Version 6.10.11 - (released 3/18/2016) Web viewBug fix: When adding/editing an SQL field, if the SQL...

Released by REDCap on 10/14/2016Partners Healthcare to upgrade on 11/21/2016

HSPH REDCap v. 6.15.11 Full Release Notes

Version 6.15.11 - (released 10/14/2016)BUG FIXES & OTHER CHANGES:

Major bug fix: When performing a data import (API, mobile app, or Data Import Tool) in which one of the fields being imported is a checkbox field, if only some (but not all) of the checkbox options are included in the data import, then those options that are not included in the import will mistakenly get overwritten as "unchecked" (0) if they are currently "checked" (1) in the project. (Ticket #8325)

Major bug fix: When performing a data import (API, mobile app, or Data Import Tool), in which a field being imported contains a checkbox with negative coded choices (e.g., -3), then in specific situations the values for the negative coded choices might not get successfully saved during the import process.

Bug fix: The page footer on project-level pages might mistakenly overlay onto the Automated Invitations popup on the Online Designer page. (Ticket #8946)

Bug fix: On the Configuration Check page in the Control Center, it will no longer automatically try to set the permissions of the temp and edocs directories as "world writable" (777), which could create security issues for some server configurations depending on the institution's local IT policy.

Bug fix: The API method exportFieldNames and the plugin/hook method REDCap::exportFieldNames were mistakenly not returning calc fields. (Ticket #9041)

Bug fix: In Step 3 (Filters) when creating/editing a report, if a Form Status field is selected as a filter, the drop-down of choices that appear on the right of it would mistakenly include a blank choice option. Since Form Status fields never have a blank value ("0" is the default value), it should not have an empty option to choose.

Bug fix: When using the Twilio telephony services in a longitudinal project in which the designated email field or designated phone field is used for survey invitations, then when sending/scheduling new invitations and setting the invitation type as "participant's preference", it might mistakenly deliver the survey invitation via email rather than using their preference.

Version 6.15.10 - (released 10/4/2016)

BUG FIXES & OTHER CHANGES:

Major security fixes: Several vulnerabilities (cross-site scripting, cross-site request forgery) were found on various pages throughout REDCap, in which they could possibly be exploited by a malicious user who has knowledge of REDCap's internal file architecture and who also knows how to craft a specific string of JavaScript code. (The changes to the Activity Graphs page in the Control Center, in which a different chart technology is now used for displaying the charts, is due to a vulnerability that was discovered in the older charts package that was used.)

Major bug fix: When an API user has been assigned to a Data Access Group, it might mistakenly allow their API request to modify data for existing records that are not in their DAG. It could also allow the API request to reassign an existing record to the user's DAG, which should not be possible if the API user is already assigned to a DAG.

Bug fix: Some error messages for API data imports were mistakenly not displaying all the error messages back the client but instead were returning a very generic message saying that the data might be in the wrong format.

Bug fix: If the variable for a checkbox field somehow ends with an underscore (they typically should not, but could due to older bugs that have since been fixed), then their data might not get parsed and interpreted correctly during a data import, thus resulting in an import error. (Ticket #7028)

Bug fix: If a field (excluding checkboxes) has a value and then the value is later deleted, it would mistakenly leave a blank value in the redcap_data database table rather than removing the whole row in the table. This would not affect data quality in any way but could cause problems for groups that have plugins or reports that query REDCap's back-end directly.

Bug fix: The page footer on project-level pages might mistakenly overlay onto the Automated Invitations popup on the Online Designer page. (Ticket #7059)

Bug fix: If a calculated field contains a datediff() function that does not reference "mdy" or "dmy" explicitly as the date format in the function, then on some occasions REDCap might crash due to a fatal PHP error during a data import or when saving a form or survey. (Ticket #7264)

Bug fix: When attempting to create a longitudinal project using a project XML file, if the XML file contains data on forms that used to be designated for a given event but now are not, in which the data remains orphaned but still exists in the export, then it would display an error that the project could not be created from the XML file because it will not allow data to be imported in undesignated form/events. (Ticket #7794)

Bug fix: When copying a project and selecting to copy the Automated Survey Invitation settings, it would mistakenly not copy the settings for reminders and the "Ensure logic is still true" setting. (Ticket #7941)

Bug fix: When entering conditional logic for Automatic Survey Invitations, Survey Queue, etc., it would mistakenly throw an error if a variable inside square brackets was not used in the logic. There are some cases in which logic may not have any variables in them.

Bug fix: The characters were not displaying correctly for the Friendly Code column of the Spanish characters table on the "Help & FAQ" page. (Ticket #8000)

Bug fix: When a project's "character encoding for exported files" setting is set to "Japanese (Shift JIS)" on the "Edit a Project's Settings" page, it would prevent Japanese text from displaying properly for field labels, field notes, etc. in the REDCap Mobile App.

Bug fix: For unknown reasons in particular MySQL configurations, REDCap projects were mistakenly not getting deleted successfully (when a project had been deleted by a user) and thus the project would forever remain in the database, in which REDCap would continuously try (but fail) to delete them over and over again. (Ticket #4994)

Bug fix: If a user has Data Access Group privileges in a project but does not have User Rights privileges, then the "DAGs" link on the left-hand menu would mistakenly not get displayed. (Ticket #8381)

Bug fix: If a data value is somehow saved multiple times within the same second of time for a given record-event-field, then the Data History popup would mistakenly not show all the logged events for that field but instead would only show the last event logged within that second of time. (Ticket #8323)

Bug fix: When using the Twilio telephony services for surveys, if a participant was sent an SMS message from the Public Survey Link page in order to begin a survey as an SMS conversation, then it would never allow them to start the survey but would mistakenly keep asking for a survey access code. This occurred for public surveys only, and only with SMS conversation surveys.

Bug fix: The "Custom Application Links for Projects" page in the Control Center would mistakenly not display the "delete" column on the far right of the page, thus making it impossible to delete a custom application link that had been created.

Bug fix: When using the Twilio telephony services for surveys, the "Auto-continue to next survey" setting would mistakenly not advance the participant to the next survey if taking the survey via SMS or voice call.

Bug fix: Custom Event Labels were mistakenly not getting copied when doing "Copy Project" or when creating a new project via the project XML file. (Ticket #7835)

Bug fix: When exporting the project XML file, it would mistakenly not include the Bioportal Ontology attribute of a field in the XMl file if the field was utilizing the ontology auto-suggest feature.

Bug fix: The two gray box sections on the Project Home page would mistakenly display side by side on very wide screens. (Ticket #8093)

Bug fix: When editing a File Upload field in the Online Designer, in certain circumstances it would mistakenly set the field type as "Text Box" instead of "File Upload" after opening the "Edit Field" popup dialog. (Ticket #8163)


Bug fix: When on the To-Do List page in the Control Center, clicking on the "Add Users (Table-based only)" link on the left-hand menu mistakenly results in a 404 "page not found" error. (Ticket #6739)

Bug fix: When adding/editing an SQL field, if the SQL query is pulling two fields and they are both named the same thing in the query (e.g., "select a.value, b.value..."), then it will mistakenly overwrite the first value with the second value, thus making the drop-down values also be the same as their corresponding labels (rather than the actual desired value). (Ticket #6758)

Bug fix: When a project's "character encoding of exported files" is set to "Japanese (Shift JIS)", the PDF export of instruments will fail if the server is using PHP 7.

Bug fix: If the @HIDEBUTTON action tag is used for a date or datetime field, the date format note to the right of the field (e.g., "M-D-Y") would mistakenly not be displayed on forms and surveys.

Bug fix: If a project has been taken offline via the "Edit A Project's Settings" page in the Control Center, it displays a red box at the top of the Home/Project Setup page in the project; however, the link inside the red box that points to the "Edit A Project's Settings" page mistakenly does not load the settings for that particular project.

Bug fix: The Configuration Check page was not checking to see if the PHP extension named "XMLReader" is installed. This extension is used for some important features, such as project XML export. (Ticket #7128)

Change/bug fix: Updated "Help & FAQ" page with new content. Also fixed links to the FAQ that pointed to sections that no longer exist.


Minor security fix: A cross-site scripting vulnerability was found on survey-related page in which the vulnerability could possibly be exploited by a malicious user who has knowledge of REDCap's internal file architecture and who also knows how to craft a specific string of JavaScript code.

Bug fix: When the survey confirmation email has been enabled for a given survey, but REDCap does not possess the participant's email address, the green box displayed on the Survey Completion page (for the participant to enter their email) is not aligned correctly on the page. Also, the button text inside the green box would mistakenly spill out of the button in Internet Explorer 11 only.

Bug fix: If using the @READONLY or @READONLY-SURVEY action tag on a survey that has the Enhanced Choices option enabled, the options for those radio button fields and checkbox fields would mistakenly not be disabled but would allow participants to select a choice and save data for the field.

Bug fix: If executing a rule in the Data Quality module where the rule runs for more than 20 minutes, in which it would have timed out, it might not display an error message to the user but instead might mistakenly appear to run forever (even though it has really stopped).

Bug fix: If using a literal date or datetime value (e.g., "01-31-2016") inside the datediff() function that is nested inside another function in a calculated field *and* that literal value is also in MDY or DMY date format, then it may mistakenly not perform auto-calculations correctly and may return incorrect discrepancies for Data Quality rule H. (Ticket #1954)

Bug fix: If a calc field's value was created via Auto-calculation during a data import, then it would mistakenly not include the "(Auto calculation)" note for the logged event on the project Logging page.

Bug fix: When attempting to edit a matrix of fields in the Online Designer, if one of the field labels contains non-displayable characters (black diamond with question mark), it would mistakenly throw a JavaScript error and prevent the "Edit Matrix of Fields" popup from opening.

Bug fix: If authentication has not been enabled in REDCap and a new Table-based user is created by an administrator, then if the new user follows the "reset password" link in the email they receive, it will not do anything except load the REDCap Home page. This is due to the fact

that authentication must be enabled before the link will work, which is not always obvious and can be very confusing. In this situation, after clicking the link in the email, it now displays a message to the user that the administrator must first enable authentication before the link will work and allow them to log in using their new REDCap account.

Change (bug fix for future bug): The Text-To-Speech functionality that can be enabled on surveys will cease to work as of Oct 1st, 2016 since the current TTS service being used (AT&T) will be discontinuing the service. To prepare for this, this REDCap version will instead utilize the IBM Watson text-to-speech API service. The disadvantage of this new service is that it does not yet work on mobile devices, iOS, or the Safari browser, although this will soon be improved (according to IBM). Note: For all REDCap versions 6.9.1-6.16.6 (Standard) or 6.10.2-6.15.7 (LTS), the text-to-speech functionality will still work between now until Oct 1st, 2016, after which it will not work again until you upgrade to the latest release.

Bug fix: If using the Enhanced Choices setting on surveys, and a choice for a radio or checkbox field has no choice label, then the enhanced choice button on the survey page mistakenly looks flattened and smaller than the intended height.

Bug fix: If a respondent is returning to a multi-page survey that has the "Save & Return Later" option enabled, it might mistakenly take them to the wrong survey page if the @HIDDEN and @HIDDEN-SURVEY action tags are being utilized on that instrument and also have data saved for fields utilizing those action tags. It now ignores fields that utilize @HIDDEN and @HIDDEN-SURVEY when determining which page to load for the respondent.

Bug fix: The Data Search functionality on the Add/Edit Record page would mistakenly return duplicate results on some occasions.


Medium security fix: A cross-site scripting vulnerability was found on the Project Bookmarks page, Project Home page, and Project Revision History page, in which the vulnerability could possibly be exploited by a malicious user (who is a valid REDCap user) who knows how to craft a specific string of JavaScript code.

Bug fix: When viewing the Project Setup page on a wide screen, the steps on the page may mistakenly get displayed as two columns instead of one.

Bug fix: The configuration setting "Contact person web address/URL" on the Home Page Settings page in the Control Center was mistakenly not being used on the login page in place of the "Contact name email". (Ticket #5961)

Bug fix: Fixed outdated text inside the "Move Project to Production Status" popup on the Project Setup page. (Ticket #5974)

Bug fix: When exporting data via the API's "Export Records" method in which the data is being exported as "labels" (rather than "raw") and in EAV format, then any Yes/No or True/False fields that used to have a value at one point but then had the value removed, those will mistakenly get exported as "No" and "False", respectively, rather than as blank. It will now not return the row of EAV data if the value is blank or has been removed. (Ticket #6011)

Bug fix: When exporting data via the API's "Export Records" method in which the data is being exported in EAV format, any values that belong to multiple choice fields that have had an option/choice removed, thus orphaning the stored data value, would mistakenly return a blank value for the field in the data export rather than the raw value that is actually stored. It now returns the raw data value that has been orphaned, regardless of exporting "labels" or "raw" data. This only occurs for EAV format exports. (Ticket #6012)

Bug fix: When clicking the "Request delete project" button on the Other Functionality page of a project that is in Inactive or Archived status, it would mistakenly display a popup window that contained a "0" rather than the correct text content, and thus would not function correctly. (Ticket #6031)

Bug fix: When using the Twilio telephony services for surveys, the following things would mistakenly not get triggered if a survey was completed via voice call or SMS: 1) sending confirmation email to respondent, and 2) sending email notifications to project users.

Bug fix: When printing the schedule of a record via the "Print Schedule" link at the bottom of the Scheduling page, it would mistakenly not display the Custom Record Label or Secondary Unique Field label on the page to be printed.

Bug fix: When exporting the To-Do List as a CSV file in the Control Center, the user's name and email address are not correct for the user who made the request. (Ticket #5885)

Bug fix: When using the Twilio telephony services for surveys, piping might not be successful if data is being piped into a Section Header or Descriptive field.


Major bug fix: If the Survey Login feature is being used on a survey, if no data exists for the login fields for the given record, then it would mistakenly allow the participant to navigate to the survey without having entered a value for the login field.

Bug fix: On iOS devices, drop-down fields on surveys and data entry forms would have their option text truncated if it is fairly long, thus making it impossible to view the entire choice's label.

Bug fix: If creating a new report and selecting an instrument from the "add all fields from selected instrument" option in Step 2, it would mistakenly add empty placeholder fields to the report where any Descriptive fields exist. (Ticket #5301)

Bug fix: If a survey invitation had attempted to send but failed (e.g., email address was not available) for an existing record in a project, it would mistakenly show the send status of the invitation as pending at the top of the data entry form for that record. In this case, it now correctly shows the status as failed to send.

Bug fix: For multi-page surveys where an entire page has every question hidden due to branching logic, it might mistakenly still display the page (it is supposed to skip the page) even though no questions are visible on the page. (Ticket #5230)

Bug fix: The action tags @HIDDEN and @HIDDEN-SURVEY were mistakenly not being considered when a survey page is supposed to be skipped due to all questions on the page being hidden, thus possibly displaying the survey page with all questions hidden.

Bug fix: When editing a matrix of fields in the Online Designer, if a \' (backslash apostrophe) are entered together in the section header, field labels, question numbers, field annotations, or choice labels for any field in the matrix, then the "Edit Matrix of Fields" popup would not open anymore in the future due to a JavaScript error, thus making the matrix no longer editable in the Online Designer. (Ticket #5332)

Bug fix: Error in API documentation for the Import Records method. (Ticket #5333)

Bug fix: For certain server configurations, if a user logs out of REDCap, it will correctly destroy their session on the server (thus effectively ending their session), although the session cookie in the client might mistakenly not get deleted and may end up with the value "deleted". The leftover cookie does not pose a security concern since it is orphaned from the user's session after the logout has occurred. But regardless, the cookie should be deleted.

Bug fix: If the Dynamic Data Pull (DDP) module is enabled in a project, the "Today"/"Now" button and date picker widget of a temporal field would mistakenly not trigger DDP to pull data from the source system.

Bug fix: If the Dynamic Data Pull (DDP) module is enabled in a project, the "select all" and "deselect all" links on step 1 of the DDP field mapping page would not work correctly, and it would also cause the "number of fields selected" count to be mistakenly incorrect. (Ticket #5624)


Medium security fix: A cross-site scripting vulnerability was found on survey pages and data entry forms regarding File Upload fields, in which the vulnerability could possibly be exploited by a malicious user (who is a valid REDCap user) or survey respondent who knows how to craft a specific HTTP request to REDCap.

Minor security fix: A cross-site scripting vulnerability was found on the Define Events project page, in which the vulnerability could possibly be exploited by a malicious user (who is a valid REDCap user) who knows how to craft a specific HTTP request to REDCap.

Bug fix: If a super user is attempting to permanently delete a project via the "Delete it now" link on the Browse Projects page in the Control Center, it would mistakenly not delete the project, even though it says it did.

Bug fix: If a user opens a link to a project page while they are not yet logged in to REDCap, in which it displays the login page, then on certain occasions it might mistakenly display a dark overlay over the login page, thus making it impossible to put one's cursor into the input fields or click the "Log In" button".

Bug fix: In the email that users are sent via Survey Email Notifications when a survey is completed, the date format of the timestamp contained in the email would not be in the format of the user's preference but instead would mistakenly always be in M/D/Y format. It now displays the date in the user's preferred date format in the email. (Ticket #4540)

Bug fix: More fixes for the floating project page footer, which would sometimes cover page content if some of the page was loaded via AJAX. (Ticket #4781)

Bug fix: For compatibility purposes, bare line feeds that exist in emails sent from REDCap are now replaced by a space + carriage return + line feed. (Ticket #3944)

Bug fix: When copying a longitudinal project via the Copy Project button on the Other Functionality page and selecting the option to copy reports, then if a report in the project contains a filter that specifies a field on an explicit event, then the event designation will be mistakenly converted to "all events" in the same subsequent report in the new project. (Ticket #4779)

Bug fix: Corrupted line feeds (carriage returns) can sometimes get added to Section Headers and Choices in data dictionaries. This was originally fixed in Ticket #4148 for Field Labels, but mistakenly still exists as a bug for Section Headers and Choices when uploading or downloading data dictionaries.

Bug fix: When undesignating a super user on the "Designate a Super User" page in the Control Center, the user's row in the table would mistakenly not get removed after they had been undesignated if their username contained a dot or @ sign. Although it would still successfully undesignate them, the change would not be reflected on the page until the page was reloaded.


Minor security fix: A cross-site scripting vulnerability was found on the Scheduling project page, in which the vulnerability could possibly be exploited by a malicious user (who is a valid REDCap user) who knows how to craft a specific HTTP request to REDCap.

Bug fix: If a user had requested an API token in a project, it would mistakenly allow them to send a duplicate request on the API Playground page and on the Mobile App page in a project.

Bug fix: Corrupted line feeds (carriage returns) can sometimes get added to Field Labels in data dictionaries. Their origin is unknown, although Microsoft Excel is suspected. This can sometimes cause line breaks to double (i.e., two carriage returns instead of one) when uploading data dictionaries, or can cause line breaks to completely disappear if editing a field in the Online Designer. Any existing corrupted line feeds will now be properly converted and fixed when importing or exporting data dictionaries and when editing a field in the Online Designer. (Ticket #4148)

Bug fix: When using min/max range validation on a field having a validation type of datetime or datetime w/ seconds, in which a user enters an out-of-range value on a survey or data entry form, the error message popup that is displayed would mistakenly mangle the format of min/max values in the error message. (Ticket #4478)

Version 6.15.3 - (released 7/15/2016) Bug fix: If the Duo option is enabled for Two-Factor Authentication, then it would mistakenly

always return the user to the page "index.php" of the current directory they are in after they log out or after their session times out, even if that page does not really exist in REDCap, which could be very confusing to users. (Ticket #3592)

Bug fix: If using the @NOW or @TODAY action tags for date, time, or datetime fields, it would mistakenly set the text field to full width on a survey or data entry form rather than shortening the text field to its typical width based upon its specific validation type. (Ticket #3742)

Bug fix: In older versions of Internet Explorer, if a survey respondent opens a survey link, then completes the survey, and then clicks the "Close survey" button afterward, then it might throw a JavaScript error. (Ticket #3721)

Bug fix: If a user with E-signature privileges was attempting to e-sign a data entry form that had been previously locked, it would display an erroneous error.

Bug fix: The page footer on project pages would sometimes obscure page content.

Bug fix: If all the fields in a given section of a data entry form have the action tag @HIDDEN-APP or @HIDDEN-SURVEY, then when viewing the form, the section header above that section would mistakenly be hidden even though some of the fields in the section are still displayed. The section header should only be hidden if all fields in the section are hidden.

Major bug fix: When editing a survey's settings via the Survey Settings button on the Online Designer, it might mistakenly fail to save the settings for certain MySQL configurations. (Ticket #3003)

Bug fix: Minor formatting error in API documentation for Export Records method. (Ticket #4059)

Bug fix: When using Enhanced Choices for radios/checkboxes on surveys, if a choice label has long words, it might mistakenly causes horizontal scrollbars to appear around the choice in certain web browsers.

Version 6.15.2 - (released 7/7/2016) Bug fix: When loading a public survey, it now employs stricter checking to doubly ensure that a

public survey link does not get confused with a participant's unique survey link (since there might be a one-in-a-million chance that it could get confused under very specific and rare circumstances).

Bug fix: Fixed compatibility issues specifically related to MySQL 5.7 and its default sql_mode setting.

Bug fix: If a File Upload field has the @READONLY action tag, and the field already contains an uploaded file for a given record, then when viewing the survey page or data entry form, it would mistakenly allow the user to delete the file and even upload another file afterward. (Ticket #3263)

Bug fix: The server-side field validation would mistakenly get triggered on the record ID field when submitting a data entry form or survey if a record's name did not follow its specific field validation format. This would cause the server-side field validation message to constantly appear

for that record unnecessarily whenever a form or survey was saved for the record. It now skips the server-side field validation for the record ID field when saving existing records.

Bug fix: On the Administrator To-Do List page in the Control Center, the page navigation for the "Completed & Archived Requests" table would become unwieldy if there existed more than 20 pages, thus causing all the page numbers to overflow and take up too much space. It now only displays the first and last handful of pages for navigation.

Bug fix: Fixed incorrect language in the "Move project to production" popup on the Project Setup page.

Bug fix: When using calculated fields that utilize cross-event calculations in a longitudinal project, Auto-Calculations and Data Quality rule H would mistakenly not be able to process any calculation that references a field on an event that did not contain any data (i.e., an empty event) for a given record. Thus, DQ rule H would not find any discrepancies even when they exist, and Auto-Calculations would not properly get performed. (Ticket #2898)

Bug fix: The action tags @HIDEBUTTON and @PASSWORDMASK were mistakenly not being employed on the Online Designer page when utilized for a given field.

Bug fix: If using MySQL-over-SSL secure database connection while on PHP 5.1 or 5.2, it might not be able to make successful database connections since REDCap was using the MYSQLI_OPT_SSL_VERIFY_SERVER_CERT flag, which was introduced in PHP 5.3. It now only applies that flag if on PHP 5.3 or higher.

