper (text) - Converts text to uppercase. For example, upper(‘John Doe’) will return 'JOHN DOE’.
- lower (text) - Converts text to lowercase. For example, lower(‘John Doe’) will return 'john doe’.
- trim (text) - Removes any spaces from both the beginning and end of a text value. For example, trim(' Sentence with spaces on end. ') will return 'Sentence with spaces on end.’.
Improvement: The Configuration Check page will now provide MySQL/MariaDB database configuration recommendations to improve database performance and stability. REDCap will check and compare various MySQL/MariaDB configuration settings to identify any settings that are not set correctly or should be changed. Most of the suggestions are based on the same recommendations from a popular open-source product named MySQL Tuner. If no recommendations have been identified, the Configuration Check page will display a green checkmark icon with a short message saying that the configuration settings appear sufficient for optimal performance and stability.
Bug fix: One Laboratory field and its associated LOINC code was not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.
Bug fix: Certain third-party PHP packages used in REDCap were mistakenly not compatible with PHP versions lower than PHP 7.2.5, and this would prevent some REDCap installations from upgrading to a recent release.
Bug fix: When using Missing Data Codes in a project that has a drop-down field or a radio button field with a @NOMISSING action tag, in which one of the choice codings of the drop-down/radio is exactly the same as a Missing Data Code, if the field’s value was set to a choice that corresponds to a Missing Data Code, after saving the data entry form and then returning to it later, the field would mistakenly be disabled on the page, thus preventing anyone from changing its value. In this scenario, the field should not be disabled if the @NOMISSING action tag is being used. (Ticket #95510)
Bug fix: When an admin is using the “View Project as User” feature in a project, it might mistakenly display the “External Modules” link on the left-hand menu, even though the user being impersonated would never actually see that link displayed. (Ticket #95371)
Bug fix: When exporting a PDF of saved data, if the PDF contains a survey response in which a Participant Identifier value had been entered into the Participant List for that participant, the PDF would mistakenly always display the Participant Identifier at the top right corner of the PDF. If a user that has De-Identified export privileges or Remove Identifier export privileges is exporting the PDF, or if a survey participant is exporting the PDF of their own responses, it should not display the Participant Identifier inside the PDF. (Ticket #95435)
Bug fix: When importing certain PROMIS instruments or batteries from the REDCap Shared Library in which the instrument contains a T-Score and Standard Error field, if the PROMIS instrument is viewed as a data entry form in the REDCap interface, it might mistakenly display a branching logic error on the page. In these cases, the bug cannot be fixed except by deleting the instrument from the project (beware: this might delete or orphan any already-collected survey responses for the PROMIS instrument) and then by re-downloading it from the Shared Library. Bug emerged in REDCap 9.10.0 Standard and 9.5.28 LTS. NOTE: This would not impact the display of the PROMIS instrument when being taken as a survey by a participant.
Bug fix: When assigning records to Data Access Groups via data import, in certain scenarios the records being imported would get assigned to DAGs properly but the Record List Cache would mistakenly not get updated during the import process, thus causing specific pages (e.g., reports, Record Status Dashboard) not to display those records when filtering by their DAG. If this issue occurred, the only thing that would fix it would be for an admin to know to click the “Clear the Record List Cache” button in the project. (Ticket #95133)
Change: Added the project PID to the prepopulated email subject field when clicking the blue “Contact REDCap administrator” button on a project’s left-hand menu.
Change: When uploading a file to the File Repository and when uploading an attachment to an alert, it now specifies the max file upload size in each location.
Bug fix: The User Access Dashboard’s drop-down list filter of project statuses mistakenly included “Archived” projects, which is a mistake since “Archived” is no longer a valid option for a project status as of REDCap 9.8.0.

Version 10.4.1 (released on 2020-11-06)

CHANGES IN THIS VERSION:

Bug fix: If a checkbox field whose variable name matches a PHP function (including REDCap-defined PHP functions) is used in conditional logic, report filter logic, branching logic, calculations, etc., it would not get parsed correctly, and the logic/calculation would mistakenly be considered syntactically invalid.
Bug fix: When viewing the project Logging page, any “Sent Alert” logged events that pertain to records would mistakenly not be displayedBug fix: When importing data via the Data Import Tool for a Text Field with min/max range validation, if the value being imported is out of range, it would correctly display it inside an orange box but would mistakenly fail to list the existing value in red below the new value if the field already contained an existing value. on the page when filtering by record name. (Ticket #95222)
Bug fix: When an administrator is approving Draft Mode changes for a production project in the To-Do List, the dialog popup on the page would mistakenly not close itself after an action was taken on that To-Do List item. (Ticket #95292)
Bug fix: When using certain Smart Variables inside @CALCDATE or @CALCTEXT, it might mistakenly cause a calculation error to occur on the data entry form or survey page.
Bug fix: When using the @DEFAULT action tag on an instrument that is not the first instrument, if the record has the record name “0” and is an existing record, the action tag would fail to work successfully. (Ticket #95296)
Bug fix: If an administrator sends a General Notification to users in REDCap Messenger, it might mistakenly send an email notification multiple times to each user when instead it should only send a single email notification (if the user’s permissions dictate that they receive email notifications). Bug emerged in REDCap 10.4.0.
Change: On the Data Quality page, the text boxes used for adding/editing custom data quality rules were enlarged and are now resizable.

Version 10.4.0 (released on 2020-10-30)

CHANGES IN THIS VERSION:

New action tag: @CALCDATE - Performs a date calculation by adding or subtracting a specified amount of time from a specified date or datetime field and then provides the result as a date or datetime value - e.g., @CALCDATE([visit_date], 7, ‘d’). The first parameter inside the @CALCDATE() function should be a text field with date, datetime, or datetime_seconds validation, in which you may specify (if needed) the event and repeating instance - e.g., @CALCDATE([baseline_event][visit_date], 7, ‘d’). The second parameter represents the offset number amount that should be added or subtracted. It can be a decimal number or integer. Tip: To subtract (i.e., go backwards in time), use a negative number. The third parameter represents the units of the offset amount, which will be represented by the following options: ‘y’ (years, 1 year = 365.2425 days), ‘M’ (months, 1 month = 30.44 days), ‘d’ (days), ‘h’ (hours), ‘m’ (minutes), ‘s’ (seconds). The unit option must be wrapped in quotes or apostrophes. NOTE: Both the source field and the result field must be a text field with date, datetime, or datetime_seconds validation. It is important to realize that a field with @CALCDATE will not be editable on the survey page or data entry form, and the field will function almost exactly like a normal calculated field, in which its value may get updated via a data import, when running Data Quality rule H, or in real-time during normal data entry on a form or survey.
New action tag: @CALCTEXT - Evaluates logic that is provided inside a @CALCTEXT() function and outputs the result as text, typically performed with an if(x,y,z) function - e.g., @CALCTEXT(if([gender]=’1’, 'male’, ‘female’)). NOTE: It is important to realize that a field with @CALCTEXT will not be editable on the survey page or data entry form, and the field will function almost exactly like a normal calculated field, in which its value may get updated via a data import, when running Data Quality rule H, or in real-time during normal data entry on a form or survey. If desired, it is possible to return the value as a number - e.g., @CALCTEXT(if([age] >= 18, 'adult’, 5*[other_field])).
New feature: Data Access Group import/export and DAG-User assignment import/export - The Data Access Groups page in a project now displays a drop-down list of options for users to import/export Data Access Groups, which allows users to bulk create or rename DAGs via a CSV file. It also allows for the import/export of DAG-user assignments via CSV file to bulk assign/reassign/unassign users from DAGs in a project. Note: The DAG-user assignment import affects only a user’s *current* DAG assignment; thus, it has no effect on the DAG Switcher assignments for the user.
New feature: Data Quality Rule import/export - The Data Quality page in a project now displays a drop-down list of options for users to import/export custom Data Quality rules via a CSV file. Note: This does not apply to the pre-defined DQ rules (rules A-I). Also, when DQ rules are imported, the process is additive only, meaning that the CSV upload cannot replace or edit existing DQ rules but will only add new ones to the project.
Improvement: On a user’s My Profile page, there is a new setting under “Notification Preferences for REDCap Messenger” to enable/disable email notifications specifically for General Notifications and System Notifications. This setting will be enabled by default for all users. This is intended to help users who ignore messages from Messenger to become more informed about messages sent from administrators (via General Notifications) and to become more aware of new features (via System Notifications). Note: Users with this option enabled will not receive an email notification for General/System Notifications if they have not logged into REDCap in the past 6 months. Also, if you wish to automatically disable this setting for all users, simply run the following SQL immediately after the upgrade has completed: update redcap_user_information set messaging_email_general_system = 0;
Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags with JavaScript event attributes in a very specific way into text that ultimately gets displayed on a webpage (e.g., via a message in REDCap Messenger, via field labels on a survey or data entry form).
Bug fix: If a checkbox field whose variable name ends with “round” is used in conditional logic, report filter logic, branching logic, calculations, etc., it would not get parsed correctly and would mistakenly be considered syntactically invalid. (Ticket #94109)
Bug fix: The “redcap_survey_complete” hook was mistakenly being called at incorrect/additional times on a survey when it should only be called when the survey had just been completed. (Ticket #93703)
Bug fix: In specific situations where both Field Embedding and branching logic are used together on a multi-page survey, in which fields on one page have branching logic referencing fields from previous pages, it might mistakenly display a branching logic error prompt on the page. (Ticket #94536)
Bug fix: The “View Project as User” feature was not behaving accurately on the “Designate Instruments for My Events” page in longitudinal projects. (Ticket #79227)
Bug fix: When exporting data to SAS, the “format” of a multiple choice field might not get represented correctly in the SAS syntax file, thus causing errors to occur when loading the data into SAS for certain types of REDCap projects and for certain SAS clients/versions.
Bug fix: In the API Playground, the example Ruby output was slightly incorrect due to a variable naming issue and would throw an error if someone attempted to run it. (Ticket #94486)
Bug fix: When utilizing Missing Data Codes in a project and performing a data export to a stats package (R, Stata, SAS, SPSS), in which the export contains a checkbox field that has a @NOMISSING action tag, the resulting syntax file for the stats package would mistakenly include the Missing Data Code options for the checkbox even though the CSV file would correctly omit them. This would cause an issue when loading the exported data into the stats package. (Ticket #94334)
Bug fix: If a user contains an apostrophe in their username (because LDAP allows this), the username search functionality and some buttons might not work on the Browse Users and Browse Projects pages in the Control Center. (Ticket #79647)Bug fix: REDCap might mistakenly fail to correctly parse logic (conditional logic, branching logic, calculations) in certain contexts if the logic contains Smart Variables that have parameters appended to them after a colon, such as [form-link:instrument]. (Ticket #93955)
Bug fix: The R code that gets auto-generated by the API Playground was out of date and was no longer valid.
Bug fix: In a project that has a project-level or survey-level designated email field, in which the project is longitudinal or has repeating events or instruments, if a designated email field is being updated via a data import for a given event or repeating instance, it would mistakenly fail to additionally update that email field in all events/instances that contain data for the given record being imported. This could cause records to end up with differing values of the email field on different events/instances, which should never happen. (Ticket #94408)
Bug fix: When running Data Quality rule B, it might mistakenly not return discrepancies that exist on repeating instruments or repeating events. (Ticket #94979)
Bug fix: When running Data Quality rule F, it might mistakenly return false positives for fields that exist on repeating events. (Ticket #94985)
Bug fix: When using the “Move multiple fields” functionality on the Online Designer, it would correctly move them all to the right position, but they would mistakenly be in reverse order.
Bug fix: When uploading a new Instrument Zip file via the Online Designer, if a field in the Instrument Zip file contains branching logic or a calculation that references a checkbox field, it might mistakenly not auto-fix the branching logic/calculation correctly if the checkbox field’s variable name already exists in the project and is thus renamed on the fly. This would cause branching logic or calculation errors to be displayed on the new instrument when viewing on a data entry form or survey. (Ticket #95101)

Version 10.3.8 (released on 2020-10-23)

CHANGES IN THIS VERSION:

Medium security fix: If a malicious user has knowledge of REDCap’s infrastructure and code, they might be able to inject specific PHP code into conditional logic or calculations that get evaluated by PHP. Note: This same security fix from a recent release was not fully remediated in that previous version.
Minor security fix: A Cross-Site Request Forgery (CSRF) vulnerability was discovered where a malicious user (who must be logged in) could potentially exploit it by adding some specific parameters to POST requests in the application.
Minor security fixes: Various Cross-site Scripting and SQL Injection vulnerabilities were discovered where a malicious user (who must be logged in) could potentially exploit them by adding some specific parameters and values to GET and/or POST requests in the application.
Minor security fix: If a malicious user has knowledge of REDCap’s infrastructure and code, they might be able to pass possibly dangerous values into input parameters that eventually pass through PHP’s unserialize() function, which could possibly be used for remote code execution. The usage of unserialize() has been modified to protect against dangerous values passed to it.
Improvement: When using the Clinical Data Mart feature in a project, it now contains a new setting (for Admins only) on the Project Settings page that will turn off the daily data fetch cron job at a specified date. In addition, a record-level version of this Data Mart cron job “kill switch” has been added as a new field on the “Project Settings” instrument in the Data Mart project that will stop running the daily cron job for specific records based on the date values (i.e., a beginning and end date) entered into fields for a given record. Note: If an existing Data Mart project already exists, you can add the variables fetch_date_start and fetch_date_end to the Project Settings instrument to utilize the record-level setting to only fetch data within a specified time period for a given record.
Change: Regarding a code change in v10.3.5 (Standard) that allowed PHP warnings (but not PHP errors) to be displayed on REDCap pages for development servers (and also for any servers where hooks or external modules were incidentally enabling the PHP error reporting on the server), this has been reverted so that PHP warnings will no longer be displayed anymore on any REDCap server except for the REDCap development team.
Bug fix: When a data entry form is being viewed for a record that has not been created yet, it was mistakenly displaying the “H” icon to view the Data History popup, which is nonsensical if the record does not exist yet. It no longer displays the “H” icon on the page until the record has been created. (Ticket #94427)
Bug fix: If a checkbox is being piped somewhere else on the same page as where the checkbox field itself exists, it might mistakenly not update in real time when the checkbox is checked or unchecked. However, it would pipe correctly whenever the page is loaded.
Bug fix: If the Clinical Data Mart feature is enabled at the system level but the Clinical Data Pull is disabled at the system level, then the user-level option to grant a user Data Mart privileges would mistakenly not be displayed on the Browser Users page in the Control Center.
Bug fix: When a matrix of checkboxes are embedded individually inside another field on the same page, any change to those embedded checkboxes (either checked or unchecked) would mistakenly not take effect and thus its value would not get saved appropriately. (Ticket #94519)
Bug fix: When using the “project_id” field for the “Custom Surveys for Project Status Changes” feature, specifically for the project creation process when users must request that admins create their projects on their behalf, the PID value of the new project would mistakenly not get stored in the project that contains the embedded survey and is used to capture project creation details. (Ticket #90873)
Bug fix: When using the PDF Auto-Archiver option for a survey, if the survey response is completed and then is later deleted via the Delete button on the data entry form, if that survey is taken again for that same record, then it would mistakenly not save a new PDF in the File Repository for the new response but would only retain the original one.

Version 10.3.7 (released on 2020-10-13)

CHANGES IN THIS VERSION:

Critical security fix: If a malicious user has knowledge of REDCap’s infrastructure and code, they could potentially manipulate the URL of certain project-level pages in REDCap and bypass authentication to view those pages without ever having logged in. Note: There is no known report of this vulnerability ever having been exploited in the wild on any REDCap installation. Given that this vulnerability is present in all versions of REDCap beginning with 9.1.16 (LTS) and 9.3.7 (Standard), and given the fact that a previously patched vulnerability affects all versions beginning with REDCap 6.18.0, it is recommended that anyone on REDCap 6.18.0 or higher should immediately upgrade to this version: 10.3.7 (Standard), 10.0.23 (LTS), or 9.5.36 (LTS).
Bug fix: When evaluating logic for large amounts of records, such as with the “datediff” cron jobs for both Alerts and ASIs, REDCap was making an inordinate amount of calls to the database and was also performing too much logic processing unnecessarily. These unnecessary processes have been removed, which should improve general performance of logic parsing/processing in REDCap. (Ticket #93787)
Various fixes for PHP warnings that only get displayed in non-production installations.

Version 10.3.6 (released on 2020-10-09)

CHANGES IN THIS VERSION:

Improvement: The filename of a file uploaded to a File Upload field will now be displayed in a downloaded PDF with saved data and also in the download button for File Upload fields displayed in reports. The filename will also be displayed as the value of a File Upload field in a data export (excluding CDISC ODM exports, including API exports).
Bug fix: If an SQL field is used in a Custom Record Label, it would mistakenly run that same SQL query for every record being displayed on the Add/Edit Records page and Record Status Dashboard, which could cause performance degradation to the REDCap server for larger projects.
Bug fix: If a Notes field has text data that contains tab characters, those tab characters would mistakenly be represented in an exported PDF as square box characters.
Bug fix: When exporting an instrument as a PDF with data, if a given page in the PDF ends with a Signature field displayed at the bottom (but not necessarily being the last field on the instrument or survey), it might get confused about inserting a page break directly after the signature, thus causing the next page to be overwritten on top of the first. This would typically make the two pages unreadable.
Bug fix: If a calculated field’s equation begins with the function "log", "min", or "max", then the PHP-side processing of the calculations (via Data Import or Data Quality rule H) would cause the calculation to not return the correct result if one or more fields used in the equation contained a blank value. (Ticket #93169)
Bug fix: When upgrading REDCap to v9.6.0 or higher from a lower version, an SQL error might occur for the redcap_mobile_app_log table when running the SQL upgrade script. (Ticket #92240)
Bug fix: When a survey that has the e-Consent Framework enabled also has the option enabled to prevent users from editing e-Consent responses, if a user is on the data entry form at the same time that a respondent is consenting that instrument as a survey, then the user could mistakenly overwrite the respondent’s survey results and nullify their consent if the user submits the page after the respondent does. Now in this scenario, if the respondent has already consented and the user attempts to save the data entry form, it will not save the data the user submitted and will instead display an error that explains why their data cannot be saved. (Ticket #92297)
Bug fix: When viewing the survey login screen for a survey on certain devices (e.g., Safari on iOS), the browser would mistakenly suggest to the participant that they should use the fields as if they are creating a new password, which is incorrect and confusing. (Ticket #93095)
Bug fix: When running a custom Data Quality rule that contains checkbox fields, the resulting display of discrepancies might mistakenly not display the checkbox fields but would display all other field types.
Bug fix: When using logic for report filters, ASIs, DQ rules, etc., in which the logic has an [X-event-name] Smart Variable that is prepended to a checkbox field, it might mistakenly not parse and process the logic correctly, thus possibly returning incorrect results. (Ticket #93534)
Bug fix: When using the Survey Queue in which a survey in the queue has been completed and is either 1) a repeating survey, or 2) a survey that allows the respondent to return and modify completed responses, the rows in the Survey Queue for such surveys might get hidden and thus can only be seen when clicking the “view all” link. This could prevent some respondents from finding these hidden surveys in the queue if the respondent needs to add another response for the repeating survey or to modify the completed, editable survey.
Change: When editing a field in the Online Designer, if the field’s variable name is longer than 26 characters, the page no longer gives the warning popup about this when clicking the Save button in the Edit Field dialog but only at the point when the variable name is actually changed. This new behavior should be a lot less annoying to users with very long variable names.
Bug fix: When a checkbox field is a required field and is embedded inside another field that has an @HIDDEN action tag (including @HIDDEN-SURVEY or @HIDDEN-FORM), if the checkbox had some checkboxes checked (after being saved previously) and then a user saved the form/survey, it would mistakenly uncheck all the checked checkboxes for that hidden, embedded checkbox field. (Ticket #93766)
Change: Some warning text was added to the Edit Alert dialog on the Alerts & Notifications page in the event that the user selects the third radio option for Step 1A while selecting the “every instance of a repeating instrument” option in Step 1C, which can cause the alert to be triggered off of every new repeating instance that is added to *any* repeating instrument in the project. Such behavior is often not intended, and could mistakenly cause many unintended alerts to be sent. New warning text: “WARNING: It is generally not recommended to use ‘Using conditional logic…’ in Step 1A together with the option ‘…on every instance of a repeating instrument’ in Step 1C. If these are used together, that means that this alert will be trigger by EVERY repeating instance that is saved for ANY repeating instrument in the project.”

