OpenO EMR 2026.1.0-RC1 Release #188
Merged
warrendennis merged 51 commits into open-osp:main, Feb 20, 2026
Conversation
…ocument acknowledgment access
- Use a single session attribute "EctSessionBean" for all demographics.
- Update all java and jsp files to reflect this change.
… owasp encoding throughout)
…moved query result logger line
…Drug3, ShowAllergies2, StaticScript, SideLinks, RxSearchAllergy2Form)
…ute/Inactive/External, fixed undefined error when clicking Longterm/Acute/Inactive/External due to the element being checked before it is checked to exist
- Change fax account dropdown from id="letterheadFax" to id="faxAccount"
- Update form field name from letterheadFax to faxAccount
- Change option value from faxNumber to ID to match backend logic
- Remove unnecessary span wrapper around select element
This fixes duplicate HTML IDs that were causing JavaScript and fax functionality issues. The faxAccount dropdown now correctly matches the backend expectations (CoverPage.jsp compares account.id with requestScope.faxAccount) and JavaScript references (getElementById).
…Exception' Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
…ta.java Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ew Exact behaviour to match production and moved the new Exact as the first radio button option
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
This commit fixes multiple security vulnerabilities and code quality issues identified during PR #1872 review:
Security Fixes:
- Fix XSS vulnerabilities by adding OWASP encoding in JSP files
  - WriteScript.jsp: Use Encode.forJavaScript() for drug names in JS context
  - ListDrugs.jsp: Use Encode.forHtmlAttribute() for comment TITLE attribute
  - StaticScript.jsp: Use Encode.forJavaScript() for regionalIdentifier and cn
  - PrintDrugProfile2.jsp: Use Encode.forHtml() for drug outline display
  - RenalDosing.jsp: Use Encode.forUriComponent() for demographicNo in URL
- Fix log injection in Scratch2Action by encoding user-controlled values
- Add input validation for id parameter in Scratch2Action.showVersion()
- Fix null pointer risk in Scratch2Action.delete() by checking for null result
Code Quality Fixes:
- Fix String comparison using == instead of .equals() in:
  - RxPrescriptionData.java line 460
  - DrugDaoImpl.java line 257
- Fix incomplete error message in RxDrugRef.java (remove trailing #)
- Fix invalid CSS comment syntax in allergies.css (remove HTML --> marker)
Documentation:
- Add comprehensive JavaDoc to ScratchPadDao interface
- Add comprehensive JavaDoc to FavoriteDaoImpl class and methods
- Include @since tags based on git history per CLAUDE.md guidelines
Reviewed Items (No Changes Needed):
- Drug.java GCN_SEQNO: Already correctly defined as String (intentional migration)
- ScratchPadDaoImpl.java JPQL: MySQL-specific functions are supported by custom OscarMySQL5Dialect
All fixes follow OpenO EMR security standards with OWASP encoding and proper validation as required by CLAUDE.md guidelines.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
…java Move inline comment '// not custom - safe GCN' from end of if statement to its own line above the if statement, following Java coding guidelines that discourage same-line comments. Location: src/main/java/ca/openosp/openo/prescript/data/RxPrescriptionData.java:461-462
…nData Add comprehensive JavaDoc documentation to getDrugPrescribed() and setDrugPrescribed() methods in the Prescription inner class. Documentation explains the purpose of the drugPrescribed field: tracking the exact prescribed drug name for accurate prescription records, particularly important for distinguishing between generic and brand name prescriptions. Location: src/main/java/ca/openosp/openo/prescript/data/RxPrescriptionData.java:682-710
Added detailed JavaDoc documentation to the verify() method including:
- Method purpose and functionality description
- Complete @return documentation with Map keys and their meanings
- @throws documentation for service availability issues
- @since tag with accurate date (2026-01-21)
The documentation clarifies that this method performs a health check on the drug reference service and retrieves system metadata including last update time, database identifier, and version information.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: LiamStanziani <liamstanziani@yahoo.com>
Add comprehensive null and format validation for variables in Scratch2Action:
- Validate h.get("text") is not null before calling trim()
- Validate h.get("id") is not null/empty before parsing
- Validate request parameter "id" is not null/empty before parsing
- Add NumberFormatException handling with proper error responses
- Set appropriate HTTP status codes (400/500) on validation failures
- Log errors without exposing PHI using OWASP encoding
Addresses CodeRabbit review comment on PR #1872 requesting null validation
for variables at lines 92-99.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Remove redundant 'vertical-align: text-top' declaration from td#allergiesColumnTwoRowTwo selector. The second declaration 'vertical-align: top !important' was overriding it anyway, causing potential confusion for maintainers. Co-Authored-By: Liam Stanziani <liam@stanziani.ca> Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Apply Encode.forJavaScriptAttribute() to drug.genericName on line 174 to prevent XSS vulnerability where malicious drug names could break out of JavaScript string context and execute arbitrary code. Fixes XSS vulnerability identified in PR review. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…escriptionData Added complete JavaDoc documentation to getGCN_SEQNO() and setGCN_SEQNO(String) methods in the Prescription inner class. Documentation includes:
- Description of GCN_SEQNO as drug reference system identifier
- @param tag for setter with type specification
- @return tag for getter with type specification
- @since tag based on git history (2022-12-16)
This addresses CodeRabbit review feedback on PR #1872 regarding missing JavaDoc for public accessor methods.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Openosp main
…changes Resolve Missing changes from OpenOSP main before dogfish merge (PR 68: Bugfix - preventing acknowledgments on documents on behalf of another user)
…changes Resolve Missing changes from OpenOSP main before dogfish merge (PR 52: Remove demographic-specific EctSessionBean keys from Session)
…-changes Resolve Missing changes from OpenOSP main before dogfish merge (PR 124: refactor hibernate session handling for dashboard queries)
…changes Resolve Missing changes from OpenOSP main before dogfish merge (PR 61: Tweak - Show MRP in document view)
…ed td structure
- Add Encode.forHtmlAttribute() for status variable in class attributes (lines 283, 301)
- Add Encode.forHtml() for patient variable output (line 315)
- Fix invalid nested <td> HTML structure by properly closing service cell before opening specialist cell
- Addresses security vulnerabilities identified in code review
Co-authored-by: Michael Yingbull <yingbull@users.noreply.github.com>
…-changes Resolve Missing changes from OpenOSP main before dogfish merge (PR 109: Use bootstrap datatables for DisplayDemographicConsultationRequests.jsp)
…sting Fix: resolve JavaScript/Java errors in oscarRx prescription module (Search Drug3, ShowAllergies2, StaticScript, SideLinks, RxSearchAllergy2Form)
OpenO EMR 2026.1.0-RC1 Release
Summary
This PR brings the openo-beta/Open-O staging branch (staging/01232026) changes to the upstream open-osp/Open-O main branch. Tagged as 2026.1.0-RC1, this release includes critical bug fixes for the oscarRx prescription module, security enhancements, Ocean eReferral integration fixes, extensive merge conflict resolutions with code quality improvements, and synchronization of missing upstream changes.
Statistics: 209 files changed, 23,873 insertions(+), 6,509 deletions(-)
Upstream PR Cross-References
This release builds upon and includes work from the following upstream PRs that have already been merged to open-osp/Open-O:
Key Changes
1. Merge Conflict Resolution & Code Quality Improvements (Critical)
When integrating upstream code from open-osp/Open-O main into openo-beta/Open-O develop, extensive merge conflicts were encountered and resolved. During this integration process, AI-assisted code review identified opportunities for additional security hardening and code quality improvements, which have been applied and are included in this package for upstream benefit.
Files with Merge Conflicts Resolved
The following files had merge conflicts that required careful resolution:
Java Source Files:
- FavoriteDao.java, FavoriteDaoImpl.java - Favorites management
- RxWriteScriptForm.java, RxWriteScriptAction.java - Prescription form handling
- Allergy.java, Drug.java, Favorite.java - Model classes
- RxDrugData.java, RxPrescriptionData.java - Prescription data handling
- RxAddAllergyAction.java, RxSearchAllergyAction.java, RxChooseDrugAction.java, RxSearchDrugAction.java - Rx actions
- PrescriptionMedicationManager.java, PHRMedication.java - Medication management
- ImportDemographicDataAction4.java - Demographic import
JSP/CSS Files:
- AddReaction.jsp, AddReaction2.jsp, ChooseAllergy2.jsp - Allergy UI
- ListDrugs.jsp, SearchDrug3.jsp, ShowAllergies2.jsp - Drug search UI
- ViewScript2.jsp, getAllergyData.jsp, prescribe.jsp - Prescription UI
- allergies.css, styles.css - Stylesheets
Test Files:
- ProgramDaoTest.java, OntarioMDSpec4DataTest.java
Issues Resolved During Integration
The following issues were identified and resolved during the merge integration process:
- response.setContentType("application/json") headers
- ${pageContext.request.contextPath}
- renderRxStage() to Ajax onSuccess callback
Security & Code Quality Enhancements from PR Review
During the AI-assisted PR review of the integrated code (#1872), opportunities for additional security hardening and code quality improvements were identified and applied:
XSS Hardening Applied:
- Encode.forJavaScript()
- Encode.forHtmlAttribute()
- Encode.forJavaScript()
- Encode.forHtml()
- Encode.forUriComponent()
Code Quality Improvements:
- == → .equals()
- == → .equals()
- -->
Related PRs: #1872
2. oscarRx Prescription Module Bug Fixes (Critical)
Problem: Multiple JavaScript errors and parsing issues were breaking core prescription functionality including allergy search, favorites handling, and drug filtering.
Fixes applied:
- toggleSection handler for AJAX-loaded content; removed conflicting jQuery click binding
- useFav2() function with OWASP-encoded favorite ID
- window.prompt() to prevent errors on cancel
- @JsonIgnoreProperties(ignoreUnknown = true) to prevent JSON parsing failures
- drugSearch for DrugRef unavailability
Related PRs: #1863, #1861
3. Ocean eReferral Integration Fix
Problem: When importing sent eReferrals from Ocean into EMR, an incorrect warning message was displayed: "Ocean has not received a confirmation...".
Root Cause: The demographic search REST endpoint was returning DOB in yyyy-mm-dd string format when Ocean expected epoch timestamp (number) format.
Solution: Added @JsonFormat(shape = JsonFormat.Shape.NUMBER) annotation to the dob field in DemographicSearchResult to restore Struts 1 legacy behavior.
Related PRs: #1860
Related Issues: #1830, #1831
4. Consultation Fax Account Fix
Problem: Duplicate HTML ID (letterheadFax) in consultation form fax account dropdown prevented proper fax functionality. JavaScript getElementById("faxAccount") calls failed, and fax account selection didn't persist.
Solution:
- id="letterheadFax" → id="faxAccount"
- name="letterheadFax" → name="faxAccount"
- faxConfig.getFaxNumber() (as expected by backend)
- Encode.forHtmlAttribute() for XSS protection
Related PRs: #1874
Related Issues: #1873 (priority: high)
5. EForm Email Integration Enhancement
Feature: Pass eForm ID (fid) from eForm submission to email compose page for custom integration support.
Changes:
- Encode.forUriComponent() encoding
Related PRs: #1902
Related Issues: #1901
6. Missing OpenOSP Changes Restoration
Several changes from the open-osp/Open-O main branch before the "dogfish" merge were missing in openo-beta. These have been restored:
Additional security improvements applied during restoration:
7. Security Enhancements
Related PRs: #1902, #1850, #1863
8. Documentation Improvements
Complete openo-beta PR List
All PRs from openo-beta/Open-O included in this release (merged since 2026-01-17):
Bug Fixes
Upstream Sync & Missing Changes
Security
CI/CD & DevContainer
Documentation
Dependency Updates
Related Issues
Issues addressed or referenced by commits in this release:
Fixed Issues
Open Issues for Future Work
Test Plan
make install --run-tests
Breaking Changes
None expected. All changes maintain backward compatibility.
Deployment Notes
Migration Notes from Upstream PRs
This release includes all changes from the following upstream PRs. If you have local customizations, review these for potential conflicts:
Summary for Upstream Maintainers
This work package from openo-beta/Open-O represents collaborative improvements including:
🤖 Generated with Claude Code
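Context-aware output encoding, as applied by the XSS hardening items in this release, shown as an added example rather than code from OpenO EMR: it assumes the OWASP Java Encoder (org.owasp.encoder.Encode) is on the classpath, and the drug name and demographic number are constructed test values.

```java
import org.owasp.encoder.Encode;

// Added example, not OpenO EMR code: the same untrusted value rendered into the
// four output contexts that the Encode.* calls in this release target.
// Assumes org.owasp:encoder on the classpath; inputs are constructed test data.
public class ContextEncodingDemo {

    // Constructed drug name carrying characters that are special in HTML,
    // attribute, JavaScript-string and URL contexts at once.
    static final String DRUG_NAME = "Amox\" <b>x</b>'; y=1; //&z";
    // Constructed demographic number with URL-significant characters.
    static final String DEMOGRAPHIC_NO = "123 456&x=y";

    // HTML body context (PrintDrugProfile2.jsp): < > & " ' are escaped so the
    // value cannot open or close a tag.
    static String htmlBody(String name) {
        return "<span class=\"drug\">" + Encode.forHtml(name) + "</span>";
    }

    // Quoted attribute context (ListDrugs.jsp TITLE attribute): the quote that
    // delimits the attribute cannot be closed from inside the value.
    static String htmlAttribute(String comment) {
        return "<a title=\"" + Encode.forHtmlAttribute(comment) + "\">drug</a>";
    }

    // JavaScript string context (WriteScript.jsp, StaticScript.jsp): the value
    // sits inside quotes in a <script> block, where HTML encoding would not help;
    // forJavaScript backslash-escapes quotes, backslashes and the characters
    // that could terminate the string or the script block.
    static String javaScriptLiteral(String name) {
        return "var drugName = '" + Encode.forJavaScript(name) + "';";
    }

    // URL query parameter context (RenalDosing.jsp demographicNo): percent-
    // encoding keeps & = and spaces from adding or splitting parameters.
    static String urlParameter(String demographicNo) {
        return "RenalDosing.jsp?demographicNo=" + Encode.forUriComponent(demographicNo);
    }

    public static void main(String[] args) {
        System.out.println(htmlBody(DRUG_NAME));
        System.out.println(htmlAttribute(DRUG_NAME));
        System.out.println(javaScriptLiteral(DRUG_NAME));
        System.out.println(urlParameter(DEMOGRAPHIC_NO));
    }
}
```

Each method encodes for exactly one context; reusing forHtml() inside a script block or a URL would leave the value exploitable there, which is why the release picks a different Encode.* call per JSP location.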