Version 6.15.1 - (released 6/30/2016) New LTS branch based on REDCap 6.15 (Standard) + the changes below. Bug fix: If importing data via the Data Import Tool or API import for a longitudinal project in which

multiple events are being imported for a record whose record name is mistakenly in different cases (e.g., "mea-101" vs "MEA-101") in the data being imported, then after importing that data, some of the data will never be displayed in reports in exports and will thus be orphaned. However, all the data is still accessible and viewable on data entry forms and surveys, but just not in exports and reports.

Bug fix: If REDCap is configured so that only super users are allowed to create projects and thus normal users must request new projects be created for them, then if a user knows how to send a specifically-crafted request to a certain page in REDCap, they could bypass the request process and actually create a new project on their own without a super user's permission.

Bug fix: The option to enable "enhanced radio buttons and checkboxes" on surveys was mistakenly not taking effect on CATs (computer adaptive tests) and Auto-scoring instruments, such as PROMIS assessments, that were downloaded from the REDCap Shared Library.

Bug fix: In a production project when a user clicks the "Request delete project" button on the Other Functionality tab of the Project Setup page, it would mistakenly not disable the button after being clicked, which would mistakenly allow users to click it multiple times (although it would correctly be disabled if they left the page and then returned).

Change: The "multiple tabs/windows open" error message now additionally notes that if a Cross-Site Request Forgery (CSRF) was just attempted that it was successfully blocked. This is helpful for any app scanners that are scanning REDCap and believe they have found a CSRF vulnerability when in fact it is a false positive.

Bug fix: On survey pages, the submit buttons at the bottom of the page were causing the page to become too wide on small screens in some cases if both the Previous Page and Next Page buttons were displayed at the same time.

Bug fix: A survey page would not automatically widen if the browser window was widened if the page was initially loaded with a narrow width.

Bug fix: When a project's metadata is exported as an ODM/XML file, if a field contains a range validation min or max with a value of "0", it would mistakenly be omitted in the resulting XML file.

Bug fix: When creating a new project using an uploaded ODM/XML file, if a field contains a range validation min and max value, then the max value would mistakenly overwrite the min value and leave the max value blank, resulting in incorrect validation range values for the field.

Reverted the bug fix for Ticket #1100 since it did not ultimately fix the issue. More work will need to be done in a near-term version to ultimately remedy this. (Refers to bug fix: If a Data Quality rule returns more than 10,000 discrepancies, which is the maximum that it will return, if there have been any discrepancies that have been excluded, then when displaying the discrepancy count to the user, it would mistakenly subtract the excluded count from 10,000 rather than subtracting it from the actual total discrepancy count.)

Version 6.15.0 - (released 6/22/2016) New feature: Enhanced radio buttons and checkboxes for surveys - A new survey option

"enhanced radio buttons and checkboxes" can be found on the Survey Settings page in the Online Designer in which a user can enable the feature so that radio buttons and checkboxes are displayed differently on the survey page, in which they appear as large animated buttons that look more modern and stylish than traditional radios and checkboxes. This new feature can

be enabled for any given survey in a project where it will transform *all* radios and checkboxes on the survey into the enhanced version. Note: This feature does not work for radios and checkboxes in a matrix.

Improvement: Server-side field validation - In addition to the existing client-side field validation that is performed on surveys and data entry forms, REDCap will now also perform server-side validation to validate all submitted values prior to saving them to ensure they are valid values. This means verifying the value via a text field's field validation type, or if a multiple choice field, verifying that the value is indeed a valid choice for the field. If they are considered invalid values, then the value will not be saved, and the page will be reloaded with an error message (similar to the Required Fields error message) informing the user that invalid values were entered and should thus be corrected, if desired. This new server-side validation improves the overall quality of data being entered on surveys and form.

New feature: Create custom public survey link - On the "Public Survey Link" page in a project that utilizes surveys, users now have the option to create their own custom public survey link that begins with "http://is.gd" (e.g.,http://is.gd/diabeticsurvey), in which the custom URL will simply redirect to the public survey in their project. They may enter a desired URL, and it will check if the URL has already been taken. If not, it will store that custom URL in the project so that it is always able to be obtained on the Public Survey Link page.

New Action Tag: @HIDEBUTTON - Hides the 'Now' or 'Today' button that is typically displayed to the right of date, time, and date/time fields.

New Action Tag: @APPUSERNAME-APP - In the REDCap Mobile App, this action tag sets a field's value to the app username of the current mobile app user - i.e., their username in the mobile app, which is not necessarily the same as their REDCap server username that can be captured using @USERNAME. NOTE: For use only in the REDCap Mobile App.

Improvement: Updated "Help & FAQ" page. Has better navigation and is easier to read.

Improvement/change: If a user has had access to REDCap for more than 7 days and they are logging in to REDCap's home page, then it will redirect them to the My Projects page after a successful login. This is to save them a click, assuming that they have no need to view the home page at this point. Note: Due to certain limitations, this feature is only available for installations using "LDAP", "Table-based", or "LDAP & Table-based" authentication methods.

Improvement: Users can now only send the request one time for moving a project to production or requesting that a production project be deleted. In previous versions, the request could be sent many times and could thus cause confusion for the administrator regarding which request should be processed. Additionally, any user that has submitted either of these types of requests may also manually cancel the request by clicking a "Cancel request" button next to the disabled button where the request was originally submitted.

Improvement: Administrators can now add comments to items in the Control Center To-Do List. A comment can be added or edited for any item in the To-Do List.

Major bug fix: If using the median() function in a calculated field in which there are an even number of non-blank values being used in the function for a given record, then it would mistakenly return an incorrect value when viewing the calculated field on a survey or data entry form. However, if the value was calculated via Auto-Calculation via a data import or Data Quality rule H, then the result would be correct.

Major bug fix: If an authenticated user is on a data entry form that has been locked and/or e-signed, and the user knows how to manipulate the webpage in specific ways (e.g. JavaScript methods via their web browser's console) for malicious purposes, they could potentially submit data on the form and modify data values even though the form is locked.

Bug fix: If a radio button field (including Yes/No and True/False fields) has a @READONLY action tag, in which that field is being used on a survey where question pre-filling is being performed via query string or form submit and also where that same field's value is being piped somewhere else on the survey page, then the piped value would mistakenly change on the page if the choice label next to the read-only radio button was clicked. (Ticket #1881)

Bug fix: For certain server configurations, certain pages would cause a PHP fatal error to do case sensitivity when referencing REDCap's ToDoList PHP class.

Bug fix: If using the Data Resolution Workflow in a project, it was mistakenly not displaying the field-level data changes inside the table in the DRW popup but instead was only displaying the actions related to the DRW module. It now correctly displays both the actions and the data changes as it did previously.

Bug fix: For data entry forms that begin with one or more slider fields, inside of the user's cursor getting placed on the slider fields as it should, it would mistakenly skip over them and place the cursor in the field that follows them further down the page. (Ticket #2239)

Bug fix: When using a survey theme on a survey page, the text color for the "Returning?" link, "Survey Queue" link, and page number text would mistakenly not get incorporated into the survey theme colors, thus sometimes making them hard to read if close enough to the background color used.

Change: Modified the "Table-based User Mgmt" link on the Control Center's left-hand menu so that its text says "Add Users (Table-based Only)" instead for greater clarity.

Bug fix: When importing a text field with "datetime w/ seconds" validation in which its date is either MDY or DMY format (either via Data Import Tool or via API import), if the "seconds" time component is missing from the end of the value, then it will mistakenly prepend the time

component with a "0" in the error message that is returned. This does not affect any data because it fails field validation.

Bug fix: When downloading the entire logging record of a project on its Logging page, if any field values contain a "less than" (<) sign followed immediately by a number or letter, then it would mistakenly truncate the Data Changes column for that row in the resulting CSV file. (Ticket #1788)

Change: Added new video "Mobile App Project Setup" on the REDCap Mobile App page in a project that discusses the process of setting up the mobile app for a given project.

Change: If an entire data entry form is disabled due to a user's form-level privileges being set to "read-only", the user would mistakenly not be able to add an E-signature to the form even if they have E-signing privileges. This is inconsistent since they can Lock or Unlock the form but cannot E-sign it. Users with E-signing privileges will now be able to e-sign a data entry form that is disabled. This is allowable since Locking and E-signing privileges are separate from data entry privileges.

Bug fix: If a Data Quality rule returns more than 10,000 discrepancies, which is the maximum that it will return, if there have been any discrepancies that have been excluded, then when displaying the discrepancy count to the user, it would mistakenly subtract the excluded count from 10,000 rather than subtracting it from the actual total discrepancy count. (Ticket #1100)

Bug fix: The "reset" link for a matrix of radio button fields was mistakenly getting displayed on the line above the radios rather than below them, thus messing up some of the formatting of the matrix.

Version 6.14.2 - (released 6/8/2016) Change: A link to the Control Center was added (for super users only) at the top left of a project

page (to the right of the "My Projects" link). Bug fix: Permittable HTML tags that were manually entered in a calendar event's Notes field are

no longer interpreted but are mistakenly escaped and displayed as-is on the calendar event. Example: In the mouseover tooltip for a calendar event on the Calendar page, instead of bolding the text when using <b>, it would instead display it explicitly as "<b>". Bug emerged in REDCap 6.14.1.

Bug fix: If an authenticated user has special knowledge of REDCap's architecture, they could potentially set or remove the project-level expiration date of a user in a project to which they have access, even if the user does not have privileges to access the User Rights page in that project.

Bug fix: If using the GET or POST pre-fill method for pre-filling survey fields, it would mistakenly fail to perform the pre-filling action on checkbox fields having option values of two characters or more in length. (Ticket #1243)

Bug fix: If an authenticated user has special knowledge of REDCap's architecture, they could manually call a certain page that would create a new project with a blank project title, even if they do not have project creation privileges. (Ticket #1246)

Bug fix: If a survey queue page has many completed surveys, in which it hides them and displays the "view all" link, then if the participant clicked the "view all" link, it would mistakenly not display the hidden completed surveys in the table. Bug emerged in version 6.13.0.

Change: All links pointing to pages on the Trac wiki have now been replaced with their corresponding pages on the new REDCap Community website (https://community.projectredcap.org) since the Trac wiki at devguard.com has now been officially retired.

Bug fix: The REDCap Hook documentation notes that the global variable $conn should be used for database connections. However, that variable is mistakenly not defined at the time any hook is called and thus is not able to be utilized.

Bug fix: In certain cases when using Shibboleth authentication, it would mistakenly not set the user's last login time correctly in the redcap_user_information table. (Ticket #1251)

Version 6.14.1 - (released 5/25/2016) Improvement: A field's Section Header and Field Annotation are now displayed in the Codebook

for the project. Medium security fixes: Several cross-site scripting vulnerabilities were found on various pages

throughout REDCap, in which these vulnerabilities could possibly be exploited by a malicious user (who is a valid REDCap user) who knows how to inject specific malicious text into field labels and other various field attributes, which then get displayed on certain pages. (Ticket #1234)

Major bug fix: If using the CDC's SAMS authentication, there is the possibility that the REDCap session could mistakenly persist via the user's browser's session cookie on their computer, despite the fact that the session was destroyed on the REDCap server.

Bug fix: When viewing the REDCap upgrade module on Mac OS X, the text inside the SQL upgrade script textbox might mistakenly not display line breaks incorrectly and thus might cause SQL errors if executed as is.

Bug fix: Some JavaScript? errors were occurring in Internet Explorer 8, which caused some functionality to work and some pages not to render correctly.

Bug fix: If a super user is submitting production Draft Mode changes in which the changes are not automatically approved, it would mistakenly not add the event to the To-Do List in the Control Center.

Change: Updated some of the language in the Install module to provide better guidance and clarity for the installation process, and also to remove language that caters heavily to phpMyAdmin as a preferable MySQL client. Additionally, text was added to stating that MariaDB is a completely compatible alternative for MySQL as a database back-end.

Bug fix: If using Two Factor Authentication, it was mistakenly not using the web server's default value for the "Secure" cookie attribute for the Two Factor cookies created, as per changes for session cookies in version 6.14.0.

Change: The attribute autocomplete="off" was added to all text input fields on surveys and data entry forms (and to the form tag itself) to allow institutions to better comply with certain regulatory requirements, even though most modern browsers ignore this attribute.

Bug fix: If the Double Data Entry module is enabled for a project, the Project Statistics table and the Current Users table would mistakenly overlap on the Project Home page. (Ticket #1233)

Bug fix: When selecting the Import Users API method on the API Playground page, it would mistakenly throw an error and crash the page. (Ticket #1226)

Change/bug fix: When exporting data via the Export Records API method, specifically in flat JSON format, it might mistakenly return the record names as different data types, in which some may be returned as numbers while others as strings. This should not affect anything adversely but might be confusing to users. For consistency, it now returns all record names as strings (i.e., surrounded by quotes) when exported in flat JSON format. (Ticket #1230)

Version 6.14.0 - (released 5/13/2016)NEW FEATURES & IMPROVEMENTS:

New feature: Administrator To-Do List

New page in the Control Center that allows all REDCap administrator requests to be processed in a single place. This includes approving production drafted changes, API token requests, create/copy projects (if applicable), and move projects to production (if applicable).

All requests will be listed in a table on this page and will include all associated information about the request, such as time of request, requestor, project, request type, etc.

If desired, email notifications can be disabled on this page if administrators no longer wish to receive the emails associated with these requests, but instead wish to solely use the To-Do List page without any email notifications.

NOTE: This page will always reflect the current status of all requests, whether or not they were processed using the tables below or using the link inside the email to the administrator (if email notifications are enabled).

New action tag: @USERNAME - Sets a field's value to the username of the current REDCap user. If this is used on a survey, the value will be “[survey respondent]”. Once the value is captured, it will not be changed when visiting the page at a later time. New action tag: @DEFAULT - Sets a field's initial value.

This action tag allows a field to have a specified default value when viewing the field on a survey or data entry form that has not yet had any data saved for it (i.e., when the form status icon is gray or when a survey has not been started).

The format must follow the pattern @DEFAULT="????", in which the desired default value should be inside single or double quotes.

For checkbox fields, simply separate multiple checkbox values with commas - e.g., @DEFAULT='1,3,6'. NOTE: The default value does *not* get applied during any data imports (via API or Data Import Tool) but only operates when viewing survey pages and data entry forms.

For text fields, you may even perform Piping inside the default value to pipe data from another field in the project - e.g., @DEFAULT=”Name: [first_name] [last_name], DOB: [dob]”.

NOTE: If being used on a date or datetime field, the date value inside the quotes must be in Y-M-D format - e.g., @DEFAULT='2007-12-25'.

If this action tag is used on a survey question that is utilizing a survey pre-fill method (via query string or POST submit), then the pre-fill values supplied will override the default values provided by the action tag.

New hook: redcap_every_page_top - Allows custom actions to be performed at the top of every page in REDCap (including plugins that render the REDCap page header) New hook: redcap_every_page_before_render - Allows custom actions to be performed by every PHP script in REDCap (including plugins) before the script itself begins to be formally processed. Improvement: When in production, users can now request that a project be deleted by an administrator. The request will be added to the To-Do List in the Control Center, and the administrator will be emailed (if email notifications are enabled). New method for hooks/plugins: REDCap::getCopyright - Returns the REDCap copyright text to be displayed on all pages - i.e., "REDCap X.X.X - © 20XX Vanderbilt University". This is recommended to be used if a hook is utilized to alter an existing REDCap page so much that the normal page footer that contains the REDCap copyright notice is no longer displayed. Thus you may use this method to display the copyright notice on that page but in a different way or in a different location. This is to conform to the REDCap license agreement that stipulates that the REDCap copyright notice should not be removed from any REDCap pages (this excludes plugins).BUG FIXES & OTHER CHANGES: Change: To be more consistent and simpler with regard to how REDCap administrators are notified about user-submitted requests, the “Person who will approve changes for production projects” option has been removed from the system-level and project-level configurations. Instead, REDCap will now use the “Project Contact Person” name and email for *all* requests rather than using the two options for various requests, which can be confusing regarding which will be

used for what type of request. This will keep things much more simplified going further. Change: On the General Configuration page and Edit A Project’s Settings pages in the Control Center, the option “Project Contact Person” has been re-labeled as “Name of REDCap Administrator” to improve clarification regarding what this option refers to. Change/improvement: Piping can now work recursively in case the initial data that is piped also contains variables that should then be piped. Change/improvement: The mailto link at the bottom left of a project has now been replaced with a "Contact REDCap administrator" button that, when clicked, opens the user's default email client and pre-fills the email body with their username, the title of the current project, and a link to the project. This should help administrators in case this information is not provided by the user themselves, which is often the case. Bug fix: When creating a new Data Quality rule that contains "<-", such as "[field]<-6", in which the "less than" character is followed immediately by a minus sign, it would mistakenly remove everything in the logic beginning with the "less than" sign and after it, and would thus cause the entire logic not to execute correctly. Bug fix: When exporting a project's metadata and data as a project XML file on the Other Functionality tab of the Project Setup page, the title of the dialog would mistakenly say "Exporting 'report'" when it should instead say "Exporting 'Entire project (metadata & data)'". Change: When adding a new field in the Online Designer, the Custom Alignment setting no longer resets back to "Right Vertical (RV)" alignment every time as it did in previous versions, but instead it now reverts to the alignment value of the previous field that was opened beforehand while on that page. Bug fix: If using question auto-numbering on a survey that contains fields that utilize the @HIDDEN or @HIDDEN-SURVEY action tag, it would mistakenly not display the question numbers correctly but would appear to skip some because they belong to the questions being hidden. Bug fix: A fatal PHP error would occur if calling the "Import Events" API method with the "override" parameter having a value of FALSE. (Ticket #1199) Change/improvement: The Browse Projects page in the Control Center now displays a project's PID (i.e, its project ID number) next to the project title to allow administrators to more easily identify a project, especially when some projects are similarly named and thus difficult to tell apart. Bug fix: When viewing the Project Setup page on a mobile device, the link to the My Projects page inside the navigation drop-down list at the top of the page would not be formed correctly, thus causing the link not to work correctly. Bug fix: If a field references a checkbox field in its branching logic or its calculation (if a calc field), then if the checkbox field's instrument is copied using the Copy action in the Online Designer, the new copy of the checkbox variable would mistakenly not get updated in the branching logic or calculation. (Ticket #1206) Bug fix: On some project pages, the page footer might mistakenly cover some content at the very bottom of the page. (Ticket #1204) Improvement: Added an "Edit" link on the left-hand project menu in the "Project Bookmarks" panel to allow users to easily navigate to the Project Bookmarks page if they have Project Design/Setup privileges. Improvement: When copying a user role on a project's User Rights page, the Edit Role popup now opens immediately after copying a role to allow the user to more easily modify the newly created role. Bug fix: When creating or editing a report in a project, HTML tags used inside Field Labels would mistakenly get displayed in the field drop-downs on the page, thus causing it to be difficult to view all the Field Labels in the drop-down correctly. (Ticket #1203)

Bug fix: If a matrix of fields has matrix ranking enabled, in which one of the choices in the matrix contains a period/dot in its raw/coded value, then the ranking feature would not work and would mistakenly throw a JavaScript error. Change: Small clarification in instruction text when a REDCap administrator is creating an API token for a user. Change: If the REDCap web server already has a large value set for the "max_execution_time" setting in PHP.INI, then REDCap will not lower that setting's value if REDCap's required value is smaller than the system value. Bug fix: When using the CDC's SAMS authentication, it was mistakenly reporting every page request as a login event in the redcap_log_view database table. This did not affect anything other than causing all logged web requests to be duplicated in the backend database. Bug fix: The survey table of questions might mistakenly be too narrow (not full width) in some web browsers when taking a survey that is a CAT (computer adaptive test) or auto-scoring instrument downloaded from the REDCap Shared Library. Bug fix: If the Dynamic Data Pull (DDP) module is enabled for a project, and a non-temporal field's value (e.g., last name) has been imported into REDCap from the source data system, then if the value in the source system ever changed afterward, it would mistakenly never get pulled into REDCap to allow the new value to be adjudicated by a user. Now if it detects that a non-temporal field's value has changed when pulling data from the source system again, then even though it has already been cached in REDCap, it replace the cached value with the new value received from the source system, and will prompt the user to re-adjudicate the new value. Bug fix: Normal users were not able to do anything on the Record Locking Customization page in a project due to a JavaScript error. Bug emerged in version 6.13.0. Bug fix: Live Filters on a given report will have no effect when viewing the "Stats & Charts" page for the report, but instead the report will mistakenly display all results as if a Live Filter had not been selected. (Ticket #1219) Fixed a typo in some Twilio instructions. (Ticket #1209) Bug fix: When clicking the [?] link for the option "Enable auto-complete for this drop-down" in the Add/Edit Field popup on the Online Designer, it would mistakenly make the browser go to a blank page in certain web browsers (e.g., Firefox). Fixed typo for instructional text when moving a project to production. Bug fix: When using the Randomization module in a project, if a super user uploads a new allocation table while in production in order to append those allocations to the existing randomization allocation table, it would mistakenly not log the event. Change/improvement: The REDCap installation package now comes with the hook_functions.php file and a hooks directory, and the path to the hook_functions.php file is set automatically during the installation process. Change/improvement: REDCap now uses the value of session.cookie_secure in the PHP.INI configuration file when setting the default cookie parameters. This allows for the "Secure" cookie attribute to be set to True if session.cookie_secure=On in PHP.INI. By default, the "Secure" cookie attribute is set to False.

Version 6.13.3 - (released 4/22/2016) Major bug fix: If using the Randomization module in a project while viewing a data entry

form of a record that had already been randomized, it is mistakenly possible to click the "Delete data for this form only" button and delete the form's data even when the randomization field or strata fields exist on the page. There should be no way to modify the value of the randomization field or strata fields once a record has been randomized. In

this case, it now displays a message saying that the form's data cannot be deleted for the reasons above.

Major bug fix: If using the Randomization module in a project while viewing a data entry form of a record that had already been randomized, it is mistakenly possible to click the "Delete data for this event only" button and delete the whole event's data even when the randomization field or strata fields exist on that event. There should be no way to modify the value of the randomization field or strata fields once a record has been randomized. In this case, it now displays a message saying that the event's data cannot be deleted for the reasons above.

Major bug fix: If one or more data entry forms have been locked on a given event for a record in a longitudinal project, then it would mistakenly be possible to click the "Delete data for this event only" button at the bottom of the data entry form. There should be no way to delete values for a locked form. In this case, it now displays a message saying that the event's data cannot be deleted until all of the locked forms on the event have been unlocked by someone with locking/unlocking privileges.