Version 10.3.5 (released on 2020-10-02)

CHANGES IN THIS VERSION:

Security improvement: The concept of “public projects” have been removed and thus the My Projects page will no longer display the list of public projects at the bottom of the page. This means that the first 13 projects in a fresh installation of REDCap (and subsequently any projects having “Public/None” authentication) will no longer be accessible via the “site_admin” user anymore. They will no longer be accessible to the public web. This feature has been removed to reduce the overall attack surface area in REDCap to protect against potential malicious users who would like to use these public projects as a testing ground. In general, public projects have not really been utilized very much in recent years, so removing this functionality would not seem to adversely affect many (if any) REDCap institutions.
Security improvement: The OpenID authentication method has been permanently removed from REDCap. This authentication method only supported OpenID version 1, which is very outdated, and the current third-party PHP package being used for OpenID authentication has some potential security issues.
Medium security fix: If a malicious user has knowledge of REDCap’s infrastructure and code, they might be able to read certain files from the web server’s filesystem by manipulating the URL for a file uploaded as a rich text file in an External Module’s configuration.
Medium security fix: If a malicious user has knowledge of REDCap’s infrastructure and code, they might be able to inject specific PHP code into conditional logic or calculations that get evaluated by PHP. Note: This same security fix in last week’s release was not fully remediated in that version.
Minor security fix: A Blind SQL Injection vulnerability and a Cross-Site Scripting vulnerability were found on the To-Do List page, in which a malicious user could potentially exploit it by manipulating the query string of an HTTP request on that page.
Major bug fix: When two users are about to create a new record with the same record name on a data entry form, in which they both upload a file to a File Upload or Signature field on that form prior to pressing the Save button, the last file uploaded might mistakenly get attached to the first record and possibly also to the second record at the same time, thus orphaning the file originally uploaded to the first record. Note: This bug does not exist on surveys. (Ticket #89678)
Major bug fix: When using Twilio to send voice calls for Alerts & Notifications, the message of the voice call would mistakenly be blank, in which it would simply hang up after being picked up by the recipient. (Ticket #93384)
Improvement: The Clinical Data Pull and Data Mart features can now import the date/time of death of a patient (if deceased) as a mappable field.
Change/improvement: The Clinical Data Pull and Data Mart features can now import extra email fields (in addition to the primary email) for a patient using the new mapping fields “email_2” and “email_3” on the field mapping page. In previous versions, multiple email addresses might have been imported into the email field as semicolon-delimited text, but now they can be separated and imported as separate fields. Note: If any existing Data Mart projects already exist, the fields “email_2” and “email_3” must be added to the Data Mart project in order for the extra email addresses to be imported into any record.
Bug fix: If a field is embedded inside the choice label of a multiple choice field that is used in the Custom Record Label, it would mistakenly not embed the field correctly on the page at all. Bug emerged in the previous release. (Ticket #92551B)
Bug fix: Four Laboratory fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.
Bug fix: If randomizing a record while the randomization field and/or a strata field on the page are radio button fields (as opposed to being drop-down fields), after the record has been randomized, those fields would mistakenly not appear to be selected until the page is reloaded or revisited later. This would not affect the data values of the fields at all but could be confusing to users because it seemingly implies that perhaps the randomization process was not completely successful. (Ticket #92825)
Bug fix: REDCap Messenger would mistakenly not open when on the External Modules page in the Control Center.
Bug fix: When copying a project and selecting the option to copy "All settings for Survey Queue and Automated Survey Invitations", it would mistakenly fail to copy the time lag fields of “before/after” and "the ASI has been triggered/[date or time field]" (if defined) for Automated Survey Invitations. (Ticket #92213)
Bug fix: When a project has some alerts set to send as SMS or Voice Calls, but the Twilio functionality has been completely disabled at the system-level in the Control Center, the REDCap page would mistakenly crash with a fatal PHP error when those alerts get triggered. (Ticket #92179)
Change: When a user submits production changes via Draft Mode in the Online Designer, if the changes are approved automatically, it no longer sends an email to the user themselves. This email was superfluous since the user was already notified of this in the user interface. (Ticket #91415)
Bug fix: When a user copies a project or creates a new project via a Project Template, in which a survey in the original project had enabled the Survey Confirmation Email and had its option “Include PDF of completed survey as attachment” checked, that checkbox option would mistakenly not be saved/checked in the new resulting project. (Ticket #92058)
Bug fix: The underlying code/logic that determines when PHP warnings in REDCap should be output to the page on development servers was not quite correct, although it does not appear to have had any adverse consequences.
Bug fix: When the system-level setting “Utilize the Display Name in all outgoing emails?” is turned off, the user interface on the Alerts & Notifications page would still mistakenly display the “Display name” text box in the “Create new alert"/"Edit alert” dialog. (Ticket #92245)
Bug fix: When creating/editing an Automated Survey Invitation and clicking the “Save & Copy to…” button, it would mistakenly fail to copy the time lag fields of “before/after” and "the ASI has been triggered/[date or time field]" (if defined) for the ASI. (Ticket #92213B)
Bug fix: When downloading or uploading a CSV file containing the settings for Automated Survey Invitations on the Online Designer, it would mistakenly forget to include the time lag fields of “before/after” and "the ASI has been triggered/[date or time field]" (if defined) for the ASIs in both the import and export files.
Bug fix: When an alert has been created in a project containing repeating instruments, in which the alert is to be triggered by both conditional logic and when a record is saved on a specific form/survey (i.e., the second radio button in Step 1A), specifically a repeating instrument, then if other repeating instruments exist in the project and contain data while the Trigger Limit value (in Step 1C) is set to “only once per record and also on every instance of a repeating instrument” and then a user clicks the “Re-evaluate Alerts” button on the Alerts & Notifications page, instead of sending/scheduling an alert for just the targeted repeating instrument, it would mistakenly send/schedule an alert for all repeating instruments that contain data for a given record. Note: This only occurs when clicking the “Re-evaluate Alerts” button.
Bug fix: When an alert has been created in a project containing repeating instruments, in which the alert is to be triggered when a record is saved on a specific form/survey (i.e., either the first or second radio button in Step 1A), if the specified instrument is a repeating instrument and a data import is being performed, in which the imported data contains repeating instances of that repeating instrument, then it would mistakenly trigger the alert. When an alert has either the first or second radio button selected in Step 1A, the alert should never be triggered by a data import (including API import or REDCap::saveData) but only when clicking a Save button on a survey page or data entry form.
Change: If the MySQL database is somehow in read-only mode, which means that REDCap will not function properly, REDCap will now display the database error message on the page so that an admin will be notified of this issue and fix it. (Ticket #93212)
Bug fix: If the Data Transfer Services (DTS) are enabled at the system level and the current user has access to a project that has DTS enabled, then a fatal PHP error would be displayed on the My Projects page if on PHP 7.3+. (Ticket #93190)
Bug fix: When viewing the My Projects page or Home page on a mobile device, the Send-It option would mistakenly not be visible in the pull-down navigation menu (i.e., 3-line button at top right).
Change/improvement: The External Service check on the Configuration Check page now returns an error if specific HTTP 4XX status codes are returned and also if any HTTP 5XX status codes are returned from a given external service. This will allow the checks to be more accurate for certain web server configurations.
Bug fix: On the Alerts & Notifications page, the red asterisk in Step 1A of the Edit Alert dialog did not have a corresponding explanation in that section regarding what the asterisk implies. It was mistakenly removed in a previous version, and has now been re-added.
Change/bug fix: When clicking the “Re-evaluate Alerts” button on the Alerts & Notifications page, it was only re-evaluating alerts that had only conditional logic and thus was not re-evaluating alerts that had the first two options selected in Step 1A of the Edit Alert dialog (i.e., “When a record is saved on a specific form/survey…”). The Re-evaluate Alerts now considers all three options in Step 1A when it is evaluating.
Bug fix: The datediff+today/now cron job for Alerts & Notifications that runs every 4 hours might mistakenly fail to remove any scheduled/unsent alerts if the alert’s conditional logic no longer evaluated as TRUE at the time of the cron job running.
Bug fix: Signature fields would mistakenly not work (or not work well) or certain non-mobile touchscreen devices because the jSignature library being used was very out of date. (Ticket #67122)

Version 10.3.4 (released on 2020-09-25)

CHANGES IN THIS VERSION:

Medium security fix: If a malicious user has knowledge of REDCap’s infrastructure and code, they might be able to inject specific PHP code into conditional logic or calculations that get evaluated by PHP.
Bug fix: When loading a public survey for a project that contains 10K+ or 100K+ records, the initial loading of the survey page could be unnecessarily slow due to incorrect assumptions in the code regarding the employment of record auto-numbering for public surveys. Thus it should now load much faster.
Bug fix: When loading a public survey for a project that contains 10K+ or 100K+ records, the initial loading of the survey page could be unnecessarily slow if the project’s back-end “record list cache” has not been recently built, which may occur if users have not been active in the project recently even while many participants are taking the public survey very often. This was caused due to incorrect assumptions in the code regarding when to trigger the auto-build process for the "record list cache". Thus it should now load much faster.
Bug fix: For some REDCap installations, especially those on older PHP versions (7.0 and below), a fatal PHP error might be thrown on the install page or upgrade page, thus preventing someone from installing or upgrading REDCap. Bug emerged in REDCap 10.3.3 (Standard). (Ticket #92141)
Bug fix: In longitudinal projects that contain repeating instruments, if the “designated email field for sending survey invitations” is used or else the survey-level designated email field is used, then it is possible that the designated email field might mistakenly receive repeating values even when its instrument is not a repeating instrument. In this case, the email field’s instrument would mistakenly display a repeating instance status icon (i.e., the stack status icon) on the Record Status Dashboard, but would confusingly prevent the user from navigating inside that instrument for a given record on the dashboard page.
Bug fix: If clicking the pencil icon for a Signature field on the Codebook page, when it opens the field for editing in the Online Designer, it would mistakenly set it as a File Upload field rather than a Signature field, which would cause the field to be modified and saved incorrectly as a File Upload field if the user clicked the Save button in the dialog without changing the field type. (Ticket #92271)
Bug fix: In development environments, PHP warnings might mistakenly be displayed on some survey pages. (Ticket #92303)
Bug fix: If using the SendGrid Email API for sending outgoing emails, if the email subject, email sender, or email recipient is left blank, it would mistakenly crash with a fatal PHP error. This would halt the cron job if this occurred while the cron was running. (Ticket #92266)
Bug fix: When using Clinical Data Interability Services (CDP or Data Mart), all non-Integer record IDs would mistakenly not get inserted into the redcap_ehr_import_counts database table, which tracks the amount of data points/records that have had clinical data imported into them. (Ticket #92426)
Bug fix: If an existing Automated Survey Invitation is modified so that the “Ensure logic is still true?” option is checked (when previously it was unchecked), in which it is the only setting that was modified during this save, it would mistakenly not save that option being checked. (Ticket #92372)
Bug fix: If the survey confirmation email option is enabled for a survey, it would mistakenly include the participant’s email address on the project logging page, which is a privacy concern because it makes anonymous survey responses no longer anonymous and also because it is inconsistent with the text listed below the survey’s Completion Text that says "Your email address will not be stored". Instead of listing the participant’s email on the logging page, it now displays "To: [undisclosed email address]" instead. (Ticket #92210)
Bug fix: If a field is embedded inside the choice label of a multiple choice field that is used in the Custom Record Label, it would mistakenly attempt to embed the field inside the blue/green row near the top of the data entry form. This would also cause an embedding error to be displayed on the page if the field were embedded elsewhere on that page. (Ticket #92551)

Version 10.3.3 (released on 2020-09-17)

CHANGES IN THIS VERSION:

Medium security fix: Since it has been determined that REDCap versions 10.3.1 Standard Release and lower and 10.0.17 LTS and lower contain security vulnerabilities that are still executable if those version directories continue to remain on the REDCap web server, the Configuration Check page in the Control Center now recommends that you remove those older version directories that contain specific major vulnerabilities that they cannot be exploited by a malicious user.
Minor security fix: To prevent potentially malicious users from harvesting Table-based usernames from REDCap via the Password Recovery page, it now displays a deterministic (but fake) security question if the username entered does not exist in the system. This behavior makes it impossible for the malicious user to determine if the username entered was a real username or not.
Bug fix: If a new user is accessing REDCap for the first time while using an external authentication method (i.e., not using Table-based authentication), the page that asks them to enter their name and email address would not get saved and would mistakenly display the “multiple tabs open” error message.
Bug fix: If using the Twilio telephony feature on the Public Survey Link page of a project to send an SMS message containing a link to the public survey, it would mistakenly omit the survey link in the content of the SMS if the content contains the Smart Variables [survey-url] and [survey-link] with no “instrument” parameter defined inside the square brackets.
Bug fix: If a data entry form contains a Descriptive field with an embedded audio or video file, it might mistakenly allow two users to access and modify values on that form at the same time, thus allowing them to mistakenly bypass the Simultaneous User Prevention feature. (Ticket #91334)
Change/improvement: When navigating through pages in the Control Center, it now only places the admin’s cursor in the PID Search textbox on the main Control Center page (i.e., “Notifications & Reporting”). On other pages, such as URL Shortener, Browse Users, Browse Projects, and Add Users, it will automatically place the cursor in the first textbox on the page as a convenience. (Ticket #91939)
Change: The Configuration Check page now recommends that the web server setting “max_input_vars” be set to a value of at least 100000 in the PHP.INI configuration file.
Bug fix: If a field is embedded inside the choice label of a checkbox field, it might cause issues if the embedded field contains branching logic to hide/show it when its associated checkbox option is clicked. In many cases, clicking the embedded field might cause the parent checkbox to mistakenly uncheck itself, thus making normal data collection in this way impossible.
Bug fix: If a radio button field is embedded inside the choice label of a checkbox field, the radio field’s “reset” link would mistakenly not uncheck a selected radio button.

Version 10.3.2 (released on 2020-09-11)

CHANGES IN THIS VERSION:

Critical security fix: If a malicious user has knowledge of REDCap’s infrastructure and code, they could potentially manipulate the URL of certain non-project pages in REDCap (e.g., Control Center pages, non-project External Module pages) to bypass authentication and view those pages without ever having logged in. And in very specific cases, the user might (if they have specialized knowledge of REDCap) be able to submit the page and actually affect system configuration settings. Note: There is no known report of this vulnerability ever having been exploited in the wild on any REDCap installation. This vulnerability is present in all versions of REDCap beginning with REDCap 6.18.0.
- Manual code fix: If you are unable to upgrade REDCap but are able to modify the REDCap PHP files on your server, open the file /redcap_vX.X.X/Classes/System.php and in the function defineAppConstants(), modify the line if ($Route->get()) define("PAGE", $Route->get()); to replace it with if ($Route->get() && strpos(PAGE_FULL, “/redcap_v{$redcap_version}/index.php”) !== false) define("PAGE", $Route->get());
Minor security fixes: Various minor security vulnerabilities (including SQL injection, Cross-site Request Forgery, and Cross-site Scripting) were found on various pages throughout REDCap and were remediated.
Major bug fix: If a survey participant’s email address was added to an initial survey on the Participant List, and then the participant takes the survey using their private survey link, in which they fail to enter a value for a required field on the first page of that survey, it would mistakenly cause their partial survey completion status to be mistakenly orphaned (thus not displaying the partial response status icon but a red/Incomplete status icon) and might cause their email address to disappear from the Participant List. Additionally, it would cause the next record name in the project to be skipped, thus leaving a gap in the list of record names.
Change: If a project has Randomization enabled and is currently in production, REDCap administrators will not be allowed to move the project back to development status as they normally can on the Other Functionality page. This option is disabled in this case to prevent issues occurring with randomization, such as the fact that all values for the randomization field get erased when moving from development to production.
Bug fix: When a participant loads a public survey, if the tentative record name that was generated when the survey loaded somehow matches the record name of an existing record that has been locked via Record-level Locking, it would mistakenly display the erroneous message that the public survey cannot be taken because the record is currently locked, which is not correct.
Bug fix: If a user is running Data Quality rule H to fix calculations that exist on a survey that has been completed via the e-Consent Framework, although it might note that some calc fields’ values need to be fixed, clicking the “Fix calcs now” button for DQ rule H would mistakenly not fix them and would not explain why.
Bug fix: Queries would mistakenly get displayed on the page momentarily right after logging in via Shibboleth or Shibboleth+Table. (Ticket #91504)
Bug fix: If a value is being entered into a "Phone (North America)" validated field, and the field’s value is formatted slightly after being entered (to add parentheses, spaces, and dashes), any branching logic or calculations triggered by the field would mistakenly use the hand-entered value of the field rather than the final formatted value, which could cause issues in certain scenarios. (Ticket #91722)

Version 10.3.1 (released on 2020-09-03)

CHANGES IN THIS VERSION:

Major bug fix: If running PHP 5.5 or 5.6, it would not be possible to upgrade to a recent version of REDCap because it would throw a fatal PHP error on the upgrade page. (Ticket #91097)
Bug fix: When using Twilio, it would mistakenly not send SMS messages to U.S. phone numbers with an 854 area code. (Ticket #90686)
Bug fix: If a calc field is using the function sum, min, max, stdev, mean, or abs, and the variable names referenced inside those functions are not numeric-type fields (i.e., has number/integer validation, is a calc or slider field), it would not return a correct result if one of more of the fields referenced in the function had a negative value. (Ticket #90881)
Bug fix: The language has been made clearer in the popup that is displayed on the User Rights page when selecting the radio option "Locking / Unlocking with E-signature authority". (Ticket #90961)
Change: When REDCap is routinely deleting temporary files inside its internal “temp” directory, if a file there does not have the expected timestamp inside the file’s filename to designate the file’s time of creation, then the file’s “last modification time” property will then be checked to determine its age to see if it should be deleted. This also includes files in subdirectories within the temp directory.
Change: Added the REDCap version number to the top of the Configuration Check page for those institutions that wish to print the page for version-specific documentation.
Bug fix: When adding choices that do not contain a comma for a multiple choice field in the Add New Field dialog on the Online Designer, it would not always automatically set the raw coded values correctly if the user provided a mix of numeric and non-numeric values for the options. (Ticket #83895)
Bug fix: If the e-Consent Framework is enabled on a one-page survey that contains a field that is required and is also embedded inside another field on the survey page, if the participant loads the e-Consent certification page and then clicks the “Previous Page” button, it would mistakenly delete the value of the field that was both required and embedded on the previous page. (Ticket #91139)
Change: The option to enable a twice-daily cron job (available to admins only) to automatically run the Clinical Data Mart in a project has now been changed to run only once per day due to various technical and scalability considerations.
Bug fix: The External Modules link on the left-hand menu both in projects and in the Control Center would mistakenly be a full link rather than a relative link to the page, which could cause some issues in specific situations. (Ticket #91223)
Bug fix: When entering a value into a field that has been designated as the Secondary Unique Field in a project, each time the user/participant leaves the field and then re-enters the field, it will cause the amount of SUF unique value checks performed to double each time (e.g., 1 check, then 2, 4, 8), when it should only be running once after entering a value in the field. This could cause the page to get really slow and unresponsive. (Ticket #91344)
Bug fix: When using Shibboleth or Shibboleth+Table for authentication, it might mistakenly not update a user’s “Time of last login” as noted on the Browse Users page. (Ticket #85105)

Version 10.3.0 (released on 2020-08-27)

CHANGES IN THIS VERSION:

Critical bug fix: When collecting data using a public survey where multiple participants are entering data near-simultaneously, if piping is being performed on the first page of the public survey, a scenario may arise in which a survey participant may mistakenly see some piped data that was entered by another participant that had just saved their responses at the same time as (or moments before) the current participant had loaded the survey page. While this issue is fairly rare, the worst-case scenario could be that a participant ends up viewing another participant’s response, thus possibly resulting in a privacy leak if private and/or identifying information (e.g., PHI) has been entered on the survey.
New feature: Added “Language of text to be spoken” for the “Text-To-Speech” survey functionality, which is available on the Survey Settings page. For several years, REDCap has had a Text-to-Speech feature for surveys that, when enabled, allows questions and other text on survey pages to be converted into natural-sounding audio for the participant to hear. Up until now, it supported English only, but now REDCap users may utilize the Text-to-Speech feature in a variety of non-English languages and voices, assuming that the survey text is in a non-English language. This includes Arabic, Brazilian Portuguese, English (UK and US), French, German, Italian, Japanese, and Spanish (Castilian, Latin American, and North American).
New feature: Users may re-evaluate some or all Automated Survey Invitations for all records in a project. If an ASI has been modified after data has already been entered in the project, users may click the “Re-evaluate Auto Invitations” button in the Online Designer, which will re-evaluate selected ASIs for all records to ensure that invitations get properly sent or scheduled based on the new conditions of the ASI (otherwise they could only be triggered if each individual record had data modified). If a user modifies the conditional logic of an ASI, it will recommend that they utilize the “Re-evaluate Auto Invitations” functionality. If an ASI has the “Ensure logic is still true…” option checked, then it is possible during this process that some already-scheduled invitations might get removed (and thus would no longer be scheduled) based on the new conditions.
New feature: Users may re-evaluate some or all Alerts & Notifications for all records in a project. If an alert has been modified after data has already been entered in the project, users may click the “Re-evaluate Alerts” button on the Alerts & Notifications page, which will re-evaluate selected alerts for all records to ensure that notifications get properly sent or scheduled based on the new conditions of the alert (otherwise they could only be triggered if each individual record had data modified). If a user modifies the conditional logic of an alert, it will recommend that they utilize the “Re-evaluate Alerts” functionality. If an alert has the “Ensure logic is still true…” option checked, then it is possible during this process that some already-scheduled notifications might get removed (and thus would no longer be scheduled) based on the new conditions.
Improvement: When deleting an invitation from the Survey Invitation Log (either as a single invitation or using the multi-select option to delete many invitations at once), it now provides a new option in the dialog prompt to “Permanently cancel this invitation?”, in which the phrase “permanently cancel” implies that the invitation cannot be re-triggered/scheduled again in the future even if the ASI conditions are met again. If the user chooses to uncheck the option, then the scheduled invitation will be removed, but could possibly get re-triggered in the future if the ASI conditions are met again (assuming it was originally scheduled via an ASI).
Improvement: The Survey Invitation Log has a new filter drop-down option to view “only deleted invitations” (i.e., permanently cancelled invitations).
New developer method: REDCap::reserveNewRecordID() - A thread-safe way to reserve a new record ID in a project prior to creating the record by using record auto-numbering or by manually providing a new record name to reserve as the $recordIdToReserve parameter. NOTE: This method will not create the record but will merely reserve the record ID so that it will not be used by any other processes in REDCap when creating a record in the near future. Once the record ID is reserved, it will remain reserved for up to 72 hours. When using this method, the assumption is that after reserving a new record ID, you should create a new record with that record name shortly thereafter.
Improvement: Import Records API method has a new parameter “csvDelimiter” to specify the delimiter character when sending data in CSV format. Options include: comma ‘,’ (default), 'tab’, semi-colon ';’, pipe '|’, or caret '^’.
Improvement: Large performance improvement when importing lots of records (via Data Import Tool, Mobile App, API, or REDCap::saveData) when record auto-numbering is enabled in a project and the import process is forcing the new records to be auto-numbered on the fly. (Ticket #90747)
Improvement: Smart Variables and regular field variables can now be piped into the URL of Project Bookmarks. Note: While many Smart Variables can be piped successfully outside of a record context (e.g., [redcap-base-url]), all field variables (e.g., [age], [dob]) and some Smart Variables (e.g., [record-name], [previous-event-name]) can only be piped into the URL while the user is inside a record context, such as viewing the Record Home Page or data entry form. (Ticket #75783)
Improvement: When using the “Custom Surveys for Project Status Transitions” feature (as seen near the top of the User Settings page in the Control Center), administrators may now create a new field having the variable name “project_id” in any of the custom survey projects, in which it will automatically save the PID value (Project ID) of the project for which the user is completing the survey. This will allow the survey responses for these custom surveys to be easily identifiable with the project for which each corresponds. Note: This will make project tracking much easier for these. Regarding the “project_id” field being added, if the custom survey project is longitudinal, the field must exist in the first event of the first arm in the project.
Improvement/change: When using the “Custom Surveys for Project Status Transitions” feature, the embedded “Create Project” survey is now utilized when a user is copying a project. In previous versions, the survey was only displayed with creating new projects on the Create New Project page. (Ticket #90911)
Change: When a user is using the E-signature feature at the bottom of a data entry form, the database query to determine the user’s last login time was not optimized and might be very slow in certain circumstances.
Change: Slight re-organization of buttons at the top of the instrument list on the Online Designer.
Bug fix: If a longitudinal project is utilizing the randomization module and is randomizing by group/site by using Data Access Groups in Step B, then it would mistakenly display an erroneous message about erasing the randomization model because the event designation is missing for the randomization field or criteria fields.

Version 10.2.3 (released on 2020-08-21)

CHANGES IN THIS VERSION:

Improvement: When importing a CSV file of data on the Data Import Tool or when importing a CSV Data Dictionary, users may now specify the delimiter of the CSV file as a Comma (default), Tab, or Semicolon.
Improvement: In previous versions, the DAG Switcher would not be very performant if there existed very many users and/or Data Access Groups within a project, thus the DAG Switcher would (by design) be automatically disabled for projects in those situations, which was not ideal with regard to user experience. The DAG Switcher is now no longer limited in that way and will now function fully regardless of there being many users and DAGs in a given project.
Major bug fix: When exporting a report in ODM XML format or exporting an entire project as ODM XML Metadata & Data, and there exist 30 or more records in the project (or 30+ rows of data as seen in a report), it would mistakenly fail and erroneously display the “We are sorry, but apparently the data export is not able to complete successfully…” error message. Bug emerged in REDCap 10.2.1. (Ticket #90241)
Bug fix: When using an AWS-hosted REDCap installation that was deployed using the AWS Quickstart process, the REDCap Easy Upgrade process would not work successfully if Amazon Linux 2 had been used as the server operating system for the AWS deployment. This fix makes the REDCap Easy Upgrade process work with both Amazon Linux 1 and 2.
Bug fix: If a longitudinal project contains repeating events, in which a record has multiple repeating instances saved for a repeating event but the first instance of the repeating event was deleted, the Record Home Page would mistakenly still display a column for the first instance even though it has no data. It should not be displaying that column at all if it has no data.
Bug fix: When viewing a report containing multiple pages, the search feature for the report would mistakenly not display except on the first page. Bug emerged in REDCap 10.2.1. (Ticket #90262)
Bug fix: When upgrading to REDCap 10.0.0, the encoding/collation of a column in one database table might not get set correctly depending on the default collation setting of the REDCap installation. (Ticket #90343)
Bug fix: Small aesthetic issues with the width of contents inside the DIV color classes (e.g., red, blue, green).
Bug fix: If a survey page or data entry form has several Signature fields (i.e., Signature field type), if a user downloads a PDF of that instrument/survey, the PDF file might mistakenly cause the signatures not to be placed correctly inside the PDF, and in some more extreme cases might cause some of the signatures not to display at all depending on their placement relative to the end of the page in the PDF. (Ticket #90310)
Change: Due to the amount of users complaining about the fact that SAS exports will truncate long field labels and long multiple choice option labels, this behavior has been changed so that those will no longer be truncated in the SAS syntax file for SAS data exports. Note: This behavior to truncate labels in SAS exports was originally changed in REDCap 10.0.3.
Bug fix: If a field is embedded inside itself, which is not allowed, it would throw a JavaScript error and prevent the survey page or data entry form from loading fully. Instead it now displays a proper error on the page when this occurs. (Ticket #90394)
Bug fix: When using the Double Data Entry module in a project, if a DDE user attempts to create a new record that has already been created by the other DDE group, it would mistakenly re-number the record name to a new name (as if record auto-numbering were enabled) when saving the record *only if* some fields on the data entry form were required and were left blank. (Ticket #89152)
Bug fix: The variable “target” was added to the reserved list of illegal variable names because it might cause JavaScript errors to occur on a survey page or data entry form when a field with that variable name is being used in branching logic or a calculation.
Bug fix: Data Quality rule B might return false positives or might fail to return true discrepancies if a field with no value has certain branching logic. (Ticket #89337)

Version 10.2.2 (released on 2020-08-14)

CHANGES IN THIS VERSION:

Major bug fix: When on a survey page or data entry form, the Secondary Unique Field (if enabled in the project) would mistakenly not be checking for the uniqueness of the field’s value when a value was entered/changed for that field on page. Note: This issue did not affect values being imported via Data Import Tool, API, or Mobile App.
Major bug fix: When using the randomization module and utilizing strata fields that exist on a different instrument and/or event from the randomization field, if a user adds or changes a strata field’s value during the process of randomization, it mistakenly would not save the new values for the strata fields, thus leaving them with their value prior to when randomization took place. (Ticket #89686)
Bug fix: In longitudinal projects, the events listed at the top of the table on the Record Status Dashboard were mistakenly not being displayed.
Bug fix: When using the Smart Variable [survey-link] when the survey title is blank (i.e., has no value entered), it would mistakenly output an invisible hyperlink. In this particular case, it will instead now set the hyperlink label to be the URL of the link itself.
Bug fix: Seven Laboratory fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.
Bug fix: When moving multiple fields at the same time in the Online Designer when the project is in Draft Module while in production, it might mistakenly throw a fatal PHP error. (Ticket #89734)
Bug fix: In certain unknown situations when importing large amounts of records at the same time into a project that contains Data Access Groups, in which a user that is not assigned to a DAG is performing the import and is assigning records to DAGs during the import process using the “redcap_data_access_group” field, the back-end Record List Cache might get out of sync and might cause some pages (e.g., Record Status Dashboard) to mistakenly show that the imported records are not assigned to a DAG. This situation would often require a REDCap administrator to have to clear the Record List Cache via the button on the Other Functionality page in order for the record(s) to display as if assigned to their proper DAG.
Bug fix: When viewing the Data History dialog of a field in a multi-arm longitudinal project, in which a record exists on multiple arms and then is deleted from one of the arms, it might mistakenly display the history of data values incorrectly in the Data History dialog. (Ticket #67037)
Bug fix: When using the randomization module while a project is in production status, and then a REDCap administrator moves the project back to development status and then back to production again, the randomization field’s values do correctly get erased for all records when moving back to production; however, it mistakenly does not set all the records back to a pre-randomized state. Instead, all the records are still listed as having been randomized, even though they no longer have a value for the randomization field, which results in an error being displayed on the data entry form. (Ticket #89334)
Bug fix: The “Edit project settings” link next to the tabs on the Project Setup page would mistakenly disappear if the browser window was not very wide or if the user was using the text enlarge/zoom feature in the browser. (Ticket #89772)
Bug fix: When downloading very large data export CSV files, due to various server configurations, it might mistakenly result in a CSV file that is 0 bytes in size, thus preventing the user from actually downloading the exported data file. (Ticket #89117)
Bug fix: A foreign key on the “redcap_alerts” database table was not set up correctly.
Bug fix: While some of REDCap’s pages were widened in version 10, the DIV color classes (e.g., red, blue, green) were not, thus causing some pages not to look like they are aligned correctly, especially if using custom banners at the top of the Home Page, login page, or My Projects page. (Ticket #89979)
Bug fix: When assigning a user to multiple Data Access Groups using the DAG Switcher, if the user’s current DAG assignment has not been enabled for them in the DAG Switcher, it would mistakenly allow the DAG Switcher to work but could lead to a confusing user experience because the user would not be able to move themselves back to their original DAG assignment after moving out of it. This has been changed so that an error message is now displayed in this use case and informs the user how to address it.

Version 10.2.1 (released on 2020-08-07)

CHANGES IN THIS VERSION:

Major bug fix: When upgrading REDCap using the Easy Upgrade process, it would mistakenly not execute all the incremental upgrade scripts required during this process, thus resulting in the “YOUR REDCAP DATABASE STRUCTURE IS INCORRECT!” error message that would be displayed in the Control Center immediately after the upgrade. Note: This issue might still occur when upgrading to this version, but it will not occur when you upgrade to another version after this version. (Ticket #89382)
Improvement: The “Response Limit” option on the Survey Settings page now allows for the use of the rich text editor when defining custom text to display to respondents on the survey when limit is reached.
Improvement: The performance of the getAutoId() function has been improved, in which it can now determine the next auto-numbered record ID twice as fast (or faster), thus using less database resources during the process for large projects. (Ticket #89389)
Change: For the option “Survey-specific email invitation field” on the Survey Settings page, it adds a note that the survey-specific email field is not required to be set if a project-level email field has already been defined in the project. This was added to reduce confusion for users.
Bug fix: Depending on the type of deployment initially made in AWS via the REDCap AWS Quickstart, REDCap might not always be able to successfully determine if it is currently running on AWS Elastic Beanstalk.
Bug fix: When performing piping of a field with both “:value” and the Smart Variable [X-instance] appended to the field variable (e.g., [field:value][last-instance]), it would sometimes mistakenly not perform the piping at all. (Ticket #59671)
Bug fix: If a longitudinal project is utilizing the randomization module but randomization has not been fully set up yet, the Randomization Setup page would mistakenly display an erroneous message about erasing the randomization model because the event designation is missing for the randomization field or criteria fields.
Change: REDCap no longer suppresses PHP warnings when error_reporting is set to “E_ALL” in PHP by manually changing it in the REDCap code or when the REDCap server has been specifically designated as a “development server” in the Control Center. (Ticket #86767)
Bug fix: The Easy Upgrade feature might mistakenly display two columns for “Standard Release versions” (in which the second one is empty) when notifying an administrator that a new REDCap version is available. It should not display the second, empty column. (Ticket #89356)
Bug fix: Prevent a user’s IP address from getting auto-banned if somehow the IP address is a blank/empty string value. (Ticket #89367)
Bug fix: When a report filter references a field from a repeating event or repeating instance, in which the filter logic is checking if the field’s value is blank ([field] = “”) or non-blank ([field] <> “”), it might mistakenly return too many rows in the report as false positives for the filter logic. (Ticket #89256)
Bug fix: The action tag @HIDECHOICE would fail to function correctly for a matrix of checkbox fields, thus mistakenly displaying all the checkboxes for the field in the matrix when it should instead be hiding some. (Ticket #88810)
Change: When viewing the Participant List page, if the survey has the “survey-specific email invitation field” enabled, it will now display a small notice about this fact near the top of the Participant List table to inform the user and provide more clarity regarding the source of the email addresses being used for that particular survey.
Change: A warning message is now displayed for users that attempt to use both the Survey Queue and Survey Auto-Continue features together in the same project. If one is already enabled while attempting to enable the other, the warning will inform the user that these two features can sometimes conflict with each other.
Bug fix: If the Secondary Unique Field is enabled in a project and its value is being pre-filled via 1) the @DEFAULT action tag, 2) the GET/query string parameter method for surveys, or 3) the POST parameter method for surveys, it would fail to perform the duplicate value check on the field when the form/survey initially loads, thus mistakenly allowing for duplicate values to be entered. (Ticket #88854)
Change: When creating a new Table-based user account or editing an existing user account, it would not allow the user’s expiration date/time to be set to today’s date. In some cases this is desirable, so this has been modified so that it merely gives a warning about this and no longer prevents the form from being submitted in this case. (Ticket #89376)
Bug fix: When using the “View project as user” feature, the left-hand menu would mistakenly not display only the reports to which the user being impersonated has access to view. (Ticket #82697)
Bug fix: When using the “View project as user” feature, some parts of the Other Functionality page would mistakenly be displayed to admins that the impersonated user normally would not see. (Ticket #88759)
Bug fix: If an instrument label is very long with no spaces or hyphens, it might cause the Data Entry Rights table in the Editing Existing User dialog on the User Rights page to spill over and push the radio buttons into incorrect places.
Bug fix: When sending SMS messages via Twilio for alerts or for survey invitations, if the Smart Variables [survey-link] or [survey-queue-link] are included in the SMS text, it will mistakenly remove the URL from the message but leave the link’s label. (Ticket #89621)

Version 10.2.0 (released on 2020-07-31)