Change: Added a compatibility notice for the embedded audio option for attachments for Descriptive fields on surveys and data entry forms. The compatibility notice informs the user that the embedded audio option for attachments is not 100% compatible for all audio file types across all web browsers. This is not a limitation in REDCap, but is simply a compatibility issue across web browsers. The most compatible audio file types to use are MP3 and WAV. Other audio types may work on some browsers but not in others. Unfortunately, there is not always an easy way to know what audio file will work for which browser, especially as operating systems and web browsers evolve over time.

Improvement: When a user opens the Data History popup or the Data Resolution Workflow popup for a given record/field, the popup should now open a bit more quickly than before if it had been slow in the past, especially for projects with many records and/or data changes.

Bug fix: Issue when using Twilio telephony services when using a proxy with the REDCap web server. (Ticket #1190)

Bug fix: When importing data via the Data Import Tool or API data import, the number of records that were created or modified during the import would mistakenly be reported as the number of values that were added/updated rather than the number of records that were created/modified. Bug emerged in 6.13.2. (Ticket #1189)

Bug fix: If a BMP image file was used as an inline image for a Description field on a data collection instrument, then a fatal PHP error would occur if a user attempted to download a PDF of that instrument, thus preventing the user from ever downloading the PDF successfully. It now simply omits the BMP file in the PDF because the third-party PDF software used in REDCap is not able to render BMP files. But at least the user will be able to download the PDF now.

Bug fix: For certain server configurations, the Configuration Check page might mistakenly say that the database structure is incorrect when there is actually nothing wrong, in which it would display a lot of SQL queries to fix the "issue" that would fail if they were run (although they would not harm anything).

Bug fix: If Automated Invitations have been set for a survey, in which it is using conditional logic to trigger the invitations, and if the logic contains the operator "<=", then when the Automated Invitations popup is reloaded at a later time, it would mistakenly insert a space into the operator ("< =") when displaying it in the popup. Although this issue does get caught by REDCap before allowing the user to save it (thus it should not cause problems), it still is rather annoying to have to manually fix every time prior to saving the logic again.

Version 6.13.2 - (released 4/19/2016) Major bug fix: Some specific web server configurations might throw a fatal PHP error if a user attempted to use the API Metadata Import method or attempted to export/import a CDISC ODM file. Major bug fix: When using the Randomization module in a project and saving data on the data entry form where the randomization field is located, it is possible in some rare cases that the value of the randomization field, despite being disabled on the page, might somehow get changed (i.e., as seen on the data entry form or reports/exports - although its value in the randomization allocation table will remain unchanged). This might occur due to unforeseen interaction with certain browser extensions, as well as due to unknown manipulation of the form when using certain tablets. More safeguards have now been added in order to prevent the randomization field's value from ever changing on a data entry form. Bug fix: When importing data via Data Import Tool or API for a field with "vmrn" validation (Vanderbilt medical record number), it would mistakenly convert any blank values into the value "000000000" when importing. Bug fix: If non-Latin characters (especially multi-byte characters) exist in a project title, then the project title would not display correctly on the My Projects page on a mobile device (small screen) but would instead be garbled. Bug emerged in version 6.13.0. (Ticket #1182) Change: Disabled the backspace-goes-back "feature" of browsers, which could cause unexpected issues and confusion if a user accidentally clicked the backspace button on a page. Bug fix: If using the Dynamic Data Pull (DDP) module with "Preview Fields" enabled, then if a value is entered for a source identifier field on a data entry form and then the record is saved after viewing the Preview Fields while a required field is left blank on the page, then it would mistakenly not display the DDP adjudication popup on the next screen but would instead show the required field popup. It now shows the DDP popup instead. Change: Matrix fields are now no longer allowed to have a Field Label. (Ticket #1188) Change: The width of date and datetime fields was increased on surveys with "Large" or "Very Large" text so that the entire value is always visible. Bug fix: If a file is uploaded to a File Upload field or Signature field on a survey or data entry form and then another File Upload field or Signature field is opened within one second of closing the first one, then the second field's popup prompt would mistakenly close. This would require the user to have to reopen it.

Version 6.13.1 - (released 4/12/2016) Change: The Configuration Check page now checks to make sure that the DOM extension in PHP is installed.

Bug fix: The table displayed on the Record Status Dashboard and Event Grid (in longitudinal projects) might get widened too far on mobile devices in certain cases or if the browser window is resized. This would make the page unusable. Bug fix: When using the Quick Add feature when adding/editing a report, if an instrument begins with a Descriptive field, then it would mistakenly not display the instrument name and the "Select All/Deselect All" options in the Quick Add popup, thus making it impossible to select/deselect all fields in that instrument at once. Bug fix: If the words "and" or "or" are used inside single quotes or double quotes in branching logic or a calculation (e.g., [text_field] = "x and y"), then it would not get parsed correctly and thus would not function as expected. (Ticket #1160) Bug fix: When sending emails in a Google App Engine environment, REDCap would think the emails did not send even when they actually did. Bug fix: It was not possible to move a project to Inactive status because the button on the Other Functionality did not do anything. Bug fix: When using the REDCap::getPDF method in a plugin or hook, in certain circumstances it might mistakenly return a single instrument in the PDF even though the $instrument parameter is passed as NULL in order to force it to return all instruments. (Ticket #1177) Bug fix: When performing a search using the Data Search utility on the Add/Edit Records page, it might mistakenly return results that belong to orphaned events that have since been deleted. Change: The enhancement added in a recent version to prompt the user to have a text field's value automatically trimmed if the value begins or ends with whitespace was mistakenly being applied to Notes fields when it should have only been applied to Text fields.

Version 6.13.0 - (released 4/8/2016) New feature: Responsive design of REDCap web pages Now has a more flexible and responsive user interface to conform to and fit screens on devices of all sizes. Major improvement for how surveys and data entry forms look on mobile devices (i.e., phones), including automatic font increase and forced left-alignment of questions for better user experience when screen real estate is limited. REDCap now has the Bootstrap front-end framework embedded inside it, thus allowing plugin/hook developers to utilize all the Bootstrap UI elements and features. Technical note: The “label” CSS class used for field labels in the question table on surveys and data entry forms has been replaced with “labelrc” to prevent conflicts with Bootstrap. Improvement: Slider fields on surveys and data entry forms are now much easier to use on mobile/touch devices. Improvement/change: When a user moves a project to production (or requests to have a project moved to production) on the Project Setup page, it now forces them to choose if they want to delete all project data or to keep all existing records. In previous versions, it would pre-check the “delete all data” checkbox, which could sometimes cause users to unwittingly lose all their data if not paying attention to what they are agreeing to. Improvement/change: A new system-level setting allows administrators to hide the option where users can export an entire project as a single REDCap XML file (i.e., project backup). Because some institutions are wary of users feeling the need to download an entire project and its data, they may unwittingly download unencrypted project backups (containing data) to store on their local drive, which could be a security or privacy concern. This option can now be disabled on the Modules Configuration page in the Control Center.

Change: The Record Locking Customization page in a project now allows normal users to view the locking and e-signature information in read-only format when in production. In previous versions, only super users were allowed to view this page in production status. Major bug fix: If the randomization module is enabled in a project and is using Data Access Groups to randomize by group/site (i.e., using DAGs as a strata field), then it is possible to delete any given Data Access Group and thus cause catastrophic issues with the randomization process, especially if the randomization allocation table has already been uploaded and/or users have already begun to randomize records in the project. It now prevents users from deleting DAGs if randomization has already been enabled and set up. (Ticket #1135) Major bug fix: If the function min() or max() is used in a calculated field, then auto-calculations (via data import, Data Quality rule H, etc.) might mistakenly not get triggered for this field and thus might leave the existing incorrect value as-is. This is related to bug fix for these functions in the previous version. Bug fix: If a survey has custom survey theme options set (as opposed to using a pre-built theme), then the custom theme options would mistakenly not be reflected on the Survey Completion Text page after a participant has completed the survey. Improvement: The User Rights page in a project now prevents users from mistakenly assigning themselves to a role that does not have User Rights privileges, which could inadvertently cause them to be locked out of that page in their own project. Bug fix: If the first field on a data entry form is a drop-down autocomplete field that has no value entered yet, then the drop-down's choices will not be displayed automatically when the page loads. This is done in order to simulate the behavior of real drop-down fields and also because the previous behavior it confused some users and might even cause the website to react in unexpected ways if the list was very long when displayed on smaller screens. Bug fix: If a user has uploaded a WAV audio file as an attachment on a Descriptive field on a form or survey, then it would not be able to play the sound file in any version of Internet Explorer if the user has selected the file to play in an embedded player on the page. (Ticket #1158) Bug fix: When attempting to import a REDCap project XML file when creating a new project, in which the XML file contains data for checkbox fields, it would display an erroneous error message and would prevent the user from creating the project. (Ticket #1154) Bug fix: When attempting to import a REDCap project XML file when creating a new project, in which the XML file contains data and also contains Data Access Group assignments for the records in the data, it would throw an erroneous error and prevent the user from creating the project. It now ignores any DAG assignments in the XML data during the project creation process since no DAGs will actually be created in the new project during this process. Bug fix: If a project has fields that contain UTF-8/non-Latin characters that have been encoded incorrectly (often due to Microsoft Excel not saving a data dictionary in the right character encoding), then the project might mistakenly not sync to the REDCap Mobile App when attempting to set up the project on a mobile device. Bug fix: If a field in a project is selected to be the Secondary Unique Field and that field also has field validation (e.g., integer, email), then the field validation will mistakenly get removed when viewing that field on the data entry form or survey page, thus allowing data in any format to be entered without validation. (Ticket #1138) Bug fix: If a field is hidden because of the action tag @HIDDEN, @HIDDEN-SURVEY, or @HIDDEN-FORM, then it would mistakenly not hide the section header belonging to that field's section if all fields in the section were hidden (due to either branching logic or due to @HIDDEN action tags).

Change: On the Survey Settings page in the Online Designer, the text for the "Delete Survey" button at the bottom of the page has been changed to "Delete Survey Settings" to reduce confusion regarding what the button does. Bug fix: Due to changes in MySQL 5.7.4, a database table cannot have a date field with '0000-00-00' as a default, which was causing some issues during REDCap installation. Bug fix: When utilizing the Randomization module in a project and using one or more strata fields, if a user is randomizing a record but does not have edit privileges to a data entry form on which one of the strata fields is located, then it would mistakenly allow the user to modify the value of the field during the randomization process despite not having edit privileges to do so. Bug fix: When resetting the password of a user when using Table-based authentication, it might sometimes mistakenly lock the user out of REDCap for a limited period of time (as if they had several failed login attempts) after clicking the "Set your new password" link in their email. This was supposedly fixed in earlier versions but still persisted randomly in rare cases. Bug fix: If new Table-based users are being created via uploaded CSV file on the "Create Users (Bulk Upload)" page in the Control Center and they have non-Latin/UTF-8 characters in their name, comments, or other attributes, it would not be able to display those attributes correctly when viewing the user's account on the Browse Users page if the CSV file being uploaded was not encoded correctly as UTF-8 encoding with a BOM (byte-order mark).

Version 6.12.2 - (released 3/18/2016) Major bug fix: If the function min() or max() is used in a calculated field in which one of

the values used in the function is blank/null, then auto-calculations (via data import, Data Quality rule H, etc.) would mistakenly return an incorrect answer. This is despite the fact that it would calculate it correctly when viewing the calculated value on a data entry form or survey. In this way, the calculation might get saved correctly initially but then may get changed later to the incorrect value via auto-calculations or by running rule H in the Data Quality module.

Major bug fix: If a calculated field has somehow ended up having an incorrect value when its value should instead be blank/null, then auto-calculations (via data import, Data Quality rule H, etc.) would mistakenly not be able to correct the value to set it as blank/null. This would often be seen when running rule H in the Data Quality module, in which it would appear not to fix any values even though it said that it did fix them. (Ticket #1156)

Major bug fix: If a user executes rule H in the Data Quality module in which some of the values listed exist on a data entry form that has been locked, then the process will fail when the user attempts to fix all incorrect calculated values, even though it may mistakenly say that it did fix them. This prevents any of the calculations from being fixed in the project. (Ticket #1156)

Bug fix: If a user accesses a data entry form that has been disabled (either because they have read-only form rights or because the form is locked), then calculations could be triggered on that page when the page loads, thus changing the values of the calc fields and possibly showing/hiding other fields if they have branching logic based on those calc fields. This is normally fine if the data is not being saved; however, if the user leaves the

page, it would mistakenly display for them the "Save your changes?" dialog, which inadvertently allows them to save the values of those calc fields even though they should not be able to modify data on that page. (Ticket #1128)

Bug fix: If a drop-down field on a survey has a Stop Action and the auto-complete feature is enabled for the drop-down field, then if the Stop Action gets triggered by a participant, then it would not correctly remove the field's value if the participant clicked the button "Continue survey and undo last response" and might also cause lots of popups to pile on top of each other.

Bug fix: If a survey participant is using IE6 or IE7, then it would throw a JavaScript? error on the Survey Completion Text page after completing the survey (although it would successfully save their responses with no problem). (Ticket #1142)

Version 6.12.1 - (released 3/9/2016) New feature: Live Filters for reports

Any report can now have up to 3 fields that can be designated as a Live Filter. The Live Filters are displayed as drop-downs when viewing a report at the top-right of the page, and selecting a Live Filter will cause the report to be re-run in real time using the Live Filter value as a filter.

If exporting a report that has a Live Filter selected, the export popup window will provide an extra choice to allow the user to export the full report data set or to apply the currently selected Live Filter to the report when exporting.

Note: Currently only multiple choice fields can be used as Live Filters (as well as Events, if longitudinal, and Data Access Groups, if any exist).

Improvement: The left-hand menu of each project now has collapsible sections so that a user may collapse the section for easier navigation or to have a more compact page. The collapsed state of each section in each project is remembered using a cookie on the user's device so that when a user returns to the project in the future, the menu section remains in the same collapsed/non-collapsed state as the last time they viewed it on that device. Improvement: Performing data exports or viewing reports for projects containing very large amounts records, especially in conjunction with lots of events and/or fields, should not halt the export process very often anymore. In the past this might cause REDCap to display an error message saying "the data export is not able to complete" due to the large amount of data being exported or viewed. In the case when too much web server memory is used during the data export process, REDCap will now invisibly revert to a backup process that utilizes a local temp file on the server for temporarily storing data during the export process (rather than relying on server memory solely for this). This will allow the export process to complete successfully; however, the process will take several times longer to complete than if simply using server memory. Change: When exporting an entire project as a REDCap Project XML file, it now provides the option "Include all uploaded files and signatures?", which is unchecked by default. In previous versions, it automatically included all uploaded files and signatures in the resulting XML file, but this often caused the export to fail due to the project either containing many files or containing very large files.

Change: A new parameter "exportFiles" (boolean) was added to the REDCap::getProjectXML developer method for plugins and hooks. The parameter, which defaults to FALSE, specifies whether or not the resulting XML will include all files (base64 encoded) that were uploaded for File Upload and Signature fields for all records in the project. Please note that while the previous version (6.12.0) exported all files in the resulting XML by default, it no longer does that and must now be specified explicitly. Change: A new parameter "exportFiles" (boolean) was added to the "Export Project XML" API method. The parameter, which defaults to FALSE, specifies whether or not the resulting XML will include all files (base64 encoded) that were uploaded for File Upload and Signature fields for all records in the project. Please note that while the previous version (6.12.0) exported all files in the resulting XML by default, it no longer does that and must now be specified explicitly. Bug fix: When uploading a data dictionary containing a calc field whose calculation has a syntactical error, it would mistakenly display some seemingly irrelevant numbers at the end of the error message, which could be confusing. Bug fix: When using certain non-English translation files (i.e., French), the "Suspend user account" button might not display correctly or function on the Browse Users page in the Control Center. (Ticket user information (closed: Will fix in upcoming release)" style="text-decoration: line-through; color: rgb(187, 0, 0); border-bottom-width: 1px; border-bottom-style: dotted; border-bottom-color: rgb(187, 187, 187);">#1081) Bug fix: When downloading the CSV file of the list of users in the popup on the Browse Users page in the Control Center, if the file contained any UTF-8 characters, it would mistakenly not add the Byte Order Mark (BOM) at the beginning of the file, thus preventing the file from being opened easily by most programs. (Ticket #1099) Bug fix: When exporting data to a statistical analysis package (e.g., SAS) if a multiple choice field in the project contains two or more choices having the same coded value, which is typically discouraged, it could throw an error in the statistical analysis software when loading in the syntax file from REDCap. In the case where duplicate codings exist for a given multiple choice field, it will now merge those choice labels together in the syntax file for the stats package when performing a data export. Bug fix: If a data entry form is opened and the first field on it has a min/max range validation check, in which the value is already entered and is out of range, then if any dialog popups get displayed initially when the form loads (e.g., required fields were missing, data quality real-time execution rules were violated), it would mistakenly display the out-of-range error message for that first field whenever the user would click on a dialog popup on the page that happens to be obscuring the field in question. Bug fix: When assigning an existing user in a project to a role or when re-assigning an existing user to another role, it would mistakenly display the "Notify user via email?" option above the role names when choosing their role. It should only display that option when initially adding a user to the project via assigning them to a role. Bug fix: The time field was mistakenly not being validated for Step 3 when setting up Automated Survey Invitations with option "Send on next [day] at time [time]" and also when enabling reminders using option "Send every [day] at time [time]" when composing survey invitations. This could allow users to accidentally enter an invalid value, thus causing the invitations/reminders not to send at the desired time. (Ticket #1136) Bug fix: When clicking the "Use advanced logic" link in Step 3 when creating or editing a report in a project, if a text field for the filter value was left blank, then it would mistakenly convert that blank value to "undefined" in the advanced logic that is produced, rather than it being just two double quotes (i.e., "").


NEW FEATURES & IMPROVEMENTS:

Improvement: New option to download charts displayed on the "Stats & Charts" tab of the "Data Exports, Reports, and Stats" module. The charts will download as PNG image files.

New feature: Users may now export a project’s data in CDISC ODM format. This new option is found on the “Data Exports, Reports, and Stats” page in the data export popup when selecting export format.

New feature: An entire REDCap project can now be exported as a single XML file (which happens to be in CDISC ODM format). The file includes events, arms, instruments, fields, and project attributes – even Descriptive field attachments. If the project contains data, then the user can also optionally export the project data (including uploaded files) in the same XML file. This XML file can serve as a snapshot or backup copy of the project, and can even be imported on the Create New Project page to create a clone (more or less) of the project.

New feature: Create a new project from a REDCap XML file (or other XML file containing metadata in CDISC ODM format). This is a new option on the Create New Project page, which allows the user to optionally upload their XML file rather than choosing a project template or creating the project from scratch.

New and improved SDK developer methods for plugins and hookso REDCap::getProjectXML – New method – Returns the contents of an entire

project (records, events, arms, instruments, fields, and project attributes – even uploaded files and Descriptive field attachments) as a single XML file, which is in CDISC ODM format.

o REDCap::getData – Parameter for data format now accepts value of “odm” to export data in CDISC ODM format. This only returns data (not the project structure/metadata).

o REDCap::saveData – Parameter for data format now accepts value of “odm” to import data in CDISC ODM format. This only returns data (not the project structure/metadata).

New and improved API methodso Export Project XML – New API method – Returns the contents of an entire

project (records, events, arms, instruments, fields, and project attributes – even uploaded files and Descriptive field attachments) as a single XML file, which is in CDISC ODM format.

o Export Records – Parameter for data format now accepts value of “odm” to export data in CDISC ODM format. This only returns data (not the project structure/metadata).

o Import Records – Parameter for data format now accepts value of “odm” to import data in CDISC ODM format. This only returns data (not the project structure/metadata).

o Create Project – New optional parameter named “odm” can be used to pass the ODM XML string of an entire project’s structure (the same as output by the Export Project XML method) when creating a new project using a Super API Token. This will allow you not only to create the project with the API request, but also to import all fields, forms, and project attributes (and events and arms, if longitudinal) as well as record data all at the same time.

BUG FIXES & OTHER CHANGES:

Major bug fix: When using Table-based authentication, in which a new user account is created and the user receives an email to set their password, in some cases it would mistakenly cause multiple false logins after loading the page, which might possibly trigger the auto-lockout feature. If this happens, the user would have to wait until after the set lockout period has passed, but it is possible that the auto-lockout could occur again, thus preventing the user from gaining access to REDCap for a while. This does not occur on all occasions but only randomly. This bug was thought to have been fixed in a prior version but apparently still occurred in certain cases. (Ticket #1112)

Bug fix: If running PHP 5.1 or 5.2 on the REDCap web server, REDCap might not be able to send emails successfully but instead will throw a PHP parsing error. Bug introduced in REDCap 6.11.0.

Bug fix: When using a survey theme on a survey containing a matrix of fields, it would mistakenly not highlight the matrix field labels in green when focus is put on the field.

Change: Added a new check to confirm that the version directory of the current REDCap version (e.g., redcap_v6.12.0) has not been mistakenly removed from the web server, thus resulting in a strange non-styled Home page or My Projects page.

Bug fix: If the system-level setting "Enable the use of surveys in projects?" is disabled on the Modules Configuration page in the Control Center, then it would mistakenly still allow users to access survey modules in a project if surveys had been enabled in the project prior to the disabling of the system-level survey setting. (Ticket #1124)

Bug fix: The Logging page in a project would mistakenly not display the logged event correctly when uploading or downloading a file attachment on a Descriptive field. Instead it would display it similar to that of a file uploaded to a File Upload field.

Version 6.11.5 - (released 2/12/2016) New feature: Domain whitelist for cross-domain HTTP access control - By default, for flexibility purposes, AJAX requests (via JavaScript?) can be made to REDCap from any domain/URL. If you wish to restrict this so that only certain domains can make cross-domain AJAX requests to REDCap, then you will need to set the domain name of all allowed access control origins (i.e., the domain of the URLs) in the text box to the right. If the text box is left blank (default), then any domain will be able to make cross-domain AJAX requests to REDCap.

Restricting access control to specific domains is generally considered to make REDCap more secure to prevent against possible Cross-Site Scripting attacks by malicious users. This setting can be found at the bottom of the Security & Authentication page in the Control Center. Improvement: When an instrument has been enabled as a survey and the survey has the setting "Auto-continue to next survey" enabled, then a down arrow icon will now appear in the Online Designer for that survey to denote that this setting has been enabled. Major bug fix: It was mistakenly possible to import dates or datetime values that contained no dashes or slashes (e.g. 20160229 instead of 2016-02-29) via the Data Import Tool or API for date-, datetime-, or datetime_seconds-validated Text fields. This could result in storing incorrectly formatted date and datetime values. Major bug fix: If a field in a project contained a double underscore in its variable name (because it was created in an older version of REDCap that mistakenly allowed the double underscore), then when downloading and uploading the data dictionary for the project when in production status, it would mistakenly remove the double underscore, thus resulting in the deletion of the original field and unwittingly orphaning data. (Ticket #1012) Bug fix: If using the Twilio telephony services for surveys and using multiple SMS/phone surveys in a single project when having the Twilio configuration option "Behavior for overlapping SMS invitations" set to "Allow participant to choose which survey to take next", then it might mistakenly include already-completed surveys in the list sent to the user. Also, it would mistakenly not include surveys in the list whose invitations are set to call the participant after the participant sends an SMS message with an access code. Bug fix: When creating a new report in a project, if a user opted to use advanced logic for Step 3 (Filters), it would mistakenly not save the logic when creating the report but leave it blank. It would save correctly if advanced logic was added to an existing report but not to one that is being created. Change: New videos for REDCap Mobile App Bug fix: Some HTML character codes (such as " ") inside Field Labels would get mistakenly displayed on the Data Dictionary Codebook page for a project. Bug fix: When exporting a project's logging as a CSV file on the Logging page, then if any UTF-8 characters existed in the CSV file, it would mistakenly not include a Byte Order Mark (BOM) at the beginning of the file. Without the BOM, the UTF-8 encoded file could not be opened in certain text editors or applications. (Ticket #537) Bug fix: When exporting a project's Participant List or Survey Invitation Log as a CSV file, then if any UTF-8 characters existed in the CSV file, it would mistakenly not include a Byte Order Mark (BOM) at the beginning of the file. Without the BOM, the UTF-8 encoded file could not be opened in certain text editors or applications. (Ticket #1099) Bug fix: If the text-to-speech feature is enabled on a survey that contains a logo at the top of the survey page, then the speaker icons that appear next to the survey title and instructions would mistakenly be in the wrong place on the page when the webpage loads instead of right next to the title and instructions text. (Ticket #1113) Bug fix: For certain server configurations, some stray double quote characters in the English.ini language file would cause the upgrade module to crash, thus making it impossible to complete the upgrade process to upgrade from a prior version.

Version 6.11.4 - (released 2/5/2016) Major bug fix: If the "Save & Return Later" option had been enabled for a survey and an instrument had been locked by a user for a specific record/response, then a survey participant having a unique survey link (as opposed to a public survey link) would mistakenly be able to return to the

response and erase all the data values on the survey using the "Start Over" button, even though the responses should have been locked and not editable. This has been changed so that if the response is locked, it will not even display the "Start Over" button or the text field for entering a Return Code but instead will display to the survey participant a message saying that they cannot return to the response at this time because it is currently locked. Bug fix: If trying to utilize the SSL/TLS connection to MySQL, it would mistakenly not be able to connect to the database at all. (Ticket #1097) Bug fix: If a project has the main "Use surveys in this project?" setting enabled but no instruments have been enabled as a survey yet, then it would mistakenly not display the "Manage Survey Participants" option on the User Rights page when adding/editing a user or role. (Ticket #1100)

Version 6.11.3 - (released 1/29/2016) Bug fix: On certain pages, such as the "Table-based User Management" page in the Control Center, in which the PEAR DB module is utilized for database connections, if REDCap was not using the default MySQL port (i.e., 3306), then the page would result in a fatal PHP error. This bug emerged in version 6.11.0. Bug fix: The project Logging page was mistakenly not noting if a record was created or updated via a data import. It now says "(import)" after "Created Record" or "Updated Record" in the Action column if the record was imported via the Data Import Tool page. Bug fix: When saving text values containing apostrophes for text boxes on many Control Center system configuration pages, it would save the values correctly but would mistakenly not re-display the values correctly if the page was revisited, in which the value in the text box would get truncated at the location of apostrophe. So if the reloaded page was then saved again, then the truncated value would mistakenly get saved. (Ticket #1083) Bug fix: If using the Twilio telephony services for surveys, then if a participant was added to the Participant List but the participant had not yet started the survey, and then a user attempted to change their Invitation Preference in the Participant List, it would appear to change but mistakenly would not, which could be seen once the page was reloaded. Bug fix: When using the Data Search feature on the Add/Edit? Records page in a project and entering "b" as the search query, it would mistakenly return a result with the HTML tag "<b>" highlighted in the result instead of the first "b" in the data value. Bug fix: After having set the conditions for an Automated Survey Invitation in the Online Designer, in which a survey has been selected in the drop-down list in Step 2 of the Automated Survey Invitations setup, if a user then changed that drop-down's value back to "select a survey" (the default value), it would mistakenly display an error popup message. It should instead not display any message at all in that case. Bug fix: On the Browse Users page of the Control Center when viewing a user, the "Suspend user account" button might mistakenly not work when clicked if using certain language translation files for REDCap, such as French. (Ticket user information (closed: Will fix in upcoming release)" style="text-decoration: line-through; color: rgb(187, 0, 0); border-bottom-width: 1px; border-bottom-style: dotted; border-bottom-color: rgb(187, 187, 187);">#1081) Change: "action" was added to the reserved variable name list to prevent users from creating fields with that variable name since it can cause JavaScript? errors to occur on a survey or form in certain browsers when the field is used in branching logic. (Ticket #1093) Bug fix: When using the Randomization module in a project and performing randomization for a record on a data entry form, if the randomization field has any HTML inside its field label or its choice labels, then in the popup displayed after a successful randomization, it would

mistakenly display the label's HTML as escaped rather than having the HTML be interpreted on the page. This makes it more consistent with how the label is displayed on the data entry form. (Ticket #1091) Bug fix: Users in a longitudinal project would mistakenly be able to delete all events in the project if they deleted the second to last event and then immediately deleted the last event prior to leaving the page. It now prevents users from deleting all events, which can cause problems in the project such as not displaying certain things correctly. (Ticket #1073) Change: The Help & FAQ page was updated. Change/improvement: If the Survey Login feature is enabled in a project, it now offers a "Show value" checkbox immediately below each login field, and when checked it will remove the password mask from the field to allow the participant to view the value as clear text. Removing the mask may be necessary in certain cases, such as entering specially formatted values like dates/times and also when using mobile devices, on which it might be more difficult to type with accuracy. Note: The password mask feature for text fields on the survey login form were added recently in version 6.11.0, whereas in prior versions the password fields had unmasked clear text values. (Ticket #1084) Bug fix: When using the Scheduling module in a longitudinal project containing more than one arm, it would mistakenly not allow users to generate a new schedule for records that exist in more than one arm and have been scheduled for at least one arm already. (Ticket #1020)

Version 6.11.2 - (released 1/16/2016) Major bug fix: When using Table-based authentication, in which a new user account is created and the user receives an email to set their password, in some cases it would mistakenly cause multiple false logins after loading the page, which might possibly trigger the auto-lockout feature. If this happens, the user would have to wait until after the set lockout period has passed, but it is possible that the auto-lockout could occur again, thus preventing the user from gaining access to REDCap for a while. This does not occur on all occasions but only randomly. (Ticket #1071) Medium security vulnerability: It was discovered that SQL Injection might be possible on the File Repository page if a malicious user knows how to send a specifically-crafted request to REDCap to exploit the vulnerability. Change: When performing the field mapping step in the Dynamical Data Pull (DDP) module in a project, it would display a question mark icon next to each field in the tree of source fields even if the metadata web service does not provide a "description" attribute for the field. This could be confusing since the icon would essentially serve no purpose in this case. It now only displays the icon if a description is actually provided by the metadata web service for a given field. Bug fix: The Import Users API method had a mistake in its documentation, in which it said the "content" parameter should be "user_rights" when it should instead be "user". Bug fix: If a survey has the "Save & Return Later" feature enabled and also allows respondents to edit completed responses, then the Return Codes export on the "Data Exports, Reports, and Stats" page would mistakenly leave blank all the return codes for completed responses in the exported CSV file. Bug fix: When using the REDCap Mobile App page in a project, in which the project has been set up on the mobile app and then the user has performed an emergency data dump from the app, if a file from a Signature field or File Upload field was uploaded to the Mobile App File Archive, its download icon on the page would mistakenly say "Excel CSV". That

should only happen for CSV files, such as a logging file or data dump CSV on that page. (Ticket #1074) Change: When a project is in production status, it was too difficult for users to find the Check For Identifiers page, so it has now been added to the bottom of the Project Setup page when the project is in production. Bug fix: When opening the Add/Edit? Field popup in the Online Designer, it was mistakenly displaying the Field Annotation section for Section Headers when it should not be displayed for them. (Ticket #1072) Bug fix: When HTML tags and/or CSS is used inside the Field Label of a required field and a user or survey participant submits the page without having entered a value for the field, it would display the Field Label in a popup when listing which fields have a missing value, but it would mistakenly strip out all HTML in the Field Label. It now maintains all the HTML and styling when displaying it inside the required field popup. Bug fix: In a longitudinal project that has multiple arms and the first instrument is enabled as a survey, when adding the first event to an empty arm, it would display an erroneous warning message saying that the first event of the arm was moved to another position, which is not correct and should not be displayed in this scenario. (Ticket#1070) Bug fix: When the Dynamic Data Pull (DDP) module is enabled for a project, on certain occasions the DDP Mapping page might mistakenly display a field at the bottom of the mapping table and list it erroneously as a composite field. Bug fix: If the Secondary Unique Field feature is enabled in a project, there are certain occasions on which a user or participant might be able to bypass the uniqueness check when submitting values on a form or survey.

Version 6.11.1 - (released 12/22/2015) Change/improvement: When users are being assigned to a role while being granted access to a project on the User Rights page, it now displays a checkbox option to have the user emailed in order to notify them of having been granted access to the project. In previous versions, there was no way to notify a user when being added to a project via role assignment. (Ticket #1051) Bug fix: When using the plugin/hook method REDCap::getPDF() for an instrument that has been enabled as a survey, it would mistakenly return the form version of the PDF rather than the survey version of the PDF, which includes the survey title, instructions, and survey completion time. Bug fix: Several places in REDCap currently send an email in which the From and To address are the same (e.g., emailing a survey Return Code, emailing a confirmation that someone has downloaded a Send-It file, when a Table-based user recovers their password), but that can sometimes cause the email not to be received by the recipient because it can get flagged as spam by certain email services. In those cases, REDCap now uses the email address of the Project Contact Person as to email sender for greater compatibility. Bug fix: The "Map of Users" page in the Control Center would mistakenly no longer load the map due to changes in the Google Maps API. (Ticket #1058) Bug fix: If a user is on the File Repository page in a project and selects the "All Exports/Types?" to filter data export files, it would mistakenly display the files from the last export instead. (Ticket #1060) Bug fix: If a user is on the File Repository page in a project and makes a selection in the drop-down list to filter data export files, in which it will return zero files for that selection, then when the page is redisplayed it would mistakenly hide the "filter by" drop-down, thus making it impossible to make another selection, and the user would be forced to click the Back button in their browser and click on a tab above.

Bug fix: When copying a project or creating a new project from a Project Template, it would mistakenly not copy certain project attributes from the original project, such as if the Randomization module is enabled. Bug fix: When using the Randomization module in a project and moving the project to production after some records have been randomized while in development status, it would mistakenly leave the "Randomize record" events in the project's Logging history when all records are being deleted during the move-to-production process. It now removes those logged events from the Logging. Bug fix: The plugin/hook method REDCap::getSurveyLink() would mistakenly return a survey link if provided with a record name for a record that does not yet exist. Also, in a longitudinal project it would mistakenly return a survey link for a record that has not been created in a given arm when an event_id from that arm has been passed as a parameter in the method, and if the link was used by a respondent, it would create the record in the other arm. In these situations, it should instead return NULL.

Version 6.11.0 - (released 12/18/2015) NEW FEATURES & IMPROVEMENTS:

New API methods (please see the API documentation embedded in REDCap for details regarding these methods)o Arm import/delete - for longitudinal projects only; requires API Import

privileges and Project Design/Setup? privilegeso Event import/delete - for longitudinal projects only; requires API Import

privileges and Project Design/Setup? privilegeso Import instrument-event mappings - for longitudinal projects only; requires

API Import privileges and Project Design/Setup? privilegeso Import metadata, i.e. data dictionary - available only in development status;

requires API Import privileges and Project Design/Setup? privilegeso Import users (import new users into a project while setting their user

privileges, or update the privileges of existing users in the project.) - requires API Import privileges and User Rights privileges

o Create project Allows a user to create a new REDCap project while setting some

project attributes, such as project title, project purpose, enable/disable record auto-numbering, enable the project as longitudinal, and enable surveys in the project.

This method requires a Super API Token that must be granted to a user by a REDCap administrator on the API Tokens page in the Control Center.

After the super token has been granted, the user can view the super token on their My Profile page.

Improvement: Added support for hosting REDCap in Google Cloud AppEngine? (with Google Cloud Storage). When hosted on the Google Cloud Platform, you can set file storage option to “Google Cloud Storage” on the File Upload Settings page and provide the names of the buckets where the

files will be stored. It also works seamlessly to connect with Google Cloud SQL that would host the MySQL backend for REDCap.

Improvement: REDCap now supports secure connections to MySQL using SSL/TLS. The following PHP variables must be added into database.php in the main "redcap" directory (the first 3 are required at minimum, while the last 2 might be optional for certain configurations).

1. $db_ssl_key = ''; // e.g., '/etc/mysql/ssl/client-key.pem'2. $db_ssl_cert = ''; // e.g., '/etc/mysql/ssl/client-cert.pem'3. $db_ssl_ca = ''; // e.g., '/etc/mysql/ssl/ca-cert.pem'4. $db_ssl_capath = NULL;5. $db_ssl_cipher = NULL;

Improvement: Users may now download and upload arms and events as a CSV file on the “Define My Events” page, as well as download and upload the instrument-event designations as a CSV file on the “Designate Instruments for My Events” page. Using these methods, users can now fully reconstruct the structure of a project if they wish to copy it, in which they could download the data dictionary file, arms file, events file, event mappings file, and data export file, and then upload all of them into a new project to recreate it. In previous versions, this could only be done for classic projects, but this now allows it to be done for longitudinal projects. When uploading the CSV file for arms, events, or event mappings, it will display a preview to the user to show what changes will be made, such as which things may be added, modified, deleted, or stay the same. Improvement: “select all” and “deselect all” links were added to the “Designate Instruments for My Events” page to allow users to more easily check off the checkboxes if many instruments and/or events exist in the project. Improvement: When assigning projects to Project Folders, there is now a checkbox option to hide archived projects in the project list. This should make it easier for users to ignore those projects during the folder assignment process. Improvement: A new optional API parameter named "filterLogic" was API method "Export Records". filterLogic should be a string of logic text (e.g., [age] > 30) for filtering the data to be returned by this API method, in which the API will only return the records (or record-events, if a longitudinal project) where the logic evaluates as TRUE. This parameter is blank/null by default unless a value is supplied. Please note that if the filter logic contains any incorrect syntax, the API will respond with an error message. Improvement: The Activity Graphs page in the Control Center now includes two new charts: 1) Database Usage (MB), and 2) Usage by Uploaded Files (MB).* BUG FIXES & OTHER CHANGES: Change/improvement: If the Survey Login feature is enabled in a project, it now performs a password mask for the text fields on the survey login form in order to obscure the participant's password value(s). In previous versions, the password fields were displayed as clear text. Changes to existing API methods

Change: For the API method “Export Users”, many more user privilege rights are included in the response. The following is the full header list: username,email,firstname,lastname,expiration,data_access_group,data_access_group_id,design,user_rights,data_access_groups,data_export,reports,stats_and_charts,manage_survey_participants,calendar,data_import_tool,data_comparison_tool,logging,file_reposito

ry,data_quality_create,data_quality_execute,api_export,api_import,mobile_app,mobile_app_download_data,record_create,record_rename,record_delete,lock_records_all_forms,lock_records,lock_records_customization,forms

Change: For the API method “Export Users”, when requesting a response in CSV format, form-level rights are returned in a different format in order to prevent possible duplication of other new user privileges that are returned, in which all form rights will now be consolidated into a single column named “forms” (whereas in previous versions each form was represented as an individual column). The last column of the CSV string returned will have “forms” as the header, and the value will be each [unique] form name and its numerical value as a colon-separated pair with all the form value pairs strung together as a single comma-separated string (e.g. “demographics:1,visit_data:3,baseline:1”). See a full CSV example below of two users exported from a project.

username,email,firstname,lastname,expiration,data_access_group,data_access_group_id,design,user_rights,data_access_groups,data_export,reports,stats_and_charts,manage_survey_participants,calendar,data_import_tool,data_comparison_tool,logging,file_repository,data_quality_create,data_quality_execute,api_export,api_import,mobile_app,mobile_app_download_data,record_create,record_rename,record_delete,lock_records_all_forms,lock_records,lock_records_customization,forms harrispa,[email protected],Joe,User1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,"demographics:3,baseline_data:1,visit_lab_data:1,patient_morale_questionnaire:1,visit_blood_workup:1,completion_data:1,completion_project_questionnaire:1,visit_observed_behavior:1" taylorr4,[email protected],Joe,User,2015-12-08,group_a,1,0,0,0,2,1,1,1,1,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,"demographics:3,baseline_data:1,visit_lab_data:1,patient_morale_questionnaire:1,visit_blood_workup:1,completion_data:1,completion_project_questionnaire:1,visit_observed_behavior:1" Change: For the API method “Export Users”, when requesting a response in XML format, the main parent tags at the beginning and end of the response will no longer be <records> but instead will be <users> to be less confusing (since “records” often denotes something else in REDCap) and also to be more consistent with how other API methods return XML items. Change: For the API method “Export Users”, the new “data_access_group_id” field was added, in which it returns the numerical group ID number that the “data_access_group” field used to return in previous versions. And now, the unique group name of a user’s Data Access Group is returned for the “data_access_group” field rather than the numerical group ID number. Change: The API method “Export Instrument-Event Mappings” now returns a different structure if exporting as JSON or XML (however, the CSV format will remain the same). It will now export with “arm_num”, “unique_event_name”, and “form” as attributes of each item/mapping, as seen in the JSON/XML examples below. JSON example:[{"arm_num":1,"unique_event_name":"event_2_arm_1","form":"demographics"}, {"arm_num":1,"unique_event_name":"event_2_arm_1","form":"baseline_data"}, {"arm_num":3,"unique_event_name":"visit_2_arm_3","form":"completion_data"}] XML example:<?xml version="1.0" encoding="UTF-8" ?> <items> <item><arm_num>1</arm_num><unique_event_name>event_2_arm_1</unique_event_name><form>demographics</form></item> <item><arm_num>1</arm_num><unique_event_name>event_2_arm_1</unique_event_name>

<form>baseline_data</form></item> <item><arm_num>3</arm_num><unique_event_name>visit_2_arm_3</unique_event_name><form>completion_data</form></item> </items> Improvement: For “Export Project Information” API method, the following two project attributes were added:

secondary_unique_field – The variable name of the secondary unique field defined in the project (if applicable).

display_today_now_button – Value will be “0” or “1” (i.e. False or True). If “0”, then do NOT display the today/now button next to date/datetime fields on data entry forms and surveys. If “1” (default), display them.

Change: When using an API token associated with a super user account, the API now recognizes the API user as having maximum privileges (i.e., super user privileges) with regard to API requests, whereas in previous versions it only inferred the user's privileges literally from what is defined on the project's User Rights page, which was inconsistent with how super user rights are recognized by REDCap in the front-end user interface. Change/improvement: The Control Center's System Statistics page now has the counts for Total Logged Events and Dynamic Data Pull (DDP) separated as separate AJAX calls since it was causing the whole table to load very slowly on the page. Small security fix: When a table-based user would reset their password, the password value would mistakenly be displayed on the page (although invisible) for a fraction of a second before the page immediately redirected elsewhere once the page loaded. Bug fix: Small issue with PHP autoload function that only affects specific PHP configurations, in which it would throw a fatal PHP error when attempting to install REDCap. Bug fix: If using Google OpenID authentication and the REDCap web server does not have cURL installed, it would throw an error during login. Change: If using Google OpenID authentication and a user logs in for the first time, it will now capture the user's first name, last name, and email address and add them to the user's REDCap account automatically. Improvement: When installing REDCap, it is now possible to use the MySQL socket value in the database configuration by adding the PHP variable $db_socket to database.php in the main "redcap" directory. Bug fix: If a user has some kind of Data Export privileges but does not have Add/Edit? Reports privileges, when the user navigates to the "Data Exports, Reports, and Stats" page, it mistakenly displays a blank page and thus will not let them view a report or export data. (Ticket #1055) Bug fix: The Field Note text of certain left-aligned fields (e.g. Notes fields) when displayed on surveys or forms would mistakenly begin wrapping their text to the next line after only going halfway across the webpage. Field Notes now extend to the full width of their column in the question table. Bug fix: When executing an API request in the API Playground for particular web server configurations, it would mistakenly not return anything from the request with an HTTP status code of "0". This was improved in version 6.9.7 but still gave issues for some.

Version 6.10.11 - (released 3/18/2016) ¶

Major bug fix: If the function min() or max() is used in a calculated field in which one of the values used in the function is blank/null, then auto-calculations (via data import, Data Quality rule H, etc.) would mistakenly return an incorrect answer. This is

https://iwg.devguard.com/trac/redcap/wiki/VersionToVersionDocSS#Version6.10.11-released3182016

despite the fact that it would calculate it correctly when viewing the calculated value on a data entry form or survey. In this way, the calculation might get saved correctly initially but then may get changed later to the incorrect value via auto-calculations or by running rule H in the Data Quality module.

Major bug fix: If a calculated field has somehow ended up having an incorrect value when its value should instead be blank/null, then auto-calculations (via data import, Data Quality rule H, etc.) would mistakenly not be able to correct the value to set it as blank/null. This would often be seen when running rule H in the Data Quality module, in which it would appear not to fix any values even though it said that it did fix them.

Major bug fix: If a user executes rule H in the Data Quality module in which some of the values listed exist on a data entry form that has been locked, then the process will fail when the user attempts to fix all incorrect calculated values, even though it may mistakenly say that it did fix them. This prevents any of the calculations from being fixed in the project.

Bug fix: When clicking the "Use advanced logic" link in Step 3 when creating or editing a report in a project, if a text field for the filter value was left blank, then it would mistakenly convert that blank value to "undefined" in the advanced logic that is produced, rather than it being just two double quotes (i.e., "").

Bug fix: If a survey has custom survey theme options set (as opposed to using a pre-built theme), then the custom theme options would mistakenly not be reflected on the Survey Completion Text page after a participant has completed the survey.

Bug fix: If a user accesses a data entry form that has been disabled (either because they have read-only form rights or because the form is locked), then calculations could be triggered on that page when the page loads, thus changing the values of the calc fields and possibly showing/hiding other fields if they have branching logic based on those calc fields. This is normally fine if the data is not being saved; however, if the user leaves the page, it would mistakenly display for them the "Save your changes?" dialog, which inadvertently allows them to save the values of those calc fields even though they should not be able to modify data on that page.

Bug fix: If a drop-down field on a survey has a Stop Action and the auto-complete feature is enabled for the drop-down field, then if the Stop Action gets triggered by a participant, then it would not correctly remove the field's value if the participant clicked the button "Continue survey and undo last response" and might also cause lots of popups to pile on top of each other.