CHANGES IN THIS VERSION:

New feature: Integration of Paul Litwin’s Stealth Queue external module
- New ”Keep the Survey Queue hidden from participants?” setting in the “Set up Survey Queue” dialog on the Online Designer
- This setting will keep the Survey Queue table hidden from participants, and will force Auto Start to be enabled for all queue-activated surveys. This is useful if users wish to use the Survey Queue to automatically guide survey participants to the next survey without displaying the queue of surveys.
New hook: redcap_survey_acknowledgement_page - Allows custom actions to be performed on a survey’s acknowledgement/"thank you" page immediately after the survey has been completed. Note: This hook is different from the redcap_survey_complete hook because the redcap_survey_complete hook is not recommended if you wish to output HTML, CSS, or JS onto the survey page after the survey is completed (because the page may be redirected immediately after the survey is completed, thus the participant might never see anything output by this hook prior to the redirect). The redcap_survey_acknowledgement_page hook is recommended for outputting HTML, CSS, or JS onto the survey page after the survey is completed.
Improvements to the Data Resolution Workflow feature
- When a user is opening a new data query and assigning the query to a user, there are new options to send a notification to the assigned user via email and/or REDCap Messenger to inform them about their query assignment.
- Attachment files that have been uploaded to an opened data query may now be deleted after the fact, if needed. Note: As a precaution, only REDCap administrators may delete such attachments.
- For existing data queries, users may now be assigned to an opened query after the fact, and if the data query already has a user assigned to it, it may be reassigned to another user.
Bug fix: When using the Clinical Data Interoperability Services with Cerner EHR, the FHIR results could mistakenly return as paginated, thus not returning the entire data set expected.
Bug fix: If an alert is set to be recurring or is set to send only once but not "Immediately", then if the alert fails to send (e.g., if the recipient’s address is blank/has no value), it would mistakenly keep trying to send repeatedly every minute. And if the “Email to send email-failure errors” option is set, then the recipient defined for that option would mistakenly get sent an email every minute for every record upon which the alert has been triggered, which could mean that thousands or tens of thousands of emails will get inadvertently sent per day.
Bug fix: A bug fix was made in REDCap 9.5.26 LTS and 10.0.3 Standard to truncate long field labels and multiple choice labels for fields in any stats package file downloaded from the Data Exports page. However, this should have only been applied specifically to SAS exports since the truncation can cause issues in other stats packages when certain labels are very similar, thus making it difficult to tell fields apart from one another. This truncation of labels now only occurs during SAS exports.
Bug fix: When REDCap is using an SSL database connection, while most pages in REDCap will work normally, some pages might mistakenly crash due with a fatal PHP error for some types of database connections pertaining to the use of specific SSL certificate-related parameters. (Ticket #89096)
Bug fix: The “Redirect to a URL” survey termination option would allow survey URLs to be entered but would mistakenly not allow survey queue URLs to be entered.
Bug fix: When using the datediff() function in a calculated field or branching logic in which the date format parameter is not provided but the returnSignedValue parameter is provided as the fourth parameter, then it would mistakenly result in an error popup on the survey page or data entry form. Bug emerged in REDCap 9.9.2. (Ticket #89007)
Bug fix: When a REDCap administrator is adding or editing an alert in a project in which they are not a user, if the admin selects their own email address as the Email To, CC, or BCC for the alert, it would mistakenly not save their email address correctly for the alert, which would often prevent the alert from sending successfully upon being triggered. (Ticket #89226)

Version 10.1.5 (released on 2020-07-24)

CHANGES IN THIS VERSION:

Minor security fix: If a malicious user has knowledge of REDCap’s infrastructure and code, they could potentially make calls to a specific REDCap end-point that is used to ping third-party web services that REDCap utilizes throughout the application, in which carefully-crafted calls to this end-point could cause service account information from the platform to be returned back and leaked to the user. This issue appears to only exist when hosting REDCap on certain cloud-based hosting platforms, such as Google Cloud.
Improvement/change: When running Data Quality rule H on a project with many hundreds or thousands of records, the rule might mistakenly time out or might crash due to a PHP memory limit error, in which none of the calculations could ever be corrected by rule H if it timed out or crashed. To prevent this, rule H will perform an internal batching of 100 records at a time to ensure that the rule will execute more efficiently and thus will finish successfully. Note: The internal batching process will occur invisibly, so nothing will appear different at all with regard to user experience.
Bug fix: If the [survey-link] Smart Variable is being utilized for an instrument that is not enabled as a survey, it would mistakenly return a blank value/string rather than of six underscores, and if custom text is provided as a parameter for the Smart Variable, it would return a hyperlink with a blank value for the “href” attribute.
Change: In the field-view display of the Online Designer, each field will no longer have a link to open the instructional popup for Field Embedding (since this is a bit repetitive), but instead there will be a single floating box on the right side of the page for informing users on how to utilize Field Embedding and for opening the popup. (Ticket #88418)
Bug fix: Addressed issues with regard to incremental upgrades in which SQL errors might occur when upgrading from very old versions.
Bug fix: When downloading a PDF of an instrument/survey containing data, if a single word in the text data of a Notes field exceeds the maximum width of the text in the PDF, such as if a long URL exists in the text data, it would mistakenly cause the text to get split up with one word on each line, thus making the text unnecessarily tall in the resulting PDF. (Ticket #86991)
Bug fix: If a longitudinal project is utilizing the randomization module, and somehow the event mapped for a strata field or randomization field has been set to NULL (missing a mapped event) on the backend (possibly due to various changes in the project after the randomization model had been saved), it would fail to display the randomization button on the data entry form for any event. To make users aware of this issue when this occurs, it will now display a warning message on the randomization setup page and inform the user how to correct the issue. (Ticket #88594)
Bug fix: The “email” field validation was slightly incorrect and would allow a period/dot to be entered immediately before the @ symbol in an email address that was entered in an email-validated field, in which this should not be considered a valid
Bug fix: On PHP 7.4.6+, some pages in REDCap (e.g. Add/Edit Records page) were loading much slower than expected. This fix should resolve this slowness; however, it has not been officially confirmed. email address.
Bug fix: When an embedded field has branching logic and is also a required field, if the embedded field is currently hidden by branching logic when the survey page or data entry form is submitted, REDCap will mistakenly display the “Some fields are required” message for that field. It should never display that message for fields hidden by branching logic. (Ticket #88864)

Version 10.1.4 (released on 2020-07-17)

CHANGES IN THIS VERSION:

Major bug fix: When piping is being performed or when logic is being evaluated that contains an event-based Smart Variable that is prepended to a field variable (e.g., [first-event-name][age]), it might not get parsed correctly and might mistakenly return an incorrect result.
Bug fix: When more than one auto-complete drop-down field is embedded inside another field on a data entry form or survey page, only the first embedded auto-complete drop-down in that table row would get enabled and function correctly. Thus all other drop-downs in that row would mistakenly not function.

Version 10.1.3 (released on 2020-07-17)

CHANGES IN THIS VERSION:

Change: The text was updated for the REDCap features listed on the REDCap Home Page.
Bug fix: When sending emails via the Mandrill Email API, the SendGrid Email API, or while using the Google App Engine platform for hosting, attachments on emails would mistakenly not retain their original file name in the email received.
Bug fix: In the API Playground, the example R code produced for API method “Export PDF file of instruments” was missing certain arguments (record, instrument, event), and also was mistakenly missing quotes around the API token value. (Ticket #88079)
Bug fix: When a calculation or branching logic references a field from a repeating instrument or repeating event, in which the instance number or an [X-instance] Smart Variable is explicitly provided (e.g., [field][current-instance] + [field][2] + [field][3]), the JavaScript version of calculations and branching logic that runs on a form/survey page might mistakenly assume the value as a string of text even when the field is a number/integer field type, thus resulting in an incorrect value displayed on the page. However, the correct value would be saved for a calculated field on the page after clicking the Save button. Note: For calculations, data imports and Data Quality rule H would still be correct and store the correct value. (Ticket #88143)
Bug fix: When a field is embedded inside another field that is being hidden by branching logic on the page, it might cause a “BRANCHING LOGIC ERRORS EXIST!” error to mistakenly appear on the data entry form or survey page. (Ticket #88134)
Bug fix: When importing a CSV of arms on the Define My Events page, it would mistakenly allow an arm’s number to be imported with a value of "0", which is not allowed and causes issues with accessing records in that arm afterward in the user interface.
Bug fix: When using a calculation or conditional logic in a longitudinal project that contains repeating instruments and/or repeating events, if a checkbox field is referenced in the calc/logic and has an [X-instance] Smart Variable appended to it (e.g., [checkbox_name(2)][last-instance]), the calc/logic might mistakenly not get parsed correctly and might return an incorrect result. This only occurs for checkboxes on repeating instruments/events in longitudinal projects. (Ticket #88065)
Bug fix: When viewing the instrument/event options for Report B on the “Data Exports, Reports, and Stats” page in a project, the instrument/event multi-select fields would mistakenly be too narrow and would often prevent users from being able to distinguish which instruments/events they are selecting. (Ticket #88261)
Bug fix: CSV files that are exported for the following places might be exported as UTF-8 encoded but would mistakenly be missing the BOM (Byte Order Mark): export for randomization template allocation tables, export for Automated Survey Invitations in the Online Designer, and the export for the “E-signature and Locking Management” page. (Ticket #87787)
Bug fix: If users have bookmarked the link to the PDF archive tabs in the File Repository for either the survey PDF Auto-Archiver or the Record-level Locking Enhancement (PDF confirmation & automatic external file storage) feature, and either of those features have been disabled in a given project, the user would mistakenly be able to view those pages in the File Repository and possibly download PDF files from those pages if those features were previously enabled and utilized in the project.
Bug fix: When piping the [form-url] or [form-link] Smart Variable when they have an [X-instance] Smart Variable appended to them, in which the “instrument” parameter of [form-url] or [form-link] is not specified, it might mistakenly return a blank value instead of the URL/link.
Bug fix: When a slider field’s value is being piped onto the same instrument or survey page in which the slider itself is located, it might mistakenly not update the piped value on the page when the user modifies the slider value, such as when initially clicking on the slider to activate it or when clicking the slider’s “reset” link.
Bug fix: The documentation for the developer method REDCap::saveData() was incorrect with regard to what “item_count” represents in the returned response, specifically for type="flat" data. (Ticket #88378)
Bug fix: When a REDCap administrator is using the “View Project as User” feature on a user that has been assigned to multiple Data Access Groups via the DAG Switcher, the “Current Data Access Group” banner would mistakenly not be displayed at the top of the page for the administrator. (Ticket #88392)

Version 10.1.2 (released on 2020-07-10)

CHANGES IN THIS VERSION:

Major bug fix: If calculated fields in a project have the exact same calculation/equation as another calc field in that project, it could cause incorrect values to be returned and saved for those calc fields when submitting a form/survey, when importing data, or when running Data Quality rule H. Bug emerged in REDCap 10.0.7 (LTS) and 10.1.1 (Standard). This bug might also affect the results of custom Data Quality rules, but it is currently unknown if this is true. This would only affect calculations that were triggered by data changes after upgrading to 10.0.7 (LTS) and 10.1.1 (Standard), in which they can be fixed afterward by running Data Quality rule H in a given project.
Bug fix: Some language variables were duplicated and mistakenly overwrote some text on the Field Embedding instructional page/popup. (Ticket #87989)
Bug fix: The Easy Upgrade feature might mistakenly not execute the entire SQL upgrade script for certain web server or database server configurations (the ultimate cause is unknown). This could cause problems after the upgrade completes in which the Auto-Fix feature might not be able to fix it without some extra SQL needing to be run. (Ticket #87994)
Bug fix: The parsing of some conditional logic might mistakenly fail with a fatal PHP error for unknown reasons, possibly only for specific PHP versions. (Ticket #87983)
Bug fix: If a “Designated email field for sending survey invitations” is being used in a project, in which that email field exists on a repeating instrument or repeating event, then the Survey Invitation Log page would mistakenly fail to display the record name for a scheduled/sent invitation and would instead display the slash-eye icon to indicate that the record name is not displayable. (Ticket #87795)

Version 10.1.1 (released on 2020-07-09)

CHANGES IN THIS VERSION:

Critical bug fix: When collecting data using a public survey where multiple participants are entering data near-simultaneously (i.e., submitting the survey within the same fraction of a second), a scenario may arise in which those multiple responses could get partially merged together. When this occurs, it appears in the logging that two new records were created, but on some occasions the second participant ends up overwriting the first participant’s responses. This issue only occurs when the project’s back-end Record List Cache gets out of date and somehow doesn’t include some of the new records created via the public survey. While this issue is fairly rare, it can cause data loss when a participant accidentally overwrites another’s response, and the worst-case scenario could be that a participant ends up viewing another participant’s response, thus possibly resulting in a privacy leak if private and/or identifying information (e.g., PHI) has been entered on the survey.
New feature: SendGrid Email API Integration
- As an alternative for sending outgoing emails from REDCap (rather than using the standard settings in PHP.INI to send them natively from the web server), you may use SendGrid, which is a third-party paid service (owned by Twilio) that can send emails on behalf of REDCap.
- The option can be configured on the General Configuration page in the Control Center. You merely have to provide the API key for your SendGrid account, and it will begin using the SendGrid Web API to send *all* emails going out of REDCap.
New feature: Select and modify multiple fields together on the Online Designer - Users may select multiple fields on the Online Designer by holding the Ctrl, Shift, or Cmd key on their keyboard while clicking on the field in the table, which will reveal the options to Move, Copy, or Delete all the selected fields. To make users aware of this feature, a floating note now appears near the right side of the page in the Online Designer with instructions on how to use this.
Improvement: Projects that have the Clinical Data Mart feature enabled will now be able to export the Clinical Data Mart settings in the Project XML file for the project and thus will be able to create new projects using that Project XML file as an alternate means of creating a Data Mart project. Note: Users will still be required to have system-level Data Mart permissions (granted by an admin) in order to use the XML file to create a Data Mart project.
Major bug fix: If a record has been locked at the record level and the record is renamed, the record will mistakenly no longer appear to be locked anymore.
Major bug fix: If a record has been locked at the record level and then the record is deleted and another record is created with the same name, the new record will mistakenly be initially locked after creation and have the same lock status and lock time as the original record bearing its name.
Bug fix: Branching logic now works for embedded fields - A JavaScript issue (which is resolved separately in this release) was affecting embedded fields and made it impossible for a field’s branching logic to function if it was embedded inside another field. Now that the other issue has been resolved, it has unblocked the issue that prevented branching logic from functioning for embedded fields. Thus, fields embedded inside other fields will now be hidden/displayed appropriately according to their own defined branching logic, as was originally intended with the embedded fields feature. Note: The documentation regarding branching logic for embedded fields has been modified accordingly to reflect this change in behavior due to the fix.
Bug fix: If a slider or file upload field is being hidden by branching logic, they would mistakenly not get reset back to their original state with the slider placed back at mid-position and the file upload field reset back to the “Upload file” link, respectively. This would be very confusing to users if the fields were hidden by branching logic, in which their field was erased, and then while on the same page, the fields were revealed again looking as if they had a value when they actually did not.
Bug fix: Only administrators that have the specific admin privilege “Access to all projects and data” could create a General Notification in REDCap Messenger. This is a mistake. Instead it should be that a user that has at least one of any type of admin privilege can create a General Notification.
Bug fix: When clicking the “All custom” button on the Data Quality page, it would mistakenly execute rule I.
Bug fix: When using Data Access Groups in a project, if a user was added to the project’s User Rights page with a capital letter in their username, then the Data Access Groups page would mistakenly display the user’s username and name as blank (with only a comma displayed) in the “Users in group” column no the page. (Ticket #86811)
Bug fix: If a File Upload field is embedded in the choice label of a radio button or checkbox field, it would mistakenly overlap the choice label text.
Bug fix: When importing data via the API for a repeating instrument, many of the normal checks that ensure that the fields “redcap_repeat_instrument” and “redcap_repeat_instance” have valid values where mistakenly getting bypassed and thus not performing all the necessary checks to ensure the best data quality during the import. For example, importing a field on a repeating instrument but leaving the “redcap_repeat_instance” field blank would not return an error but would instead assume the value is "1", which should not be assumed. (Ticket #75854)
Change: When a user accesses a project for which their user privileges have expired, it now tells them to contact the project owner rather than telling them to contact the REDCap administrator.
Bug fix: When using the Clickjacking Prevention feature, it would mistakenly prevent REDCap from being embedded inside an EHR when using the Clinical Data Pull (CDP) EHR launch.
Bug fix: If using the Mandrill Email API integration to send emails from REDCap, it would mistakenly fail to add the appropriate file attachments (when applicable) to any outgoing emails and would instead send emails successfully without any attachments.
Bug fix: If a text field or notes field is embedded inside a radio button or checkbox field on a survey, in which the Enhanced Radio/Checkbox setting has been enabled for the survey, it would prevent participants from using the Space key when entering a text value for the embedded field.
Minor security fix: Prevention of CSV injection - Users or survey participants could enter +, -, @, or = at the beginning of a text field’s value, and if a user is performing a CSV export of the data and opening the file in Excel (and possibly other spreadsheet software), it could cause that data to be inferred as a formula by Excel, which could have some security consequences. In these cases if a data value in a CSV Raw or CSV Labels export begins with one of those characters, a space will be prepended to the text value to prevent this issue from occurring.