Bug fix: If a survey participant is using IE6 or IE7, then it would throw a JavaScript? error on the Survey Completion Text page after completing the survey (although it would successfully save their responses with no problem).


Bug fix: When uploading a data dictionary containing a calc field whose calculation has a syntactical error, it would mistakenly display some seemingly irrelevant numbers at the end of the error message, which could be confusing.

Bug fix: When using certain non-English translation files (i.e., French), the "Suspend user account" button might not display correctly or function on the Browse Users page in the Control Center.

Bug fix: When downloading the CSV file of the list of users in the popup on the Browse Users page in the Control Center, if the file contained any UTF-8 characters, it would mistakenly not add the Byte Order Mark (BOM) at the beginning of the file, thus preventing the file from being opened easily by most programs.

Bug fix: When exporting data to a statistical analysis package (e.g., SAS) if a multiple choice field in the project contains two or more choices having the same coded value, which is typically discouraged, it could throw an error in the statistical analysis software when loading in the syntax file from REDCap. In the case where duplicate

https://iwg.devguard.com/trac/redcap/wiki/JavaScript

codings exist for a given multiple choice field, it will now merge those choice labels together in the syntax file for the stats package when performing a data export.

Bug fix: If a data entry form is opened and the first field on it has a min/max range validation check, in which the value is already entered and is out of range, then if any dialog popups get displayed initially when the form loads (e.g., required fields were missing, data quality real-time execution rules were violated), it would mistakenly display the out-of-range error message for that first field whenever the user would click on a dialog popup on the page that happens to be obscuring the field in question.

Bug fix: The time field was mistakenly not being validated for Step 3 when setting up Automated Survey Invitations with option "Send on next [day] at time [time]" and also when enabling reminders using option "Send every [day] at time [time]" when composing survey invitations. This could allow users to accidentally enter an invalid value, thus causing the invitations/reminders not to send at the desired time.


Major bug fix: When using Table-based authentication, in which a new user account is created and the user receives an email to set their password, in some cases it would mistakenly cause multiple false logins after loading the page, which might possibly trigger the auto-lockout feature. If this happens, the user would have to wait until after the set lockout period has passed, but it is possible that the auto-lockout could occur again, thus preventing the user from gaining access to REDCap for a while. This does not occur on all occasions but only randomly. This bug was thought to have been fixed in a prior version but apparently still occurred in certain cases.

Bug fix: When using a survey theme on a survey containing a matrix of fields, it would mistakenly not highlight the matrix field labels in green when focus is put on the field.

Bug fix: If the system-level setting "Enable the use of surveys in projects?" is disabled on the Modules Configuration page in the Control Center, then it would mistakenly still allow users to access survey modules in a project if surveys had been enabled in the project prior to the disabling of the system-level survey setting.

Bug fix: The Logging page in a project would mistakenly not display the logged event correctly when uploading or downloading a file attachment on a Descriptive field. Instead it would display it similar to that of a file uploaded to a File Upload field.


Major bug fix: It was mistakenly possible to import dates or datetime values that contained no dashes or slashes (e.g. 20160229 instead of 2016-02-29) via the Data Import Tool or API for date-, datetime-, or datetime_seconds-validated Text fields. This could result in storing incorrectly formatted date and datetime values.

Major bug fix: If a field in a project contained a double underscore in its variable name (because it was created in an older version of REDCap that mistakenly allowed the double underscore), then when downloading and uploading the data dictionary for the project when in production status, it would mistakenly remove the double underscore, thus resulting in the deletion of the original field and unwittingly orphaning data.

Bug fix: If using the Twilio telephony services for surveys and using multiple SMS/phone surveys in a single project when having the Twilio configuration option "Behavior for overlapping SMS invitations" set to "Allow participant to choose which survey to take next", then it might mistakenly include already-completed surveys in the list sent to the user. Also, it would mistakenly not include surveys in the list

whose invitations are set to call the participant after the participant sends an SMS message with an access code.

Bug fix: When creating a new report in a project, if a user opted to use advanced logic for Step 3 (Filters), it would mistakenly not save the logic when creating the report but leave it blank. It would save correctly if advanced logic was added to an existing report but not to one that is being created.

Change: New videos for REDCap Mobile App Bug fix: Some HTML character codes (such as " ") inside Field Labels would get

mistakenly displayed on the Data Dictionary Codebook page for a project. Bug fix: When exporting a project's logging as a CSV file on the Logging page, then if

any UTF-8 characters existed in the CSV file, it would mistakenly not include a Byte Order Mark (BOM) at the beginning of the file. Without the BOM, the UTF-8 encoded file could not be opened in certain text editors or applications.

Bug fix: When exporting a project's Participant List or Survey Invitation Log as a CSV file, then if any UTF-8 characters existed in the CSV file, it would mistakenly not include a Byte Order Mark (BOM) at the beginning of the file. Without the BOM, the UTF-8 encoded file could not be opened in certain text editors or applications.

Bug fix: If the text-to-speech feature is enabled on a survey that contains a logo at the top of the survey page, then the speaker icons that appear next to the survey title and instructions would mistakenly be in the wrong place on the page when the webpage loads instead of right next to the title and instructions text.


Major bug fix: If the "Save & Return Later" option had been enabled for a survey and an instrument had been locked by a user for a specific record/response, then a survey participant having a unique survey link (as opposed to a public survey link) would mistakenly be able to return to the response and erase all the data values on the survey using the "Start Over" button, even though the responses should have been locked and not editable. This has been changed so that if the response is locked, it will not even display the "Start Over" button or the text field for entering a Return Code but instead will display to the survey participant a message saying that they cannot return to the response at this time because it is currently locked.

Bug fix: If a project has the main "Use surveys in this project?" setting enabled but no instruments have been enabled as a survey yet, then it would mistakenly not display the "Manage Survey Participants" option on the User Rights page when adding/editing a user or role.


Bug fix: The project Logging page was mistakenly not noting if a record was created or updated via a data import. It now says "(import)" after "Created Record" or "Updated Record" in the Action column if the record was imported via the Data Import Tool page.

Bug fix: When saving text values containing apostrophes for text boxes on many Control Center system configuration pages, it would save the values correctly but would mistakenly not re-display the values correctly if the page was revisited, in which the value in the text box would get truncated at the location of apostrophe. So if the reloaded page was then saved again, then the truncated value would mistakenly get saved.

Bug fix: If using the Twilio telephony services for surveys, then if a participant was added to the Participant List but the participant had not yet started the survey, and then a user attempted to change their Invitation Preference in the Participant List, it

would appear to change but mistakenly would not, which could be seen once the page was reloaded.

Bug fix: When using the Data Search feature on the Add/Edit? Records page in a project and entering "b" as the search query, it would mistakenly return a result with the HTML tag "<b>" highlighted in the result instead of the first "b" in the data value.

Bug fix: After having set the conditions for an Automated Survey Invitation in the Online Designer, in which a survey has been selected in the drop-down list in Step 2 of the Automated Survey Invitations setup, if a user then changed that drop-down's value back to "select a survey" (the default value), it would mistakenly display an error popup message. It should instead not display any message at all in that case.

Bug fix: On the Browse Users page of the Control Center when viewing a user, the "Suspend user account" button might mistakenly not work when clicked if using certain language translation files for REDCap, such as French.

Bug fix: When using the Randomization module in a project and performing randomization for a record on a data entry form, if the randomization field has any HTML inside its field label or its choice labels, then in the popup displayed after a successful randomization, it would mistakenly display the label's HTML as escaped rather than having the HTML be interpreted on the page. This makes it more consistent with how the label is displayed on the data entry form.

Bug fix: Users in a longitudinal project would mistakenly be able to delete all events in the project if they deleted the second to last event and then immediately deleted the last event prior to leaving the page. It now prevents users from deleting all events, which can cause problems in the project such as not displaying certain things correctly.

Bug fix: When using the Scheduling module in a longitudinal project containing more than one arm, it would mistakenly not allow users to generate a new schedule for records that exist in more than one arm and have been scheduled for at least one arm already.


Major bug fix: When using Table-based authentication, in which a new user account is created and the user receives an email to set their password, in some cases it would mistakenly cause multiple false logins after loading the page, which might possibly trigger the auto-lockout feature. If this happens, the user would have to wait until after the set lockout period has passed, but it is possible that the auto-lockout could occur again, thus preventing the user from gaining access to REDCap for a while. This does not occur on all occasions but only randomly.

Medium security vulnerability: It was discovered that SQL Injection might be possible on the File Repository page if a malicious user knows how to send a specifically-crafted request to REDCap to exploit the vulnerability.

Bug fix: If a survey has the "Save & Return Later" feature enabled and also allows respondents to edit completed responses, then the Return Codes export on the "Data Exports, Reports, and Stats" page would mistakenly leave blank all the return codes for completed responses in the exported CSV file.

Bug fix: When using the REDCap Mobile App page in a project, in which the project has been set up on the mobile app and then the user has performed an emergency data dump from the app, if a file from a Signature field or File Upload field was uploaded to the Mobile App File Archive, its download icon on the page would mistakenly say "Excel CSV". That should only happen for CSV files, such as a logging file or data dump CSV on that page.

Bug fix: When opening the Add/Edit? Field popup in the Online Designer, it was mistakenly displaying the Field Annotation section for Section Headers when it should not be displayed for them.

Bug fix: When HTML tags and/or CSS is used inside the Field Label of a required field and a user or survey participant submits the page without having entered a value for the field, it would display the Field Label in a popup when listing which fields have a missing value, but it would mistakenly strip out all HTML in the Field Label. It now maintains all the HTML and styling when displaying it inside the required field popup.

Bug fix: In a longitudinal project that has multiple arms and the first instrument is enabled as a survey, when adding the first event to an empty arm, it would display an erroneous warning message saying that the first event of the arm was moved to another position, which is not correct and should not be displayed in this scenario.

Bug fix: When the Dynamic Data Pull (DDP) module is enabled for a project, on certain occasions the DDP Mapping page might mistakenly display a field at the bottom of the mapping table and list it erroneously as a composite field.

Bug fix: If the Secondary Unique Field feature is enabled in a project, there are certain occasions on which a user or participant might be able to bypass the uniqueness check when submitting values on a form or survey.


Bug fix: When using the plugin/hook method REDCap::getPDF() for an instrument that has been enabled as a survey, it would mistakenly return the form version of the PDF rather than the survey version of the PDF, which includes the survey title, instructions, and survey completion time.

Bug fix: Several places in REDCap currently send an email in which the From and To address are the same (e.g., emailing a survey Return Code, emailing a confirmation that someone has downloaded a Send-It file, when a Table-based user recovers their password), but that can sometimes cause the email not to be received by the recipient because it can get flagged as spam by certain email services. In those cases, REDCap now uses the email address of the Project Contact Person as to email sender for greater compatibility.

Bug fix: The "Map of Users" page in the Control Center would mistakenly no longer load the map due to changes in the Google Maps API.

Bug fix: If a user is on the File Repository page in a project and selects the "All Exports/Types?" to filter data export files, it would mistakenly display the files from the last export instead.

Bug fix: If a user is on the File Repository page in a project and makes a selection in the drop-down list to filter data export files, in which it will return zero files for that selection, then when the page is redisplayed it would mistakenly hide the "filter by" drop-down, thus making it impossible to make another selection, and the user would be forced to click the Back button in their browser and click on a tab above.

Bug fix: When using the Randomization module in a project and moving the project to production after some records have been randomized while in development status, it would mistakenly leave the "Randomize record" events in the project's Logging history when all records are being deleted during the move-to-production process. It now removes those logged events from the Logging.

Bug fix: The plugin/hook method REDCap::getSurveyLink() would mistakenly return a survey link if provided with a record name for a record that does not yet exist. Also, in a longitudinal project it would mistakenly return a survey link for a record that has not been created in a given arm when an event_id from that arm has been passed as a parameter in the method, and if the link was used by a respondent, it would create the record in the other arm. In these situations, it should instead return NULL.


Small security fix: When a table-based user would reset their password, the password value would mistakenly be displayed on the page (although invisible) for a fraction of a second before the page immediately redirected elsewhere once the page loaded.

Bug fix: Small issue with PHP autoload function that only affects specific PHP configurations, in which it would throw a fatal PHP error when attempting to install REDCap.

Bug fix: If a user has some kind of Data Export privileges but does not have Add/Edit? Reports privileges, when the user navigates to the "Data Exports, Reports, and Stats" page, it mistakenly displays a blank page and thus will not let them view a report or export data.

Bug fix: The Field Note text of certain left-aligned fields (e.g. Notes fields) when displayed on surveys or forms would mistakenly begin wrapping their text to the next line after only going halfway across the webpage. Field Notes now extend to the full width of their column in the question table.


New LTS branch based off of 6.10.1 (Standard Release)

Version 6.10.1 - (released 12/03/2015) ¶

Medium security fixes: Several cross-site scripting vulnerabilities were found on various pages throughout REDCap, in which these vulnerabilities could possibly be exploited by a malicious user (who is a valid REDCap user) who knows how to craft specific HTTP requests to such pages or can trick other authenticated users to navigate to specifically-crafted URLs.

Change: Updated the Help & FAQ page Bug fix: When importing data via the API with the "returnContent" parameter set as

"ids" in which the "format" (or "returnFormat") parameter is set as "json", then it would mistakenly not put quotes around non-numerical record names that are returned in the API's response. Also, it would mistakenly not escape certain characters in the record names if the response is returned as "json" or "csv" for the "format" (or "returnFormat") parameter.


NEW FEATURES & IMPROVEMENTS:o New feature: Project Folders

Project Folders are a way for users to organize the projects on their My Projects page by putting them into groups. The folder can be given a name and can be color-coded (by setting a text color and background color) so that it displays boldly in the My Projects page.

Once a folder has been created, the user can assign any number of projects to a folder (and can even assign a single project to multiple folders). This allows the projects to be grouped together under that folder when displayed on the user’s My Projects page.

Project Folders are for personel organization, so no one else can see a user’s folders (except for REDCap administrators when viewing the user’s projects on the Browse Projects page in the Control Center).

o New feature: Survey themes

3 new options were added to the Survey Settings page for any given survey (accessed via the Online Designer):

Size of survey text – Set the survey text to a bigger font size (Normal, Large, or Very Large).

Font of survey text – Set the font family of all the text displayed on the survey (Arial, Georgia, Tahoma, and more).

Survey theme – Set the color scheme for the survey. There are 10 predefined themes available that users may use, but if they do not prefer them, users can easily click the Customize button to customize the color scheme of the survey any way they want, in which it will open up 8 different options for modifying the colors of various elements in the survey. Also, users may create their own custom survey theme to save the theme with a specified name, after which they may easily use it their saved theme in the future for another survey.

A “survey design preview” box is displayed on the Survey Settings page so that the user can see how their survey design choices will make their survey look to respondents.

Create institution-specific themes: REDCap administrators with access to their MySQL database can create their own installation-specific themes by adding them to the redcap_surveys_themes database table (add new row to the table with NULL value for “ui_id” field). The easiest way to do this is to create a new theme on the Survey Settings page in a project and save that customized theme, and then find that theme in the redcap_surveys_themes database table and set its ui_id value as NULL, after which it will appear for all users as an official REDCap survey theme in the theme drop-down list.

o New feature: A project's Survey Invitation Log is now downloadable in CSV format.

o Improvement: On the Define My Events page in a longitudinal project, it no longer displays the Days Offset and Offset Range columns in the events table if the Scheduling module is not enabled for the project. Since those columns are only utilized during scheduling, this provides a simpler and less confusing interface for users when scheduling is not being used. When creating a new event in this case, the event name is the only thing that needs to be provided, after which the order of that event or any event in the current arm can be change using drag-n-drop by dragging that event's row in the table.

o Improvement: New styling options were added to the rich text editor for survey instructions and survey completion text, such as setting text color and background color, inserting tables, copy-paste options, and indentation options.

BUG FIXES & OTHER CHANGES:o Major bug fix: For surveys that have the survey option "Allow respondents to

return and modify completed responses?" enabled for a multi-page survey, then some responses might appear to be completed (i.e., they appear in the Completed Responses drop-down list of records) even though they have not truly been completed (they appear as "[not completed]" in the drop-down list). This fix will retroactively fix the existing records and will also prevent this issue from occurring in the future.

o Improvement: If using Two-Factor Authentication with the Twilio SMS/phone option enabled, then the Table-based User Management page in the Control Center will now allow administrators to include a user's "Expiration time for 2-step login code" in the CSV upload file when creating user accounts in bulk.

o Improvement: Better handling of memory on the web server in order to prevent large data exports and large reports from hitting a memory limit.

o Improvement: The Survey Queue now displays better on mobile devices.o Improvement: If a survey participant has added or modified any data on a

survey page and then attempts to exit the survey by closing their browser or browser tab before saving their changes, it will now display the "Save your changes?" prompt in a similar fashion to the prompt that is currently displayed when exiting a data entry form prematurely.

o Improvement: The hook/plugin method REDCap::logEvent() now accepts a new optional parameter $project_id that can be used to specify the project for which the event should be logged when in a system-level context or alternatively to specify the project_id for another project when in a project-level context.

o Change: In the "Edit Field" popup on the Online Designer, the Field Annotation box has been moved over to the bottom left of the popup dialog to distinguish it more from the Field Note box while at the same time helping to keep the popup itself more compact for most field types.

o Bug fix: The <tbody> HTML tag was mistakenly not whitelisted as a safe HTML tag to utilize in field labels, survey instructions, etc. This would inadvertently cause the tag to get HTML-escaped and thus get displayed to the user on the page.

o Bug fix: When viewing the "Data History" popup for a File Upload field on a data entry page, it would mistakenly not display the logged event(s) where a file was uploaded for that field.

o Bug fix: When using the Twilio telephony services and using the designated phone field for survey invitations, it would mistakenly not display the participant's phone number on the Survey Invitation Log. Also, it would not allow users to click on the "Responded?" icon in the Participant List in order to view the response on the data entry form.

o Bug fix: When using the hook/plugin method REDCap::logEvent() in a hook, it would mistakenly not display correctly on a project's Logging page.

o Bug fix: If a user is attempting to import date or datetime fields (either via API or Data Import Tool) that are not in the specified date format, it would return a slightly incorrect error message, in which it would not mention that date or datetime fields can also be imported in Y-M-D format.

o Bug fix: If there exist two or more adjacent Text fields on a survey or data entry form, in which those Text fields have some form of field validation with min/max range validation, then there is the possibility that if the validation error message gets displayed for a field and then later gets displayed again for another field below it, it may mistakenly display multiple popup messages on top of each other so that it makes it impossible for the user to close them all. This can result in the inability to return to data entry on the page, thus forcing the user to have to reload the page, possibly losing any data entered.

o Change: When setting up a new Automated Survey Invitation, the checkbox option "Ensure logic is still true before sending invitation?" is no longer checked by default since it could unwittingly cause confusion or issues in certain use cases when users simply left it checked.

o Change: When importing data in CSV format via API or Data Import Tool, all blank rows will now be ignored instead of returning an error. This is to avoid the common mistake by users of leaving some lines as blank in the CSV file since most users assume the blank line would be ignored anyway.

o Bug fix: If a user purposefully injects HTML tags into a survey's title for styling purposes, then those tags would mistakenly get displayed literally (e.g. "<b>My Survey Title</b>") in certain places in the project, such as the survey list in the Participant List, Survey Invitation Log, and Survey Queue.


Major bug fix: When importing data into a project via the API or Data Import Tool, if any of the fields being imported were used in a calculated field's equation, then it would mistakenly not perform an auto-calculation and save the calculated field value if the record being imported did not already exist in the project prior to the import. The auto-calculations would, however, work correctly for any existing records that had values imported.

Major bug fix: If the @NOW or @TODAY action tags are being utilized on a Text field that has no field validation, then if that field comes after another Text field having date or datetime validation and also has MDY or DMY date format, then the field with the @NOW or @TODAY action tag will mistakenly have its value displayed in the date format of the nearest date/datetime field displayed above it. It should instead be displaying the value in YMD date format when using the @NOW or @TODAY action tags on a field that has no validation.

Bug fix: When executing an API request in the API Playground for particular web server configurations, it would mistakenly not return anything from the request with an HTTP status code of "0".

Bug fix: If executing Rule F on the Data Quality page, it may mistakenly provide false positives in the discrepancy list that is returned. In particular, this would occur if a field had branching logic that referenced a checkbox field that had no values saved (was left all unchecked) for a given record.

Bug fix: When using the REDCap::getData() method in a plugin or hook, if the parameter $combine_checkbox_values is set to TRUE and $exportAsLabels is also set to TRUE, then it would mistakenly not export the multiple choice option labels correctly for checkbox fields if more than one checkbox was being returned. In the case of multiple checkboxes being returned, it would inadvertently use the checkbox option labels from another checkbox field rather than the option labels for that field itself.

Bug fix: An error would mistakenly be displayed if a user attempted to use the Send-It module to send a file to a person having an email address that contains an apostrophe, and thus it would prevent the user from sending a file to that person.

Bug fix: When creating or editing a report in a project and using a multi-select drop-down (e.g. when using a filter for filtering events or data access groups), it would not always be possible to deselect an option in the multi-select once the option had already been selected.

Improvement: Less erratic behavior of the Project Notes popup on the My Projects page when a user moves their cursor over a project that has some text defined for its Project Notes.

Bug fix: In certain PDF exports of a data collection instrument, multiple pages of the instrument might mistakenly overlap on a single page in the PDF. This is often caused when branching logic is used on the instrument, in which an entire section of the instrument must be hidden.

Bug fix: When editing the record ID in the Online Designer, it would mistakenly not display the Field Note option to allow the user to add/edit the Field Note for the record ID field.

Bug fix: If a user steps away from their computer/device when logged into REDCap, after which the autologout time elapses, then even though the automatic logout alert popup displays on the page saying that the user has been logged out, sensitive data may still be visible momentarily on the page underneath the popup after the user clicks the "Log In" button. This was supposed fixed in version 6.9.5, but was only partially fixed.


Bug fix: If a user creates a record that contains a double space in the middle of the record name, then if someone uploads a file for a File Upload field or saves a signature for a Signature field on a form or survey, it would mistakenly create another record containing only that uploaded file/signature in which the new duplicate record will contain a single space in its record name rather than a double space. However, when viewed in most places in the project (e.g. Record Status Dashboard), the two record names will appear identical when viewed next to each other, thus causing even more confusion about how a duplicate record exists and how it was created.

Bug fix: If the Field Label of a field contained a line break when the field is right-aligned, the PDF export of the instrument might mistakenly display strange rectangle characters in place of the line breaks.


Bug fix: In some projects that utilize the public survey option together with the designated email field option, it might mistakenly display blank values for each participant in the participant list of the first survey in the project when it should display the email addresses.

Bug fix: If utilizing the randomization module in a project, if using a strata field in the randomization process, in which the strata field is a drop-down field with the auto-complete option enabled, then if that field already has a value saved for it prior to the randomization of a record and also the strata field exists on the same instrument as the randomization field, then it would mistakenly display the value of the field twice in its auto-complete text box inside the randomization popup. This would prevent the record from being randomized because the user's cursor would get forever stuck in the strata field's text box and thus cause the user to have to refresh the page.

Bug fix: When using the @LATITUDE or @LONGITUDE action tag, it would mistakenly display the "Save your changes" prompt when leaving the data entry form even though the latitude/longitude value did not change on that page but were saved when the form was loaded previously. This would not affect data but might be confusing to the user.


Improvement: New action tag @BARCODE-APP - Allows the REDCap Mobile App to capture the value of a barcode or QR code by scanning it with the device's camera. NOTE: For use only in the REDCap Mobile App.

Major security vulnerability: It was discovered that SQL Injection might be possible on certain authenticated pages as well as via the API if a malicious user knows how to send a specifically-crafted request to REDCap to exploit the vulnerability.

Major bug fix: If a field's variable name somehow contains a double underscore, which should not be allowed, and then after the project is in production, a user modifies the field in Draft Mode via the Online Designer, there is a chance that it may replace the double underscore in the variable name with a single underscore, thus mistakenly renaming the variable and causing data to get orphaned as if the original field had been deleted.

Bug fix: If a user in a project has been set to receive email notifications whenever a participant has completed a survey, they would still mistakenly receive the emails even if the user was suspended from REDCap.

Bug fix: The R code that is automatically generated for a given API method in the API Playground module has a small error when defining the URI for the API request.

Bug fix: Small typo fixed on the Project Setup page. Bug fix: If a user steps away from their computer/device when logged into REDCap,

after which the autologout time elapses, then even though the automatic logout alert popup displays on the page saying that the user has been logged out, sensitive data may still be visible on the page underneath the popup.

Bug fix: If a survey invitation has been scheduled for an existing record but then the invitation was deleted via the Survey Invitation Log, then it would still mistakenly display the timestamp of the deleted invitation at the top of the data entry form for that record.

Change: The API is now more strict with regard to the validation of API tokens sent in API requests. In previous versions, if the token was longer than 32 characters, it would truncate the token to 32 characters (which is the expected length). It no longer truncates the token if longer than expected but merely returns an error message.

Minor security fix: A page in the Control Center was found to be susceptible to SQL injection if a super user was tricked into following a custom-created URL by a malicious user. However, the likelihood of occurrence is low and the difficulty is high.

Bug fix: If the API is returning an error message in JSON format, some messages might mistakenly not get JSON-encoded correctly.

Bug fix: If a user does not have "Create Record" user privileges, then it would mistakenly display the "Add new record" button on the data entry form in a project with record auto-numbering enabled. However, it would not allow them to create a new record, so at worst, this would merely cause confusion to the user.

Bug fix: The data dictionary upload page would mistakenly allow variable names containing a double underscore, even though the Online Designer would prevent it. It now replaces any double underscores with single underscores.

Bug fix: In some random cases when loading a CAT survey, it would mistakenly attempt to determine if the page should be skipped based upon branching logic. Since it should never check this for CATs, it now ensures that it skips that logic check, which makes the survey page load much faster for those affected.

Change: The "Brief Overview" video was updated. Bug fix: In the downloaded PDF export of an instrument, it would not display Field

Notes correctly for Notes fields and Signature fields, in which it might run off the page or not display at all, either due to field type and custom alignment values.

Bug fix: PDFs containing Japanese or Chinese characters (when project encoding is set to Japanese or Chinese) would not get rendered correctly and would basically be unable.

Bug fix: When copying an instrument in a project using the "Copy" button in the instrument list in the Online Designer, it would mistakenly remove any non-Latin characters that were entered for the new instrument name.

Bug fix: The API Playground would not be able to send API requests successfully if the REDCap server was using a proxy server for outbound web requests.

Bug fix: The "Submit Changes for Review" button on the Online Designer when in Draft Mode would not display correctly for certain languages (e.g., French).

Bug fix: When using the Dynamic Data Pull (DDP) module, clicking the "Remove unused DDP data" button on the Other Functionality page would mistakenly not get logged properly.

Bug fix: When upgrading from version 5.X, if any fields in a report have a "not =" operator with a blank limiter value, then that limiter would mistakenly get lost and not migrated into the version 6.X report format.

Bug fix: If the Dynamic Data Pull (DDP) module is enabled, then the System Statistics page in the Control Center might mistakenly report incorrect DDP stats, in which they might be overinflated.


Bug fix: The "All custom" button at the top of the rules table in the Data Quality module would mistakenly not work and would display an incorrect error message when clicked.

Bug fix: When using the datediff() function in a custom data quality rule in the Data Quality module, if a record is missing a value for one of the dates used in the datediff() function in the DQ rule, it will mistakenly get returned as a discrepancy when in fact it should not return it as a discrepancy. This does not appear to affect any other advanced functions but only datediff() and only when used in the Data Quality module.

Bug fix: The floating table headers that appear on some pages (e.g. reports) would mistakenly appear on top of a dialog popup that would later be opened on the page.

Bug fix: If HTML tags are used in the record ID field' Field Label in a project, then it would mistakenly display those tags as visible on the Record Status Dashboard table and (if a longitudinal project) also on the event grid after a record has been chosen.

Bug fix: If a survey expiration time was set for a survey, then if a user reopened the survey settings page afterward and pressed Save, it would mistakenly lose the time portion of the expiration date/time, which might prevent the survey from being expired at the exact desired time. Bug emerged in version 6.9.0.

If the Mcrypt PHP extension has not been installed on the REDCap web server, then the Stats & Charts page for reports would mistakenly not display correctly if the report contains any filters. The report would instead display plots representing *all* records in the project rather than just the records after applying the filter.

Change: Since the REDCap Mobile App is now available on the Amazon Appstore for Android, a link was added on the REDCap Mobile App page in each project to download the mobile app from the Amazon Appstore.

Bug fix: If a super user is on the Manage All Project Tokens section of the API page in a project or on the API Tokens page in the Control Center, if a user's username contains either a period/dot (.) or an "at" sign (@), then the Last Used column for that user will mistakenly never display the timestamp but will continually say "Loading...".

Bug fix: When using some non-English languages (specifically French) for a project's language, it might mistakenly not allow a production project to be moved to inactive status on the Other Functionality page because of a JavaScript? error that occurs.

Bug fix: When using the randomization module in a project and utilizing strata fields, if a user is randomizing a record on a data entry form in which one or more of the strata fields are a drop-down field with the auto-complete option enabled, then it would mistakenly not display the drop-down correctly in the randomization popup, thus preventing the user from performing randomization on the record.


Improvement: When copying a project, it now displays a new option to copy "all project bookmarks" on the Copy Project page, thus allowing users to copy all project bookmarks in that project to the new project.

Improvement: When copying a project, it will now automatically copy the values for "Custom text to display at top of Project Home page in project" and "Custom text to display at top of all Data Entry pages in project", which are only accessible for modification on the "Edit a Project's Settings" page in the Control Center.

Minor security fix: A cross-site scripting vulnerability was found on the Install page that could possibly be exploited if a malicious user knows how to append certain characters into the web address for the page. However, the ability of a user to take advantage of this vulnerability is severely limited.

Bug fix: If the user is creating a new record on a data entry form (i.e., record auto-numbering is not enabled), then after they place their cursor inside the text box to enter a new record name, it would mistakenly not allow them to remove their cursor in order to do something else on the page if they have not entered anything yet, in which the only way to get the cursor out of the text box is the refresh the page.

Change: If a project's first instrument has been enabled as a survey, and then a user on the Online Designer drags/moves an instrument that has not been enabled as a survey into the front so that it becomes the new first instrument, previous REDCap versions would transfer the survey settings onto the new first instrument (which was not a survey instrument) and thus removing them from the survey instrument, which would then become a regular data entry form and no longer a survey. This was done to preserve the public survey link in case a user had already distributed the public survey link and would not want it to change. However, due to possible conflictions with newer features, in which this behavior could cause other major issues, it now no longer transfers the survey settings from the survey instrument to the non-survey instrument in this scenario but leaves them as-is (aside from moving their position in the instrument list).

Change: Small aesthetic changes on survey pages to remove gray gradient background and borders to provide a flatter look.

Change: The id or class names of certain elements on survey pages and data entry forms have changed. See the list below for both the old and new name of each element affected. This should only affect REDCap hooks that are referencing these elements via CSS or JavaScript? to manipulate the page.

o The id of the main table housing all the survey questions: #form_table => #questiontable

o The spans and divs that contain a multiple choice field's choice label (for both radios and checkboxes)

o Vertically-aligned .frmrd => .choiceverto Horizontally-aligned .frmrdh => .choicehorizo Div containing "must provide value" text for required fields: .reqlbl

=> .requiredlabelo Table that houses a slider field's labels (that sits above the slider): .sldrlbl

=> .sliderlabelso "Reset" links for radio buttons: .cclink => .smalllinko Matrix header row: .matrixHdrs => .headermatrixo Field labels for matrix fields: .label_matrix =>.labelmatrixo Question number (surveys only): .quesnum => .questionnumo Question number for matrix fields (surveys only): .quesnummtxchk

=> .questionnummatrixo The div just inside the body tag has changed from #outer to #pagecontainero The div that contains the survey instructions was changed from #surveyinstr

to #surveyinstructions Change: When a super user is adding/editing a bookmark on the Project Bookmark

page in a project and selecting "REDCap Project" as the Link Type, it will now display in the project drop-down list the projects belonging to all the users in that project. Whereas in previous versions, super users would only see their own projects.

Bug fix: If a project using the randomization module has the randomization field set as "required" and also has Left/Vertical? or Left/Horizontal? custom alignment, then the red "*must provide value" label for the field as displayed on the survey page or data entry form would mistakenly not display correctly but get appended as black text onto the end of the Field Label.

Bug fix: The plugin/hook documentation for the REDCap::saveData() method's dateFormat parameter is incorrect and mistakenly refers to something completely different.

Bug fix: When tabbing through fields on a data entry form or survey, it might mistakenly skip over some fields and put the cursor on links or images on the page. Bug introduced in version 6.9.2.

Bug fix: If a user's project has drafted changes that are currently awaiting approval by an administrator, the user could mistakenly still upload a data dictionary before the administrator has reviewed and approved the changes. This would not cause any data loss but could cause confusion as to how the user made field changes while the project was in review.


Major bug fix: If Automated Survey Invitations had been set to be triggered via conditional logic based upon the changes of data values, then the ASIs would mistakenly not get triggered when they should during an API data import. This issue would not manifest when importing data via the Data Import Tool page but only via the API data import method.

Improvement: New configuration setting added to File Upload Settings page in Control Center if using AWS S3 storage for file storage, in which you can now manually set the AWS endpoint URL. In previous versions, it only allowed the endpoint to be "s3.amazonaws.com", which now only works for U.S. East region of AWS. This allows you to manually set the endpoint if you are using a different AWS region.

Improvement: When viewing a data entry form where the instrument has been enabled as a survey, it will now display the "Save and Mark Response as Complete" button if the survey has not been started yet (i.e., on the survey page), thus allowing the user to mark it as complete without even having to open the survey page. In previous versions, users would only see that button as a valid option once the survey had at least been partially completed via the survey page.

Improvement: When exporting a survey's participant list to CSV file, it now includes the record name of the respondent if it corresponds to an existing record and if it is identifiable (i.e., if the participant has a Participant Identifier defined or if the designated survey email field has been enabled).

Improvement: When using the REDCap::getParticipantList() plugin/hook method for obtaining a survey's participant list, it now includes the record name of the respondent if it corresponds to an existing record and if it is identifiable (i.e., if the participant has a Participant Identifier defined or if the designated survey email field has been enabled).

Improvement: When viewing the Compose Survey Invitations popup on the Participant List page, it now displays the total count of all participants that have been selected in that popup to be invited to take the survey.

Bug fix: When a project has record auto-numbering enabled and a user opens a data entry form to create a new record, instead of clicking one of the Save buttons on the page, the user clicks another form on the left-hand menu, after which if they click the "Save changes and leave" option, it will redirect them to the desired form but will advance to the next record number as if they are going to create a new record on that form. In this way, they unwittingly navigate off of the record they just created, which could be confusing and could cause new records to get inadvertently created when they shouldn't.

Change: The jQuery and jQueryUI libraries inside REDCap were upgraded to version 1.11 since the existing ones were outdated.

Bug fix: If using the Real Time Execution feature for a Data Quality rule, in which it determines on a data entry form that a DQ rule was violated while at the same time a required field was left empty/blank on the form after clicking a Save button, it would only display the "Some fields are required!" popup and would mistakenly not display the "Data Quality rules were violated!" popup, which could cause some confusion and

might accidentally cause a user to not be aware of a DQ rule that was violated. It has been changed so that if both issues occur at the same time, it will now display both popups at the same time on the page so that the user is aware of them both.

Bug fix: When utilizing Automated Survey Invitations in a project in which an ASI has the option "Ensure logic is still true before sending invitation?" enabled and the ASI is using only conditional logic as the Condition in Step 2 and *not* basing it off of whether a survey has been completed, then it would mistakenly display empty duplicate rows in the Survey Invitation Log. Note: This would not affect how or when survey invitations were sent.

Bug fix: The tabs on the File Repository page in a project would not display correctly on certain occasions.

Bug fix: If the Double Data Entry module is enabled for a project, then the correct form status icons will mistakenly not display correctly on the Record Status Dashboard for DDE user 1 or 2, but instead it will only display gray icons for all forms/records.

Bug fix: An SQL query that would get executed after a user logged in might be really slow for some server configurations. It has been optimized to reduce any slowness.

Bug fix: When downloading a PDF of a data entry form with data, in which all the field's in a section are hidden by branching logic, it might mistakenly display the section header for that section in the PDF instead of hiding it if the section would have spilled over onto the next page if it would have been displayed.

Bug fix: If a drop-down field on a survey or data entry form has a very long choice label, then the drop-down would mistakenly spill out of the table and could crowd other fields and text on the page, thus distorting the whole form/survey.


Bug fix: Duplicate rows mistakenly appear in a survey's participant list when records are created via data entry form or via data import and when more than one person then goes to view the participant list at the exact same time. This can cause a race condition, which generates duplicate rows in the back-end database tables for each record being populated in the table. There is unfortunately no way to fix the duplicates retroactively except by exporting all data in the project, then erasing all records, and then re-importing all the exported data.

Bug fix: If the "redcap_save_record" hook function is being used on a survey, in which the hook will redirect the page or stop page execution while at the same time a survey question that is required has not had a value entered, then it will mistakenly not set the survey response as being partially completed but leave it as if the survey had not been started yet.

Change: Replaced TTS-API.com as the third-party service used for the text-to-speech feature on surveys since that service has ceased to function for unknown reasons, thus making it no longer viable for use in REDCap. It has now been replaced by a service hosted by Vanderbilt at https://redcap.vanderbilt.edu, which utilizes the AT&T Text To Speech API service. Note: This service hosted by Vanderbilt does not store any of the text sent to it in any way.


NEW FEATURES & IMPROVEMENTS:o New hook function: redcap_project_home_page - Allows custom actions to be

performed on the "Project Home" page in a projecto New feature: API Playground - The API Playground is an interface that allows

experimentation with the REDCap API without actually writing any code. Users can explore all the different API methods and their various options to

customize a given API request. Users may even execute a real API request and see the exact response that REDCap returns from the request.

o New action tags @LATITUDE - Allows a Text field to capture the latitude of the user, in

which the user will be prompted on the webpage to allow or deny this. Once the value is captured, it will not be changed when visiting the page at a later time.

@LONGITUDE - Allows a Text field to capture the longitude of the user, in which the user will be prompted on the webpage to allow or deny this. Once the value is captured, it will not be changed when visiting the page at a later time.

@PASSWORDMASK - Masks the value of a Text field so that the true value is not visible on the webpage after it has been entered (like password fields on login pages).

@HIDDEN-APP - Hides the field only on the form ONLY on the REDCap Mobile App. Field will stay hidden even if branching logic attempts to make it visible.

@READONLY-APP - Makes the field read-only (i.e., disabled) on the form ONLY on the REDCap Mobile App so that its value cannot be changed.

@NOW - Automatically provides the user's current time as the value of a Text when the page is loaded. Once the value is captured, it will not be changed when visiting the page at a later time. If the field has validation, the value will conform to the date/time format of the field.

@TODAY - Automatically provides the user's current date as the value of a Text when the page is loaded. Once the value is captured, it will not be changed when visiting the page at a later time. If the field has validation, the value will conform to the date/time format of the field.

o Improvement: New look for API Documentationo Improvement: Numbered lists and bullet lists (i.e., <ol>, <ul>, and <li> tags)

can now be used in field labels, survey instructions, etc.o Improvement: Much better search utility on Browse Users page in the user list

popup to allow administrators to search a user by a specific user attribute or by all user attributes. Also, the list is now exportable in CSV format. Additionally, columns for the time of suspension and expiration date are now listed in the user list.

o Improvement: If using a proxy server for outgoing HTTP requests, REDCap now supports proxies that require authentication via username and password. On the General Configuration page in the Control Center, you can now enter the proxy username and password.

o Improvement: On the REDCap main Home page (not the Project Home page), you may now provide a URL that gets linked at the end of the last sentence "If you require assistance or have any questions about REDCap, please contact..." rather than a mailto link to the home page contact email. This is useful if you have a ticket system (or something similar) at your institution that you would prefer to link to on the Home page rather than an email account. The URL can be set on the Home Page Settings page in the Control Center and is completely optional.

BUG FIXES & OTHER CHANGES:o Medium security fix: The Password Recovery page, which is only available if

using Table-based authentication, was found to have a Blind SQL Injection vulnerability that could be exploited if a malicious user sends a specially crafted request to that page to spoof certain client values that REDCap receives in the request.

o Change: The user list popup on the Browse Users page no longer displays the column "Active User?" because this designation was confusing and not very helpful because all it implied was that the user had a first activity timestamp, which merely means that (for most installations) the user had logged in to REDCap at least once.

o Change: Now compatible with PHP 7, which is to have its first stable release near the end of 2015.

o Change: When using the Survey Login feature in a project, it will no longer allow the record ID field to be used as a survey login field if record auto-numbering is enabled in the project for security reasons.

o Bug fix: When a user is viewing a project-level plugin, it would mistakenly display the auto-logout popup after being on the page for 3 minutes and would tell them that their session has expired, even thought it had not. Also, it would sometimes mistakenly display an error popup if the user attempted to click a project bookmark on the right-hand menu while viewing a project-level plugin, thus preventing them from navigating to the bookmark page.

o Bug fix: The cron job that resets any survey invitations that are stuck in limbo because they did not get sent properly (due to cron crashing, etc.) was mistakenly sending invitations that were weeks or months old, thus often useless to be received by that participant at that point. The cron job now only resets any invitations that have been stuck for less than one week.

o Bug fix: If any survey invitations were sent from the data entry form for a record (rather than via the Participant List) on a version of REDCap before v6.5.0, then the invitations would mistakenly no longer display in the Survey Invitation Log after upgrading to v6.5.0 or higher.

o Bug fix: When using the Twilio telephony services in a project with multiple surveys, in which the user attempts to modify a participant's Invitation Preference on the Participant List for any survey/event, it mistakenly would not apply the desired invitation preference to every survey/event, thus forcing the user to have to set the preference for each survey/event in order to work correctly.

o Bug fix: If data is being piped into the option of a drop-down field on a survey page or data entry form, then it would mistakenly not get updated if a user on that page changed the value of a field whose value is being piped into a drop-down option. Instead it would pipe into the drop-down only data values that had already been saved prior to loading the page.

o Bug fix: Calculated fields may mistakenly throw an error on a survey or data entry form if multiple round() and multiple if() statements are nested together in the calculation.

o Bug fix: The Participant Identifier of a given participant in a survey's participant list would mistakenly not be editable after the participant had started or completed the survey if the identifier was not blank. For privacy reasons, users are prevented from adding an identifier to a participant if the identifier was originally left blank, but it should allow it to be editable (either before or after taking the survey) if not blank. This fix will now allow the identifier to be editable at any time if the identifier is not blank.

o Bug fix: If using Twilio telephony services for two-factor authentication or for survey functionality, some voice calls or SMS messages might fail to send to certain international phone numbers that resemble U.S. phone number format - i.e., 10 digits long without a "1" at the beginning.

o Bug fix: If the randomization module is enabled and set up for a classic project and then the user converts the project into a longitudinal project, then the Randomize button will mistakenly not appear on the data entry form but instead display a the randomization field as a disabled field.

o Bug fix: When viewing the Compose Survey Invitations popup for a survey's participant list, it would note that the participants being displayed in the popup are "those who have not responded" (assuming that the option "Allow respondents to return and modify completed responses?" has not been enabled), which is confusing because the list does include those who have partially responded. To prevent confusion, the text has been changed to "those who have not responded completely" to signify that partial responses are included.

o Bug fix: On certain random occasions where a record was mistakenly saved with a blank record name, in which the record would then get orphaned and become inaccessible on the front-end web application, if that blank record were somehow assigned to a Data Access Group, the Data Access Groups page would mistakenly include it in the count of records for each DAG, even though the blank record is not viewable or accessible anywhere else.


Improvement: If utilizing the Dynamic Data Pull (DDP) module, the following two counts have been added to the DDP section of the Control Center's "System Statistics" page under the section "Project attributes (all projects)": "Total adjudicated data values imported via DDP" and "Projects with at least one data value adjudicated via DDP".

Major bug fix: If importing data via the API in XML format, then the import will mistakenly not be successful if only one record is being imported in that request. However, if multiple records are being imported in XML format in the same request, the issue does not occur.

Improvement/change: The HTML tags <sub> and <sup> are now allowed in Field Labels, Field Notes, Survey Invitation Text, and all other user-defined text that gets displayed somewhere.

Bug fix: The Twilio telephony services for surveys might not successfully send SMS messages to or successfully make phone calls to some non-U.S. phone numbers.

Bug fix: The Twilio option for Two-Factor Authentication might not successfully send SMS messages to or successfully make phone calls to some non-U.S. phone numbers.

Bug fix: When using calculated fields in longitudinal projects, a processing bottle-neck was discovered that was causing unnecessary slowdown when performing auto-calculations when a user clicked the Save button on a data entry form or survey page. This fix allows the page saving to be processed about 3x-10x faster than before.

Bug fix: When using calculated fields that utilize cross-event calculations in longitudinal projects, it may have mistakenly not been performing the calculation for other events. Thus, some events containing calc fields with cross-event calculations may not have gotten their value saved. (Note: The values can be fixed retroactively by running Data Quality rule H.)