Version 10.1.0 (released on 2020-06-30)

CHANGES IN THIS VERSION:

New feature: Granular administrator privileges - There now exist seven different categories of privileges that may be attributed to a REDCap administrator. If a user has at least one admin privilege, they are considered a REDCap administrator and thus will be able to access the Control Center; however, they will only be able to access the things to which they have been granted access. Note: Following the upgrade to v10.1.0, any users who were designated as REDCap administrators beforehand will now have all seven categories enabled. Thus they will not lose any privileges at all after the upgrade. Listed below are each of the admin privilege categories and an explanation of what they mean and where they apply.
- Set REDCap Administrator Privileges – User can access the ‘Administrator Privileges’ page (i.e., this page), and can set admin rights for any user.
- Access to all projects and data with maximum user privileges – User has full access to all REDCap projects in the system and has maximum privileges within those projects. Within the Control Center interface, the user can access and use the following pages that pertain to project administration: To-Do List, Survey Link Lookup, and API Tokens.
- Manage user accounts – User can access, modify, and (if using Table-based authentication) create REDCap user accounts. The following pages can be accessed and utilized: Browse Users, Add Users, User Allowlist, and Email Users.
- Modify system configuration pages – User can modify settings on all system configuration pages in the Control Center, which includes all pages listed under the ‘Miscellaneous Modules’ and ‘System Configuration’ sections on the left-hand menu. Note: If the user does not have this specific privilege but does have at least one other administrator privilege, they may still access and view the system configuration pages but only in read-only mode.
- Perform REDCap upgrades – User can access tools used for upgrading the REDCap software, including notifications about new versions available and also accessing the Easy Upgrade feature (if enabled). Note: This admin privilege does not apply when upgrading REDCap using traditional methods (i.e., when not using the Easy Upgrade) because the traditional upgrade process occurs mostly outside of the REDCap user interface in a database client and via direct server access.
- Install, upgrade, and configure External Modules – User has the ability to install External Modules from the REDCap Repo, and can enable and configure them at the system level. This does not apply to enabling and configuring an External Module in a project, which is governed by other user privileges. Note: If the user does not have this specific privilege but does have at least one other administrator privilege, they may still access and view the External Modules page in the Control Center but only in read-only mode.
- Access to Control Center dashboards – User can access and utilize all pages listed under the ‘Dashboard’ section of the Control Center’s left-hand menu.
Change/improvement: In Alerts & Notifications, the email “To” field that is used for an alert now allows fields having custom email validation (i.e., added manually in the redcap_validation_types database table) to be utilized as the recipient. Previous versions only allowed fields to be used that had the explicit “email” field validation.
Bug fix: When using the color-picker to edit the text color or background color of a Project Folder on the My Projects page, the text field to add/modify the hex color code would mistakenly be disabled when it should instead be editable.
Bug fix: If an External Module is calling REDCap::saveData() in a project using Twilio for surveys or Alerts & Notifications, depending on the context it might mistakenly throw a fatal PHP error if the call to REDCap::saveData() triggers a voice call or SMS message via Twilio.
Bug fix: On the System Statistics page, the number of Completed projects would mistakenly not get included in the count of Total Projects. (Ticket #86998)
Bug fix: The iOS version number would mistakenly not be detected accurately for iPads running iOS 13. (Ticket #87081)
Bug fix: If the Clickjacking Prevention setting is enabled on the “Security & Authentication” page in the Control Center, it might prevent the Clinical Data Pull feature from working correctly when performing an EHR Launch in which a REDCap window is embedded inside an EHR user interface.
Bug fix: When editing an alert on the Alerts & Notifications page, the “Email From” drop-down might mistakenly list the current user’s email address twice, in which the second instance might have the text "[email no longer belongs to a project user]" appended to it.
Bug fix: When adding a new Table-based user via the "Create User (bulk upload)" tab on the "Add Users (Table-based Only)" page in the Control Center, it might give an inaccurate and confusing message if that user account already exists. (Ticket #87143)
Change: Support for Internet Explorer 9 has been removed.

Version 10.0.4 (released on 2020-06-23)

CHANGES IN THIS VERSION:

Improvement: In REDCap 10.0.2, a new feature was added to the Online Designer’s “Add/Edit Branching Logic” dialog to help users modify branching logic for many fields at once if they had the exact same branching logic. Now this has been improved further so that if users do not want to keep seeing this prompt when editing branching logic, a new checkbox in the dialog that says “Do not show this message again” can be checked, which will prevent the prompt from being displayed in that project for that user during the remainder of their REDCap session.
Change: When using the new Break the Glass feature as part of the CDIS (Clinical Data Interoperability Services) functionality, it now requires that you enter your password for your REDCap account for increased security as part of the Break the Glass process.
Various fixes and updates for the External Module Framework
Bug fix: If Missing Data Codes are utilized in a project and a number-validated or integer-validated text field is used in branching logic in which the value of that number/integer field is a non-numerical Missing Data Code, the branching logic might not behave as expected. Bug emerged in REDCap 9.9.2. (Ticket #86841)

Version 10.0.3 (released on 2020-06-19)

CHANGES IN THIS VERSION:

Change: To be more inclusive in our community, all references to the terms “blacklist” and “whitelist” have been replaced with “blocklist” and “allowlist”, respectively, in the REDCap user interface, the REDCap code, and in all database table names and columns.
Bug fix: If using the HTML tags OL or UL inside the choice label of a left-aligned radio button or checkbox field, the labels might mistakenly overlap on top of the bullets and make them hard to read. This was supposedly fixed in the previous version, but that fix only addressed right-aligned radios/checkboxes.
Change: When exporting data to a stats package (R, Stata, SPSS, SAS), if a field contains a long field label, it now truncates the field label in the center of the text (i.e., putting an ellipsis in the middle) to make it more compatible with and easier to read in certain stats packages.
Bug fix: When performing an “EHR Launch” for the Clinical Data Pull feature, it would fail to load the REDCap window inside the EHR user interface due to a fatal PHP error. Bug emerged in REDCap 10.0.2.
Bug fix: The “reset” link for embedded radio button fields would mistakenly be left-aligned instead of right-aligned.
Bug fix: If Field Embedding is used on an instrument in which the field being embedded is a required field, the user would not receive the required field warning if the embedded field was left empty when the instrument was saved.
Bug fix: When viewing the Sponsor Dashboard page, if the user is a sponsor of many users, then when the page is scrolled downward, the table header would mistakenly get obstructed and covered by the top navbar.
Bug fix: On the My Projects page, the field count hyperlink in the Fields column would mistakenly link to the Online Designer even if the user did not have Project Setup & Design privileges, which would result in an “Access Denied” message when following that link. In that case, it now links to the Codebook instead. (Ticket #86602)
Change: When copying a project via the Copy Project page, Alerts & Notifications will now be automatically set to “Deactivated” status in the newly created project, similar to Automated Survey Invitations when copying a project. This is to ensure that they do not start getting triggered and start sending if all the project records were copied from the original project.
Bug fix: When sending an Alert as an SMS message via Twilio, the SMS would mistakenly only go to one recipient (and perhaps multiple times to that same recipient) if more than one SMS recipient was listed for the Alert. (Ticket #86623)
Bug fix: If a survey title contained HTML tags, those tags would mistakenly get displayed as escaped characters in the Survey Queue setup dialog and on a record’s Survey Queue page.
Bug fix: When an administrator is resetting the password of a Table-based user’s account on the Browse Users page, it would mistakenly send the email with the From as the admin’s name/email when it should instead send it with the From as the general administrator name and email address that is defined for the system.
Bug fix: When adding users to a project using the API Import Users method, the format of the usernames were mistakenly not being checked and thus would allow usernames containing invalid characters to be added to projects.
Bug fix: When a radio button field is embedded via Field Embedding in another field on an instrument, and that instrument is enabled as a survey and has the Enhanced Radios/Checkboxes option enabled, then if a participant is taking the survey and selects a choice for the field and then clicks the “reset” button to de-select it, although this action would correctly remove the radio value, it would appear as if it hadn’t been de-selected, which is confusing. (Ticket #86645)
Bug fix: When using Twilio telephony services for surveys, in which the default invitation preference for new survey participants has been set to a value other than "Email", when new records are created in the project specifically via the API Import Records method, those participant’s invitation preference in the Participant List would mistakenly not get set to the correct value but would always get set to "Email". Note: If importing data via the Data Import Tool, the invitation preference would get set correctly. (Ticket #86673)
Change: In previous versions, date fields that have Y-M-D date format would allow M/D/Y format values (i.e., American format dates with slashes instead of dashes) to be entered, in which it would automatically reformat the value to a Y-M-D format date with dashes. This is a very old behavior from the earliest days of REDCap that was meant to be a convenience for users, who were mostly from the U.S. at that time. However, since that time REDCap has grown internationally, and it is no longer U.S.-centric as it was in the early days. It makes more sense at this time to remove this old behavior so that Y-M-D date formats only accept Y-M-D formatted values. (Ticket #86446)
Bug fix: If the Save & Return Later feature has been enabled on a survey but participants are not allowed to return once they have completed the survey, then there is a scenario in which a participant could mistakenly erase all their survey responses after having completed the survey. If they partially complete the survey and then return back to the survey page, in which it asks them to either enter their Return Code or erase all their responses and start over, if that page is opened twice in two different browser tabs, and then the participant completes the survey in one tab and then later views the other tab and clicks the “Start Over” button, it would mistakenly erase all their responses, even though they should not be able to modify their responses after having completed the survey.
Bug fix: When an alert has the option “Using conditional logic during a data import or data entry” selected in Step 1 in the “Edit Alert” dialog, in which the alert’s conditional logic contains the datediff() function with “now” or “today” as a parameter, if the project is longitudinal and the logic also explicitly references a field in a specific event (i.e., has the unique event name prepended to the field variable), if that particular event being specified has no data in it, then the logic would mistakenly not get evaluated correctly, and the alert would not get triggered/scheduled correctly by the “AlertsNotificationsDatediffChecker” cron job. (Ticket #86689)

Version 10.0.2 (released on 2020-06-11)

CHANGES IN THIS VERSION:

Improvement: Integration of Günther Rezniczek’s “My Projects Tweaks” External Module - Improvements for the My Projects page
- Adds project PIDs (for REDCap Admins only): Adds a new PID column (in between Project Title and Records). The PIDs are links that lead to the Edit Project’s Settings page.
- Link to Online Designer: Adds links to the Online Designer page of projects in the Fields column.
- Link to Record Status Dashboard: Adds links to the Record Status Dashboard in the Records column.
- Collapse All: Adds a Collapse All button next to the Organize button that collapses all project folders.
- Organize Projects filtering: Adds a filter in the Organize Projects pop-up.
Improvement: When editing a field’s branching logic in the Online Designer’s “Add/Edit Branching Logic” dialog, when saving the branching logic for a given field, it will now check if any other fields in the project have identical branching logic and will prompt the user to ask them if they want to change the branching logic accordingly for all fields having the same branching logic.
Change: The Control Center page “Find Calculation Errors in Projects” has been removed. It served a purpose several years ago to address specific issues with calculation errors that occurred during that time, but it has not been needed in quite a long time. If any calculation errors might exist in a project, as always they can be dealt with using Data Quality rule H.
Bug fix: If a hyperlink is used inside a field label or section header text for a field on a survey or data entry form, in which the hyperlink is merely an anchor link to point to another place on the current page, then in some cases clicking the link would mistakenly prompt the “Save your changes?” dialog to be displayed unnecessarily if data had been added/modified on the page. (Ticket #85880)
Bug fix: When the survey option “Allow survey respondents to view aggregate survey results after completing the survey?” is enabled on a public survey and a respondent completes the public survey, it would mistakenly not display the button to allow the respondent to view the aggregate survey results. Bug emerged in REDCap 9.10.0 Standard and 9.5.28 LTS.
Bug fix: If a vertically-aligned radio button field is embedded in a table in a section header, the choice labels would mistakenly cover the radio button elements themselves and make them either hard to see and/or hard to utilize.
Bug fix: Some math functions used in calculations and branching logic (e.g., max, min, sum) might mistakenly yield an incorrect result (often a blank value) if a multiple choice field is referenced inside the function in which the multiple choice field has all numerical codings but at least one of the codings is a negative number. Bug emerged in REDCap 9.9.2.
Bug fix: The API method “Export a Survey Queue Link” would mistakenly fail with a fatal error. Bug emerged in REDCap 10.0.1 Standard and 9.5.30 LTS. (Ticket #86155)
Bug fix: If using the HTML tags OL or UL inside the choice label of a radio button or checkbox field, the labels might mistakenly overlap on top of the bullets and make them hard to read.
Change: When viewing an Automated Survey Invitation in which the From address belongs to a user that no longer has access to the project, it would display the note "[email no longer belongs to a project user]" next to the email address, but it would not display that note for Administrators. It now displays it to both regular users and Administrators to eliminate any confusion.
Change: When viewing an alert on the Alerts & Notifications page in which the alert’s From address belongs to a user that no longer has access to the project, it now displays the note "[email no longer belongs to a project user]" next to that email address in the drop-down list.
Bug fix: When using the Twilio telephony services for surveys in a project, if the “SMS Conversation” option has not been enabled in the project but a participant mistakenly replies back to an SMS they received from REDCap, it would begin the survey as if using the “SMS Conversation” option, which is incorrect. In this case, it now will reply back to them with an SMS saying "Auto-Reply: This SMS phone number is not monitored". (Ticket #61331)
Bug fix: When the Save & Return Later option for a survey has been disabled but somehow a user has enabled the sub-option to “Allow respondents to return without needing a return code” for the survey, it would create a scenario via the Survey Queue in which the survey participant might be able to return to the survey even with Save & Return Later having been disabled.Bug fix: In some very specific cases when an External Module is calling the REDCap::evaluateLogic() method in a repeating event context, it might not mistakenly parse the logic correctly if the logic contains a stand-alone [X-instance] Smart Variable (i.e., when it is not appended to a field variable). (Ticket #85914) (Ticket #85891)
Bug fix: When executing Data Quality rule E (“Outliers for numerical fields”) for a project that has Missing Data Codes defined, it might mistakenly return discrepancies for records that have a numerical Missing Data Code. It should instead be ignoring Missing Data Code values in this DQ rule. (Ticket #85991)

Version 10.0.1 (released on 2020-06-05)

CHANGES IN THIS VERSION:

Improvement: New “Break the Glass” feature for CDIS (used for both CDP and Data Mart)
- This feature is only for installations that have Epic as their EHR, and it is an add-on to the existing Clinical Data Interoperability Services (CDIS) in REDCap. If clinical data is being pulled via the FHIR services from Epic, and REDCap determines that data cannot be pulled for a given patient because the glass needs to be broken for that patient (because they are staff, a VIP, etc.), REDCap will keep a list of these patients, in which they can be selected afterward and have their glass broken by the user on the REDCap side. The user will be given a “break the glass” prompt very similar to the one that users would see inside Epic Hyperspace, and when they break the glass in REDCap, it will make a web service call to Epic to perform the “break the glass” action on behalf of the user, in which case it will get logged appropriately in Epic’s activity logs.
- NOTE: Because the REDCap “Break the Glass” feature allows users to perform glass-breaking for many patients at once, this feature (once enabled at the system level) is DISABLED by default at the project level due to the possibility of abuse. So an administrator will need to enable this feature for a given project
- The Break the Glass settings can be set on the Clinical Data Interoperability Services page in the Control Center. It must be enabled and set appropriately for the given Epic installation. Note: The Break the Glass web services must be enabled on the local Epic Interconnect server in order for this feature to work in REDCap.
Improvement: Survey pages are now considered ADA Section 508 compliant. The REDCap Development Team at Vanderbilt has been collaborating with the CDC to improve the accessibility of REDCap overall. While the user-facing side of REDCap (i.e., non-survey pages where users must authenticate) is not 508 compliant, it continues to be improved with regard to accessibility over time. But according to the CDC’s recommendations and testing of REDCap, survey pages in REDCap do meet the minimum requirement for ADA Section 508 compliance.
Bug fix: If upgrading to 9.10.0 from a version lower than 9.9.2, it would result in duplicate queries being added to the upgrade script, thus resulting in MySQL errors during the upgrade. (Ticket #85303)
Bug fix: If two users load the same data entry form in a project (i.e., same record, event, instrument, instance), in which one of the users has clicked the plus/minus icon on the left-hand menu to collapse/uncollapse a menu section after loading the form, it would mistakenly not display the Simultaneous User Prevention warning and thus would allow both users to have edit access on that from. (Ticket #85305)
Change: Permanently removed some PHP global functions files (form_renderer_functions.php, survey_functions.php) since they have been gutted and no longer utilized for several months.
Bug fix: Some CSS styling in REDCap’s style.css file was mistakenly overwriting CSS used specifically by DataTables, which could affect the look and style of any DataTables used in a plugin or external module. The CSS has been reverted so that it no longer overwrites the DataTable CSS. Bug emerged in REDCap 9.9.0 (Standard). (Ticket #85306)
Bug fix: If a field is embedded via Field Embedding into the choice label of a radio button or checkbox field and then is viewed on a survey in which the Enhanced Choice survey option is enabled for radios and checkboxes, then an error message would mistakenly get displayed on the survey page saying that the field had been embedded more than once, which is not true.
Bug fix: A JavaScript error might occur on a survey page where it tries to call the undefined function displayFormSaveBtnTooltip(). This error does not seem to cause any issues on the survey though.
Bug fix: For certain screen widths, the search box displayed above a report might mistakenly be displayed too far to the right on the page. (Ticket #85415)
Bug fix: If Field Embedding is used in which a text field is embedded inside the choice label of a checkbox field, then if the checkbox is checked or unchecked by clicking its choice label (rather than by clicking the checkbox element itself), then it would fail to change the value of the checkbox field despite the fact that it looks like its value has changed. (Ticket #85387)
Bug fix: The database query used to generate the list of a record’s repeating instances for a given instrument was not correctly optimized and was causing major performance issues for certain projects on certain installations. (Ticket #84936)
Change: The @READONLY action tags now display the field labels as slightly less faded out (using 60% opacity instead of 50% as in previous versions), and the text of drop-downs, text boxes, and textarea boxes that have a @READONLY action tag now have a darker text to make them more readable despite being disabled on the page. (Ticket #85396)
Bug fix: When sending an Alert as an SMS message, if there is an email address selected for errors to be emailed to a project user in the event that the SMS fails to send for that Alert, it would mistakenly send the error email every time an SMS is sent rather than only when an error occurs.
Bug fix: When a Yes-No or True-False field is piped into an Alert’s email subject or message text, in which the alert is set to be sent after a delay (not immediately) and/or on a recurring schedule, then the value of the Yes-No or True-False field would fail to be piped into the text and instead would be replaced with 6 underscores as if the value did not exist.
Bug fix: Reports that are very wide and very tall would have the fixed headers and fixed first column behavior automatically employed on the report table, but often times the scrollable width of the resulting table would be too wide and would run off the page, thus causing the user to have to scroll the main viewport first and then scroll the table second. It now tries to ensure that the scrollable table itself will fit on the page so that only one instance of horizontal scrolling is required.
Bug fix: When upgrading to version 10.0.0 from a previous version, it would mistakenly place the v10.0.0 upgrade SQL queries before the other cumulative upgrade SQL queries for previous versions that were being upgraded through (the in-between versions). The SQL queries being out of order might cause some issues during the upgrade process. (Ticket #85668)
Bug fix: The Easter Egg functionality of appending “"&__display_errors=1” to the URL in order to force output a PHP error onto the webpage has now been removed for all cases except for authenticated REDCap administrators because it is a potential security issue.
Bug fix: Nearly 200 Laboratory and Vital Signs fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.
Bug fix: When using the Smart Variable [survey-queue-link] in a context where the current record does not yet exist (e.g., on the first page of a public survey), it would mistakenly return a URL that might not actually be associated with the record after the record has been created. Instead it now returns a blank value if the record does not yet exist. (Ticket #85602)
Bug fix: If Field Embedding is used for at least one field on a survey or data entry, it would cause all auto-complete drop-down fields not to display correctly. (Ticket #85744)
Bug fix/change: The Field Embedding feature now notes in the documentation that the Record ID field cannot be embedded, and if a user tries to embed it, it will now display a warning on the survey or data entry form. (Ticket #85739)
Bug fix: The REDCap hook named “redcap_survey_complete” would get mistakenly called when a survey participant would attempt to return to a completed survey that has the “Save & Return Later” option enabled when the sub-option is enabled to allow respondents to return without needing a return code - i.e., when it displays the message "Thank you for your interest, but you have already completed this survey". (Ticket #80109)