Bug fix: When adding a filter field to a report, in which the field has some form of field validation (e.g., date_ymd, email), then if the user selects the operator to be "contains", "not contain", "starts with", or "ends with", then it would prevent the user from entering a value into the text field to the right unless the value entered adhered to the field validation format. For example, if a user selected "Email" as the filter field, then selected "contains" as the operator, and entered "gmail.com" into the text box as the filter value, it would display the validation error message.

Bug fix: The Twilio telephony services for surveys might not work successfully if using a proxy server in your web server configuration.

Change: On a project's Logging page, it now displays "SYSTEM" in the user drop-down filter at the top of the page to allow users to filter by events performed

automatically by the REDCap system, such as survey invitations being scheduled. In previous versions, the "SYSTEM" option was not available in the drop-down list of users.

Bug fix: If on the User Access Dashboard page and click the Reset link at the bottom of the page, any selected radio buttons would not have their cell background changed back to green but would mistakenly be changed to a white background instead.

Bug fix: When using the Survey Login feature on a CAT (computer adaptive test - e.g., PROMIS assessment), the questions on the survey page would mistakenly not be displayed at all.

Bug fix: When a participant is taking a CAT (computer adaptive test - e.g., PROMIS assessment), it should be selecting the choice's radio button whenever the choice label text was clicked, but it was mistakenly not and required clicking on the radio button itself.

Bug fix: In a project utilizing Data Access Groups, if a user does not have "View & Edit" permissions for any instrument in the project and also does not have "Create Record" privileges, then the user could still navigate to an instrument on a record and change the DAG assignment of the record. This could be done if the user changes the DAG selection drop-down on the instrument, in which the page will not allow them to click the Save button but it will mistakenly prompt them to save their changes if they attempt to click a link somewhere in order to navigate off the page.

Bug fix: If a user clicked the "Lock all forms" or "Unlock all forms" link for a record in a project, it would mistakenly lock/unlock forms to which the user does not have form-level access.

Bug fix: In a longitudinal project, if a record is created via the Scheduling module (rather than via form or survey), then the record would mistakenly not display on the Record Status Dashboard until some data was entered for it on a form or survey.

Bug fix: When importing data via the Data Import Tool, even if no checkboxes are being imported, the import comparison table displayed on the page would mistakenly display some checkbox fields, although they would be ignored and would not cause any issues with the data import process. Bug emerged in version 6.8.0.

Bug fix: If using a cross-event calculation for a calculated field on a data entry form or survey in a longitudinal project, in which a non-text field (e.g. drop-down, radio) used in the calculation has a negative value, then the calculation would mistakenly return a blank value instead of the correct calculated number.

Bug fix: In longitudinal projects only, the "Total survey responses" count was mistakenly being displayed on a project's "Add/Edit Records" page when it should not have because it only refers to the first survey (even though it does not specify that) and also is not always accurate. Displaying the total survey response count made sense in version 5.X of REDCap, but it no longer makes sense after version 6.0, which allows for multiple surveys.

Bug fix: When viewing a survey response on a data entry form, it notes at the top of the page all the users who have contributed to the response data, but it may mistakenly list users that contributed to other forms or surveys for the record but not necessarily that particular survey. This is now fixed for all survey responses collected hereafter. However, this issue is not able to be fixed retroactively for already completed responses.

Bug fix: The survey auto-continue feature would mistakenly not get copied for surveys when copying a project.

Bug fix: When clicking the Upload Document link for a File Upload field or when clicking the Add Signature link for a Signature field on a data entry form or survey, if data values are to be piped into the field's label inside the popup that is displayed, it would mistakenly only pipe saved values and would not pipe unsaved values that had been entered on the page.


New feature: Administrators may disable the auto-calculation functionality for a given project on the "Edit a Project's Settings" page in the Control Center. If left as enabled (default), server-side auto-calculations (introduced in REDCap 6.3.0) will be performed for calc fields when data is imported (via Data Import Tool or API) or when saving a form/survey containing cross-form or cross-event calculations. If auto-calculations are disabled, then calculations will only be done after being performed via JavaScript (client-side) on the data entry form or survey page on which they are located, and they will not be done on data imports. Tip: This setting should *only* be disabled if the auto-calculations are causing excessive slowdown when saving data. If disabled, then some calculations might not get performed, and if so, must then be fixed with Data Quality rule H.

Bug fix: The REDCap hook function "redcap_add_edit_records_page" was mistakenly not being called in longitudinal projects on the Add/Edit Records page but only in classic projects.

Bug fix: If a Text field is utilizing the biomedical ontology auto-suggest feature and the user then downloads the data dictionary and later re-uploads the data dictionary, the page will mistakenly display a warning message that is intended to be for multiple choice fields only. It should not display a warning message at all. However, it does not prevent the user from uploading the data dictionary, but might cause some confusion.

Bug fix: If two-factor authentication is enabled, in which the Google Authenticator option is used, it would mistakenly not display a user's Google Authenticator QR code on the My Profile page except only when the Twilio option is enabled (rather than if the Google Authenticator option is enabled).

Version 6.8.0 - codename "Pfeffernüsse" (released 08/11/2015)

NEW FEATURES & IMPROVEMENTS:o New feature: Two-factor Authentication

This feature is optional and can be enabled on the "Security & Authentication" page in the Control Center. Enabling two-factor authentication (also known as 2-step login) can provide greater security with regard to users logging in to the system. While the standard login process consists of entering a username and password, two-factor authentication provides a second step after the initial login, such as entering a 6-digit verification code received via SMS text message, via email, or generated using the Google Authenticator app on their mobile device, or responding to a phone call or a push notification (for Duo app only).

Administrators can choose one or more of the following options for users to log in via two-factor authentication on the REDCap login page:

Email - A six-digit verification code will be emailed to the user. Google Authenticator app - A six-digit verification code can be

obtained by the user in their Google Authenticator app. Before they can use this option, they must first go to their My Profile page and scan the QR code on that page in their Google Authenticator app to add their REDCap account to the app on their mobile device.

SMS message via Twilio (connected to Twilio account at https://www.twilio.com) - A six-digit verification code will be sent via SMS text message to the user on their mobile device using the phone number provided on the user's My Profile page.

Phone call via Twilio (connected to Twilio account at https://www.twilio.com) - A user's phone will ring, after which they will be asked to enter a number on their keypad to complete the login process.

Duo (connected to Duo account at https://www.duosecurity.com) - Duo Security provides push notifications via their mobile app, as well as SMS and phone call options.

Two-factor configuration settings: (Optional) Trusted IP range - You can enforce two-factor login

on all users OR only enforce it on users with an IP address in a specific IP range. For example, if you know the IP ranges of computers at your institution, then you can enforce two factor only for users accessing REDCap from outside your institution. There is an additional checkbox option to allow you to easy include all private network IP addresses in the IP exceptions (10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255).

(Optional) Authentication interval: Trust a device's two-factor login for X days - This optional setting, if enabled, will allow a user's 2-step login to be remembered and thus will allow them to only have to perform the 2-step login every X days, in which you can set the length of time.

(Optional) Secondary authentication interval for specific IP address ranges - If desired, you can set an alternative authentication interval for devices in certain IP ranges. For example, you may want to set the interval to 30 days for users on a semi-secure network but set it to 1 day for users not on a secure network at all. You can set the interval to X days that the user's device will be trusted if within a given IP range.

Project-level settings: Setting to exclude specific projects from 2-step login - On the

Edit a Project's Settings page in the Control Center, you can exempt a project from 2-step login, which means that if any user has access to an exempt project, then they will *not* be prompted with the 2-step login when they initially log in, nor will they be prompted when entering the exempt project, but they *will* be prompted with the 2-step login if they attempt to enter a non-exempt project or their My Profile page (and if a super user, if they enter the Control Center). This setting may be used to exempt certain projects where the 2-step login would be very burdensome and/or costly for users.

Setting to always force 2-step login on specific projects (even if the authentication interval is set) - For high-profile projects that might have very sensitive data, for example, this setting can be enabled so that even if the authentication interval is set to allow users to not have to perform the 2-step login for every session, if they enter a project with this setting enabled, they must *always* perform the 2-step login during their session before they can enter the project.

User-level setting: Setting to modify the expiration time of the 2-step login

verification code for SMS, email, and Google Authenticator options - In some cases where they might be a lag for a user to receive their 2-step login verification code, such as if sent via

email and doesn't appear in their inbox for a long time. By default, the code expires after 2 minutes. But in cases where it may take longer to be received by the user, an administrator can increase the expiration time of the code up to 30 minutes for a given user on the Browse Users page in the Control Center.

o New developer methods for plugins/hooks REDCap::saveData - Saves record data for a project. Accepts data in

the following formats: "csv", "json", "xml", and "array" (same array format as received from getData method with record name as 1st key, event_id as 2nd key, and field_name as 3rd key)

REDCap::getDataDictionary - Returns a project's data dictionary in any of the following formats: "csv", "json", "xml", and "array"

o New hook functions redcap_survey_page_top — Allows custom actions to be performed at

the top of a survey page - exactly like redcap_survey_page but executed in a different location

redcap_data_entry_form_top — Allows custom actions to be performed at the top of a data entry form (excludes survey pages) - exactly like redcap_data_entry_form but executed in a different location

redcap_add_edit_records_page — Allows custom actions to be performed on the "Add/Edit Records" page in a project

o Improvement: The Data Import Tool now has a new option "Allow blank values to overwrite existing saved values?" that allows users to choose if they want to perform a mass overwrite of saved values with blank values when importing data. By default, it will ignore all blank values in the uploaded CSV file (as it has always done).

o Improvement: If using the Twilio telephony services in a project, it will now detect (with fairly good accuracy) if a phone call is made to a survey participant in which an answering machine or voicemail answers the call instead of a person. In such a case, it will not begin speaking the survey text as it would to a person, but will instead leave the following message for the participant: "To take the survey, please call back at this phone number: XXX-XXX-XXXX."

BUG FIXES & OTHER CHANGES:o Major bug fix: If a user with "De-identified" export rights or "Remove all

tagged Identifier fields" export rights performs a data export for Report B on the "Data Exports, Reports, and Stats" page, in which they leave the "All instruments" option selected in the Instruments multi-select list, it would mistakenly export ALL fields in the project and would not remove free-form text fields and identifier fields like it should.

o Major bug fix: On rare occasions when using Automated Survey Invitations for a survey, in which the option "Ensure logic is still true before sending invitation?" is enabled and the logic is fairly complex, survey invitations that have been scheduled might mistakenly be sent twice to the same participant.

o Minor security fix: A cross-site scripting vulnerability was found on the project Logging page that could possibly be exploited if a malicious user knows how to inject certain text into the "Reason for Data Change" text box when editing an existing record in a project that has the "Require a Reason" feature enabled.

o Minor security fix: A vulnerability could possibly be exploited if a malicious user knows how to execute some specific JavaScript calls on a data entry form where the Locking/E-signature feature is used, in which it would allow them to bypass the signing process of entering a correct username/password when e-signing a data entry form for a record. Also, using certain methods to

manipulate page elements on a data entry form that has been locked, they could possibly execute some specific JavaScript calls that would allow them to unlock the form and make data changes even if the user does not have Record Locking privileges. NOTE FOR SHIBBOLETH USERS: If your institution is using a hack to modify the REDCap base code in order for e-signatures to work with Shibboleth, please be aware that this change *might* prevent your modifications from working.

o Bug fix: When using the Twilio telephony services in a longitudinal project where the first instrument is not used as a survey, it would throw an error whenever a user attempted to modify a participant's Invitation Preference on the Participant List for any survey/event.

o Bug fix: If a user clicks the "Delete data for this form only" button or clicks the "Delete data for this event only" button on a data entry form that has some required fields that have no values entered for them, it would mistakenly display the "Some fields are required!" popup to force the users to enter values for the required fields before it would let them delete the form's/event's data.

o Bug fix: When reviewing the drafted changes in a production project, it would mistakenly not display the Field Annotation column in the table of changes on that page.

o Bug fix: Incorrect text was used in the Twilio configuration popup for the "default invitation preference" option on the Project Setup page of a project.

o Bu fix: Incorrect text was used in the Twilio configuration step on the Project Setup page of a project.

o Change: The "Stats & Charts" section on the "Data Exports, Reports, and Stats" page no longer allows checkbox fields to be viewed as pie charts but only as bar charts. This is due to the fact that since checkboxes allow multiple values per field per record, the total counts/frequency can add up to higher than 100%, which is not compatible with the pie chart and thus causes it to display incorrect values.

o Change: If the Twilio SMS option is enabled for two-factor auth, then the My Profile page will display a "mobile phone number" field where they can enter their phone number, and then use it for two-factor login via SMS.

o Bug fix: If a project has the "Use surveys in this project?" setting enabled on the Project Setup page but does not have any instruments enabled as surveys, then when a data export is performed, it would mistakenly include the redcap_survey_identifier field in the syntax file for the stats packages but would appropriately not include that column in the CSV data export file. This would inevitably cause issues when attempting to import the data into a stats package, such as SPSS.

o Bug fix: If using the Twilio telephony services in a longitudinal project in which the first instrument was not enabled as a survey, then if a user attempted to change a survey participant's Invitation Preference in the Participant List, it would mistakenly not change it successfully.

o Bug fix: If using the Twilio telephony services in a project and sending out survey invitations for the participant to take the survey via phone call or SMS, in which one or more invitation reminders were set, then even though the participant would complete the survey, the reminders would still get sent to them afterwards (via SMS or phone call).

o Bug fix: If using the Twilio telephony services in a project in which records would be created via data entry form or data import (rather than via survey), then it would mistakenly not assign the record the correct default invitation preference as defined by the project's "Default invitation preference for new participants" setting in the Twilio configuration popup on the Project Setup page.

o Bug fix: After clicking the table headers of the user list on a project's User Rights page, it would no longer be possible to edit the rights of a user or role on the page by clicking a username or role name in the table until the page is reloaded.

o The Help & FAQ page was updated.o Bug fix: When enabling the auto-complete feature for a drop-down field on an

instrument, if any of the option labels contained an ampersand (&), less than character (<), or greater than character (>), it would mistakenly display the HTML character code version of those characters in the drop-down field rather than the literal character itself. (Bug emerged in version 6.7.0.)

o Bug fix: On the "Stats & Charts" tab of the "Data Exports, Reports, and Stats" page in a project, if a user clicks the "Show plots only" button, then it would mistakenly display the spinning circle image for text fields that have no data.

o Bug fix: When viewing the "Day" or "Week" tab on the Calendar module in a project, clicking the left-arrow icon or right-arrow icon would not advance to the prev/next day or prev/next week, respectively, but would always advance to the prev/next month, which is not intuitive and is confusing.

o Bug fix: If utilizing the randomization module in a project and trying to copy an instrument via the Copy option in "Choose action" drop-down on the Online Designer, if the randomization field or strata fields are located on the instrument being copied, it would mistakenly display an error message saying that the instrument could not be copied.

o Bug fix: If the REDCap page header was displayed on a REDCap plugin page or if the base.js JavaScript file was included on a plugin page, then it would mistakenly inject the redcap_csrf_token (Cross-Site Request Forgery token) onto all forms displayed on the plugin page and also inject it into all POST AJAX requests made via the jQuery $.post function on the plugin page. This might give the impression that REDCap provided CSRF protection on plugin pages when in fact it does not. The redcap_csrf_token value is now no longer injected into forms or in the $.post function on plugin pages.

o Bug fix: If a survey participant completes a survey that has the "Send confirmation email" setting enabled but the participant's email address has not yet been captured after having completed the survey, and if the Survey Queue is enabled for the project, then if the participant enters their email address on the survey acknowledgment page in order to receive their confirmation email, it would mistakenly display a popup message saying that the survey has not been set up yet, which is incorrect and confusing.

o Bug fix: When the Dynamic Data Pull (DDP) module is enabled in a longitudinal project, if a user selects some fields to be mapped to the external source system on the DDP Setup page, then it might mistakenly convert the last field on the page to a non-temporal field if it was a temporal field, which would prevent it from being mapped correctly on that page. (Ticket #913)

o Bug fix: Users would mistakenly be allowed to archive a development project even if the setting "Allow normal users to move projects to production?" in the Control Center was set to "No". This would allow a user to archive a development project and then un-archive the project, which puts the project in production status, thus inadvertently bypassing the production approval process. If users are not allowed to move projects to production on their own and they attempt to archive a development project, it will now display a message letting them know that they can only archive production projects.

o Bug fix: If a user imports data via the Data Import Tool in which the record names contain UTF-8 characters but the imported file is encoded with ANSI encoding, it would mistakenly store the record names incorrectly (with a black diamond character being displayed on the page) during the import, which

would prevent the records from being accessed or edited on a data entry form and thus prevent them from being deleted after having been imported.

o Change: If the setting "Require a 'reason' when making changes to existing records?" has been enabled for a project, it will now prompt the user for a reason if they attempt to delete a record via the Delete Record button on a data entry form. In previous versions, it only prompted for a reason whenever an existing record was changed and not when it was deleted.

o Bug fix: If the "Auto-continue to next survey" setting is enabled for a PROMIS CAT, it would mistakenly not auto-continue to the next survey instrument.

o Bug fix: If entering data on a survey or data entry form while using an Android device, fields with "Phone (North America)" validation would mysteriously have their value disappear immediately after it was entered, thus preventing the user from entering a value for the field.

Version 6.7.5 (released 07/29/2015)

Change: Replaced Google's Speech API with TTS-API.com as the third-party service used for the text-to-speech feature on surveys since Google now enforces a captcha upon heavy use of that free API, thus making it no longer viable for use in REDCap. This also means that there will no longer be a language option for text-to-speech on surveys (the option will be hidden) since TTS-API.com only works for English.


Medium security vulnerability: Several cross-site scripting vulnerabilities were found that could possibly be exploited if a malicious user knows how to inject certain text into an arm name or event name when creating/editing arms or events in a longitudinal project, in which this could execute malicious JavaScript on that page for other unwitting users.

Medium security vulnerability: A Cross-site Request Forgery vulnerability was found that could possibly be exploited if a malicious user tricks an unwitting super user into navigating to a specially-crafted REDCap link that would could cause a specified suspended user to be unsuspended just by clicking the link.


Major bug fix: If a user is attempting to perform a data import via the Data Import Tool or API, in which one of the fields being imported is a drop-down field with auto-complete enabled, then it would mistakenly throw an error saying that the value was in an invalid format. Bug emerged in version 6.7.0.

Major bug fix: When utilizing the Randomization module in a project, there is a very small possibility that when saving a data entry form for a record that has already been randomized, in which the form being saved contains the disabled randomization field, it mistakenly might be possible for the user to modify the randomization field's value after clicking the Save button before the form is officially saved.

Bug fix: If the MySQL database server is set to use ANSI_QUOTES for the SQL_MODE setting, then it will mistakenly display the warning "YOUR REDCAP DATABASE STRUCTURE IS INCORRECT!" on the main Control Center page and on the Configuration Test page.

Bug fix: When using the Twilio telephony services in a project and sending an SMS message to an invalid phone number, it would mistakenly not fail gracefully but would throw a fatal PHP error, which could result in crashing the cron job if the SMS

was being sent via the invitation scheduler cron. This could result in other invitations not getting sent on time but a few hours late.

Change: New cron job was added to fix any survey invitations that got stuck in 'SENDING' status but were never sent (due to server going offline unexpectedly, etc.).

Bug fix: When a super user would view the Manage All Project Tokens tab on the API page in a project, it would mistakenly not display the table of project users and would throw a JavaScript error.

Bug fix: The following features were mistakenly not enabled by default if performing a fresh install of version 6.7.X: Embedded video for Descriptive fields, Text-to-speech functionality for surveys, and BioPortal auto-suggest for Text fields. This upgrade will automatically turn them on.

Bug fix: If a Text field is utilizing the biomedical ontology auto-suggest feature and the user then downloads the data dictionary and later re-uploads the data dictionary, the field will lose the ontology auto-suggest feature.

Bug fix: If a Text field is utilizing the biomedical ontology auto-suggest feature, in which another field uses branching logic or calculations based upon that field, then the branching logic and/or calculations would not fire if a value was added to or removed from the field but would only fire when the page was later reloaded after being saved.


Major bug fix: When using the "Ensure logic is still true before sending invitation?" option for Automated Survey Invitations in a project, it might mistakenly prevent some survey invitations from getting scheduled whenever a record is updated via survey/data entry form or imported.

Improvement: The Codebook page in a project now has branching logic icons next to each field so that when an icon is clicked it takes the user to the Online Designer and opens that field for editing its branching logic. This allows users to quickly make edits to fields' branching logic when viewing the Codebook. There also exists a "Return to Codebook" button at the top of the Online Designer to allow them to return back to the Codebook again.

Bug fix: When clicking the pencil icon next to a field on the Codebook page in a project, it would mistakenly not open the matrix popup dialog on the Online Designer but would instead open the normal "Edit Field" popup, which could cause issues with the display of the matrix if the user changed anything in the "Edit Field" popup and then saved it. (Bug emerged in version 6.7.0.)

Bug fix: If a drop-down field has the "auto-complete" feature enabled and a user on a data entry form tabs into or puts their cursor inside the drop-down's text box but then leaves the field without entering a value, then if the user clicked a link or button to navigate away from the form, it would mistakenly display the "Save your changes?" popup even though no values changed on the page.

Bug fix: If some survey invitations with reminders have been scheduled in a project, then the Survey Invitation Log might display in incorrect count of the total invitations on that page, which could be very confusing to users. This only occurs when reminders exist.

Bug fix: On the Record Status Dashboard page of a project that has Data Access Groups, if a user is not in a DAG and they select a DAG from the DAG drop-down at the top of the page, in which the DAG selected does not contain any records yet, then it would mistakenly display ALL the records in the project on the page and also mistakenly display the form status icon as gray for every form/record. In this case, it should instead display a table with no rows. (Bug emerged in version 6.7.1.)

Bug fix: When using the Double Data Entry module in a project, DDE user #1 or #2 would mistakenly be able to view and edit events displayed in the

Upcoming Calendar Events table at the bottom of the Project Home page for records that do not belong to them but belong to another DDE user. It now only shows the records that belong to the DDE user and properly displays the record number (i.e., removes the --# ending) in the calendar description.


Improvement: On the Record Status Dashboard page of a project that has Data Access Groups, if a user is not in a DAG, then they will see a new drop-down at the top of the page to filter the records by any given DAG. Also, it will remember their selection in case they return to that page later, in which the drop-down will be pre-selected with their last selection of it during that same REDCap session.

Bug fix: If using Shibboleth authentication, then the biomedical ontology auto-suggest feature for Text fields will not work on survey pages (although it will work on data entry forms).

Bug fix: Certain API requests (e.g., File Export method) would return a response that was not gzip compressed but would mistakenly include the header "Content-Encoding: gzip" in the response, which could confuse some clients and cause the request to fail in specific situations. The API now only returns that gzip header if the API response is truly gzip compressed.

Improvement: Text fields with "Phone (North America)" validation now display the numeric keypad on iOS and Android devices instead of the QWERTY keyboard.

Bug fix: If a user goes to remove another user from their project, it might mistakenly display a warning message that the user being removed has used the REDCap Mobile App and therefore might have some unsynced data on the app. It will do this if the user doing the removing has initialized the project in the mobile app - i.e., not the user that is selected for removal.

Bug fix: When creating a Descriptive field on an instrument on the Online Designer and adding an inline YouTube video to that field, in certain web browsers the video frame might mistakenly be visible above any popups that open on the page, thus obscuring the contents of those popups.

Bug fix: If a project is utilizing the auto-complete functionality for a drop-down field on a survey or data entry form, then it would mistakenly display the "invalid value!" error message if the user begin to type the answer and then clicked the answer in the list below it *only if* what had been typed thus far did not match any of the valid values from the drop-down.

Version 6.7.0 - codename "Macaroon" (released 07/02/2015)

NEW FEATURES & IMPROVEMENTS:o New feature: Text-to-speech functionality for surveys

Can be enabled on the Survey Settings page for any given survey. Once enabled for a survey, it will display a "speaker" icon next to all visible text. When the icon is clicked, it will audibly speak that text to the survey participant in their web browser. Participants can click the "Disable speech" button at the top of the survey to remove the icons if they do not wish to use the text-to-speech functionality, in which it will remember that preference if they return to another survey on that REDCap server in the future.

Many different languages are supported, in which the text-to-speech service is capable of reading text in various languages. For example, if all the survey questions are in Spanish, you can choose Spanish to be the text-to-speech language, which will allow the service to read the text more accurately for that language. (Note: This feature does *not*

perform translation.) The language setting is also on the Survey Settings page.

Works on mobile devices when viewing the survey webpage in the mobile web view. However, the text-to-speech functionality is currently not supported in the REDCap Mobile App.

This feature can be disabled at the system level on the Modules Configuration page in the Control Center.

Note: This feature requires that your REDCap web server be able to make outbound HTTP requests to https://translate.google.com

o New feature: Embedded videos for Descriptive fields - Users can embed an externally hosted video (e.g., YouTube, Vimeo) on a data entry form or survey page by simply providing the video URL (web address). The video can be displayed inline on the page, or it can instead be initially hidden but displayed after clicking a button. Any video can be set to full-screen mode, if desired.

Works when viewed in a web browser on mobile devices. This feature can be disabled at the system level on the Modules

Configuration page in the Control Center. Note: Video embedding is not currently supported in the REDCap

Mobile App.o New feature: Embedded audio for Descriptive fields - New option that will take

an attached audio file (e.g., MP3, WAV) on a Descriptive field and display it in an embedded audio player on the data entry form or survey page.

Works when viewed in a web browser on mobile devices. Note: Audio file embedding is not currently supported in the REDCap

Mobile App.o New feature: Action Tags

Action Tags are special terms that begin with the '@' sign that can be placed inside a field's Field Annotation. Each action tag has a corresponding action that is performed for the field when displayed on data entry forms and survey pages. Such actions may include hiding or disabling a given field (either on a survey, data entry form, or both).

Full list of all available action tags: @HIDDEN - Hides the field on both the survey page and the

data entry form. Field will stay hidden even if branching logic attempts to make it visible.

@HIDDEN-FORM - Hides the field only on the data entry form (i.e., not on the survey page). Field will stay hidden even if branching logic attempts to make it visible.

@HIDDEN-SURVEY - Hides the field only on the survey page (i.e., not on the data entry form). Field will stay hidden even if branching logic attempts to make it visible.

@READONLY - Makes the field read-only (i.e., disabled) on both the survey page and the data entry form so that its value cannot be changed.

@ READONLY-FORM - Makes the field read-only (i.e., disabled) only on the data entry form (i.e., not on the survey page) so that its value cannot be changed.

@ READONLY-SURVEY - Makes the field read-only (i.e., disabled) only on the survey page (i.e., not on the data entry form) so that its value cannot be changed.

o New feature: New auto-complete feature for drop-down fields and "sql" fields Users can enable the auto-complete feature in the Online Designer for

drop-down fields. (Note: Super users can also enable auto-complete for "sql" fields.) Auto-complete can also be enabled via the Data

Dictionary by entering "autocomplete" in the validation column for "dropdown" and "sql" fields.

The auto-complete feature transforms the drop-down into a combobox that still functions as a normal drop-down list but has the additional capability of employing a text search on the options in the drop-down in order to find an option much more quickly. Enabling the auto-complete feature is most useful when a drop-down list is very long with lots of options.

Note: Even though users are able to hand-enter text into the text field when searching the autocomplete drop-down, it will not allow saving the value unless it is a valid option in the drop-down list.

o New feature: Enable searching within a biomedical ontology for text fields on a survey or data entry form

An ordinary text field on a survey or data entry form can have a special feature enabled that provides auto-complete functionality for real-time searching within biomedical ontologies, such as RxNorm, ICD-9, ICD-10, Snomed CT, LOINC, etc. There are over 400 ontologies available from which users may choose.

This feature can be enabled for any given Text field in the Add/Edit Field popup in the Online Designer by simply choosing an ontology in the ontology drop-down list in the popup.

This feature can be disabled at the system level on the Modules Configuration page in the Control Center.

Note: This feature utilizes the BioPortal API web service (see documentation at http://bioportal.bioontology.org), and thus it requires that your REDCap web server be able to make outbound HTTP requests to http://data.bioontology.org

o New feature: Auto-continue to next survey - Automatically start the next survey instrument after completing a survey.

On the Survey Settings page for any survey instrument listed on the Online Designer, under the "Survey Termination Options" section, the user can enable the survey auto-continue setting so that when that survey has been completed, the participant will automatically be redirected to the next survey instrument (if any exist after that survey). If the next instrument is a data entry form that has not been enabled as a survey, then it will be skipped during this process.

Linking surveys together is only supported inside the same event and must be enabled for each survey a user wishes to link. This feature allows users to have separate survey instruments strung together to appear as though they were a single survey to the participant. This is especially useful for complex longitudinal projects where different combinations of instruments are given in separate events. If enabled and this is the last survey, the selected termination option below will be used.

NOTE: If users wish to utilize more advanced conditional logic to control which survey that the participant goes to next, they should use the Survey Queue feature, which can be enabled in the Online Designer.

o New feature: New Survey Base URL (alternative to REDCap base URL used only when constructing web addresses for surveys)

This feature can be useful if you wish to use a different web address for surveys than for the web address where users normally log in to REDCap, such as if using a reverse-proxy server or separate web server for surveys.

The survey base URL will only be used when constructing survey URLs (e.g., when sending invitations to survey participants, displaying a public survey link). For all other URLs in REDCap, the REDCap base URL will be used.

This setting can be set on the General Configuration page in the Control Center immediately below the REDCap base URL setting.

o Improvement: Checkboxes and radio button fields on surveys and data entry forms can now be selected/checked by clicking the label text of the option rather than just clicking the checkbox or radio button itself. This makes it easier and more intuitive to select an option. (Note: This does not work on Internet Explorer 8 and earlier versions.)

o Improvement: The Codebook page in a project now has pencil icons next to each field so that when an icon is clicked it takes the user to the Online Designer and opens that field for editing. This allows users to quickly make edits to fields when viewing the Codebook. There also exists a "Return to Codebook" button at the top of the Online Designer to allow them to return back to the Codebook again.

o Improvement: Survey pages are now more compatible and better fitting to the screen when viewed on mobile devices.

o Improvement: New project-level attributes are now included in the "Export Project Information" API method. The following attributes were added: "project_irb_number", "project_grant_number", "project_pi_firstname", and "project_pi_lastname".

BUG FIXES & OTHER CHANGES:o Bug fix: When using the Twilio telephony features in a project, the language

instructing users on how to disable the Twilio "Request Inspector" setting was outdated.

o Bug fix: When executing a rule in the Data Quality module using Internet Explorer 9, it would always mistakenly return zero discrepancies because of a bug in IE9 that would cause the record drop-down list not to load properly whenever the user loads that page.

o Bug fix: Help & FAQ page was updated to remove some inaccuracieso Bug fix: When exporting a PDF of all forms/surveys with saved data in which

an instrument ends with a matrix of fields, then on the instrument directly following that one, it might mistakenly mangle the text in the PDF and cause some fields or parts of fields to not get displayed (or not get displayed correctly) in the PDF.

o Bug fix: When using a min or max validation range for a date or datetime field on an instrument, if the value entered into the field was out of range, the error message displayed to the user would mistakenly represent the min/max values in Y-M-D formate when it should instead display them in the field's designated date format.

o Change: The "API Tokens" link on the Control Center's left-hand menu has been moved to the "Users" section of the menu (in previous versions it was under the "Dashboard" section).

o Bug fix: When using the Data Resolution Workflow in a project that also has Double Data Entry enabled,if a user is assigned as DDE person #1 or #2 and accesses the Resolve Issues page in the project, it will mistakenly not display the record names correctly. This will cause the issues to not be displayed correctly when the button is clicked, and the link to the data entry form would not be correct.

o Bug fix: When using the Double Data Entry module in a project in which a user is assigned as DDE person #1 or #2, the "Displaying record" drop-down list at the top of the Record Status Dashboard page might mistakenly display

records that are not theirs. This only affects the display of the drop-down and not their access to any records.

o Bug fix: When viewing the "Stats & Charts" page of a report, it would mistakenly not display any Text fields with non-numerical field validation.

o Bug fix: If a value is manually hand-entered into a datetime or datetime_seconds field on a survey or data entry form and if a leading zero is not included as part of the hour component in the time (e.g., 2015-01-31 9:45), then it would mistakenly not add the leading zero before saving the value, which could cause some sorting issues on reports and possibly some data quality issues. It now makes sure that the hour component in the time gets padded with a "0" if it is only entered as one digit.

o Bug fix: When exporting the PDF of a survey or data entry form that contains a matrix of fields, on certain occasions some fields in the matrix might mistakenly not have any space vertically between them. There should be one blank line of space between matrix field labels in the PDF.

o Bug fix: If the first field on a data entry form is a radio button field, in which the cursor is automatically moved to that field when the form is loaded, it will mistakenly allow users to type values via their keyboard into the radio button field invisibly and will mistakenly save those values when the form is saved (even those the types values are not visible on the page), resulting in invalid data values being saved for that field.

o Bug fix: When using the Double Data Entry module in a project in which a user is assigned as DDE person #1 or #2, the "View or Edit Schedule" tab in the Scheduling module would mistakenly display records that are not theirs in the record drop-down list.

o Bug fix: If using filters in a report in which the filter value begins with "1-" (e.g., [study_id] = "1-35"), then it might mistakenly return a record named "1" in the report results (if record "1" exists) even if it record "1" should not be returned in the results.

o Bug fix: For any user-defined field labels or saved text where the text contains a < character followed immediately by anything other than >, =, or a number, it would mistakenly truncate the text at the < character if it was not the beginning of a valid HTML tag (e.g., "<this would be removed> and <-so would this").


Improvement: When using the Twilio telephony services for SMS surveys and voice surveys, it now supports the Matrix Ranking functionality if enabled for a matrix of radio fields. It behaves by removing a matrix choice once it has already been used by a previous question in the matrix. And if the user attempts to enter an already used value, it will tell them that it is an invalid choice and to try again.

Major bug fix: If the REDCap web server has the "short_open_tag" setting in PHP set to "Off", then the page would crash when a user would attempt to enable an instrument as a survey in the Online Designer.

Change: In longitudinal projects the order of the "delete" buttons at the bottom of data entry forms have been changed so that the "Delete data for this event only" button now comes before the "Delete data for this form only" as a means of ordering them according to the severity of what they delete.

Bug fix: When using WebDAV file storage, inline image attachments for Descriptive fields and Signature field images would mistakenly not get displayed in a downloaded PDF of an instrument.

Bug fix: If a user was attempting to copy an instrument via the "Copy" option next to an instrument on the Online Designer, in which one or more multiple choice fields on

that instrument had no choice options defined, then it would throw an error and prevent the instrument from being copied.

Bug fix: If the Email Domain Whitelist is enabled, then if a user logs in to REDCap for the first time and is prompted to enter their name and email address, it would mistakenly not enforce the Email Domain Whitelist but instead would allow the user to enter an email address of any domain. (This excludes users using Table-based authentication.)


Major bug fix: In the event that a public survey is being taken by a very large number of respondents simultaneously (e.g., hundreds or thousands of respondents per minute), there is a chance that some responses might mistakenly get merged together under the same record name when being saved, thus corrupting the data and making it difficult to manually split the separate responses into individual records. New methods have been implemented to ensure that this never happens.

Bug fix: When a user attempts to use the alternative method to obtain a mobile app initialization code on the REDCap Mobile App page in a project, if the REDCap web server is not able to communicate with redcap.vanderbilt.edu, which generates the code, then it would mistakenly return an incorrect 4-digit number to the user rather than the correct 10-character alphanumeric code.

Bug fix: In a longitudinal project containing multiple arms, if a user attempts to rename a record to a record name that exists in another arm, it would mistakenly display an error saying that the record could not be renamed. Instead, it should allow the record to be renamed for the current arm regardless of whether or not that same record name exists in other arms.

Bug fix: When using the Randomization module in a project and viewing the randomization dashboard page, the record names that appear in the "Allocated records" column of the table would mistakenly not wrap to the next line in the table cell but would instead be truncated.

Bug fix: When the cron job is expiring user accounts that have an expiration time set, it might mistakenly CC the sponsor of another user who is getting expired in that same batch of emails.

Bug fix: Confusing or incorrect instructions were given when exporting data into SPSS or SAS on a non-Windows operating system with regard to modifying the CSV data file's path in the syntax file.

Bug fix: When copying a project that has surveys, some survey attributes would mistakenly not get copied to the new project. This would include "display page numbers at top of page", "allow respondents to return and modify completed responses", "hide the Previous Page button", and the confirmation email settings.

Change: For clarity, a new note was added on the Security & Authentication page in the Control Center to denote that the Login Settings section is not applicable to Shibboleth authentication.

Post-release fix: If a project has record auto-numbering enabled and a user opens a data entry form to create a new record but instead clicks the Cancel button, then it would mistakenly skip a record number in the sequence when the next record was created.

Version 6.6.0 - codename "Frosted Sugar" (released 05/29/2015)

New features:o Twilio telephony/IVR services (SMS surveys and phone surveys)

Other changes in this version:

o Bug fix: When using Rule H in the Data Quality module and clicking the "Fix calcs now" button, it would mistakenly not exclude any results that the user had explicitly excluded for that rule.

o Bug fix: When using Rule H in the Data Quality module, in which one or more results had been excluded and then the rule was run again at a later time, then if the user clicked the "view" link in the results popup to view the exclusions, the "Fix calcs now" button would fail to work if the user tried to click it afterward.

o Bug fix: When utilizing the Randomization module in a project that has UTF-8 encoded field labels for the randomization field or the strata fields used (especially if multi-byte characters are used in the label), then on certain occasions the Randomization Dashboard page would not display correctly.

o Bug fix: When survey participants returned to a partially completed survey, in which it displayed the "Start Over" button to allow them to erase their current responses and start the survey over from the beginning, it was too easy for them to accidentally click this button without realizing the repercussions of data loss. It now gives them an extra confirmation dialog that they must click so that they more fully understand the repercussions before starting the survey over.


Medium security fixes: Several cross-site scripting vulnerabilities were found on various pages throughout REDCap, in which these vulnerabilities could possibly be exploited by a malicious user (who is a valid REDCap user) who knows how to craft specific HTTP requests to such pages or can trick other authenticated users to navigate to specifically-crafted URLs.


Major bug fix: For surveys that have the survey option "Allow respondents to return and modify completed responses?" enabled for a multi-page survey, then some responses might appear to be completed (i.e., they appear in the Completed Responses drop-down list of records) even though they have not truly been completed (they appear as "[not completed]" in the drop-down list). This fix will retroactively fix the existing records and will also prevent this issue from occurring in the future.

Bug fix: The <tbody> HTML tag was mistakenly not whitelisted as a safe HTML tag to utilize in field labels, survey instructions, etc. This would inadvertently cause the tag to get HTML-escaped and thus get displayed to the user on the page.

Bug fix: When viewing the "Data History" popup for a File Upload field on a data entry page, it would mistakenly not display the logged event(s) where a file was uploaded for that field.

Bug fix: When using the hook/plugin method REDCap::logEvent() in a hook, it would mistakenly not display correctly on a project's Logging page.

Bug fix: If there exist two or more adjacent Text fields on a survey or data entry form, in which those Text fields have some form of field validation with min/max range validation, then there is the possibility that if the validation error message gets displayed for a field and then later gets displayed again for another field below it, it may mistakenly display multiple popup messages on top of each other so that it makes it impossible for the user to close them all. This can result in the inability to return to data entry on the page, thus forcing the user to have to reload the page, possibly losing any data entered.

Bug fix: If a user purposefully injects HTML tags into a survey's title for styling purposes, then those tags would mistakenly get displayed literally (e.g. "<b>My Survey Title</b>") in certain places in the project, such as the survey list in the Participant List, Survey Invitation Log, and Survey Queue.


Bug fix: If executing Rule F on the Data Quality page, it may mistakenly provide false positives in the discrepancy list that is returned. In particular, this would occur if a field had branching logic that referenced a checkbox field that had no values saved (was left all unchecked) for a given record.

Bug fix: When using the REDCap::getData() method in a plugin or hook, if the parameter $combine_checkbox_values is set to TRUE and $exportAsLabels is also set to TRUE, then it would mistakenly not export the multiple choice option labels correctly for checkbox fields if more than one checkbox was being returned. In the case of multiple checkboxes being returned, it would inadvertently use the checkbox option labels from another checkbox field rather than the option labels for that field itself.

Bug fix: An error would mistakenly be displayed if a user attempted to use the Send-It module to send a file to a person having an email address that contains an apostrophe, and thus it would prevent the user from sending a file to that person.

Bug fix: When creating or editing a report in a project and using a multi-select drop-down (e.g. when using a filter for filtering events or data access groups), it would not always be possible to deselect an option in the multi-select once the option had already been selected. (Ticket #1034)


Bug fix: When editing the record ID in the Online Designer, it would mistakenly not display the Field Note option to allow the user to add/edit the Field Note for the record ID field.

Bug fix: If a user steps away from their computer/device when logged into REDCap, after which the autologout time elapses, then even though the automatic logout alert popup displays on the page saying that the user has been logged out, sensitive data may still be visible momentarily on the page underneath the popup after the user clicks the "Log In" button. This was supposed fixed in version 6.5.16, but was only partially fixed.


Bug fix: In some projects that utilize the public survey option together with the designated email field option, it might mistakenly display blank values for each participant in the participant list of the first survey in the project when it should display the email addresses.

Bug fix: If a user creates a record that contains a double space in the middle of the record name, then if someone uploads a file for a File Upload field or saves a signature for a Signature field on a form or survey, it would mistakenly create another record containing only that uploaded file/signature in which the new duplicate record will contain a single space in its record name rather than a double space. However, when viewed in most places in the project (e.g. Record Status Dashboard), the two record names will appear identical when viewed next to each other, thus causing even more confusion about how a duplicate record exists and how it was created.



Major security vulnerability: It was discovered that SQL Injection might be possible on certain authenticated pages as well as via the API if a malicious user knows how to send a specifically-crafted request to REDCap to exploit the vulnerability.

Major bug fix: If a field's variable name somehow contains a double underscore, which should not be allowed, and then after the project is in production, a user modifies the field in Draft Mode via the Online Designer, there is a chance that it may replace the double underscore in the variable name with a single underscore, thus mistakenly renaming the variable and causing data to get orphaned as if the original field had been deleted.

Bug fix: If a user in a project has been set to receive email notifications whenever a participant has completed a survey, they would still mistakenly receive the emails even if the user was suspended from REDCap.

Bug fix: Small typo fixed on the Project Setup page. Bug fix: If a user steps away from their computer/device when logged into REDCap,

after which the autologout time elapses, then even though the automatic logout alert popup displays on the page saying that the user has been logged out, sensitive data may still be visible on the page underneath the popup.

Bug fix: If a survey invitation has been scheduled for an existing record but then the invitation was deleted via the Survey Invitation Log, then it would still mistakenly display the timestamp of the deleted invitation at the top of the data entry form for that record.

Change: The API is now more strict with regard to the validation of API tokens sent in API requests. In previous versions, if the token was longer than 32 characters, it would truncate the token to 32 characters (which is the expected length). It no longer truncates the token if longer than expected but merely returns an error message.

Minor security fix: A page in the Control Center was found to be susceptible to SQL injection if a super user was tricked into following a custom-created URL by a malicious user. However, the likelihood of occurrence is low and the difficulty is high.

Bug fix: If the API is returning an error message in JSON format, some messages might mistakenly not get JSON-encoded correctly.

Bug fix: If a user does not have "Create Record" user privileges, then it would mistakenly display the "Add new record" button on the data entry form in a project with record auto-numbering enabled. However, it would not allow them to create a new record, so at worst, this would merely cause confusion to the user.

Bug fix: The data dictionary upload page would mistakenly allow variable names containing a double underscore, even though the Online Designer would prevent it. It now replaces any double underscores with single underscores.

Bug fix: In some random cases when loading a CAT survey, it would mistakenly attempt to determine if the page should be skipped based upon branching logic. Since it should never check this for CATs, it now ensures that it skips that logic check, which makes the survey page load much faster for those affected.

Change: The "Brief Overview" video was updated. Bug fix: In the downloaded PDF export of an instrument, it would not display Field

Notes correctly for Notes fields and Signature fields, in which it might run off the page or not display at all, either due to field type and custom alignment values.

Bug fix: PDFs containing Japanese or Chinese characters (when project encoding is set to Japanese or Chinese) would not get rendered correctly and would basically be unable.

Bug fix: The "Submit Changes for Review" button on the Online Designer when in Draft Mode would not display correctly for certain languages (e.g., French).

Bug fix: When using the Dynamic Data Pull (DDP) module, clicking the "Remove unused DDP data" button on the Other Functionality page would mistakenly not get logged properly.

Bug fix: When upgrading from version 5.X, if any fields in a report have a "not =" operator with a blank limiter value, then that limiter would mistakenly get lost and not migrated into the version 6.X report format.

Bug fix: If the Dynamic Data Pull (DDP) module is enabled, then the System Statistics page in the Control Center might mistakenly report incorrect DDP stats, in which they might be overinflated.

Version 6.10.11 - (released 3/18/2016) Web viewBug fix: When adding/editing an SQL field, if the SQL...

Documents

Transcript of Version 6.10.11 - (released 3/18/2016) Web viewBug fix: When adding/editing an SQL field, if the SQL...