Version 10.0.0 (released on 2020-05-29)

CHANGES IN THIS VERSION:

New feature: Field Embedding
- Field Embedding is the ultimate way to customize surveys and data collection instruments to make them look exactly how you want. Field Embedding is a Shazam-like feature that allows you to reposition field elements on a survey page or data entry form so that they get embedded in a new location on that same page. Embedding fields gives users greater control over the look and feel of your instrument. Users may place fields in a grid/table for a more compact user-friendly page, or they can position fields close together in a group if they are related.
- To use Field Embedding, users simply need to place the REDCap variable name of a field inside braces/curly brackets - e.g., {date_of_birth} - and place it in the Field Label, Field Note, Section Header, or Choice Label of any other field on that same instrument. Field embedding will not work across instruments but only on the current instrument/survey being viewed. If on a multi-page survey, then the embedded field must be on the same survey page as its host field.
- No action tags or custom HTML is required to use Field Embedding. Users can simply use the rich text editor in the Online Designer to design their layout and then place the field variables inside that layout. The layout does not have to be a table/grid (although tables are common for this), and fields can be embedded inside *any* field type (not just Descriptive fields).
- We wish to thank Andy Martin (Stanford) because his popular Shazam external module served as the conceptual inspiration of the Field Embedding feature.
- Note: When installing or upgrading to v10.0.0, a new project “Field Embedding Example Project” will be automatically added as a project template to allow users and admins to easily see some examples of Field Embedding in action.
Change: A new link to “REDCap Administrator Videos” has been added to the Control Center’s left-hand menu under the “Administrator Resources” section, in which this link points to a page that consolidates many REDCap videos aimed at administrators on various topics.
Change: Removed the thick black border seen on input fields that have focus for Chrome 83 and higher, which was by default adding the black border to all input fields on all webpages.
Change/improvement: Added better error detection to make the data import process more accurate and informational by ensuring that any datetime_seconds values that are missing a “seconds” component will be reformatted to append “:00” and if any datetime values are missing a “minutes” component it will be reformatted to append “:00”, in which it will display a warning to the user on the Data Import Tool page to inform the user that these modifications are happening. Also, if the first two digits of the “year” component are missing for a date or datetime value, it now displays a warning to inform the user that the full year value will be estimated and will note the resulting estimated year value.
Change: On the Survey Settings page, The Save & Return Later option “Allow respondents to return without needing a return code” now has a note immediately below it to encourage users not to use this survey option if they are collecting identifying information (PHI, PII) on their survey.
Change/improvement: If the Twilio SMS and Voice Call services are enabled at the system level, the Twilio module can now be disabled (if desired) at the project level by an administrator on the “Edit a Project’s Settings” page in the Control Center. If disabled for a given project, all references to the Twilio functionality will no longer appear in the project.
Bug fix: Clicking on the “What is an E-signature?” link in the “Editing existing user” dialog on the User Rights page would mistakenly not do anything and would result in a JavaScript error.
Bug fix: If a project does not contain any date or datetime fields, then when creating/editing an Alert or Automated Survey Invitation, the third “send time” setting’s text would mistakenly be missing the text “after time lapse of” immediately after the text "Send the invitation/alert", which could cause confusion for users. (Ticket #84929)
Bug fix: Report B would return incomplete returns when viewed on a webpage (but not when exported) under certain conditions, especially if the project is longitudinal. (Ticket #84937)
Bug fix: When piping data into a drop-down field on a survey or data entry form that is a repeating instrument or exists on a repeating event, although piping would occur correctly when initially loading the page (using saved values), it would mistakenly not perform real-time piping on the page as fields were modified if those modified fields’ values were being piped into drop-down fields on that same page. (Ticket #84951)
Bug fix: When the Double Data Entry module is enabled in a project, the Current Users table on the Project Home page might mistakenly get partially covered by the Project Statistics table. (Ticket #84903)
Bug fix: When setting a Missing Data Code for a field, it would mistakenly hide all buttons in that row instead of only the Today/Now button for date/datetime fields. (Ticket #84909)
Bug fix: When composing multiple batches of survey invitations on the Participant List page without refreshing the page in between batches and the user uses their mouse to highlight the existing email body text and then pastes new text using Ctrl-V into the email body without typing on the keyboard while the cursor is inside the email body text box, then the new pasted text might mistakenly not be used in that batch of invitations being sent, but instead it would send invitations using the default email body text. (Ticket #84351)
Bug fix: When executing a custom Data Quality rule that has logic containing fields from both repeating and non-repeating contexts, in some cases the hyperlink for the data value displayed in the discrepancy dialog popup might mistakenly be pointing to a repeating context (e.g., URL contains “&instance=??”) even though the field does not exist on a repeating instrument or repeating event. (Ticket #84934)
Bug fix: The left-hand instrument menu in a project would mistakenly denote the maximum instance number of a repeating instrument rather than the total count of repeating instances, which can be confusing to users if some instances had been deleted after having been created. If the total count of repeating instances does not match the maximum instance number, then it will now display “max: X, total: Y” next to the instrument name to provide this distinction. Also, the “plus” icon next to a repeating instrument on the left-hand menu would mistakenly not appear if the first instance of the instrument had been deleted (this would occur when viewing the left-hand menu while on another instrument). Additionally, if a repeating instrument had its first repeating instance deleted, the form link on the left-hand menu would still mistakenly point to the first instance by default, which is not intuitive. It now points to the lowest existing instance of that instrument as the default. (Ticket #84943)
Bug fix: The note “You may use HTML formatting in the email message…” was mistakenly still being displayed below the rich text editors when composing survey invitations in various places in a project. That note no longer makes sense now that the rich text editor must be used in these places, so the note has been removed.
Change: If enabling the Survey Login feature in a project containing repeating instruments or repeating events, it now displays the clarifying message in the Survey Login setup dialog to users so that they are aware: "NOTICE: Fields existing on repeating instruments/events will not work as login fields". (Ticket #85208)
Bug fix: In some situations where a data entry form or survey is being submitted after an External Module has relocated some fields on the page (e.g., Shazam), it may prevent the page from being saved successfully due to a JavaScript error. (Ticket #47120)
Bug fix: The color picker popup used for Project Folders and for Survey Themes would not be displayed correctly after being opened, so the preset color palette of squares in the color picker had to be removed since they could not otherwise be fixed.
Bug fix: When using Missing Data Codes in a project and a radio button or checkbox field has been assigned a missing data code for a given record, and then the user clicks one of the seemingly disabled choices of the field and then clicks Save, it would mistakenly change the value of the field to the choice that was clicked, even though it did not appear as if the field’s value changed prior to saving it. (Ticket #85220)
Change: The REDCap cron job now logs all events in the redcap_log_eventX table using the current time that the activity is logged - via PHP’s date(“YmdHis”) - whereas previous versions would log all cron activity using the time at which the cron job script began. This is more optimal since cron jobs can sometimes last for many minutes, which makes it more difficult to troubleshoot the timing of certain issues with cron jobs. Regular non-cron scripts will still continue to log events using the time at which the script began.

Version 9.10.0 (released on 2020-05-21)

CHANGES IN THIS VERSION:

New feature: Record-level locking feature
- This feature allows users to lock an entire record (as opposed to locking individual instruments) so that none of the record’s data can ever be modified unless someone with record-level locking/unlocking privileges goes and unlocks the record again.
- The old “lock all forms for all events” feature has been changed into this new record-level locking feature, which is distinguishable from the existing instrument-level locking feature. Now the instrument-level locking can only be used while on a data entry form (using the Locking checkbox at the bottom of the form). Whereas the record-level locking feature is available as an option on the Record Home Page and on the project’s left-hand menu after a record has been selected.
- While records have always been able to be locked (i.e., made read-only) for individual data collection instruments in a project, you may now easily lock an ENTIRE record so that no data in the record can ever be modified while it is locked.
- WHAT HAS CHANGED? It is important to note that the old user privilege “Lock all forms” has now been converted into the new record-level locking feature, which works completely independently from instrument-level locking (i.e., the checkbox at the bottom of data entry forms). Instead of that particular user privilege allowing you to lock all forms individually (which was the previous behavior), it will now serve in a slightly different capacity as the record-level locking user privilege to lock an entire record fully.
- HOW TO USE IT: You may lock an entire record via the “choose action for record” drop-down on the Record Home Page or by clicking the “Lock Entire Record” link on the project’s left-hand menu when viewing a record. Note: Since the record locking and instrument locking are completely separate features, they both may be used together in a project, if you wish. However, please note that since record locking is a higher-level locking than instrument locking, an entire record may be locked or unlocked while one or more instruments are currently locked, but an instrument cannot be locked or unlocked while the entire record is locked.
New feature: Record-level Locking Enhancement: PDF confirmation & automatic external file storage (project-level setting) - requires PHP 5.6.0
- This feature allows users to utilize extra functionality regarding the use of record-level locking in a project. It must first be enabled at the system level (at the bottom of the Modules/Services Configuration page in the Control Center). It is disabled by default for all projects, but users with ‘Project Setup & Design’ rights can enable it for a project in the Additional Customizations popup on a project’s Project Setup page.
- How it works: When enabled for a project, if a user goes to lock an entire record, they will be presented on the page with an embedded PDF of the entire record’s data, and after confirming that the record is correct, the record will be locked at the record level and a PDF copy of the entire record will be stored in a “PDF Archive of Locked Records” section of the File Repository of the project and additionally will be stored on a secure external server via WebDAV or SFTP storage.
- The connection to the external file server can be set up as WebDAV or SFTP, in which the details/credentials must be provided when enabling this system-level setting at the bottom of the Modules/Services Configuration page in the Control Center.
- This feature may be utilized for projects wishing to adhere to certain regulatory compliance, such as 21 CFR Part 11 for FDA trials. Please note that enabling this feature does not make the feature or your REDCap installation automatically “Part 11 compliant”. It is assumed that if using this for Part 11 compliance that you have already gone through all the processes of documenting and validating your REDCap environment (or parts of it) to validate it as “Part 11 compliant” beforehand.
Major bug fix: When submitting a one-page public survey, in some specific scenarios after completing the survey, a participant could incidentally cause the survey to get resubmitted (minutes, hours, or even days later), thus creating a duplicate record in the project. This appears to occur mostly for certain mobile devices, in which returning to a tab containing the completed survey might mistakenly cause the survey to get resubmitted somehow. (Ticket #75626)
Major bug fix: If a calculated field’s equation contains a field with "Number (comma as decimal)" validation or "Number (X decimal places - comma as decimal)" validation, the calculation would mistakenly fail and would often result in an error prompt on the page stating that a syntactical error exists in the calculation, which is untrue. Bug emerged in REDCap 9.9.1. (Ticket #84622)
Change: The project ID (PID) of a project is now displayed immediately after the project title at the top of every project page. This will make it easier for users to obtain their project’s PID when attempting to identify their project to administrators.
Bug fix: When using the Survey Login and clicking the “Show value” link for one of the login fields on the survey login form, it would fail to remove the password mask from the login field. Bug emerged in REDCap 9.9.0. (Ticket #84417)
Bug fix: When using the Clinical Data Pull feature and viewing the embedded REDCap page in an EHR user interface, it would mistakenly display some escaped HTML on the page. (Ticket #84422)
Bug fix: When uploading an MP3 audio file to be embedded in a Descriptive field on a survey page or data entry form, it might mistakenly not play in Internet Explorer.
Bug fix: Seven Laboratory fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.
Bug fix: If a project is longitudinal and has either repeating instruments or repeating events, in which a field exists on both a non-repeating event/instrument and on a repeating event/instrument, then if that field is used as a report filter, the report might mistakenly return partially incorrect results. Part of this issue was caused by another fix in REDCap 9.9.1 Standard and 9.5.26 LTS, and the other part is a longer-standing issue caused by difficulty in parsing logic referencing different repeating and non-repeating contexts. (Ticket #84330)
Bug fix: For longitudinal projects, the project Logging page would mistakenly display the name of the first event next to the record name for logged events related to Data Access Group assignments for records. It should not display the event name because assigning DAGs is performed at the record level and not at the event level, so displaying the event name for the logged event is misleading.
Bug fix: The cron job to routinely reset the record list cache for all active projects was mistakenly not resetting the cache as often as it should.
Bug fix: If a calculated field’s equation contains certain Smart Variables (e.g., [project-id]), when saving the calc field in the Online Designer, it would note that it is syntactically incorrect, which is untrue. (Ticket #84524)
Bug fix: When importing an instrument from the REDCap Shared Library, in which the instrument contains a checkbox field that is used in branching logic or in calculations in the imported instrument, and also that checkbox field’s variable name already exists in the project as an existing variable, then when the variable is being automatically renamed during the instrument import process to prevent a conflict with the existing variable, it would mistakenly fail to perform the renaming successfully for checkbox fields, which require a slightly different syntax when being referenced in calc fields and branching logic.
Change: If a project contains a large number of users and/or Data Access Groups, it now automatically disables the DAG Switcher feature. This is done because if the table becomes very large, it can cause a major slowdown in the user’s browser and possibly cause it to crash. So any projects where Users X DAGs > 10K, the DAG Switcher will be disabled and will not be usable. Also, if a project has a count of Users X DAGs between 5K and 10K, it will still display the DAG Switcher, but it will auto-disable the floating headers and search features on the DAG Switcher table in order to prevent browser slowness. (Ticket #84610)
Bug fix: The User Whitelist would fail to work when using external authentication methods (e.g., LDAP). (Ticket #83958)
Bug fix: In the Required Fields dialog on data entry forms and surveys, one of the buttons mistakenly did not have its language abstracted for translation. (Ticket #81638)
Bug fix: Downloaded PDFs would mistakenly result in the error “AddMBFont: ERROR Encoding [SJIS] Undefine” if the project’s “Character encoding for exported files” setting was set to "Japanese (Shift JIS)".
Bug fix: When exporting data to SAS while using Missing Data Codes in a project, if any fields contain the @NOMISSING action tag, such fields would mistakenly not be made exempt from the Missing Data Codes when importing the data into SAS. (Ticket #83910)
Change: When exporting data to SAS, the line “OPTIONS nofmterr;” is now added to the SAS script to prevent any formatting issues from throwing fatal errors.
Bug fix: When rendering a report or performing a data export in which the report contains some report filters, some extra processing was being done unnecessarily that was making the report slower than it should have been. This unnecessary code was removed, which now makes reports load faster (up to 2x faster in some cases) for reports with report filters.
Bug fix: When a project that has record auto-numbering enabled exceeds 25,000 records in the project, then the text input field that is displayed (in lieu of a drop-down list) on the Add/Edit Records page would mistakenly allow users to free-form type a new record name that might not comply with the record auto-numbering scheme. To prevent this issue, it now checks to ensure the record being typed already exists.

Version 9.9.2 (released on 2020-05-15)

CHANGES IN THIS VERSION:

Improvement: New PDF customization to hide the Record ID from the PDF header. In the “PDF Customizations” section of the “Additional Customizations” dialog on the Project Setup page, users may set this option to display or hide the record name in the top header of every PDF page when downloading a PDF with data for a record. This is a project-level setting, so setting it applies to all PDFs generated for records in the project.
Improvement/change: A new “Clear the Record List Cache” button has been added to the Other Functionality page in a project, in which this button is only available to administrators to use. If there appear to be records missing from the project (in reports, record status dashboards, or elsewhere), then the Record List Cache (a secondary list of all record names) might be out of sync and thus might need to be cleared. Clearing the cache will cause the Record List Cache to regenerate and bring back records that appear to be orphaned/missing in the project. Clicking this button will clear the cache and fix the record list. NOTE: This is normally not needed, but there have been instances in which unknown factors caused the Record List Cache to get out of sync, which could cause major problems for some projects.
Improvement: A new field “Preferred language” has been added to projects that are created as Clinical Data Mart projects. This field will serve as the location where a patient’s preferred language will be imported as freeform text (e.g., “English”) from the EHR. If a Data Mart project was created in an earlier version of REDCap, this field can simply be added after the fact by adding the variable name “preferred_language” as a Text field with no field validation on the Demography data collection instrument.
Improvement/change: The sending of a survey confirmation email now gets logged on the project Logging page when a confirmation email has been set to send to a survey participant after having completed a survey, in which the logged event will note the record name, the To address, the From address, the email subject, and whether or not the email contained attachments (including the PDF of the participant’s survey responses).
Changes for long-standing quirks with calc fields and branching logic
- Change: In previous versions, calculated fields could only utilize either numeric fields or date/datetime fields in the calculation. Now non-numeric fields may be used, most notably inside IF statements. For example, if ([field1] = “A”, 0, 99).
- Change: In previous versions, using > or < in branching logic would not always work as expected. For example, [a] > [b] would have to be formatted as [a]*1 > [b]*1 to work correctly 100% of the time, which is not intuitive. This is no longer required, in which [a] > [b] will work as one would expect in branching logic. Note: This does not apply to calc fields, which have never had this problem.
- Change/improvement: The datediff() function used in branching logic and calc fields no longer requires the date format parameter (“ymd”, “mdy”, “dmy”). This was required for datediff() in calc fields and branching logic but was not required elsewhere, such as in report filters, DQ rule logic, ASI/Alert conditions, etc. The $returnSignedValue parameter (if provided) can now be provided as the fourth parameter - e.g., datediff([dob], “today”, “y”, true). NOTE: Both of the date/datetime fields used in the datediff function must still be in the same date format (“mdy”, “dmy”, or “ymd”), so that is still a requirement.
Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on the project Logging page where a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into the record name of a record imported via the API or Data Import Tool.
Change: When creating a new Clinical Data Mart project, the “mrn” field is automatically set as the Secondary Unique Field in the project to ensure that each patient corresponds to one record in the project and prevent duplicates.
Bug fix: If the foreign key of a database table is not defined correctly in the REDCap database, the SQL provided by the Control Center warning “Your REDCap database structure is incorrect” would mistakenly fail to fix the issue and would keep appearing after being run. It now provides the correct SQL to run in order to fix the database structure issues. (Ticket #83951, #84054)
Bug fix: When using Twilio Telephony Services to send SMS messages from a Short Code phone number, it would fail to send the messages because REDCap would mistakenly prepend a “+” to the Short Code when attempting to send it via Twilio’s API.
Bug fix: The “redcap_survey_complete” hook would mistakenly get called when a survey participant loads their survey queue when navigating directly to their queue as opposed to navigating there after completing a survey.
Bug fix: When using the Dynamic Data Pull (DDP) Custom module to import data from an external data source, the cron job that runs routinely to import data into projects might mistakenly crash with a fatal error.
Bug fix: The REDCap installation page would mistakenly crash with a fatal PHP error and would prevent anyone from going through the full installation process. Bug emerged in the previous version. (Ticket #84111)
Change/improvement: Added “PARTICIPANT OPTED OUT” as a new valid option that will be logged in the Survey Invitation Log when an SMS fails to be sent via Twilio telephony services because a blacklist rule is violated (as noted by the Twilio service). Documentation regarding how a participant may opt out of receiving SMS messages from Twilio can be found here and here.
Bug fix: If an alert on the Alerts & Notifications page contains attachment files in which two or more attachments have the exact same file name, then it would mistakenly not attach all the files to the email but only the last one listed. (Ticket #83903)
Bug fix: Two Laboratory fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.
Bug fix: The sum() function would mistakenly not work as expected and would return a blank value for a calculated field if one or more of the fields used inside sum() have a blank value. (Ticket #84284)
Bug fix: In certain cases, if new records are being created in a project while the project’s Record List Cache is being built, it might mistakenly cause new records to appear orphaned (as if they were never created) and not appear in reports, dashboards, etc. in the project for a few days (or until the cache is rebuilt). (Ticket #84159)
Bug fix: When performing a data import into a repeating instrument, in which all the fields in the row in the data import file have blank values (excluding the record id field, redcap_repeat_instance field, and redcap_repeat_instrument field), it would return a confusing error message and prevent the import from completing. (Ticket #84359)
Bug fix: When exporting a Project XML for a longitudinal project, in which the project contains reports with report filters that have the “in All Events” drop-down option selected for a given filter field, the resulting XML file would contain advanced filter logic that would work successfully in a new project created from the XML file, but if a user went to modify that report afterward in the newly created project, REDCap would note that the logic was not syntactically correct (even though the filter logic would work correctly when displaying the report). This is due to the fact that in the XML file it was mistakenly not prepending "[event-name]" to all fields in the advanced logic that did not already have a prepended unique event name. For longitudinal projects with advanced filter logic, all fields must have a prepended event name or else must have [event-name] prepended to the field.
Bug fix: If the setting “Email to send email-failure errors” has been defined for an alert in Alerts & Notifications, the email received after an error occurs would mistakenly not contain the real error message of why the alert did not send and also would not contain the alert number of the alert being triggered. (Ticket #84004)
Bug fix: When running Data Quality rule D ("Field validation errors (out of range)"), it would mistakenly return discrepancies for valid number values if a field had "Number (comma as decimal)" validation. (Ticket #84004)

Version 9.9.1 (released on 2020-05-08)

CHANGES IN THIS VERSION:

New feature: Integration with Mandrill Email API
- As an alternative for sending outgoing emails from REDCap (rather than using the standard settings in PHP.INI to send them natively from the web server), you may use Mandrill, which is a third-party paid service that can send emails on behalf of REDCap.
- The option can be configured on the General Configuration page in the Control Center. You merely have to provide the API key for your Mandrill account, and it will begin using the Mandrill API to send *all* emails going out of REDCap.
Improvement: A new send-time option has been added when setting up Automated Survey Invitations and Alerts & Notifications. When defining when the ASI/Alert should be sent, the option “Send after a lapse of time” has a new setting added so that, if desired, the user may set the time lapse relative to the value of a date or datetime field in the project. In previous versions, the time lapse setting could only be set relative to the time in which the ASI/Alert was triggered. That is still an option, but now users may also opt to send the ASI/Alert a certain amount of time either before or after the date/time of a specific field. This new setting will allow users to have greater control with regard to setting when ASIs/Alerts will be sent without getting too complicated in their setup, such as having to use complex logic (with datediff, etc.).
Improvement: When using the Clinical Data Mart, you may now choose specific MRNs for which to fetch data if you do not want to fetch data for all records in the project.
Improvement: When using the Clinical Data Mart, if the project is set to only allow users to fetch clinical data once (which is a project-level setting), this now applies to each record. So if a fetch was done for existing records, and then new records were created later, the user would still be able to fetch data at least once for those new records. Whereas in previous versions, it would only limit users to fetching data once for the entire project (and never again) rather than keeping track of how many times data has been fetched for each individual record.
Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered where a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags and/or JavaScript into the query string of a data entry form or record home page.
Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered where a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into the uploaded CSV data file on the Data Import Tool page.
Change: For external module and hook developers, the location of where the redcap_save_record hook is called has changed very slightly. In previous versions, that hook was called after a record had been saved and also after the following things: the triggering of Automated Survey Invitations, of Alerts & Notifications, and of the Data Entry Trigger. This has now been changed so that the hook is still called immediately after the record has been saved but *before* ASIs, Alerts, and DETs are called. This does not have any negative consequences but comes with the advantage of allowing module/hook developers to manipulate data via the redcap_save_record hook so that the data may then be utilized via piping or conditional logic by ASIs, Alerts, and/or DET afterward. (Ticket #83095)
Bug fix: Certain menu toggles, such as the “hamburger menu” at the top right of the My Projects page when using a mobile device, were not working correctly due to a breaking change in jQuery 3.5.0 in REDCap 9.9.0 Standard and 9.5.25 LTS. A makeshift patch has been applied to fix this in lieu of a proper fix from jQuery. (Ticket #83490)
Bug fix: When creating a new record via the Schedule module in a project, especially if the user creating the record belongs to a Data Access Group, the record would mistakenly not appear in record lists, record status dashboards, or reports for up to several days due to a record list caching issue, in which the cache was not getting updated appropriately when creating the record via the Scheduling module. (Ticket #83478)
Bug fix: When using an API script to send the “authkey” value for an Advanced Link type of Project Bookmark, the script would mistakenly fail and would have a fatal PHP error returned to it. (Ticket #83498)
Bug fix: On the Data Access Groups page in a project, the “Table not displaying properly” link in the DAG Switcher section might mistakenly be superimposed onto the instruction text in certain circumstances. (Ticket #83416)
Bug fix: If some Alerts & Notifications had been created in a longitudinal project, in which recurring alerts had been scheduled for some records, it might prevent a user from deleting an event on the Define My Events page due to foreign key restrictions in the back-end database. (Ticket #83438)
Bug fix: When moving a project to production and selecting the option to "delete all data", if the Survey Queue is enabled in the project and some existing records had had a survey queue link generated for them, then even though the records would correctly get deleted when moving to production, the survey queue links for those deleted records would mistakenly not get cleared out of the back-end database and thus could mistakenly get reused by new records. (Ticket #83341)
Bug fix: When using a Missing Data Code value of "0", "1", or “2” in a project, the Missing Data Code would mistakenly get used on the Form Status Complete field on any given instrument and thus cause issues with being able to set that field’s value correctly. (Ticket #83423)
Bug fix: When branching logic or a calc field references a checkbox choice that has been hidden by the @HIDECHOICE action tag, it would mistakenly display a branching logic/calculation error alert on the survey page or data entry form. (Ticket #83376)
Various updates and fixes for the External Module Framework.
Bug fix: If an Automated Survey Invitation has conditional logic using the datediff() function with “today” or “now” as a parameter, in which “today” or “now” are not in lowercase form, the ASI Datediff cron job would mistakenly not run for these ASIs, thus causing invitations not to get scheduled at the appropriate time.
Bug fix: The cron job for scheduling Automated Survey Invitations that contain datediff+today/now in their conditional logic and are set to send “Immediately” would mistakenly send invitations immediately in real time by that cron, which can be a slow process and delay the scheduling of other invitations in some situations. Instead, the cron job should have been only scheduling the invitations and then letting the email-sending cron job actually send those scheduled invitations. (Ticket #83596)
Bug fix: When entering an X-event-name Smart Variable into conditional logic for an ASI, report filter, etc., when validating the logic, it might mistakenly return a confusing error saying that the syntax is not valid even when it is.
Bug fix: If one or more External Modules have been enabled in a project and have a link displayed for a module page in the “External Modules” section on the project’s left-hand menu, then if Report Folders have been created in the project and a user toggles a Report Folder to open or close the folder, it would mistakenly cause the reports section on the left-hand menu to be moved below the “External Modules” section when it should instead remain above it.
Bug fix: For a project where Missing Data Codes are defined, when exporting data to a stats package (R, Stata, SAS, SPSS) when the export file contains checkbox fields and the report being exported is set to include the Missing Data Codes, the extra fields/columns for the Missing Data Codes for the checkbox would mistakenly not get added to the stats package syntax file, even though they get added to the CSV data file, thus causing the data not to load properly into the stats package because of the column number mismatch. (Ticket #83329)
Bug fix: If running Data Quality rule A or B in a project, in which a blank field has branching logic based off of another blank field, then in certain cases it might not return discrepancies correctly for all the fields with blank values. (Ticket #82655)
Bug fix: When downloading a PDF of an instrument, sometimes rich text might mistakenly not display well in the PDF, such as paragraphs and tables being too far spaced out.

Version 9.9.0 (released on 2020-04-30)

CHANGES IN THIS VERSION:

New feature: DAG Switcher
- Users assigned to Data Access Groups (DAGs) can optionally be assigned to multiple *potential* DAGs, in which they may be given the privilege of switching in and out of specific DAGs on their own whenever they wish.
- When assigned to multiple DAGs, the user will see a blue banner at the top of every project page, which will present them with the option to switch to another DAG. NOTE: Users may not move themselves into another DAG unless someone with rights to this page has explicitly granted them privileges to be in multiple DAGs.
- To assign a user to multiple DAGs, navigate to the Data Access Groups page in a project where you will see the DAG Switcher near the bottom of the page. Then follow the directions provided there. The DAG Switcher feature is completely optional and can be used in any project that has Data Access Groups.
- NOTE: The DAG Switcher feature does not override a user’s current DAG assignment, as set on the Data Access Groups page or on the User Rights page.
- This feature is the result of integrating the “DAG Switcher” external module that was built by Luke Stevens. We thank him for his contribution and for agreeing to let us integrate this useful module into REDCap. NOTE: Because the “DAG Switcher” external module is not compatible with this integrated functionality in v9.9.0, when upgrading REDCap to 9.9.0 or higher, if the “DAG Switcher” external module is already installed and enabled on your REDCap system, it will be automatically disabled at the system level during the upgrade process to prevent a conflict.
Minor security fix: Due to a Cross-Site Scripting (XSS) vulnerability, the JavaScript library jQuery 3.4.1 was updated to version 3.5.0. (Ticket #82867)
Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered where a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags and/or JavaScript into the query string of the Data Access Groups page.
Improvement/change: Users are now able to utilize dots/periods/full stops in the codings of choices for checkbox fields. In previous versions of REDCap, this was not allowed for checkbox fields. (Ticket #83002)
Improvement/change: By popular demand, users may once again utilize dots/periods/full stops in Missing Data Codes. They are no longer forbidden. They were originally allowed for Missing Data Codes, but then removed in REDCap 8.5.0. Now that checkboxes can have dots/periods in their codings as of v9.9.0, it is no longer an issue for Missing Data Codes to use them too. (Ticket #83002)
Bug fix: When using the Dynamic Data Pull (DDP Custom) module and clicking the Save button in the adjudication dialog, it would correctly save the data but might mistakenly crash and display an error message in the dialog afterward. Note: This issue does not affect the CDP or Data Mart modules. (Ticket #82879)
Bug fix: The Missing Data Codes in the Additional Customizations popup on the Project Setup page could mistakenly be modified or removed while collecting data in production, which could cause issues with the saved data during analysis and in reports. It now displays a warning prompt to the user beforehand to inform them that re-labeling or removing Missing Data Codes after data collection has begun could cause data issues, but they will still be allowed to make modifications to the codes if they wish. (Ticket #82977)
Bug fix: When using Missing Data Codes in a project and selecting a missing data code for a radio button field on a data entry form, the missing data codes popup would mistakenly not close after the code had been clicked. (Ticket #82977)
Bug fix: When exporting data to Stata, it would mistakenly output the incorrect syntax in the .do file for text fields with datetime_seconds validation. (Ticket #83001)
Bug fix: When using a Super API Token for the API method "Export REDCap Version", it would mistakenly fail with a fatal PHP error. Bug emerged in REDCap 9.8.0. (Ticket #83068)
Bug fix: If upgrading to 9.5.24 LTS or higher or upgrading to 9.8.5 Standard or higher, the upgrade SQL script might throw a MySQL error during the upgrade process due to a foreign key constraint on a database table. (Ticket #83098)
Bug fix: Slider fields that are vertically aligned and have the “Display number value (0-100)?” option enabled will mistakenly display the number value field too narrowly and thus will not display the full value if its value is "100". (Ticket #83234)
Bug fix: If running REDCap on the Google App Engine platform and the email quota has been exceeded when sending outgoing emails, it would mistakenly crash with a fatal PHP error. It now continues to run and finish the script instead of halting the script with an error.

Version 9.8.5 (released on 2020-04-24)

CHANGES IN THIS VERSION:

Medium security fix: A Cross-Site Scripting (XSS) vulnerability was discovered where a malicious user or survey participant could potentially exploit it by adding some specific HTML tags and JavaScript into a Text field on a survey page or data entry form, after which such HTML would get reflected back on the page and get executed for another user.
Major bug fix: If a multi-arm longitudinal project is collecting data via public surveys across multiple arms at a time, in which each public survey has its own URL that corresponds to a distinct arm, then if survey participants are submitting a survey at near the same time but for a different arm, then it is possible that those two responses might mistakenly get saved with the same record name, even though the records exist in different arms. This is easily remedied by renaming the record in one of the arms afterward, but it may be hard to detect when it occurs and might be confusing for users when it does.
Major bug fix: If a user in a longitudinal project clicks the “Delete data for this form only” button at the bottom of a data entry form, in which multiple instruments on the current event contain data for the current record, if all the data on that event had been imported via data import *and* no values for form status fields were imported during the data import process *and* no user ever clicked a Save button on an instrument in that event after the import was performed, then all the data on all instruments in that event would mistakenly get deleted, when instead it should only delete the data from the current instrument.
Bug fix: When using the Twilio telephony services in a project, specifically for surveys, if someone replies back to an initial SMS message they received in order to begin a survey, it might mistakenly reply back to them saying "Auto-Reply: This SMS phone number is not monitored".
Bug fix: If the Twilio telephony services have been enabled at the system level but have been set to be hidden to normal users on the Project Setup page, then even though Twilio had been enabled for a given project, it would still hide the Twilio option to the user on the Project Setup page. It now displays it if it is already enabled for the project. Additionally, if an administrator was using the “View project as user” setting and impersonating a project user with Project Design/Setup privileges, they would still see the Twilio option on the Project Setup page even when Twilio is not enabled yet in the project, in which the Twilio option is set at the system level to be hidden from all normal users.
Change/improvement: If MariaDB 10.4.6 is being used, which is known to have issues regarding the “optimizer_switch” configuration value and thus sometimes not returning some query results correctly from the database, a warning message will be displayed in the Control Center recommending that MariaDB be upgraded to a newer version. (Ticket #72984)
Bug fix: When entering conditional logic for Automated Survey Invitations or adding branching logic via the Online Designer, if the logic contained certain Smart Variables (.e.g., [survey-date-completed]), the logic check status displayed immediately below the logic text box would mistakenly state “Error in syntax” even when the logic’s syntax is correct.
Bug fix: In certain cases, if a large amount of external modules have been installed at the system level in REDCap, it could prevent the REDCap installation from reporting its weekly stats to the REDCap consortium.
Bug fix: If a large amount of HEAD requests hit a survey page, it might cause a disproportionate amount of load to be put on the web server and database server. (Ticket #82501)
Bug fix: If questions are being prepopulated on a survey using the @DEFAULT action tag, in which those fields are also being piped to other places on that same survey page, then the piping would mistakenly not occur when the survey page loads but only after one of the piped fields’ values are modified on the page. Bug emerged in REDCap 9.8.0. (Ticket #82678)
Bug fix: When clicking the “+ Add new” button to add a new repeating event for a record on the Record Home Page in a longitudinal project, it might cause the entire instrument/event table to disappear from the page. Bug emerged in REDCap 9.8.0.
Bug fix: The advanced function isblankormissingcode() would mistakenly not work correctly when used in the equation of a calculated field. (Ticket #82653)
Bug fix: When a survey participant attempts to close their browser window by clicking the “Close survey” button on the page after completing the survey, if their browser prevents the tab/window from being closed, then the text displayed on the page afterward would mistakenly always be in the language of the system-level language setting rather than the project-level language. (Ticket #82631)
Bug fix: The generic “Alert” jQuery UI dialog would often have its title and/or buttons displayed in hard-coded English rather than using the language file’s text for that particular project in which it is being displayed. (Ticket #81638)
Bug fix: Dots/periods were mistakenly allowed to be used in the raw coded values for Missing Data Codes. Dots/periods are not compatible to be used in checkbox codings and thus cannot be used as Missing Data Codes. (Ticket #82476)
Bug fix: When using a field from a repeating instrument in the logic of a Data Quality rule, in which the logic is trying to find instances of the field where its value is blank (e.g., [field] = “”), it might mistakenly not return the expected results in the discrepancy list. (Ticket #82201)
Bug fix: When using Data Quality rule I to find Missing Data Codes, the rule would mistakenly ignore checkbox fields and not include them in the results. (Ticket #82636)
Bug fix: When using the “View project as user” feature, the left-hand menu would mistakenly display all the reports in the project rather than displaying only the reports to which the user being impersonated has access to view. (Ticket #82697)
Bug fix: When setting up Randomization in a project that is not longitudinal and then later the project is converted to a longitudinal project, it would cause issues and might prevent the randomization process from working properly. (Ticket #82757)

Version 9.8.4 (released on 2020-04-17)

CHANGES IN THIS VERSION:

Major bug fix: If running certain versions of PHP (PHP 5.5 and 5.6 are suspected), then no pages will load and thus will throw a fatal PHP error when navigating into a REDCap project. (Ticket #82421)

Version 9.8.3 (released on 2020-04-16)

CHANGES IN THIS VERSION:

Improvement/change: Statistics regarding the counts of EHR data values imported into REDCap via Clinical Data Mart and Clinical Data Pull are now stored more efficiently in the database back-end.
- This allows the overall CDM and CDP stats to display faster on the System Statistics page in the Control Center.
- Also, a new FHIR Statistics page has been added to the Control Center for viewing tables and graphs displaying the counts for the different types of data (e.g., labs, medications, demography) being pulled from the EHR over time.
- Note: The “Data values pulled from source system via CDP” count on the System Statistics page has been removed since it was never very accurate and was mostly misleading as to what it implied.
Minor security fix: A Blind SQL Injection vulnerability was found using the Data Search feature, in which a malicious user could potentially exploit it by manipulating the query string or POST parameters of an HTTP request.
Bug fix: When using the [previous-event-name] and [next-event-name] Smart Variables when prepended to field variables in piping, calculations, or logic, they might mistakenly point to the previous/next designated event of the current instrument rather than the previous/next designated event of the field to which the Smart Variable is prepended. Note: This does not affect [previous-event-name] and [next-event-name] when they are used as standalone without being prepended to a field. (Ticket #81976)
Bug fix: If Twilio SMS and Voice Call Services have been enabled at the system level on the Modules/Services Configuration page in the Control Center, but they have been set to “No, hide all information about Twilio services” for the setting "Display information about Twilio services to all users on Project Setup page in a project?", then users would mistakenly still see the SMS and Voice Call options in the alert setup dialog when creating a new alert on the Alerts & Notifications page.
Bug fix: When viewing Report B for a project that contains repeating instruments, the “total number of records queried” in the report might mistakenly be incorrect and not match the "number of results returned".
Bug fix: When downloading a PDF of an instrument or survey, it would mistakenly display the project title as the PDF header instead of the survey title or instrument title. Bug emerged in REDCap 9.8.0. (Ticket #82070)
Bug fix: When a project is using Twilio telephony services for Alerts & Notifications but not for surveys, if someone received an SMS message from an alert being triggered and responded back to it, it would then respond back to the person saying that they need to enter a valid survey code. This is confusing if the Twilio functionality is not being utilized for surveys. Instead, in this case it will return another message stating that the phone number is not being monitored, thus implying that replying to it will do nothing.
Bug fix: When a project is using Twilio telephony services for Alerts & Notifications but not for surveys, the Configure Twilio Settings dialog on the Project Setup page would mistakenly always force the user to select at least one survey invitation type checkbox, even when not using Twilio for surveys.
Bug fix: When exporting data to SAS, it might throw an error when loading the CSV data into SAS in some cases if a field variable name ends in a number. Additionally, if the project is utilizing Missing Data Codes, it might throw an error on a numerical field if some of the Missing Data Codes are non-numerical.
Bug fix: Custom Record Status Dashboards that are set to sort by a field’s value would mistakenly sort in a case sensitive manner when instead it should be sorting in a case insensitive manner. (Ticket #82092)
Bug fix: When clicking the “All Status Types” link on the Record Status Dashboard, it would mistakenly hide the [+] buttons next to the status icons of repeating instruments. Instead they should remain displayed. (Ticket #82092)
Bug fix: If a survey participant partially completes a survey that has the “Save & Return Later” option enabled, the mechanism to send an email to the participant after clicking the “Save & Return Later” button would mistakenly throw a JavaScript error and not send the email. This bug was thought to have been fixed in REDCap 9.8.1 but mistakenly was not. (Ticket #82158)
Bug fix: If custom “Help & FAQ” text has been defined, then the navigation bar would mistakenly obscure the custom text on the “Help & FAQ” page. (Ticket #82192)
Bug fix: When a production project is in draft mode and a user deletes an entire instrument in draft mode, it would mistakenly delete any Descriptive field attachments that belong to fields on that instrument from the live version of the instrument in production, thus permanently losing the attachments. (Ticket #82322)
Bug fix: When a survey participant is viewing their Survey Queue, in which it contains a repeating survey, the “Take this survey again” button next to the repeating survey would mistakenly not be visible in the survey queue when viewing the page on a mobile device with a narrow screen. (Ticket #82335)

Version 9.8.2 (released on 2020-04-09)

CHANGES IN THIS VERSION:

Critical bug fix: When collecting data using a public survey where multiple participants are entering data near-simultaneously (i.e., submitting the survey within the same fraction of a second), some scenarios may arise in which those multiple responses could get mistakenly merged together as a single record rather than as separate new records. When this occurs, it appears in the logging that one participant has created the record while another participant modified the record afterward, in which it should instead log the events as two separate “create response” events. It is difficult to know when this kind of incident has occurred, and if discovered, might take some work (using the Logging page as a reference) to split the record back into separate proper records and resave them. While this issue occurs very seldom, the worst-case scenario can be if the survey allows the participant to download their responses as a PDF or have their responses emailed to them after completing the survey, in which it might possibly result in a privacy leak if private and/or identifying information (e.g., PHI) has been entered on the survey. (Ticket #81104, #81559)
Bug fix: Any REDCap plugins or module pages that utilize the HtmlPage::PrintHeaderExt() method would see the main DIV on the page mistakenly left-aligned when it should instead be centered on the page.
Bug fix: An error would occur when using Data Mart or Clinical Data Pull when importing EHR values from a patient’s Problem List.
Bug fix: A database query would fail invisibly but do little harm when importing data to a project via the REDCap Mobile App. (Ticket #81815)
Bug fix: If the e-Consent Framework is enabled on a survey that is a repeating instrument, in which the first name, last name, and/or date of birth fields (designated in the e-Consent Framework options) also exist on that same survey/instrument, then those name/DOB values would mistakenly not pipe correctly when REDCap adds them to the footer of the e-Consent PDF and also to the Identifier column in the PDF Archive table in the File Repository. Unfortunately, it is not possible to fix the missing piped values for survey responses that have already gone through the e-Consent process prior to this bug fix. (Ticket #81790)
Bug fix: The IE-specific Conditional Comments to detect Internet Explorer 9 (e.g., <!–[if IE 9]>) were mistakenly not formatted correctly and might cause some users using Internet Explorer to have issues loading pages.
Bug fix: When exporting a Project XML file for a project via the API, the resulting XML file would mistakenly be missing a lot of the project settings, such as surveys, Alerts & Notifications, Data Quality rules, reports, etc. (Ticket #81879)
Bug fix: When using the Clinical Data Pull (CDP) feature, the new line separator for storing repeated values (labs, vitals, medications…) was changed slightly. Those repeated values in CDP are stored in a single field using a string separator containing line breaks. The previous new line separator was mistakenly causing false positives in the CDP adjudication table when checking for new values to adjudicate.
Bug fix: A link in the “Piping” section of the “Help & FAQ” page would point to a non-existent page on the Vanderbilt REDCap server.
Bug fix: When editing an alert and changing Step 1A from the second option (form save + conditional logic) to the third option (only conditional logic), it would mistakenly not save the alert correctly and might cause the dialog not to reload properly when editing that same alert again later.

Version 9.8.1 (released on 2020-04-03)

CHANGES IN THIS VERSION:

New feature: New “Shibboleth & Table-based” authentication method
- Similar to “LDAP & Table-based” authentication, this new method allows one to use the existing Shibboleth authentication in REDCap while also having Table-based authentication for external users.
- This method can be enabled on the Security & Authentication page in the Control Center, along with some customizable settings near the bottom of that page. Once enabled, the login screen will display two tabs to allow users to choose between Shibboleth login and local (Table-based) login.
- Documentation on how to set up: https://redcap.vanderbilt.edu/redcap_v9.8.1/Help/shib_table_help.php
- Thanks to the following folks for their work on this effort: Philip Chase and Kyle Chesney, with testing and help from Taryn Stoffs and Andy Martin.
Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on several pages, in which a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into places in REDCap where such HTML gets reflected back on a page that a user is viewing.
Bug fix: When calling the API method "Export Metadata (Data Dictionary)" and providing values for the “fields” parameter, it would mistakenly ignore that parameter unless the “forms” parameter was also provided with a value. Bug emerged in the previous release.
Change: The downloadable Python example code provided in the API Playground has been improved.
Bug fix: The plain text section of outgoing emails (which is not ever displayed by most email clients unless they do not support HTML email) would mistakenly have links converted into text and might have unnecessary tabs or line breaks. Most extra tabs and line breaks have been removed from the plain text section of emails, and all links in the email body will have their URL extracted and placed in parentheses directly following the link text so as not to lose that information. (Ticket #80878)
Bug fix: The redcap_connect.php file was mistakenly not returning an HTTP 500 status error in the incident that the database connection fails. Following the upgrade to this version, REDCap will prompt administrators to replace their redcap_connect.php file.
Bug fix: If a survey participant partially completes a survey that has the “Save & Return Later” option enabled, the mechanism to send an email to the participant after clicking the “Save & Return Later” button would mistakenly throw a JavaScript error and not send the email. (Ticket #81287)
Bug fix: Certain tables displayed throughout a project, such as in the Record Status Dashboard, reports, etc., might mistakenly not have their table header float correctly when scrolling down a long page, in which a duplicate table header might appear strangely at the bottom of the page instead. Bug emerged in REDCap 9.8.0.
Bug fix: When using a Super API Token to create a new project via the API, it would mistakenly thrown a fatal PHP error. Bug emerged in REDCap 9.8.0.
Bug fix: If still using the old bit.ly (j.mp) URL shortener service for public surveys (instead of the newer https://redcap.link URL shortener), then when fetching a short survey link on the Public Survey Link page, it would appear to spin forever and never return the shortened URL. This is due to BITLY changing how their API web service works.
Bug fix: The new database table redcap_projects_user_hidden (added in v9.8.0) mistakenly did not have the table collation explicitly set, which could cause it to be set to an undesired value.
Bug fix: Some reports and data quality rules in longitudinal projects might run 2x-10x slower than expected in certain situations, such as if a field in the report filter logic or DQ logic does not have a prepended event name or if the report filter has “all events” selected for a filter field drop-down. The slowness is especially pronounced in projects having large numbers of events defined and/or a large amount of records in the project. (Ticket #79830)
Bug fix: When viewing the participant list of a longitudinal project containing multiple arms, the paging drop-down list for the participant list would mistakenly provide an incorrect number of participants for the given survey/event and might not be able to display subsequent pages in the participant list after changing the paging drop-down list to select another page to view. (Ticket #81118)
Bug fix: When viewing a drop-down field with auto-complete enabled, depending on the labels of the drop-down choices, some choices might mistakenly wrap their text to the second line inside the drop-down. (Ticket #81340)
Bug fix: If an administrator is using the "View as [user]" feature in a project in which the user selected has had their access expired in that project, it would mistakenly display the error message to the admin telling them that their user rights in the project have expired, thus preventing them from doing anything in the project, including preventing the admin from even disabling the "View as [user]" feature. (Ticket #81536)
Bug fix: If a project does not have record auto-numbering enabled, and the record ID field has min/max validation, then the min/max validation would mistakenly not be applied when a user is entering a new record name via the Record Status Dashboard or Add/Edit Record page. (Ticket #81117)

Version 9.8.0 (released on 2020-03-26)

CHANGES IN THIS VERSION:

New feature: Surveys to capture custom information during project status transition (optional)
- On the User Settings page in the Control Center, four optional fields have been added to allow you to utilize public surveys to capture custom information from users when projects transition to a new status (i.e., project creation, move to Production status, move to Analysis/Cleanup status, mark as Completed). This allows administrators to create custom surveys to capture all the info they desire from users during these project transitions. The survey will be presented inside an iframe on the page, in which the user must complete the survey before completing the process on the page. You may use any or none of these fields.
- NOTE: Administrators will not be forced to complete any of the public surveys set below but will be exempt from this process.
New feature: “View Project As…” feature
- When inside a project, administrators will see a “View project as user” drop-down on the left-hand project menu that will allow them to select a user in the project, after which they will have that user’s user privileges applied to them while in the project for the duration of their REDCap session.
- The “View project as…”feature is a project-level feature, so administrators can only impersonate users inside a project (as opposed to non-project contexts in REDCap). Additionally, admins may impersonate users in multiple projects during the same session.
- When impersonating a user, a green banner will appear across the top of the project page to remind the admin that they are currently viewing the project as that user.
- On data entry forms, the @USERNAME action tag and all [user-X] smart variables will operate using the impersonated user’s values.
- When performing actions in the project while viewing the project as another user, all logged events in the project will still reflect the true user (the impersonator) rather than the user being impersonated.
- When an administrator enables or disables the “View project as…” feature, it logs this particular action on the project Logging page. However, only administrators will be able to see these specific logged events when viewing the Logging page since they are only meant for admin purposes.
- If the user being impersonated has been assigned to a Data Access Group, then when viewing the project as that user, the impersonator will be simulated as being in that DAG also and thus will only be able to view and create records in that user’s DAG.
New feature: New “Mapping Helper” utility for Clinical Data Mart (CDM) and Clinical Data Pull (CDP)
- During the field mapping process in CDP and Data Mart projects, users may optionally use the Mapping Help page, which will provide methods for easily extracting all data for a single patient (using a medical record number) to help find all the LOINC codes associated with the data in that patient’s record.
- This tool will be especially useful when mapping Laboratory values, as it will provide the LOINC codes for all data values for the patient, and thus allow the user to take those LOINC codes and use them in the field mapping for CDP and Data Mart, which will make the mapping process significantly faster and more efficient.
Project life cycle changes
- Change: The “Archived” project status has been removed and converted into a built-in Project Folder named "My Hidden Projects", as now seen at the bottom of each user’s My Projects page. If users wish to hide any projects from their My Projects list, they may click the Organize button on that page and place the projects into that new Project Folder. NOTE: Any already-archived projects will be automatically placed there and will have their project status set as “Analysis/Cleanup” to match the projects’ general behavior prior to the upgrade.
- Change: The “Inactive” project status has been renamed to “Analysis/Cleanup” status to help reinforce that cleaning and analyzing the data is the next logical step after data collection in Production status.
- New feature: Projects that are in “Analysis/Cleanup” status can now optionally have their project data set as “Locked/Read-only” or “Editable” (see the top of the Project Setup or Project Home page). This will give users more control to prevent data collection from happening while in this project status.
- Change: New records can no longer be created while in “Analysis/Cleanup” status. If users wish to create records, the project must be moved back to Production status.
- New feature: Mark a project as "Completed": If users are finished with a project and wish to make it completely inaccessible, they may mark the project as Completed. Doing so will take it offline and remove it from everyone’s project list, after which it can only be seen again by clicking the Show Completed Projects link at the bottom of the My Projects page. Once marked as Completed, no one in the project (except for REDCap administrators) can access the project, and only administrators may undo the Completion and return it back to an accessible state for all project users. Marking a project as Completed is typically only done when users are sure that no one needs to access the project anymore, and they want to ensure that the project and its data remain intact for a certain amount of time.
Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on the Scheduling page, in which a malicious user (who must be logged in) could potentially exploit it by adding some specific HTML tags into places in REDCap where such HTML gets reflected back on a page that a user is viewing. (Ticket #80773)
Improvement/change: When using the Clinical Data Mart feature while the system setting “Allow normal users to create new projects?” is set to “No”, the admin approving the “project creation” request is no longer required to have Data Mart privileges in their REDCap account nor access to the EHR system in order to approve the user’s request to create the Data Mart project.
Bug fix/change: 350 Laboratory fields (including 30 related to COVID-19) and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.
Improvement/change: The EHR demography field “Is deceased?” is now included on the field mapping page for Clinical Data Pull and Clinical Data Mart and is now added automatically when creating a new Data Mart project.
Change: Underlying technical changes
- REDCap now incorporates the use of Webpack and NPM to better keep front-end packages up to date more easily and also to help bundle many of them automatically.
- Each REDCap page now loads the three JS files /Resources/webpack/js/bundle.js, /Resources/js/Libraries/bundle.js, and /Resources/js/base.js. The libraries jQuery, Bootstrap, etc. are no longer included in base.js but are now inside either file named bundle.js.
- If you are a developer and have an external module that references a JS or CSS file from REDCap core (as opposed to an asset bundled with your module), you should check your module code because you may need to modify the path for those files for REDCap 9.8.0+.
- The global function files ProjectGeneral/form_renderer_functions.php and Surveys/survey_functions.php have had their content removed and moved into classes as static methods. These files will still exist until the end of May 2020 in Standard Release, but in releases afterward they will be completely removed. If a plugin, hook, or external module includes/requires these files in a version of Standard Release prior to the end of May 2020, a note at the top of the project page will be displayed to inform the user/admin/developer that it is no longer needed to include/require these files and that those references should be removed from the custom code being called on that page.
- The endpoint “/PDF/index.php” has been removed and has now been replaced with “/index.php?route=PdfController/index”. The developer method REDCap::getPDF() still works exactly the same way as in previous versions.
Bug fix: If a user has “No access” data entry form level privileges for the first instrument in a project, the Data Search feature on the “Add/Edit Records” page would mistakenly not include the record ID field in the search. (Ticket #80282)
Bug fix: If a checkbox field exists on a repeating event or repeating instrument and is utilized in a calculation or branching logic, in which the field is referenced on another repeating instance than the current repeating instance, then while the checkbox’s checked value will save correctly, if a field choice is unchecked later, it might mistakenly not clear/delete the checked value successfully. (Ticket #78956)
Bug fix: If using “LDAP” or “LDAP & Table-based” authentication, any user containing an apostrophe in their LDAP username would mistakenly not be able to be added to a user role in a project, in which it would fail silently when attempting to add a user to a role. (Ticket #79647)
Bug fix: If a user attempts to add a field comment to a field on a data entry form prior to creating the record (via Save button), when the user clicks the “Save and then open Field Comment Log” button to reload the page, the cursor’s focus might mistakenly be on a field on the form underneath the dialog rather than inside the dialog, possibly causing the user to get stuck and not be able to enter a field comment successfully. (Ticket #80511)
Bug fix: When clicking the Compose Survey Invitations the first time on the Participant List page in a project, it might mistakenly not load the list of participants to email inside the popup, but it would load it successfully if the popup was closed and then reopened. (Ticket #80584)
Bug fix: A database query would fail invisibly but do no harm whenever a record is renamed in a project. (Ticket #80895)
Bug fix: A database query would fail invisibly but do no harm whenever previewing a survey theme in the Online Designer. (Ticket #80940)
Bug fix: A database query would fail invisibly but do no harm whenever viewing a survey response on a data entry form. (Ticket #80901)
Bug fix: In a multi-arm longitudinal project that has record auto-numbering disabled, if the record names contain non-Latin/multi-byte characters, then the record names would mistakenly get scrambled whenever rebuilding the record list. (Ticket #74092)
Bug fix: A database query would fail invisibly in certain scenarios surrounding the piping of repeating instances, which might cause the piping not to work correctly. (Ticket #80901)
Change: The Python code generated by the API Playground has been changed/improved to better handle JSON-formatted outputs.
Bug fix: When performing a data import (via API or Data Import Tool) for a multi-arm project, in which a record is being imported into multiple arms during the import, the record might not initially appear as if it has been created in the subsequent arms when viewing the Record Status Dashboard (even though it had been created in the arm correctly). Note: This issue would automatically resolve itself within five days of the import. (Ticket #55039)
Bug fix: When using the randomization module in a project, the act of randomizing a record does not trigger any Alert & Notifications if an alert was set to be triggered based on the randomization field or strata fields having their values changed. (Ticket #80985)
Bug fix: When using the randomization module in a project, the act of randomizing a record does not trigger the REDCap hook "redcap_save_record".
Bug fix: If survey notifications have been enabled on a survey that is a repeating instrument or is on a repeating event, then the link back to the survey response on the data entry form would mistakenly always point back to the first instance of that instrument rather than to the correct instance. (Ticket #81009)
Bug fix: A database query would fail invisibly in certain API methods being called. (Ticket #81041)
Bug fix: A database query would fail invisibly in very specific occasions when using the Online Designer to add/edit fields. (Ticket #81020)
9.8.0: Bug fix: A database query would fail invisibly to the redcap_log_view_requests table when a user is logging in to REDCap. (Ticket #81056)

Version 9.7.8 - (released 3/12/2020)