REDCap Change Log

Version 14.1.4 (released on 2024-01-30)

CHANGES IN THIS VERSION:

  • Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the "Importing instrument from the REDCap Shared Library" page in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into input elements on the page. The user must be authenticated into REDCap in order to exploit this. Bug exists in all REDCap versions for the past 10 years.
  • Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered in the Database Query Tool in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into saved queries on the page. The user must be an admin and must be authenticated into REDCap in order to exploit this. Bug emerged in REDCap 12.3.0.
  • Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the Alerts & Notifications page in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into parameters in certain AJAX requests. The user must be authenticated into REDCap in order to exploit this. Bug emerged in REDCap 9.0.0.
  • Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the confirmation page displayed for users who have put in specific requests to the REDCap administrator (e.g., requested a project be moved to production) in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into the URL. The user must be authenticated into REDCap in order to exploit this. Bug exists in all REDCap versions for the past 10 years.
  • Medium security fix: A Broken Access Control vulnerability was discovered in which a logged-in user who is not a REDCap administrator could create Custom Application Links and have those open on the left-hand menu for any and all projects in the system. Only admins should be able to create, modify, and delete Custom Application Links in the Control Center. This could be used to trick users into navigating to potentially malicious websites.
  • Medium security fix: Lower-level REDCap administrators (e.g., with "Manage user accounts" rights) could potentially escalate their own admin privileges by utilizing information from certain tables in the database via the Database Query Tool page. Going forward, only administrators with 'Admin Rights' privileges, 'Modify system configuration pages' privileges, or 'Access to all projects and data with maximum privileges' privileges are allowed to access the Database Query Tool.
  • Medium security fix: There is a possibility in very specific situations that a malicious user might be able to reactivate another user's session and take it over after the other user has logged out of REDCap. This would require obtaining the other user's session ID.
  • Minor security fix: Cross-site Request Forgery (CSRF) protection was mistakenly not applied to the user action of deleting arms on the Define My Events page.
  • Minor security fix: If a logged-in user has specific knowledge of the REDCap system, they might be able to manipulate the parameters of a specific AJAX endpoint in order to send custom crafted emails impersonating any email sender (i.e., they can set the email's From address to anything they wish).
  • Major bug fix: On certain pages/dialogs, the calendar datepicker popup might mistakenly fail to be displayed when expected (e.g., when composing survey invitations). Bug emerged in the previous version. (Ticket #223277)
  • Bug fix: A fatal error would occur when using Azure AD authentication. Bug emerged in REDCap 14.1.2. (Ticket #223173)
  • Bug fix: The Rapid Retrieval caching feature might mistakenly cause some API calls to hang and eventually time out. (Ticket #223083)
  • Bug fix: Since Microsoft will soon be deprecating their Azure Storage PHP client libraries that are currently used by REDCap, the Azure Storage library has now been replaced in REDCap with new custom-built methods for making calls directly to the Azure Blob Storage REST API. (Ticket #216356)
  • Bug fix: If the first instrument in a project is taken as a public survey, it can end up with two different (but equally valid) return codes, assuming the survey has "Save & Return Later" enabled. However, it could be confusing for users to see two different return codes and think something is wrong. For consistency, the return code on the data entry form will now match the return code displayed to the participant on the survey page. (Ticket #208079)
  • Bug fix: In very specific situations when using branching logic on a multi-page survey that is a repeating instrument/survey, some survey pages might get mistakenly skipped if the repeating instance number is greater than "1" when all fields on the page have branching logic that references field values on the current repeating instance. (Ticket #223126)
  • Bug fix: For Step 2 when editing an alert and setting "Send it how many times?" to "Multiple times on a recurring basis", the number interval of the recurrence could mistakenly only be 4 characters long at the maximum. (Ticket #223020)
  • Bug fix: When a REDCap administrator has limited data export privileges in a project and then calls the Export Report API method, REDCap would mistakenly remove many of the fields in the resulting data set, which should not happen to administrators. (Ticket #223259)
  • Bug fix: When using Multi-Language Management, certain types of fields (yesno, truefalse, matrix field choices) would fail to be properly piped when the fields do not exist on the same form. (Ticket #222446)
  • Bug fix: In some situations, it might be possible for a user or admin to duplicate the process of moving a project to production status, which would inadvertently cause the project to end up in Analysis/Cleanup status instead. (Ticket #222935)
  • Bug fix: When using the @if action tag on a survey question, in which the participant is returning to the survey via their "Save & Return Later" return code, the @if logic might mistakenly not get evaluated correctly on the page to which they return, thus possibly utilizing the wrong action tags for the field. Note: This does not occur for subsequent pages in the survey after returning to the survey but only to the initial page loaded upon their return. (Ticket #223291)

Version 14.1.3 (released on 2024-01-25)

CHANGES IN THIS VERSION:

  • Bug fix: When downloading an Instrument Zip file or various CSV files, the process might crash due to a fatal PHP error if the user has Space or Tab as their preferred "Delimiter for CSV file downloads" (as defined on their Profile page). (Ticket #222524)
  • Bug fix: The simultaneous user prevention check on data entry forms would mistakenly prevent multiple users from accessing and editing different repeating instances of the same record-event-instrument in a project.
  • Bug fix: When using Clinical Data Pull for CDIS, the CDP cron job might mistakenly miss some records when fetching EHR data in the background.
  • Bug fix: When using multiple EHR systems with Clinical Data Pull for CDIS, the incorrect FHIR base URL was being used for data retrieval during the background fetch process of CDP projects. This error not only hindered the data fetch process when fetching EHR data, but it also led to the internal FHIR token manager inadvertently deleting valid access tokens for users.
  • Bug fix: When using Multi-Language Management, floating matrix headers were not aligned properly on surveys for right-to-left languages. (Ticket #222689)
  • Bug fix: When upgrading from a version prior to REDCap 14.0.1, an SQL error might occur during the REDCap upgrade with regard to an "alter table" statement for the database table "redcap_outgoing_email_sms_log".
  • Bug fix: When viewing the "Stats & Charts" page for any report that has one or more Live Filters selected on the page, and then the user selects an instrument and/or record in the Display Options box near the top of the page, all Live Filter selections would mistakenly get reset back to a blank value. (Ticket #222699)
  • Various updates and fixes for the External Modules Framework, including 1) Fixed a module setting race condition when using a “Read Replica” database server, and 2) Displayed logged parameters on the View Logs page for External Modules.
  • Bug fix: When using Multi-Language Management, the Forms/Surveys tab on the MLM setup page might fail to load due to a JavaScript error.
  • Bug fix: If a file in the Recycle Bin in the File Repository is permanently deleted by a REDCap admin, the file would be marked as having been permanently deleted but would mistakenly still exist in the file storage system. (Ticket #222787)
  • Bug fix: When using CDIS, an issue might occur if REDCap is using the Azure AD OAuth2 & Table-based authentication method, particularly during an EHR launch for Clinical Data Pull.
  • Bug fix: When using the text "month", "day", or "year" followed by an opening parenthesis inside quotes in a @CALCTEXT equation, the calculation would not get parsed correctly, thus resulting in a calculation error on the survey page or data entry form. (Ticket #222973)
  • Bug fix: When using CDIS, a project's Edit Project Settings page might be missing a Save button if the REDCap server lacks configurations for at least one FHIR system. (Ticket #222919)
  • Bug fix: When the calendar datepicker popup is displayed near the rich text editor, in some situations part of the calendar might mistakenly get covered up by the editor's toolbar. (Ticket #223011)
  • Bug fix: When Rapid Retrieval is disabled, REDCap might still be creating *.rr cache files in the temp folder. (Ticket #223076)
  • Bug fix: If an administrator is not a user in a project but clicks the "Create API token now" button on the project's API page, the token would not be created (as expected) but it would mistakenly log the event "Create API token for self" as if it was created. (Ticket #222977)

Version 14.1.2 (released on 2024-01-18)

CHANGES IN THIS VERSION:

  • Major bug fix: When a user views a report and modifies the "report_id" parameter in the URL while on the report's "Stats & Charts" page or when editing the report, in which the report_id is changed to the report_id of a report in another project to which the user does not have access, the user would mistakenly be able to view the report name and the number of results returned from that report from the other project. Note: No identifying data or record names from the other project are able to be accessed using these methods; only the report name and the total count of results returned from the report can be extracted.
  • Change: The "Copy Project" page now contains more informational text when copying a project containing surveys. The new text explains that when copying all records, the survey completion time for any survey responses will not be copied with the normal project data because the completion times are considered to be equivalent to project logging, which never gets copied during this process. (Ticket #222256)
  • Bug fix: When viewing the Record Status Dashboard when Data Access Groups exist in a project, in certain situations the RSD page might load a bit slowly due to an excessive number of SQL queries being run. This was fixed in the previous version, but it only covered specific situations. (Ticket #221998b)
  • Bug fix: When upgrading to REDCap 14.1.1 from any earlier version, an SQL error might occur in some rare cases when performing the REDCap upgrade process due to a foreign key constraint in the redcap_ehr_user_map database table. (Ticket #222084)
  • Bug fix: When using Clinical Data Mart in CDIS, there were issues in the list of mappable items within CDM projects, in which the following condition types were not mappable as generic entries: encounter-diagnosis-list, problem-genomics-list, problem-medical-history-list, and problem-reason-for-visit-list.
  • Bug fix: If a user was given "Edit Access" rights to a specific report, but they have been given "Add/Edit/Organize Reports" user privileges for the project, if they append "&addedit=1" to the URL when viewing the report, it might appear that they can edit the report. However, clicking the "Save Report" button on the page would actually do nothing and would forever say "Working". So while they aren't able to bypass any report access privileges, it could be confusing because it appears as though maybe they could. (Ticket #222150)
  • Bug fix: If a project is being moved back to Production status from Analysis/Cleanup status, the process of moving it back to Production would mistakenly not clear out the "inactive_time" timestamp in the backend database for the project. This issue has no impact on the application. (Ticket #222175)
  • Bug fix: When using Multi-Language Management, instruments with matrix fields would fail to load due to a JavaScript error. This bug was introduced in the previous version. (Ticket #222211)
  • Bug fix: When using Clinical Data Pull in CDIS, some CDP projects with the auto-adjudication feature enabled might display the adjudication count as a negative number. (Ticket #134564)
  • Various changes and fixes for the External Modules Framework, including fixing a bug that was preventing link editing in rich text module settings caused by a conflict between Bootstrap dialogs and TinyMCE.
  • Bug fix: When using Clinical Data Pull in CDIS, an out-of-memory error could occur when handling large volumes of data being pulled from the EHR.
  • Bug fix: When erasing all data in a project or deleting all records when moving a project to production, the process might take a disproportionately large amount of time to complete (or it might get stuck) if the project contains a large number of data points (i.e., several million or more rows). The process now deletes data from the redcap_dataX table in smaller batches rather than attempting to delete all rows with a single query.
  • Bug fix: When saving the Survey Login settings in the Online Designer, the confirmation dialog would mistakenly not be displayed due to a JavaScript error.
  • Bug fix: When erasing all data in a project or deleting all records when moving a project to production, the process might mistakenly not delete the 'Survey Login Success' and 'Survey Login Failure' logged events in the project if the Survey Login feature is being utilized. (Ticket #222429)
  • Bug fix: When using Clinical Data Mart in CDIS, the CDM data fetching process might fail when using specific versions of MySQL/MariaDB, specifically MySQL versions prior to 8.0 and MariaDB versions prior to 10.2.1. (Ticket #219308)

Version 14.1.1 (released on 2024-01-11)

CHANGES IN THIS VERSION:

  • Major security fix: Several Reflected XSS (Cross-site Scripting) and Stored XSS vulnerabilities were discovered in which a malicious user could potentially exploit them by inserting custom JavaScript in a specially crafted way into specific URLs or POST parameters in several places, including the Data Quality page, Custom Application Links, Report Folders, and other places. The user must be authenticated into REDCap in order to exploit these in a project. Bugs exist in all REDCap versions for the past 10 years.
  • Major security fix: An SQL Injection vulnerability was found on a Calendar-related page, some MyCap-related pages, the Define My Events page, the Online Designer, the Record Home Page, and other places, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit these, the user must be logged in as a REDCap user. Bugs exist in all REDCap versions for the past 10 years.
  • Major bug fix: The Clinical Data Mart in CDIS might mistakenly not work at all and thus might not allow users to pull any data from the EHR. Bug emerged in REDCap 14.1.0 Standard.
  • Improvement: If a user has a sponsor, their sponsor's username, name, and email will be listed at the top of their Profile page. (Ticket #138684)
  • Bug fix: In some cases, the upgrade process might unexpectedly stop due to an SQL error in the upgrade SQL script when upgrading to REDCap 14.0.1 or higher.
  • Various CDIS-related bug fixes, especially related to EHR user mapping when using multiple EHR systems.
  • Bug fix: In certain situations when using Clinical Data Pull for CDIS, the process might stop with a fatal PHP error for some PHP versions.
  • Bug fix: When using Multi-Language Management, in which the highlighting feature for untranslated items is enabled, some items would mistakenly be highlighted on the page that should not be highlighted. (Ticket #221418)
  • Bug fix: An error might occur during the “refresh token” process in CDIS. If an HTTP error occurred while refreshing the token, it was not correctly caught and handled.
  • Bug fix: If a record contains multiple consecutive spaces in its record name, some things might not display correctly on certain pages when viewing the record, such as the floating table of repeating instances when clicking on the "stack" status icon for a repeating instrument on the Record Home Page or Record Status Dashboard.
  • Bug fix: When using Clinical Data Pull in CDIS, conditions or medications were not shown in the CDP adjudication dialog unless a specific status was specified.
  • Bug fix: During the cache file creation process for Rapid Retrieval, concurrent write attempts could lead to PHP errors and potentially high CPU usage in some specific cases. (Ticket #221459)
  • Bug fix: The “Create new API token for user” dialog might mistakenly display the option “External Modules API”, which is not a published feature yet. (Ticket #221904)
  • Bug fix: When using Clinical Data Mart in CDIS, the CDM auto-fetch feature was not properly scheduling a fetch process.
  • Bug fix: When viewing the Record Status Dashboard when Data Access Groups exist in a project, in certain situations the RSD page might load a bit slowly due to an excessive number of SQL queries being run. (Ticket #221998)
  • Bug fix: When using Multi-Language Management, the MLM setup page might not sort the choices of multiple choice fields in the correct order as seen in the Codebook and Online Designer. (Ticket #221888)
  • Bug fix: Usernames with apostrophes could not be added to a project or assigned to a user role through the user interface on the User Rights page. (Ticket #221933)
  • Bug fix: When using the Survey Queue, in which survey participants are added initially via the Participant List, if neither the Designated Email field nor the Participant Identifier is used in the project, and the Survey Response Status is "Anonymous*", the Survey Queue's "Get link to my survey queue" popup would mistakenly display the participant's email address, thus breaking the participant's anonymity in the project. Going forward, it will no longer display the participant's email address in that popup in this situation. (Ticket #221804)
  • Bug fix: When using the Background Data Import process, in which an error occurs, if a user goes to download the CSV file containing the list of errors for the import batch, the first letter of the error message in a given row might be missing.

Version 14.1.0 (released on 2024-01-04)

CHANGES IN THIS VERSION:

  • New Multi-EHR functionality for Clinical Data Interoperability Services (CDIS) - Multiple electronic health record systems (EHRs) can now be defined on the CDIS page in the Control Center, whereas in previous versions only one could be defined. This will allow users to pull clinical data from many different EHR systems, if they desire. After a REDCap administrator has defined one or more EHR systems on the CDIS page, any given REDCap project can utilize a specific EHR connection. Note: A project can only be connected to one single EHR. The first EHR connection will serve as the “default”, and thus whenever CDP or Data Mart is enabled in a project, it will initially point to the default connection, but this can be changed after the fact to point to one of the other EHR connections that are defined in the Control Center. As previously, all users attempting to pull data from any EHR connection will need to have signed in through the EHR (either using the Standalone Launch or CDP’s EHR Launch) in order to obtain a FHIR access token for that specific EHR. Thus the user must still have a valid account for each EHR from which they are attempting to pull data.
  • Improvement: New “Read Only” user privilege for the User Rights page - Users and roles can now be given “Read Only” access to the User Rights page, which will allow users to view the page but not be able to take any actions on the page. Note: If a user is in a Data Access Group while viewing the page, it is still the case that they can only view users from their own DAG on the page.
  • Improvement: Performance improvement when using iMagick (i.e., rendering PDF attachments for Descriptive fields as images embedded inside REDCap-generated PDFs) by using a new internal image cache. Whenever a PDF attachment for a Descriptive field is rendered as an image via iMagick, the image of each PDF page will be cached and stored separately so that the next time the PDF attachment is being rendered inside a PDF, it will use the cached image(s) rather than perform a real-time conversion of the PDF to images every time, which can be time consuming. Note: The image cache of the PDF attachment will be stored and used for up to 30 days, after which it will be automatically deleted from the system.
  • Change/improvement: A notice was added on the Database Query Tool page so that when exactly 500 rows are returned from a query that does not contain a "limit" clause, it notes that more rows might exist that are not being displayed on the page. This is because "limit 0,500" is always appended to any query that lacks a "limit" clause. This will reduce confusion for admins who might assume that they are viewing the full results of a query when they might not be.
  • Bug fix: When using CDIS in certain contexts where data is being pulled for specific research studies, the FHIR ID of a research study might not be found.
  • Bug fix: When importing alerts via a CSV file, if the file contains some mangled characters due to incorrect encoding, the file might fail to upload and would mistakenly not produce any error message.
  • Bug fix: When using CDIS, issues might occur when fetching “conditions” data having a status other than "active". Additionally, new FHIR resources were inadvertently excluded from mapping in CDP projects. This includes the following mappable resources: encounter, coverage, procedure, device, and all conditions (including their status).
  • Bug fix: If using file-based storage for Rapid Retrieval, in which an alternative storage directory has been defined, in certain cases many of the cached files in the alternative directory would mistakenly not get deleted after the 5-day expiration time.
  • Bug fix: The REDCap::evaluateLogic() developer method's documentation mistakenly did not include information about the current_context_instrument parameter, which is required for the correct evaluation of logic that contains certain Smart Variables. This parameter should be provided to the method if the logic is being evaluated within the context of a specific instrument (e.g., while on a survey page or data entry form). This parameter has been added to the method's documentation. (Ticket #220861)
  • Bug fix: When enabling Twilio in a project, it is possible in certain cases to enter the same Twilio phone number (if it is a U.S. number) for more than one project. This could be done by entering the phone number in one project with the U.S. country code, and then entering it in another project without the U.S. country code. (Ticket #221468)
  • Bug fix: When using the functions day(), month(), or year() more than once inside a calculation, it might not parse the calc correctly, thus possibly returning incorrect results. (Ticket #221544)

Version 14.0.4 (released on 2023-12-28)

CHANGES IN THIS VERSION:

  • Medium security fix: The AWS SDK PHP third-party library contained a medium security vulnerability that would mistakenly allow an attacker to possibly perform URI path traversal. The library was updated to the latest version.
  • Major bug fix: The API Delete Users method was mistakenly not checking if a user had User Rights privileges in the project in addition to API Import/Update privileges in order to successfully make a call to the API method.
  • Change/improvement: When using the eConsent Framework on a survey, the certification page now says "Working..." until the inline PDF finally loads on the page. This will reduce confusion for participants in case the PDF takes an abnormal time to load. (Ticket #221228)
  • Bug fix: When using Multi-language Management, the "Initialize a new language from available system languages" option was mistakenly checked (while also disabled) even when no system languages are available, leading to a JavaScript error when "Continue" is clicked. (Ticket #221273)
  • Bug fix: In specific situations where multiple File Upload fields are piped onto a page in a specific way, it may cause a JavaScript error that prevents the instrument from loading. (Ticket #221225)
  • Bug fix: If Form Display Logic or Survey Queue Logic references a specific repeating instance of a field, specifically instance "1", "first-instance", or "last-instance", when the field exists on a repeating event that currently contains no data for a given record, the logic might mistakenly not evaluate correctly. (Ticket #221229)
  • Bug fix: Direct links to the FAQ in certain places throughout REDCap were not working. They would merely take the user to the top of the Help & FAQ page instead of to a specific item. Bug emerged in REDCap 13.4.0. (Ticket #221329)

Version 14.0.3 (released on 2023-12-21)

CHANGES IN THIS VERSION:

  • Improvement: The Unicode Transformation process (found via the Configuration Check page if your installation was installed prior to REDCap 8.5.0) now contains a “Step 2 Alternative” method, which utilizes a project-by-project Unicode Transformation process using a cron job. Previous versions required that SQL be run over all projects at the same time (which might take quite a while) while REDCap was offline.
    • If your REDCap installation was installed roughly 8 years ago or if it contains more than 1000 projects, it is recommended that you use Step 2 Alternative to minimize server downtime during the Unicode Transformation process.
    • After performing Step 1, Step 2 Alternative will provide some SQL to enable the cron job. Once initiated, you may refresh the page to view its project-by-project progress until all steps appear green on the page after it has finished.
    • Note: Step 1 will still need to be run in real time while REDCap is offline. Thus downtime is unavoidable for Step 1. But the benefit of Step 2 Alternative is that it allows one to complete the remaining steps of the Unicode Transformation process without any downtime.
  • Improvement: If a report has been set as "public", a link icon will appear next to the report title on the left-hand project menu. If a user clicks the link icon, the public report will open in a new tab.
  • Improvement: If a project dashboard has been set as "public", a link icon will appear next to the project dashboard title on the left-hand project menu. If a user clicks the link icon, the public project dashboard will open in a new tab.
  • Improvement: When the Read Replica feature is enabled, the Read Replica's utilization in a project context will now be maximized by comparing the replica's lag time against the last time a "write event" occurred in the project's Logging (such as data being saved or the project being modified in some way), rather than merely using a static maximum lag time of 3 seconds as the cutoff. This means that, for example, if a project has not had any logged "write events" in the past 5 minutes, the replica will be used on specific pages in that project so long as the replica's lag time (i.e., behind the primary database) is less than 5 minutes. In previous versions, the replica would only be utilized if the replica's lag time was 3 seconds or less. This increases the utilization of the replica, thus improving overall system performance.
  • Major bug fix: When checkbox field values are being imported during a data import (via the API or Data Import Tool), in which some calculated fields in the project reference the checkbox field in their calculations, the calc fields might mistakenly not get updated during the import process. (Ticket #221111)
  • Change: Some help text was added to the Form Display Logic and Survey Queue instructions to inform users that their conditional logic will be evaluated at the record level and not within the context of an event or a repeating instance, which means that it is not possible to use relative instance or relative event Smart Variables - i.e., those with the name 'current', 'next', or 'previous', such as [next-instance] or [previous-event-name].
  • Bug fix: When piping a field on the same instrument on which it is located, the piping might mistakenly not work in a repeating instrument or repeating event context. (Ticket #220610)
  • Bug fix: When calling the Rename Record API method, the API request would mistakenly get logged as "Switch DAG (API)" when it should instead be logged as "Update record (API)".
  • Various bug fixes and improvements to the External Module Framework:
    • Added the isModulePage() and isREDCapPage() module methods (courtesy of Andrew Poppe)
    • Added the dashboard-list module setting type (courtesy of Andrew Poppe)
    • Added the visibility-filter option for the dashboard-list and form-list module setting types (courtesy of Andrew Poppe)
    • Removed survey-list module setting type in favor of form-list with a visibility-filter option
    • Misc. security scan script improvements
  • Bug fix: In rare cases, a database query run on the Participant List page might cause the page to load very slowly or even time out. (Ticket #211469)
  • Bug fix: When renaming a record in a multi-arm longitudinal project, in which the new record name already exists in another arm but in a different letter case (e.g., renaming a record to "aa3" in arm 1 when there is already a record "AA3" in arm 2), issues can occur when trying to access the record in either arm in the user interface afterward. When this occurs going forward, the new record name will be forced to be the same case as the existing record in the other arm. (Ticket #217809)
  • Bug fix: When uploading a data import file via the Background Data Import, in which the process somehow gets stuck during the initialization phase, the upload would mistakenly appear with a "queued" status. Going forward, if any imports are stuck in the initialization phase for more than one hour, they will be automatically cancelled by the system. (Ticket #220714)
  • Bug fix: When uploading a data import file via the Background Data Import, in which the process somehow gets stuck processing for a long period of time, the upload would mistakenly appear with a "processing" status forever. Going forward, if any imports are stuck in the processing phase for more than one day, they will be automatically cancelled by the system.
  • Bug fix: When performing an API Export Records call with type=eav, in some rare cases the record ID field might mistakenly have duplicate rows for some records in the exported data. (Ticket #220860)
  • Bug fix: In the Online Designer, when a field has a section header immediately above it, and the field is then moved to be directly above that section header, the field would mistakenly revert back to its original position.
  • Bug fix: When entering data on a data entry form or survey while using a mobile device, in which a text field on the page has field validation and the user has entered a value that will throw a field validation error, if they click the "Add signature" link or "Upload file" link for a signature or file upload field, respectively, while their cursor is still in the text field, then they would get stuck in an infinite loop of popups and not be able to continue data entry on the page. (Ticket #219569)
  • Change: The length of time in which the record list cache will be automatically reset has been increased from 1 week to 2 weeks. This was done because the record list cache has seen years of stability and can now be trusted to be accurate for longer periods of time. This change will reduce how often the cache will need to be rebuilt for an active project, which should improve overall system performance.
  • Bug fix: A warning might mistakenly be encountered during the extraction of an identifier from a FHIR request within a CDIS project. The adjustment involves ensuring that the returned identifier is a single value rather than an array.
  • Bug fix: In some cases when exporting the Project XML file for a project, the process might mistakenly crash with a fatal PHP error when using PHP 8. (Ticket #221097)
  • Bug fix: When using Google Cloud Storage for file storage in the system, and the "Organize the stored files by REDCap project ID?" setting is enabled, uploading a file on the main Send-It page (i.e., via the tab from the My Projects page) might cause a fatal PHP error when using PHP 8. (Ticket #221098)
  • Bug fix: Using the function isblankormissingcode() in branching logic would not always return the correct result if the field used in the function is numeric. (Ticket #218984)
  • Bug fix: If fields are embedded into the field label of a File Upload field or Signature field, the "Upload file"/"Add signature" dialog would mistakenly display the embedded fields as editable, whereas it should instead display them as read-only since their values cannot be modified there inside the dialog. (Ticket #221137)
  • Bug fix: The “Insert a dynamic variable” feature on the Email Users page in the Control Center would mistakenly never work, in which the variables would not get successfully replaced in the email body when sending the emails.

Version 14.0.2 (released on 2023-12-14)

CHANGES IN THIS VERSION:

  • Improvement: The Rapid Retrieval caching feature is now utilized for data exports and also for the API methods Export Records and Export Report, whereas in previous versions Rapid Retrieval was only utilized on report pages and the record status dashboard page.
  • Improvement: If the Read Replica feature is enabled, all API export methods will now utilize the Read Replica, whereas in previous versions the only API methods that utilized the Read Replica were the Export Records, Export Report, and Export Logging methods.
  • Improvement/change: For projects with the "Delete a record's logging activity when deleting the record?" setting enabled on the Edit Project Settings page, a request to the API Delete Record method may now include the parameter delete_logging=0 if the user wants to prevent the record's logging activity from being deleted when the record is deleted. If the setting is enabled in the project, then the default value will be '1' for delete_logging (to maintain the existing behavior in previous versions), and if the project-level setting is not enabled, the default value will be '0'. If the project-level setting has been enabled, this API parameter must be provided with a value of '0' in order to prevent the record's logging activity from being deleted when the record is deleted (Ticket #96300)
  • Change: The PID number for a project is now displayed on the My Projects page for all user types, whereas in previous versions it was only displayed for admins (users with some kind of Control Center access). (Ticket #220689)
  • Major bug fix: When exporting a report (including using the API Report Export method) in CSV, XML, or JSON format, in which the report does NOT have "order by" fields, the resulting exported data might mistakenly contain duplicate rows, some of which might appear empty while others have the expected data for the given record/event. (Ticket #219392b)
  • Bug fix: The EHR patient portal for CDIS might mistakenly fail to accurately display whether a patient was already associated with a given project. Bug emerged in REDCap 14.0.0.
  • Bug fix: When importing data (via API or Data Import Tool), in which the record name of the record being imported already exists in the project but has a different case (e.g., "101A" vs "101a"), it might cause extra logged events to be added during the data import process, even when no data is being modified. This issue does not seem to affect existing data in any negative way. (Ticket #219755)
  • Bug fix: On the Codebook page, collapsing of some tables on the page would not work in certain browsers.
  • Bug fix: When using CDP (Clinical Data Pull), data was mistakenly not being automatically fetched from the EHR and imported into a given CDP project as part of the CDP cron job. The issue was observed specifically in scenarios where certain records lacked a specified Medical Record Number (MRN).
  • Bug fix: When sending invitations through the Participant List via the Compose Survey Invitations dialog, in some rare cases the action of scheduling/sending the invitations might result in a fatal PHP error for PHP 8. (Ticket #220549)
  • Bug fix: In specific cases, the @richtext action tag might cause the Notes field’s rich text editor to be read-only when it should be editable on the page.
  • Bug fix: In a MyCap-enabled project, the MyCap participant install dates and baseline dates would mistakenly get carried over into copied projects and projects created via Project XML upload.
  • Bug fix: When using CDIS, a patient’s preferred language might not be correctly extracted from a patient’s FHIR payload. (Ticket #219743)
  • Various fixes and changes to the External Module Framework, including the following: 1) The getProjectsWithModuleEnabled() method begins including modules enabled via the “Enable module on all projects by default” setting as of framework version 15, and 2) Fixed copy/paste/cut issue in rich text editor.
  • Bug fix: When using Shibboleth authentication, the REDCap redirect URL was mistakenly not URL-encoded in the Shibboleth handler address, which might cause the user not to get redirected back to the correct place after returning from a successful Shibboleth login. (Ticket #220564)
  • Bug fix: When upgrading REDCap more than once in a single day, the "redcap_history_version" database table would mistakenly only list the last upgrade of the day. (Ticket #220627)
  • Bug fix: When clicking the increase/decrease font-size button at the top of survey pages, the speaker icons used for text-to-speech functionality would mistakenly not change size.
  • Bug fix: The Scheduling page would mistakenly never display the record drop-down list. Bug was originally fixed in version 13.8.3 but then reappeared again in 14.0.0. (Ticket #210446b)
  • Bug fix: When importing data via the Data Import Tool's background data import, if the CSV file contains any File Upload fields, even if they are empty columns, it would mistakenly display an error saying that some variable names in the file were invalid, which is confusing. File Upload fields will now be ignored for this field pre-check since ultimately they are ignored during the data import process since files cannot be uploaded using this method. (Ticket #218575)
  • Bug fix: Some example R code in the API Playground was syntactically incorrect and would cause errors if it was run in R as is. Bug emerged in 13.7.24 LTS and 14.0.0 Standard Release. (Ticket #219535b)

Version 14.0.1 (released on 2023-12-07)

CHANGES IN THIS VERSION:

  • Improvement: Improved user interface elements on the Codebook page. A new instrument table lists instrument names and also event designations, if longitudinal. The instrument and event tables are now collapsible. Additionally, the tables denote if an instrument is a repeating instrument or is designated to a repeating event, and the event table denotes if an event is a repeating event. All tables on the page are now collapsed by default. (Ticket #220221)
  • Improvement: For Descriptive Text fields on the Codebook page, the attachment's filename and its display format are now listed on the page if it has an attachment, and the media URL and its display format are now listed on the page if it has a media URL. (Ticket #220204)
  • Major bug fix: When exporting a report (including using the API Report Export method) in CSV, XML, or JSON format, in which the report is ordered by a field other than the record name and the total size of the exported data is fairly large (containing several hundred or thousand records), the resulting exported data might mistakenly be missing many rows of data. Bug emerged in the previous version. (Ticket #220275)
  • Bug fix: The administrator's browser time that is displayed at the bottom of the main Control Center page was not formatted correctly. (Ticket #219917)
  • Bug fix: If a proxy is specified on the General Configuration page in the Control Center, the username-password authentication for HTTP requests made during CDIS remote calls to the EHR system might not always work successfully under certain conditions. (Ticket #219039c)
  • Bug fix: The EHR Launch in CDIS might mistakenly fail due to a fatal PHP namespace error.
  • Various fixes and updates to the External Module Framework.
  • Bug fix: The query cache efficiency check on the Configuration Check page might mistakenly display a false positive saying that the MySQL query cache is not efficient when actually it is. (Ticket #220049)
  • Bug fix: When a project has been deleted, some orphaned rows for that project might still exist in certain database tables. (Ticket #220047)
  • Bug fix: If a survey does not have survey instruction text, and the participant navigates back to page 1 after being on page 2 of the survey, the page would mistakenly display the "View survey instructions" link under the survey title.
  • Bug fix: When using the Survey Login feature in a longitudinal project, in which a field referenced on the survey login page exists on a different event than the survey currently being taken, the logged event's description of the successful/failed login on the Logging page would mistakenly have the wrong event for the context of the survey login. (Ticket #220174)
  • Bug fix: When using Azure AD authentication with Endpoint V2, the setting "AD attribute to use for REDCap username" was mistakenly not using all of the options listed in the drop-down but would only use the "userPrincipalName" option, if selected. Now all options can be used in Endpoint V2. (Ticket #134789b)
  • Bug fix: When clicking the "Download metadata only (XML)" button on the Project Setup->Other Functionality page, it mistakenly would not log the file download. It now logs the download event as "Download REDCap project XML file (metadata only)" on the Logging page. (Ticket #220203)
  • Bug fix: Referencing a field from another instrument or another event inside the function month(), day(), or year() for a calculated field would mistakenly cause a calculation error to occur on the page. (Ticket #220405)
  • Bug fix: In some situations when copying a project, in which the records are also copied, the new project would appear not to have any records until the administrator clicked the “Clear all record and page caches” button on the Other Functionality page.

Version 14.0.0 (released on 2023-11-30)

CHANGES IN THIS VERSION:

  • New action tag: @SHOWCHOICE - When applied to a multiple-choice field, this action tag will hide all choices except for the ones listed in its argument. This action tag is useful if you wish to only show a subset of choices depending on some logic (e.g., depending on data access groups) via the IF action tag. The format must follow the pattern @SHOWCHOICE='??', in which the coded values should be inside single or double quotes for the choice(s) you wish to show. If more than one choice needs to be shown, then provide all the coded values separated by commas. For example, to show the choice 'Monday (1)', you would have @SHOWCHOICE='1', but if you wanted to additionally show 'Tuesday (2)', you would have @SHOWCHOICE='1,2'. NOTE: The @SHOWCHOICE action tag supports piping into its argument - e.g., @SHOWCHOICE="[my_checkbox:checked:value]".
  • New page-level caching feature: “Rapid Retrieval”
    • REDCap now implements an automatic, transparent form of page-level caching (known as “Rapid Retrieval”) to help speed up certain pages that are known to be slow. Currently, Rapid Retrieval operates only on reports and on the Record Status Dashboard page. When a cache is being utilized, a note will appear at the top of the page that says “Page speed was boosted using Rapid Retrieval”. The Rapid Retrieval cache can be cleared for an entire project by an administrator using the “Clear the Record List Cache” button on the Project Setup->Other Functionality page, in which the button text now says “Clear all record & page caches.”
    • On the Modules/Services Configuration page in the Control Center, the Rapid Retrieval functionality can be disabled for the whole system, if desired. It has two options: File-based storage (default, recommended) and Database storage. If set to 'File-based storage', the Rapid Retrieval feature will store all cached files in REDCap's 'temp' folder by default. If set to 'Database storage', they will be stored in the redcap_cache database table. When using File-based storage, there is an additional setting named “Alternative directory to store cached files” that is completely optional, in which you may set an alternate location on your web server for storing the cached files, whether for security or performance related reasons.
    • Suggestion: The File-based storage method is recommended in most cases, such as on very active servers, because the Database storage method can tend to cause the database to be too busy, in which it may bog down the server and/or cause the MySQL binary log to grow too rapidly. You may try both options to see if one performs better overall. There is no harm in changing this setting at any time while the system is running.
    • Additional notes: When using File-based storage, the cached files are completely encrypted (at rest) on the web server, and the files are quickly removed by a cron job once they have been invalidated and can no longer be utilized. This form of active pruning keeps the cached files from taking up too much space on the web server.
  • New feature: Additional “redcap_data” tables
    • To help improve long-term server performance over time through horizontal scaling, REDCap now makes use of 3 new “redcap_data” tables named redcap_data2, redcap_data3, and redcap_data4. As new projects are created, they will be assigned to one of the four data tables, which will be the single place where that project’s data is stored. Utilizing more “data” tables will allow REDCap to maintain its speed and remain performant over time. The addition of these new tables is a completely automatic and transparent change that users will likely never realize or need to know about. However, administrators should be aware of it, especially in regard to the creation of Dynamic SQL fields (see below), which will be affected by this change. Note: No existing projects will be impacted by this change in v14.0.0; thus, it will only affect new projects created after upgrading to v14.0.0. Also, a project’s data table can always be obtained on the Edit Project Settings page after selecting a project, in which the table name will be listed at the top of that page.
    • New [data-table] Smart Variable - Since a project’s data can be stored in any of the 4 data tables, writing queries for Dynamic SQL fields can be tricky. On the Add/Edit Field dialog on the Online Designer, it will note the current project’s data table after selecting “Dynamic SQL Field” in the dialog. However, instead of using the literal data table name in their SQL query, admins may instead use [data-table], which will be replaced with the current project’s data table name. If you wish to obtain the data table name for another project, append a colon and the PID of the other project - e.g., [data-table:7345], in which the PID of the other project is “7345”. It is advised that going forward, administrators should utilize the [data-table] Smart Variable for Dynamic SQL fields rather than using the literal data table name.
    • New developer method REDCap::getDataTable($pid) - New REDCap class method for plugins/modules/hooks that will return the “redcap_dataX” database table name for a specified project by providing its project_id. If $project_id is null or not provided, it will return "redcap_data" by default. It is recommended that if any External Module developers have any EMs that reference the “redcap_data” explicitly in their EM code, they should replace it similar to how it is done in the code below:
      $data_table = method_exists('\REDCap', 'getDataTable') ? \REDCap::getDataTable($project_id) : "redcap_data";
      $sql = "select * from $data_table where project_id = $project_id";
    • New “Move Project Data” page
      • This page allows REDCap administrators to move the data stored in a given REDCap project to another redcap_dataX table in the database in order to [hopefully] improve the general performance of the project. The performance improvement will depend greatly on the size and structure of the project and will also depend on many things in the overall system, such as the current size of the redcap_data table and the power of the database server.
      • Note: The data transfer process on this page will perform multiple checks to ensure that all data gets moved successfully, and if anything goes wrong, it will automatically roll back all changes.
      • How to find this page - The “Edit Project Settings” page in the Control Center contains a link to the “Move Project Data” page.
  • New feature: “Read Replica” Server
    • To help offset server load if the REDCap system has been experiencing routine slowness, REDCap can connect to a read-only, secondary database server that uses MySQL/MariaDB replication to stay in sync with REDCap's primary database server.
    • The Read Replica server will be utilized only for read-only operations in the following places in REDCap: viewing reports, exporting data (including API exports), viewing record status dashboards, viewing and exporting the project logging page (including API logging exports), using the data search tool, viewing the scheduling page, executing data quality rules, viewing project dashboards, and viewing the Control Center's System Statistics and User Activity Log pages.
    • The effort of enabling the Read Replica functionality is very minimal once a replica server has been created and is successfully replicating from the REDCap primary database server. Most of the work will be simply setting up the replica server. Instructions for setting up the Read Replica can be found near the top of the General Configuration page in the Control Center.
    • NOTE: The Read Replica is only recommended for use if you have been experiencing performance issues with your REDCap server, such as a routine or off-and-on slowness. Before enabling the Read Replica feature, it is advised that you explore other ways to improve database performance first, such as adding more RAM and CPUs to your database server to see if that provides some improvement. If those things do not help, then using the Read Replica might be a good option.
  • Improvement: The @HIDECHOICE action tag now supports piping into its argument - e.g., @HIDECHOICE="[my_checkbox:checked:value]".
  • Improvement: The bottom of the main Control Center page now displays the current time of the user’s browser and the current time of the REDCap server (with its timezone).
  • Major bug fix: When exporting a report (including using the API Report Export method) in CSV, XML, or JSON format, in which the report is ordered by a field other than the record name and the total size of the exported data is fairly large (containing several hundred or thousand records), the resulting exported data might mistakenly contain duplicate rows, some of which might appear empty while others have the expected data for the given record/event. (Ticket #219392)
  • Bug fix: For certain REDCap installations, the events on the Define My Events page would not be ordered correctly. (Ticket #219188)
  • Bug fix: When opening certain dialog popups throughout the application, in which the dialog contains a lot of text, the page might mistakenly auto-scroll downward unexpectedly, thus causing the user to have to scroll back up in order to read the dialog contents.
  • Bug fix: If a proxy is specified on the General Configuration page in the Control Center, it was mistakenly not using username-password authentication for HTTP requests made during CDIS remote calls to the EHR system. (Ticket #219039b)
  • Change: When viewing the "View or Edit Schedule" tab on the Scheduling page when more than 10K drop-down options would be displayed in the already-scheduled drop-down list of records, in which the drop-down will display at all, the text on the page has been modified for better clarity since it was confusing regarding how to view an already-scheduled record in this situation.
  • Bug fix: Issues related to copy, paste, and cut in the TinyMCE 6 rich text editor. (Ticket #219212, #219274, #218550, #219286)
  • Bug fix: The "Upcoming Scheduled Survey Invitations" popup on the Record Home Page might not display all the upcoming invitations scheduled in the next 7 days but might mistakenly omit some. (Ticket #218769)
  • Several fixes and improvements for the External Modules Framework, including 1) Added the report-list and survey-list EM setting types, and 2) Resolved a queryLogs() bug when referencing username in WHERE clauses (Ticket #217622).
  • Change: When downloading the Survey Queue settings via CSV file, the CSV filename now contains the project title and timestamp of the download.
  • Bug fix: When downloading the Survey Queue settings via CSV file, the download action was mistakenly not being logged.
  • Bug fix: When uploading the Survey Queue settings via CSV file, the upload action was mistakenly being logged multiple times.
  • Bug fix: Some example R code in the API Playground was syntactically incorrect and would cause errors if it was run in R as is. (Ticket #219535)
  • Bug fix: When a datediff() function has a literal date value (e.g., "22-07-2023") for the first or second parameter in the function, in which the date value is in DMY or MDY date format, the datediff might mistakenly not perform the calculation correctly in some instances - most specifically server-side processes, such as auto-calculations, data imports, and Data Quality rule H. (Ticket #219662)
  • Bug fix: When using the RICHTEXT action tag for a field on a data entry form that is disabled/readonly (due to limited user rights or when viewing a survey response that is not in edit mode), the field’s rich text editor would mistakenly not appear disabled/readonly and would allow users to type and modify its content, even though the page is not able to be submitted. (Ticket #219212b)
  • Bug fix: In some rare cases when using nested IF action tags for a field in which spaces or line breaks appear in specific places in the IF's logic, the IF action tag might mistakenly not evaluate correctly.
  • Bug fix: Form Display Logic might mistakenly not be evaluated correctly on the Record Home Page when a record has not been created yet but is in the process of being created. (Ticket #219883)
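
Added example (not part of the REDCap release notes and not REDCap's own code): a hardened form of the two-line REDCap::getDataTable() snippet in the 14.0.0 notes above, which validates the project ID, allow-lists the table name (identifiers cannot be bound as parameters), and binds the ID as a query parameter. The helper names, the table-name pattern, and the use of the External Module framework's query($sql, $params) method are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Validate a project ID that arrived as untrusted input (e.g. a request parameter).
 */
function parseProjectId($raw): int
{
    $pid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($pid === false) {
        throw new InvalidArgumentException('project_id must be a positive integer');
    }
    return $pid;
}

/**
 * Return the project's data table, checked for safe use as an SQL identifier.
 * Falls back to "redcap_data" where REDCap::getDataTable() is unavailable,
 * mirroring the fallback in the release-note snippet.
 */
function resolveDataTable(int $projectId): string
{
    $table = method_exists('\REDCap', 'getDataTable')
        ? \REDCap::getDataTable($projectId)
        : 'redcap_data';

    // Assumed name shape: redcap_data, redcap_data2, redcap_data3, ...
    if (!is_string($table) || preg_match('/^redcap_data[0-9]*$/', $table) !== 1) {
        throw new UnexpectedValueException('Unexpected data table name');
    }
    return $table;
}

/**
 * Build the SQL text and its parameter list. Only the validated table name is
 * interpolated; the project ID travels as a bound parameter.
 */
function buildProjectDataQuery($rawProjectId): array
{
    $pid   = parseProjectId($rawProjectId);
    $table = resolveDataTable($pid);
    return ["select * from `$table` where project_id = ?", [$pid]];
}

// Demonstration with constructed inputs: one valid ID, one malformed value.
foreach (['7345', '7345 or 1=1'] as $input) {
    try {
        [$sql, $params] = buildProjectDataQuery($input);
        echo $sql, ' | params: ', json_encode($params), PHP_EOL;
        // Inside an External Module (assumption), pass both to the framework's
        // parameterized query method: $module->query($sql, $params);
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', json_encode($input), ': ', $e->getMessage(), PHP_EOL;
    }
}
```

Run outside REDCap, the script falls back to redcap_data, prints the query for the valid ID, and rejects the malformed value before any SQL is built.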

Version 13.11.4 (released on 2023-11-18)

CHANGES IN THIS VERSION:

  • Major bug fix: When a user is uploading a project's Survey Queue settings via a CSV file in the Online Designer, in certain situations, the process might mistakenly erase the Survey Queue settings of *ALL PROJECTS* in the entire system. This bug affects only Standard Releases 13.11.0, 13.11.1, 13.11.2, and 13.11.3. If you are on an affected version, it is advised that you upgrade ASAP. Additionally, this fix in 13.11.4 has also been backported to all affected versions so as to prevent further damage. (Ticket #219088)

Version 13.11.3 (released on 2023-11-16)

CHANGES IN THIS VERSION:

  • Improvement: New MLM-related Action Tags - If using Multi-Language Management, the LANGUAGE-SET action tag can now be selectively applied to data entry forms (via LANGUAGE-SET-FORM) or surveys (via LANGUAGE-SET-SURVEY).
  • Improvement: When using MyCap in a longitudinal project, a more streamlined process is provided for helping users add new active tasks and designate them for specific events in the project. This process is now much less confusing and less disjointed than in previous versions.
  • Improvement: A new parameter was added to the method REDCap::storeFile() to allow one to set the filename of the file being stored. In previous versions, the filename would be extracted from the file path itself. This new parameter is useful to assign a filename to files that have a temporary filename, such as when resulting from a file upload.
  • Bug fix: If the Mosio SMS Services have been enabled in a project, the configuration step for Mosio on the Project Setup page would mistakenly not be displayed if the system-level Twilio feature (rather than the system-level Mosio feature) had been left disabled on the Modules/Services Configuration page in the Control Center.
  • Bug fix: The Data Viewing Rights & Data Export Rights might not be set correctly for user roles after adding a new instrument to a project while in production. When adding a new instrument, the rights would always get set to "No access" for that instrument for all roles, despite the fact that the setting "Default instrument-level user access..." on the User Settings page in the Control Center might be set otherwise. Note: This does not affect individual users' rights but only user roles. (Ticket #218708)
  • Bug fix: When a Table-based user navigates into a project, after which the Password Expire Warning popup is displayed if their password is about to expire soon, and then the user clicks the "Change my password" button, they are mistakenly taken to a blank page. This issue only occurs if the Password Expire Warning popup is displayed while they are inside a project (as opposed to on the My Projects page). (Ticket #218606)
  • Bug fix: If using Multi-Language Management, under certain circumstances the language preference of a logged-in user was mistakenly overwritten by a browser cookie. (Ticket #218766)
  • Minor changes and improvements to the External Module Framework.
  • Bug fix: If a proxy is specified on the General Configuration page in the Control Center, it was mistakenly not being utilized for HTTP requests made during CDIS remote calls to the EHR system. (Ticket #219039)
  • Bug fix: When merging two records while using Double Data Entry (DDE), the merging process might mistakenly replace specific characters with HTML entities in the values of the third record that was created. (Ticket #218547)
  • Bug fix: In some situations, the AWS SDK might mistakenly fail when attempting to store or retrieve files from S3. The AWS SDK for PHP has been updated to the latest version in order to resolve this.
  • Bug fix: When piping a value onto a form/survey from outside the current context, in certain situations the piped value might mistakenly get wrapped in invisible HTML "span" tags when output onto the page, which should only occur when the field being piped exists on the same page. (Ticket #219031)
  • Bug fix: When using a designated email field (whether project-level or survey-level), there might be some inconsistency with regard to saving the email field if the field exists on multiple events or on a repeating instrument/event, in which REDCap attempts to keep all values the same for the field in all places in the record. One of the worst side effects is that it might mistakenly create extra repeating instances on a record when the email field exists on a repeating instrument when multiple repeating instances already exist for another instrument on the same record. (Ticket #217938)
  • Bug fix: When performing a data import on the Data Import Tool page when using PHP 8, a fatal PHP error might mistakenly occur. (Ticket #212225b)

Version 13.11.2 (released on 2023-11-09)

CHANGES IN THIS VERSION:

  • Improvement: When using the "Erase all data" feature on the Other Functionality page, it now lists the total number of records in the dialog so that the user is aware. (Ticket #218329)
  • Change: The "variable auto-naming" feature found in the "Add New Field" popup in the Online Designer can now be disabled/hidden for all users by toggling a new system-level setting. The User Settings page in the Control Center now contains a setting where this feature can be 1) Disabled for all users, 2) Enabled for all users (default), or 3) Enabled for administrators only. (Ticket #215153)
  • Bug fix: When using Multi-Language Management, the project-level overrides of some admin settings would mistakenly get ignored.
  • Change/bug fix: In a MyCap-enabled project, the MyCap Invitation Text has been updated for projects that are not yet converted to the new MyCap mobile app. This text change is to reduce confusion regarding the transition from the MyCap Classic app to the new app.
  • Bug fix: When using Multi-Language Management, the comments at the top of CSV export files from the MLM page mistakenly had a comma hard-coded as the CSV delimiter, which could lead to the file not being importable when a delimiter other than comma was chosen and depending on the type of software used to edit the file.
  • Bug fix: The "Map of Users" page in the Control Center might mistakenly not call the "redcap_control_center" hook under specific circumstances. (Ticket #218502)
  • Change: When copying a project on the Copy Project page, if the project being copied contains one or more Dynamic SQL fields, a notice will be displayed near the bottom of that page to inform the user that they may want to consider if the SQL query for the field(s) needs to be modified in order to work correctly in the new project.
  • Bug fix: External Module language files were mistakenly being overwritten by the Language::getLanguage() method, leading to the loss of module-specific language keys. This problem manifested when the tt function, used for internationalization within EMs, was called, particularly affecting pages that utilized the redcap_control_center hook. (Ticket #218492)
  • Bug fix: The DbHealthCheck cron job might mistakenly fail when the web server is using PHP 8. Bug emerged in REDCap 13.11.0.

Version 13.11.1 (released on 2023-11-03)

CHANGES IN THIS VERSION:

  • Major bug fix: When upgrading to REDCap 13.11.0, the upgrade SQL script might mistakenly fail on certain versions of MySQL (but not MariaDB), thus preventing some folks from successfully upgrading to v13.11.0.
  • Bug fix: Two-factor verification would mistakenly fail for users when the 6-digit 2FA code has a leading zero. (Ticket #218277)
  • Bug fix: When using Clinical Data Pull, the "View" link to view the adjudication popup would mistakenly not appear at the top of the data entry page after having opened the page the first time. (Ticket #218182)

Version 13.11.0 (released on 2023-11-02)

CHANGES IN THIS VERSION:

  • New feature: New FHIR resources are available for Clinical Data Interoperability Services (CDIS) for extracting new types of data from a patient’s chart. (Note: If using Epic, your institution will first need to upgrade to version 3 of the REDCap app in the Epic App Orchard/Vendor Services in order to use these new resources.) Below is a list of the new resources available:
    • Appointment Endpoints - Appointments, Scheduled Surgeries
    • Condition Endpoints (Epic Only) - Dental Finding, Genomics, Infection, Medical History, Reason for Visit
    • Additional Endpoints - Coverage, Device: Implants, Diagnosis, Procedure
  • Additional CDIS enhancements:
    • Refactored “Mapping Helper” - The user interface has been simplified for ease of use. The workflow is adjusted so that data for all resources can now be fetched in one action, reducing the number of clicks needed.
    • Clinical Data Mart - There's now an option to apply date ranges to specific resources individually, providing more granular control during data retrieval. Also, the existing background fetch feature within CDM has been extended to the "search" feature. This means when you're using the search functionality, particularly with individual MRN selections, the system can perform data fetches in the background, freeing you up to work on other tasks.
    • Clinical Data Pull - You can now map conditions to a specific clinical status. This is particularly useful for instances requiring detailed condition data.
  • New special functions for date/datetime fields:
    • year() - Returns the year component of a date/datetime field - e.g., year([dob]).
    • month() - Returns the month component of a date/datetime field - e.g., month([visit_datetime]).
    • day() - Returns the day component of a date/datetime field - e.g., day([visit_date]).
  • New piping parameters for date/datetime fields:
    • :year - Returns the year component of a date/datetime field - e.g., [dob:year].
    • :month - Returns the month component of a date/datetime field - e.g., [visit_datetime:month].
    • :day - Returns the day component of a date/datetime field - e.g., [visit_date:day].
  • Improvement: Survey Queue Import/Export - Users can now export and import their Survey Queue settings via a CSV file in the Online Designer. After clicking the “Survey Queue” button on the page, it will reveal a drop-down list of options to 1) edit the SQ, 2) download the SQ as a CSV file, or 3) upload the SQ as a CSV file. This new feature will make it much easier for users to make modifications to their Survey Queue when they have many instruments and/or events that they wish to utilize in the SQ.
  • Improvement: Form Display Logic Import/Export - Users can now export and import their Form Display Logic settings via a CSV file in the Online Designer. After clicking the “Form Display Logic” button on the page, it will reveal a drop-down list of options to 1) edit the FDL, 2) download the FDL as a CSV file, or 3) upload the FDL as a CSV file. This new feature will make it much easier for users to make modifications to their Form Display Logic when they have many instruments and/or events that they wish to utilize in the FDL.
  • Improvement: The rich text editor has been updated to TinyMCE v6.
  • Improvement: The "Help & FAQ" page has been updated with new content (thanks to the FAQ Committee).
  • Improvement: If using the Mailgun Email API, an optional Base URL setting has now been added to allow institutions to specify the Base URL that should be called for the Mailgun Email API. By default, "https://api.mailgun.net" is used, but those in the EU region may alternatively set it as "https://api.eu.mailgun.net" in the Mailgun section of the General Configuration page. (Ticket #206369)
  • Improvement: When using Multi-Language Management, it is now possible to preset the language of a survey by supplying the URL parameter "__lang", which must be set to a valid (active) language id (and is case-sensitive). Example: https://redcap.vanderbilt.edu/surveys/?s=ABC123&__lang=es. When used, this will override both a survey respondent's previous choice (stored in a browser cookie) as well as the language preference field. The @LANGUAGE-FORCE action tag will still take precedence, though. (Ticket #124976)
  • Bug fix: When using the @CALCDATE action tag in which the Daylight Saving Time barrier is crossed when calculating the resulting date, in specific cases the result might mistakenly be one day off (if a date field) or one hour off (if a datetime field). Similarly, when using the datediff() function in which one date/datetime exists in DST while the other does not, in some cases the result might be off by one hour when using units of "h", "m", or "s". (Ticket #32022, #73668, #103913, #126830, #129720, #137174, #215534, #216566)
  • Bug fix: Fixed an issue affecting the behavior of custom CDIS mapping in the Clinical Data Pull (CDP) mapping interface, in which custom CDIS mapping fields were incorrectly designated as 'primary,' thus preventing users from utilizing them as intended. (Ticket #217391)
  • Bug fix: In certain situations, the cron job for the Background Data Import might fail with a fatal PHP error when using PHP 8. (Ticket #212276b)
  • Bug fix: If a REDCap server is configured to use AAF authentication and that site has enabled the option to identify locals based on their AAF eduPersonScopedAffiliation, a user that should have been identified as a local would mistakenly not be identified as such, leading to them not being automatically granted project creation/copy rights upon account creation. This bug was introduced in REDCap 13.10.4.
  • Bug fix: The setting "Custom text to display at top of Project Home page" would mistakenly not display in the project if it did not contain actual text but only contained an image or an HTML “style” tag. (Ticket #217972)
  • Bug fix: In certain situations, the WebDAV file storage check on the Configuration Check page might mistakenly fail with a fatal PHP error. (Ticket #217684)
  • Bug fix: When attempting to save a calc or @CALCTEXT field in the Online Designer, in which the calculation contained a Smart Variable, it would prevent normal users from saving the field and would just get stuck saying "Saving...". However, administrators would be able to save the field successfully.
  • Bug fix: In certain situations while on a survey page, a participant might be able to submit a survey when they should not, such as if the Save button is hidden on the survey page. (Ticket #217159)
  • Bug fix: A user would be unable to close the field validation error popup (specifically in iOS or Android) when the field with the validation error is followed by a signature field. (Ticket #217572)
  • Bug fix/change: When using MyCap in a project, in which the project has not been transitioned to use the new MyCap app (but instead is using the MyCap Classic app), if a user exports the project XML file to create a new project on the same server or on any server on REDCap 13.11.0, that new project will also be using the MyCap Classic app. In previous versions, the new project would always be using the new MyCap app, which could cause issues in specific situations.
  • Bug fix: When exporting and importing Automated Survey Invitations using a CSV file in the Online Designer, the import process might fail with a blank error message due to an inconsistency in the CSV delimiter used in the file. (Ticket #217941)
  • Bug fix: When using Multi-Language Management, the choice labels of multiple choice fields would not be piped correctly in some cases if the choice labels contain HTML. (Ticket #217955)
  • Bug fix: Users would mistakenly be allowed to define Missing Data Codes where some of the codes could be duplicated in different cases (case sensitivity-wise). For example, "na" and "NA" would both be allowed as Missing Data Codes. Note: This issue cannot be fixed retroactively but will be prevented going forward when users attempt to create or modify Missing Data Codes on the Project Setup page. (Ticket #216818)

Version 13.10.6 (released on 2023-10-26)

CHANGES IN THIS VERSION:

  • Change/improvement: The Configuration Check page now has a new MySQL 8 specific check to ensure that the "Generated Invisible Primary Keys" (GIPK) setting in MySQL has been disabled on the database server. If not, it recommends setting sql_generate_invisible_primary_key=OFF in the my.cnf (or my.ini) configuration file. Additionally, this check has been added to the REDCap install page in order to prevent anyone from installing REDCap with this feature enabled. If the GIPK setting is left enabled, it will forever display false positives for the "Database Structure is Incorrect" check in the Control Center when in fact there is nothing wrong with the database structure.
  • Change: When using MyCap, some REDCap server configuration info is now included in the MyCap configuration JSON that gets pulled by the MyCap mobile app when refreshing the MyCap configuration on the participant’s mobile device. This server info will be stored on the mobile device and used only for troubleshooting purposes when any issues occur in the mobile app.
  • Bug fix: An issue may occur with a CDIS-related cron job in which certain records are not processed due to MemoryMonitor interruptions, and thus records would mistakenly not get queued for future processing to pull their clinical data from the EHR. This fix ensures that these unprocessed records are correctly queued for the next execution of the cron job, preventing data loss and ensuring more robust processing.
  • Bug fix: When a user lacks the instrument-level user privilege to modify survey responses for a given instrument, then they open a data entry form that has been enabled as a survey, and before they submit the form, a survey response has already been started or completed by a participant, it would mistakenly allow the user to unwittingly overwrite the survey response when they submit the form. It now returns an error message in this specific scenario and prevents the user from making changes. (Ticket #217157)
  • Bug fix: When a user is assigned to a Data Access Group and views a project's Logging page when no records exist in their DAG yet, the Logging page might crash and display an error message saying that an SQL query failed. This appears to only occur for certain versions of MySQL/MariaDB. (Ticket #217372)
  • Bug fix: Certain tables, such as the Record Status Dashboard and reports, might mistakenly not display with the correct width based on the current screen size, in which the table may display its scroll bar off the right side of the page (i.e., initially not visible) instead of it being visible after the page loads.
  • Bug fix: If the MyCap External Module is enabled in a project, the built-in MyCap feature would mistakenly have its “Enable” button as a clickable button on the Project Setup page. That button is now disabled/grayed out if the MyCap EM is already enabled in a project.
  • Bug fix: When using CDIS, specifically Clinical Data Mart, an intermittent issue in CDM projects would occur where searches for specific Medical Record Numbers (MRNs) would occasionally return duplicate results. The fix ensures that each MRN appears only once in the search outcomes.
  • Bug fix: When using Multi-Language Management, the "only one selection per column" notice on matrix fields was mistakenly not translatable via the MLM setup page. (Ticket #217480)
  • Bug fix: When adding or editing a multiple choice field via the Online Designer, the text in the section "How do I manually code the choices?" mistakenly contained a line break in the text rather than actually displaying the HTML tag "<br>" as visible in the text.
  • Bug fix: When an alert is set to trigger "When conditional logic is TRUE during a data import, data entry, or as the result of time-based logic", in which a data value from a repeating instrument or repeating event is added via a data import, if the repeat instance number is "1" for the field being imported (or if the value is "new" when no repeating instances exist yet for that field), the import process might mistakenly not trigger the alert. (Ticket #214855)
  • Bug fix: When a checkbox field has a multiple choice option whose raw code is the same as a missing data code in the project, the report page might mistakenly display the error "DataTables warning: table id=report_table - Incorrect column count" when trying to view a report that contains such a checkbox. (Ticket #217249)
  • Bug fix: When hovering over the “view list” link on the Alerts & Notifications page for a given alert, the popover dialog would mistakenly not be hidden again if the user moves their cursor off of the popover. To remedy this, the user must now click the “view list” link to see the popover, after which the popover will hide if manually closed or if the user clicks on anything outside of the popover on the page.
  • Bug fix: When importing records that are assigned to a Data Access Group, in which records for other DAGs exist in the redcap_data table with a blank record name (due to an older bug that caused the name to be blank), this would mistakenly prevent the data import process from importing the records. (Ticket #217724)

Version 13.10.5 (released on 2023-10-19)

CHANGES IN THIS VERSION:

  • Major security fix: A Stored Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into specific POST parameters of an Online Designer related URL so that the custom JavaScript could be injected into the calculations of calc fields, @CALCTEXT, and @CALCDATE fields. Thus the custom JavaScript could be executed whenever anyone opens the data entry form or survey page. This could lead to privilege escalation if a malicious user tricks an administrator into viewing the instrument, thus potentially becoming an administrator themselves and able to access all projects and data. The user must be authenticated into REDCap and must have Project Design rights in order to exploit this in a project. Bug exists in all REDCap versions for the past 10 years. Note: This bug was supposedly fixed in the previous version but mistakenly was not.
  • Medium security fix: Malicious users might be able to bypass the "Restricted file types for uploaded files" feature (if being utilized on the REDCap server) by uploading a file with an incorrect file extension into the File Repository of a project, and then changing the file's extension using the "rename file" feature. For example, an attacker could take a file named "exploit.exe", rename it to "image.jpg" on their local device, upload the file into the File Repository, rename the file to "image.exe", and then trick another user into downloading it and executing it locally. Now, REDCap prevents users from modifying the file extension of any files uploaded into the File Repository. Note: The vulnerability does not pose a risk to the REDCap server, since REDCap itself never executes any uploaded files; it only poses a risk to users who may unwittingly download and execute the file. Also, the malicious user must have File Repository privileges inside a project in order to exploit this.
  • Minor security fix: When using Two-Factor Authentication, in which users are logging in and entering a 6-digit one-time passcode (OTP), there was no limit placed on the number of passcode submissions that can be attempted for a given user within a specific window of time. Thus, the passcode verification process was subject to brute force hacking (so long as the attempts did not exceed the general Rate Limiter setting in REDCap). This has been changed so that the passcode verification process cannot be utilized more than 10 times per minute. If exceeded, it will now return an error.
  • Major bug fix: When a survey participant clicks the "Save & Return Later" button on a survey, REDCap would mistakenly not always find the participant's email address (from a designated email field or from the participant list) when loading the page that displays the return code. In some cases, another participant might be sent an email containing the original participant's survey link for completing the survey. Note: Despite sending the survey link to the wrong participant, the other participant would not be able to see the original participant's responses because they do not have the Return Code. (Ticket #140765, #217097)
  • Security improvement: If no value has been set for the system setting "Restricted file types for uploaded files" at the bottom of the Security & Authentication page, the following value will be set for that setting to prevent harmful files from being uploaded to the system: "ade, adp, apk, appx, appxbundle, bat, cab, chm, cmd, com, cpl, diagcab, diagcfg, diagpack, dll, dmg, ex, exe, hta, img, ins, iso, isp, jar, jnlp, js, jse, lib, lnk, mde, msc, msi, msix, msixbundle, msp, mst, nsh, php, pif, ps1, scr, sct, shb, sys, vb, vbe, vbs, vhd, vxd, wsc, wsf, wsh, xll".
  • Improvement: When using the Field Bank in the Online Designer to search specifically within the NIH CDE Repository, a new checkbox option exists in the search utility called "Search NIH-Endorsed CDEs". If this search option is checked, REDCap will search only for fields that are "NIH-Endorsed" in the NIH CDE Repository. NIH-Endorsed CDEs have been reviewed and approved by an expert panel, and meet established criteria.
  • Change/improvement: When using OpenID Connect authentication in specific situations, such as with Azure B2C, an optional "additional scope" value might need to be provided in order for authentication to function correctly. A new "Additional scope" setting has been added to the OIDC section of the Security & Authentication page for this, if needed. (Ticket #214076)
  • Bug fix: When using Multi-Language Management, a JavaScript error might occur when piping calculated fields under specific conditions.
  • Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with a 445 area code. (Ticket #216751)
  • Bug fix: When using Multi-Language Management, the option to “Create from file/from scratch” would mistakenly not be available on the Control Center MLM setup page when the corresponding language creation was disabled for projects.
  • Bug fix: The language variable "design_1054" mistakenly existed twice in the file "English.ini".
  • Bug fix: If the settings "Allow normal users to edit their primary email address on their Profile page?" or "Allow normal users to edit their first name and last name..." are set to "Do not allow editing", a user that knows how to make a specially-crafted POST request to a specific end-point or knows how to manipulate the Profile page's user interface in a specific way would be able to modify their first/last name and/or email address, respectively.
  • Bug fix: When a user imports data via the Background Data Import option, the data import would get logged under the generic user "SYSTEM" since the import is literally performed by the REDCap cron job. However, this creates ambiguity in the logging with regard to which user initiated the specific import batch. To reduce ambiguity in all future imports performed via the Background Data Import, the logging page will now list the user as "SYSTEM" appended in parentheses by the user that initiated the import - e.g., "SYSTEM (john.doe)".
  • Bug fix: When a user imports a Project XML file that is truncated (for whatever reason) and thus does not represent properly structured XML, in some situations REDCap might still attempt to process the XML fully without any error message, which might result in some things not getting set correctly in the resulting project, possibly unbeknownst to the user. It now attempts to do a better job of detecting if the XML is properly structured, and if not, returns an error message explaining this.
  • Bug fix: When using "Azure AD OAuth2 & Table-based" authentication, users clicking the "Logout" link in REDCap would mistakenly not be successfully logged out of Azure AD. (Ticket #216423b)
  • Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with certain newer area codes, including 531 and 726. (Ticket #216751b)
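
The File Repository rename bypass described in the 13.10.5 "Medium security fix" above, shown next to the stated fix (the extension may no longer change on rename). This is an added illustration, not REDCap's code: the FileRepository class, its method names and the extension() helper are hypothetical, and RESTRICTED is a short subset of the default list quoted in the "Security improvement" entry.

```python
import os

# Subset of the default "Restricted file types" value quoted in the changelog.
RESTRICTED = frozenset("bat cmd com dll exe hta jar js msi php ps1 scr vbs".split())


def extension(filename: str) -> str:
    """Return the lower-cased final extension, or "" if there is none.

    Trailing dots and spaces are dropped first, because Windows ignores
    them when it decides how to open a file ("image.exe." runs as an exe).
    """
    name = os.path.basename(filename.replace("\\", "/")).rstrip(" .")
    _stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


class FileRepository:
    """Hypothetical in-memory stand-in for a project's file repository."""

    def __init__(self, restricted=RESTRICTED):
        self.restricted = restricted
        self.files = {}      # doc_id -> current display name
        self.next_id = 1

    def upload(self, filename: str):
        """Store the file and return its id, or None if the type is restricted."""
        if extension(filename) in self.restricted:
            return None
        doc_id = self.next_id
        self.next_id += 1
        self.files[doc_id] = filename
        return doc_id

    def rename_unchecked(self, doc_id: int, new_name: str) -> bool:
        """Behaviour before the fix: the upload check is never re-applied."""
        self.files[doc_id] = new_name
        return True

    def rename(self, doc_id: int, new_name: str) -> bool:
        """Behaviour after the fix: the extension must stay the same."""
        if extension(new_name) != extension(self.files[doc_id]):
            return False
        self.files[doc_id] = new_name
        return True


if __name__ == "__main__":
    repo = FileRepository()
    print("upload exploit.exe ->", repo.upload("exploit.exe"))
    doc = repo.upload("image.jpg")          # constructed sample name from the changelog
    print("unchecked rename   ->", repo.rename_unchecked(doc, "image.exe"), repo.files[doc])
    doc = repo.upload("image.jpg")
    for candidate in ("image.exe", "image.jpg.exe", "image.exe.", "holiday.JPG"):
        print(f"checked rename to {candidate!r} ->", repo.rename(doc, candidate))
```

Comparing extensions rather than re-running the block list on rename also covers servers whose restricted list is empty or incomplete, which matches the wording of the fix.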
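
Two of the 2FA entries on this page, the attempt limit added in 13.10.5 ("Minor security fix") and the leading-zero failure fixed in 13.11.1, come together in one passcode check. The sketch below is an added example, not REDCap's implementation: OtpVerifier and the function names are hypothetical, the integer round-trip is only an assumed cause of a leading-zero failure, and the limit of 10 attempts per 60 seconds is the figure stated in the changelog.

```python
import hmac
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 10     # per user, figure taken from the changelog entry
WINDOW_SECONDS = 60   # "per minute"
CODE_LENGTH = 6


def verify_with_int_cast(submitted: str, expected: str) -> bool:
    """Assumed failure mode: an integer round-trip drops leading zeros."""
    return str(int(submitted)) == expected


def codes_match(submitted: str, expected: str) -> bool:
    """Compare passcodes as fixed-width digit strings, in constant time."""
    submitted = submitted.strip()
    if len(submitted) != CODE_LENGTH:
        return False
    if not (submitted.isascii() and submitted.isdigit()):
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())


class OtpVerifier:
    """Sliding-window limiter wrapped around the passcode comparison."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock                    # injectable so tests can freeze time
        self.attempts = defaultdict(deque)    # user -> timestamps of recent attempts

    def check(self, user: str, submitted: str, expected: str) -> str:
        now = self.clock()
        recent = self.attempts[user]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                  # forget attempts outside the window
        if len(recent) >= self.max_attempts:
            return "rate_limited"             # the code is not evaluated at all
        recent.append(now)                    # successes count too, as in the entry
        return "ok" if codes_match(submitted, expected) else "invalid"


def evaluated_guesses(verifier, user, guesses, expected) -> int:
    """Count how many submissions the verifier actually compared."""
    results = [verifier.check(user, g, expected) for g in guesses]
    return sum(1 for r in results if r != "rate_limited")


if __name__ == "__main__":
    now = [0.0]
    v = OtpVerifier(clock=lambda: now[0])
    print("int cast, code 012345:", verify_with_int_cast("012345", "012345"))
    print("string compare       :", v.check("alice", "012345", "012345"))
    burst = ["%06d" % n for n in range(100)]  # constructed burst of submissions
    print("evaluated in burst   :", evaluated_guesses(v, "alice", burst, "999999"))
    now[0] = 60.0
    print("after the window     :", v.check("alice", "999999", "999999"))
```

With a six-digit code there are 1,000,000 possibilities, so the per-user cap is what bounds guessing between code rotations; a general request rate limiter alone does not.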

Version 13.10.4 (released on 2023-10-11)

CHANGES IN THIS VERSION:

  • Major security fix: A Stored Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into specific POST parameters of an Online Designer related URL so that the custom JavaScript could be injected into the calculations of calc fields, @CALCTEXT, and @CALCDATE fields. Thus the custom JavaScript could be executed whenever anyone opens the data entry form or survey page. This could lead to privilege escalation if a malicious user tricks an administrator into viewing the instrument, thus potentially becoming an administrator themselves and able to access all projects and data. The user must be authenticated into REDCap and must have Project Design rights in order to exploit this in a project. Bug exists in all REDCap versions for the past 10 years.
  • Medium security fix: A user with Calendar privileges in a given project that knows how to make a specially-crafted POST request to a specific end-point might be able to edit or delete a calendar event in another project to which they do not have access.
  • Medium security fix: A user with Data Access Group privileges in a given project that knows how to make a specially-crafted POST request to a specific end-point might be able to rename or delete a DAG in another project to which they do not have access.
  • Change/improvement: When adding/editing a Descriptive Text field in the Online Designer, the text in the "Optional file attachment, image, audio, or video" section of the popup has been modified to instruct the user that the "Embed an external video" feature can be used for more than just videos but for websites and surveys too (i.e., the "Magic Box" feature, as some call it). The text has been changed to "Optional media to embed or attach:" and "Embed media (video, website, survey, etc.)", respectively. Other relevant text in the popup has also been modified to refer to "media" more generically rather than "video".
  • Improvements to AAF Authentication:
    • Clearer instructions are provided to admins when setting up AAF authentication on the Security & Authentication page.
    • AAF authentication now allows administrators to define multiple eduScopeTarget attributes that identify an authenticating user as a 'local', thus allowing sites to enable users from multiple institutions to create projects.
    • AAF authentication now allows administrators to control which users are added to the Email Users page. Previously this was either Yes (all users) or No (no users). Now, the options are All Users, None, and Locals Only.
    • When a user logs in for the first time via AAF, the Organization Name of their Identity Provider is now added to the Institution ID field in their User Profile. This change is not retroactive; existing users will not have their organization added to their profile automatically.
    • When an AAF user logs in for the first time, it now logs the event.
  • Bug fix: When using Multi-Language Management, REDCap’s auto-logout feature would mistakenly not work on the MLM setup page in some circumstances. (Ticket #216234)
  • Bug fix: When using MyCap, the “No Fields” error might mistakenly not be displayed in the Online Designer if non-MyCap fields are added at the end of an instrument.
  • Various updates and fixes for the External Module Framework, including 1) Avoided additional eval false positives during scans, 2) Added scan support for local paths to zip files, and 3) Improved constructor scan output.
  • Bug fix: When printing an instrument via the option "Download this survey with saved data (via browser's Save as PDF)", a vertical line/shadow would mistakenly appear on the left side of the resulting PDF.
  • Bug fix: When using Multi-Language Management, a specific warning was mistakenly not translatable via the MLM setup page.
  • Bug fix: When using "OpenID Connect & Table-based" authentication, users clicking the "Logout" link in REDCap would mistakenly not be successfully logged out of OIDC. (Ticket #216423)
  • Bug fix: When using Multi-Language Management, “style” HTML tags that span over multiple lines would mistakenly not work as expected when MLM is active.

Version 13.10.3 (released on 2023-10-05)

CHANGES IN THIS VERSION:

  • Improvement: When setting up recurring Alerts & Notifications, users can now set the repeating interval value as a number with a decimal (in previous versions, the value could only be an integer). This will allow users to approximate the interval of a monthly recurring alert as 30.44 days since it is currently not possible for recurring alerts to be scheduled on exactly the same day and time each month. To help users, a note has been added in the repeating survey section of the alert setup dialog to inform them how to approximate a month as 30.44 days. (Ticket #215860)
  • Major bug fix: A user with “Alerts & Notifications” privileges in a given project that knows how to make a specially-crafted POST request to a specific end-point used for "Alerts & Notifications" functionality might be able to delete any general uploaded file that belongs to the project, whether it be an attachment uploaded via the rich text editor, a file uploaded to a File Upload field, a Descriptive Text field attachment, etc. This user could potentially delete the stored edoc file for any of those places in the project. However, it is important to note that the user can only delete files within their own project to which they have access. They cannot delete files in other projects to which they do not have access.
  • Major bug fix: If survey invitations have been scheduled manually (i.e., not via ASI) with one or more reminders, the unsent/scheduled reminders would mistakenly not be automatically removed whenever the participant completes the survey. (Ticket #203090)
  • Change: In Multi-Language Management, the "Default" language term has been renamed to "Base Language" on the MLM setup page and in various documentation for improved clarity regarding the purpose and function of the Base Language in MLM.
  • Change: When using MyCap in a project, the instructional text in the individual “Invite Participant” popup has been modified slightly to cater better to whether the project has been transitioned to use the new MyCap mobile app or not.
  • Bug fix: The end-points used for deleting instruments and fields in a project were mistakenly using a GET request (rather than a POST request), which could make it easier for a user to get tricked into unwittingly deleting an instrument or field if a malicious user sent them a specially-crafted link to click. Such a situation would not cause any permanent damage (e.g. no data would ever be deleted), and it could be easily fixed by re-adding the instrument/field back.
  • Bug fix: When using a CDIS service (CDM or CDP) to pull data from an EHR, when dealing with date values used in the FHIR requests to the EHR system, some dates might mistakenly be converted to the current timezone. This has been fixed to ensure that the date conversion only occurs in the response received from the FHIR system.
  • Bug fix: When using the Protected Email Mode feature, in which an alert is set up with an attachment file and the alert is set not to send immediately but at some later time, after the alert is triggered and the email is sent, when the recipient views the email on the Protected Email Mode page, the attachment would mistakenly not be downloadable on the page but would display an error when attempting to download it. (Ticket #212760)
  • Bug fix: The hook functions "redcap_survey_page_top" and "redcap_survey_page" might mistakenly be provided with an incorrect DAG group_id value for records that have not yet been created, such as when viewing the first page of a public survey. In these cases, it would provide the DAG group_id of record "1" in the project if there exists a record named "1" when instead the group_id should be NULL. (Ticket #215884)
  • Bug fix: The Unicode Transformation process might mistakenly not convert data in some database tables that have a "project_id" column in which the project_id value in the table is NULL. (Ticket #215615)
  • Bug fix: Several PHP 8 compatibility issues when using certain MyCap pages/processes.
  • Bug fix: When uploading a CSV file using the Background Data Import, in which the record ID field is included in the data file but many rows in the file have no value provided for the record ID field (i.e., it's blank), the import process could mistakenly go into an infinite loop until the script times out, which might cause the process to get stuck in "Initialization" status and thus can't be canceled or removed.
  • Bug fix: In specific cases where the REDCap::saveData() method is being called, including data imports from the new MyCap mobile app, the process might mistakenly crash when using PHP 8. (Ticket #215928)
  • Change: A note was added to the Smart Variable documentation, specifically for the charts, to denote that when using multiple fields in the chart, the data used in the chart will be naturally grouped from the same event and/or repeating instance. For example, if you're plotting age vs weight in a scatter plot in a longitudinal project, it will only create points in the plot where both the age value and weight value exist on the same event. If one or both values are missing from a given event in a record, then no point can be plotted for that given record.
  • Bug fix: The @NOW-SERVER action tag would mistakenly not set the correct value for many time-validated field types, such as a Text field with "time_hh_mm_ss" validation, whenever an instrument/survey is loaded. Instead, it might set the value as the user/participant's local time (according to their browser). (Ticket #216135)
  • Bug fix: When using Multi-Language Management, for Yes/No and True/False fields, "No"/"False" was mistakenly shown instead of their associated translation in some places (e.g., Codebook). (Ticket #216265)
  • Bug fix: Several different features in REDCap, in which an AJAX call returns JSON-encoded data, might get misinterpreted and thus would fail because the request failed to have the "Content-Type: application/json" header set. This would only occur for certain web server configurations. (Ticket #214401)

Version 13.10.2 (released on 2023-09-28)

CHANGES IN THIS VERSION:

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a specially crafted way into the URL on the Data Import Tool page. This bug only affects REDCap 13.8.0 and higher.
  • Improvement: The Logic Editor is now utilized when an administrator is adding/editing the SQL query for a Dynamic SQL Field.
  • Change/improvement: A new check was added to the Configuration Check page that will alert the administrator if the PHP.INI configuration file used by the REDCap cron job has a timezone setting that differs from the timezone setting in the main PHP.INI file used by the web interface (but only if more than one PHP.INI is utilized). If the timezone settings differ, it warns that one must be changed so that they are the same, otherwise the cron job may not run correctly.
  • Bug fix: When renaming a record, the record name would mistakenly not get renamed on the Email Logging page. This would not cause any issues other than the Email Logging saying that an email belongs to the wrong record. (Ticket #215100)
  • Bug fix: The Unicode Transformation process might mistakenly not display correct information regarding whether or not some specific steps in the process need to be completed.
  • Bug fix: The "field suggest" feature when using the Logic Editor was mistakenly no longer appearing as of REDCap 13.7.13 LTS and 13.9.3 Standard Release. (Ticket #215285)
  • Bug fix: When using the Clinical Data Mart design checker's "fixDesign" process, a fatal PHP error might occur in certain situations.
  • Bug fix: Some project pages might fail with a fatal PHP error when using PHP 8 due to the calling of an undefined PHP constant in the External Module Framework. (Ticket #215348)
  • Bug fix: When transitioning a MyCap-enabled project to use the new MyCap mobile app, some survey-related settings might mistakenly not be updated during the process (assuming they were being used to store the participant QR code and/or direct link), specifically the survey confirmation email body and the ASI email body.
  • Bug fix: When using Multi-Language Management, the "Access Denied!" message that appears on data entry forms when a user has no access was mistakenly not a translatable element in MLM. (Ticket #215504)
  • Bug fix: In a MyCap-enabled project, slider labels (displayed above or next to the slider) were not displaying correctly in the MyCap config JSON and thus might cause issues in the MyCap mobile app.
  • Bug fix: When using MyCap in a project while publishing a new MyCap app version, in which a task exists with non-fixable errors, the success message popup will display a warning along with a success message that some tasks were not published due to errors.
  • Bug fix: When using the Data Resolution Workflow along with Data Access Groups in a project, if a user attempts to assign a data query to a user, in some situations the drop-down list of assignable users would mistakenly list users that are not currently eligible to be assigned to the data query because they are not currently assigned to the record's DAG. It should only list users that are currently in the record's DAG (or users not in any DAG) if the record itself is assigned to a DAG. (Ticket #213770)
  • Bug fix: When using CDIS, the SMART on FHIR authentication process was causing incorrect scope levels to be applied, specifically impacting Cerner users. The issue prevented the proper assignment of the "user" level during authentication, thus potentially leading to authorization errors.
  • Bug fix: The auto-fill form/survey feature for administrators might mistakenly fail for most/all time validated fields. (Ticket #215684)
  • Bug fix: When an [X-event-name] Smart Variable is prepended to a field variable (especially in combination with an [X-instance] Smart Variable) in logic, calculations, or piping, it might cause the evaluation of the logic/calc/piping not to be performed successfully. For example, for [previous-event-name][field], the direct previous event might be used when instead the previous designated event for that field's instrument should be used. (Ticket #214317, #213503)
  • Bug fix: If using an HTML "style" tag inside user-defined text (e.g., field label, survey instructions), the CSS styles inside the tags might mistakenly not work on the page if line breaks or carriage returns occur anywhere inside the opening and closing style tag. (Ticket #215693)

Version 13.10.1 (released on 2023-09-22)

CHANGES IN THIS VERSION:

  • Improvement: The MyCap Help document has been updated, and a new Transition Guide has been added to help inform users regarding the process of transitioning to the new MyCap mobile app from MyCap Classic (the guide is linked in the popup that notifies users about transitioning). Additionally, a new PDF displaying a list of all MyCap app features has been linked in several places where MyCap documentation is located, in which the PDF compares the features of the new MyCap app with the previous MyCap Classic app.
  • Major bug fix: When using randomization while in production status, if a user is uploading a new allocation table to be appended to the existing production allocation table, in which the development allocation table happens to exactly match all the production allocations after the allocation upload has occurred, all the production allocations would mistakenly be erased, which would also remove the "randomized" status for any already randomized records. This is extremely rare, but is extremely destructive and difficult to restore back to its previous state.
  • Change/improvement: Slight performance improvement when loading the Logging page in some projects.
  • Change/improvement: In the External Module Framework, the $module->redirectAfterHook() after hook method was added.
  • Bug fix: When viewing the MyCap participant list, the Baseline Date might mistakenly be displayed in an incorrect date format.
  • Bug fix: A user that does not have Project Setup privileges in a project could potentially exploit a missing user rights check on the endpoints where field attributes are modified in the Online Designer by crafting special HTTP requests to those specific endpoints. This does not allow the user to do anything other than add new fields or edit the attributes of existing fields.
  • Bug fix: When viewing the Record Status Dashboard in certain cases when using PHP 8, the page might crash with a fatal PHP error. (Ticket #214370)
  • Bug fix: When users make API requests, the full API token was mistakenly being logged in the redcap_log_view table for each request. This is not typically an issue because such values in that table are not exportable via the front-end user interface but are only accessible via direct database access. However, if some institutions are sending the full export of their redcap_log_view table to their local security office, the logging of the API token in that table could be problematic. The API token will now be redacted in the redcap_log_view table. (Ticket #214322)
  • Bug fix: When users delete or regenerate their API token in a project, the value of the old token was mistakenly not being logged on the project's Logging page.
  • Bug fix: Fixed issue with the CDIS "Break the Glass" feature. When attempting to restore a serialized list of patients, an error is thrown due to the DateTime class not being listed within the "allowed_classes" parameter of the unserialize function. (Ticket #214670)
  • Bug fix: An administrator with only “Install, upgrade, and configure External Modules” admin privileges might not be able to view certain External Module pages or perform certain External Module operations, such as accessing the EM Manage page in the Control Center. (Ticket #214721, #214722)
  • Bug fix: An issue might occur when downloading a file from a File Upload field when REDCap is hosted on Google Cloud Platform due to the usage of an unnecessary project_id prefix for Google bucket file storage.
  • Bug fix: The notification for the Unicode Transformation process on the Configuration Check page might mistakenly not be displayed on the page anymore after step 2a of the process has been completed. It should not go away until all 4 of the steps are completed.
  • Bug fix: When attempting to access the "App Data Dumps" on the REDCap Mobile App page in a project, if any of the data dump files somehow can't be found in the file system (which would be unexpected), the page would crash with a fatal PHP error. From now on, it will merely skip any files in this situation. (Ticket #215007)
  • Bug fix: When date or datetime fields are piped into the choice label of a drop-down field, in which the date/datetime field has MDY or DMY date format and also exists on the same page as the drop-down field, the date/datetime values might not get piped in the correct format but may appear in the drop-down as a mangled date/datetime value.
  • Bug fix: Minor MyCap-related bug fixes and UI changes.

Version 13.10.0 (released on 2023-09-08)

CHANGES IN THIS VERSION:

  • New feature: Longitudinal functionality for MyCap-enabled projects - In previous versions, longitudinal projects could not utilize MyCap (the feature would be disabled automatically). Now with the release of the new MyCap mobile apps on Android and iOS, longitudinal functionality is possible and is supported in the new MyCap mobile app. For any projects currently using MyCap, there will be a “transition” button on the MyCap Participants page that will allow the users to transition the project and any existing participants to use the new MyCap mobile app (note: this transition process is completely optional and not required unless wanting to use longitudinal functionality and other new MyCap features). The older MyCap mobile apps will still be available and updated in the Apple App Store and Google Play Store for the time being.
  • Medium security fix: The Chart.js JavaScript library that is included in REDCap contains a bundled version of the Moment.js library, which contains a security vulnerability in that specific version. The bundled Moment.js library has been removed. It does not need to be replaced since REDCap already has the latest version of Moment.js included separately.
  • Improvement: Enhancements to the Codebook page - For longitudinal projects, a table of all event names is displayed near the top of the page. If events and/or missing data codes exist, the table of them may be included in or excluded from the page printout via a checkbox at the top right corner of their table. Also, in the printout of the page, the time and project title are now displayed.
  • Bug fix: The newer background process that helps prune abandoned/zombie database processes might mistakenly be preventing some important processes from finishing, such as data fetching for CDIS (both CDM and CDP), data exports, and also the Easy Upgrade process.
  • Various updates and fixes for the External Module Framework
    • Miscellaneous security scan improvements.
    • Replaced the setRoleForUser() implementation with UserRights::updateUserRoleMapping() so that logging would be included automatically.
    • Control Center module list improvements: 1) Sorted the list of modules to enable by name, 2) Improved module list load time when modules with updates are not enabled anymore, 3) Displayed modules that are still enabled even though their directories are missing, and 4) Cached settings to improve module list load time.
  • Bug fix: When using Azure AD V1 for authentication, the setting "AD attribute to use for REDCap username" on the Security & Authentication page mistakenly listed the employee ID attribute as "employeeID" when it should instead be "employeeId". This could prevent proper authentication if that option was selected. (Ticket #213619)
  • Bug fix: When using the Survey Login feature and a survey participant begins a new survey while their survey login session is still active, the survey instructions would mistakenly not be displayed on the page by default. (Ticket #212987)
  • Bug fix: When exporting a project as a Project XML file and then creating a new project from the XML file, if the Survey Login feature had been utilized and the Survey Settings checkbox had been checked when exporting the XML file, the Survey Login settings would mistakenly not get transferred into the newly created project. (Ticket #212987)
  • Bug fix: When using the Custom Record Label on a multi-arm longitudinal project, if an "ad hoc" calendar event is created and is attached to a specific record, the Custom Record Label might mistakenly not be displayed when viewing the calendar event in the calendar popup window. (Ticket #23367b)
  • Bug fix: When adding a new instrument in a MyCap-enabled project, the Online Designer page might mistakenly crash with a fatal PHP error when using PHP 8. (Ticket #213817)
  • Bug fix: When enabling Mosio SMS Services on a project, it would mistakenly allow users to enter a Mosio API Key that is already being used by another REDCap project. This should not be allowed. It will now prevent a user from entering a Mosio API Key if that key is already being used by another project. Additionally, if two projects already are using the same Mosio API Key before upgrading to this REDCap version, the Mosio configuration popup will auto-disable the SMS Conversation option to prevent both projects from using the same Mosio API Key, which could cause issues specifically when using the "Initiate survey as SMS conversation" option. (Ticket #213376)
  • Bug fix: An error was thrown during the deserialization of CDIS messages. The issue was caused by the DateTime class not being included in the list of allowed classes for deserialization.
  • Bug fix: When using Multi-Language Management, branching logic based on a field set by the action tags LANGUAGE-CURRENT-FORM/-SURVEY would mistakenly not work when the field is a text box field.
  • Bug fix: REDCap's internal function for copying files would mistakenly fail to copy files when using Google Cloud Storage as the file storage system. (Ticket #213946)
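
Added example (not REDCap source code) for the two DateTime deserialization fixes above, the CDIS message fix in this version and the "Break the Glass" fix in 13.10.1: it shows how PHP's unserialize() "allowed_classes" option treats a class that is missing from the list, and why listing the one needed class is preferable to allowing every class. The function restorePatientList(), the class Unexpected and the sample payloads are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not REDCap source code. restorePatientList() and
// Unexpected are hypothetical names; all payloads are constructed samples.

// Stand-in for any class the application never meant to accept from stored data.
final class Unexpected
{
    public static int $wakeups = 0;

    // Magic method that PHP runs only when the object is really instantiated.
    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

/**
 * Restore a serialized list whose entries carry a DateTime under 'queued_at'.
 * Objects of any class not in $allowedClasses are not instantiated; PHP hands
 * back __PHP_Incomplete_Class placeholders instead, so the result is validated
 * before anything calls a method on it.
 */
function restorePatientList(string $blob, array $allowedClasses): array
{
    $data = unserialize($blob, ['allowed_classes' => $allowedClasses]);
    if (!is_array($data)) {
        throw new UnexpectedValueException('payload is not a list');
    }
    foreach ($data as $i => $entry) {
        $when = is_array($entry) ? ($entry['queued_at'] ?? null) : null;
        if (!$when instanceof DateTimeInterface) {
            $got = is_object($when) ? get_class($when) : gettype($when);
            throw new UnexpectedValueException(
                "entry $i: queued_at is $got, expected DateTime"
            );
        }
    }
    return $data;
}

// Constructed sample: one list entry with a DateTime value.
$blob = serialize([
    [
        'mrn'       => 'TEST-0001',
        'queued_at' => new DateTime('2023-09-01 10:00:00', new DateTimeZone('UTC')),
    ],
]);

// Case 1: the allowlist omits DateTime (the situation the bug fixes describe).
// The DateTime comes back as a placeholder and the validation rejects it.
try {
    restorePatientList($blob, [stdClass::class]);
} catch (UnexpectedValueException $e) {
    echo 'DateTime not listed: ', $e->getMessage(), "\n";
}

// Case 2: DateTime is listed, so the entry is restored as a usable object.
$list = restorePatientList($blob, [DateTime::class]);
echo 'DateTime listed: ', $list[0]['queued_at']->format(DATE_ATOM), "\n";

// Case 3: why the fix is "add DateTime" and not "allow everything".
// The same narrow allowlist leaves an unexpected class inert ...
$mixed = serialize([
    'note' => new Unexpected(),
    'when' => new DateTime('2023-09-01 10:00:00', new DateTimeZone('UTC')),
]);
$out = unserialize($mixed, ['allowed_classes' => [DateTime::class]]);
echo 'narrow allowlist: note is ', get_class($out['note']),
     ', __wakeup calls = ', Unexpected::$wakeups, "\n";

// ... while allowed_classes => true instantiates it and runs its magic method.
unserialize($mixed, ['allowed_classes' => true]);
echo 'allowed_classes=true: __wakeup calls = ', Unexpected::$wakeups, "\n";
```

The example needs PHP 7.4 or later because of the typed static property.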

Version 13.9.3 (released on 2023-08-31)

CHANGES IN THIS VERSION:

  • Minor security fix: A DOM-based Cross-site Scripting (XSS) vulnerability was discovered on all project-level pages that could possibly be exploited if a malicious user is able to manipulate the JavaScript "location" interface/variable in specific ways.
  • New action tag: @MC-PARTICIPANT-CODE - This action tag is a MyCap annotation that can be used with Text fields. When using this action tag on a field, the field will capture the MyCap participant’s participant code whenever they join a project via the MyCap mobile app. NOTE: This is used only for the MyCap mobile app. The field’s value is not generated when viewing the data entry form but only when the MyCap app is making a call to REDCap when the participant joins the project. Additionally, while this action tag can be added to a new field in already-existing MyCap projects, a field with this action tag will be auto-added to any projects where MyCap is enabled in the project after the fact and for any new projects created using the MyCap project template.
  • Improvement: When viewing the Survey Access Code dialog on the Public Survey Link page, users may now click a button to copy the QR code to their clipboard. Additionally, users may now click the QR code to download it or click a link below the QR code to download it in the higher resolution SVG format, if desired.
  • Bug fix: When pulling data from an EHR system via CDIS, date filters were not being correctly applied when fetching temporal data. (Ticket #212894)
  • Bug fix: FHIR stats were mistakenly counted in DDP (Dynamic Data Pull) projects when using CDP (Clinical Data Pull) auto-adjudication.
  • Bug fix: When using Table-based authentication and a user has somehow been granted access to a project and added to a user role (e.g., via user role CSV upload) despite the fact that the username does not exist as a real user account in the system, it would be impossible to remove the user from their role, to re-assign them to another role, or ultimately to remove them from the project. (Ticket #207764)
  • Bug fix: When viewing the Online Designer in a MyCap-enabled project, the "Enable" button for enabling MyCap for a given data collection instrument would mistakenly be disabled, thus preventing users from enabling the instrument as a MyCap task, if the instrument's first field was part of a matrix of fields. (Ticket #213075)
  • Bug fix: When viewing the Stats & Charts page for a given report and clicking the "Missing" link to view a list of missing values, it might mistakenly display many false positives of repeating instances that do not really exist in the data. (Ticket #211913)
  • Bug fix: When clicking the "Enable color-blind accessibility" displayed below a pie or donut Smart Chart on a data entry form or survey page, it would send the user/participant to a non-existent page, thus resulting in a 404 error. (Ticket #211920)
  • Bug fix: When using “Azure AD OAuth2 & Table-based” authentication together with Duo two-factor authentication (2FA), after a user successfully logs in via Table-based authentication, they would mistakenly not be redirected to the Duo OAuth2 page for two-factor authentication. (Ticket #211697)
  • Bug fix: When using the Azure Communication Services Email API, the email functionality would fail to work if the Services Endpoint value did not end with a slash ("/").
  • Bug fix: When using Multi-Language Management, the text "(Place a mark on the scale above)" that is displayed below Slider fields was mistakenly not translatable via MLM. It has now been added.

Version 13.9.2 (released on 2023-08-25)

CHANGES IN THIS VERSION:

  • Major bug fix: If a repeating Automated Survey Invitation has been enabled in a project in which one or more records have triggered the ASI initially, if the ASI was then disabled for a certain amount of time and then re-enabled later, after which a user or participant triggered an ASI in any project in which the ASI is set to send immediately, it would mistakenly cause the repeating ASI in the original project to send/schedule hundreds or thousands of invitations for each record that was originally triggered in that original project. This issue was caused by the invitation-sending function being called recursively when an individual record triggers an ASI. (Ticket #210378)
  • Change/improvement: When executing Data Quality rules, the Logging page now lists the specific DQ rule by name that was executed in the logged event, whereas previous versions merely stated "Execute data quality rule(s)" generically in the Logging. (Ticket #207900)
  • Change/improvement: If a longitudinal project contains one or more records, and a user moves a field to a different instrument via the Online Designer, a warning will be displayed saying that moving fields to other instruments might potentially cause the orphaning of data, in which it tells the user to double-check their instrument-event mappings to ensure that no orphaning/data loss has occurred. And if it has, it tells the user that they can move the field back to its original instrument to restore any orphaned data. (Ticket #211829)
  • Bug fix: In certain instances, the "Download PDF of instrument(s) via browser's Save as PDF" feature may mistakenly not show all the text for Notes Box fields in the resulting PDF if the Notes Box fields contain a lot of text. (Ticket #211228)
  • Bug fix: The feature to compare data dictionaries/revisions on the Project Revision History page might produce unexpected results in which the comparison does not display the correct results. (Ticket #208391)
  • Bug fix: Descriptive Text fields would mistakenly not be returned when a user searches for fields via the Field Finder on the Codebook page. (Ticket #212763)
  • Bug fix: After modifying the schedule of an existing record on the Scheduling page, the logged events of schedule modifications would correctly appear on the Logging page by default, but some of the schedule-related logged events would not appear on the Logging page when using the "Filter by record" option for that specific record. Note: This will be fixed for all schedule modifications going forward, but all existing logged events for schedule modifications cannot be fixed retroactively. (Ticket #208481)
  • Bug fix: When calling the API Export Records method to retrieve data in "odm" format from a project that contains data for repeating events, if the "fields" parameter is provided in the API call and does not contain any field utilized on a repeating event, the resulting XML might mistakenly be malformed and not structured correctly. (Ticket #208787)
  • Bug fix: Administrators that have "Perform REDCap Upgrades" privileges would receive an error message when attempting to use the Easy Upgrade feature if they did not also have some other admin privileges. This has been fixed so that only "Perform REDCap Upgrades" privileges are needed to perform an upgrade. (Ticket #211957)
  • Bug fix: When using the @DOWNLOAD-COUNT action tag in which the field being referenced by the action tag exists on the same page, if users or participants download the file using their browser's right-click "Save as" option (as opposed to directly clicking it), it would mistakenly not register as a download to be incremented for the count field on the page. Although the server-side call to download the file via "Save as" would increment the counter field's value on the back-end, the front-end value would now be out of sync. There's no way to change the counter on the page from being temporarily out of sync, but REDCap will now auto-fix the value after the form/survey is submitted in order to reconcile the true count value and save it to the counter field. In summary, this fix should ensure that the counter field's value is correct whether or not someone downloads the file with a normal click or via the right-click "Save as" option.
  • Bug fix: When modifying any of the drop-down fields in the Survey Design Options section of the Survey Settings page for a given instrument, it would cause the Cancel button at the top or bottom of the page to no longer work unless clicked many times. (Ticket #211204)
  • Bug fix: Several files located in the /redcap/webtools2/pdf/ subdirectories are no longer compatible with PHP 8.2.0 and higher. In addition to fixing the compatibility issues with PHP 8.2, all the files in /redcap/webtools2/pdf/ have now been incorporated directly into the REDCap version directory so that they can be kept up to date on an ongoing basis with future versions of PHP. (Ticket #211377)
  • Bug fix: If the File Storage method for REDCap is set to "Google Cloud Storage using API Service Account", downloading the Instrument Zip file of an instrument that is enabled as a survey and contains a survey logo would mistakenly fail due to a fatal PHP error. (Ticket #212967)
  • Bug fix: When entering a non-URL value (e.g., field variables, Smart Variables) into the "Embed an external video" text box while editing a Descriptive Text field in the Online Designer, it would mistakenly prepend "http://" to the beginning of the value entered.
  • Bug fix: Public reports and public project dashboards might not display optimally when viewed on mobile devices, such as images appearing too large or the report table going outside of its parent box.
  • Bug fix: In certain situations, the Background Data Import feature might mistakenly cause the cron job to fail with a fatal PHP error when running PHP 8. (Ticket #213086)

Version 13.9.1 (released on 2023-08-18)

CHANGES IN THIS VERSION:

  • Bug fix: When using the Designate Instruments page in a longitudinal project while running PHP 8, editing the event grid may result in an error message, preventing the edits from being saved. This issue was supposedly fixed in a previous issue but mistakenly was not. (Ticket #212677)

Version 13.9.0 (released on 2023-08-17)

CHANGES IN THIS VERSION:

  • New text string functions
    • replace_text (haystack, search, replace) - Replaces parts of a text value with a specified replacement text value - Finds text ("search") inside another text ("haystack") and replaces all found occurrences with the given text ("replace"). For example, assuming [field1] has a value of "Paul Taylor, Rob Taylor", replace_text([field1], "Taylor", "Harris") would result in "Paul Harris, Rob Harris". Note: This function performs a case-sensitive replacement. Additionally, you can search for line breaks (e.g. in Notes fields) with "\n".
    • concat_ws (separator, text, text, ...) - Joins the text from multiple text strings with a separator - This works exactly like concat but inserts the separator in between each concatenated item. For example, concat_ws(" and ", [veggie1], [veggie2], "Tomatoes") might result in "Peas and Carrots and Tomatoes".
  • New math functions
    • mod (dividend,divisor) - Modulo - Returns the remainder of the (integer) division (modulo) dividend/divisor. Both values must be integers. E.g. mod(10,4) will result in 2 because 2 is the remainder of 10 divided by 4.
    • exponential (number) - Exponential of e - Returns "e" (Euler's Number) raised to the power of a number: e^x. Note: The value of the exponent x must be a number. E.g. exponential(1) will return 2.718281828459045.
  • New feature: Azure Communications Email API Integration
    • As an alternative for sending outgoing emails from REDCap (rather than using the standard settings in PHP.INI to send them natively from the web server), you may use Azure Communications Email API, which is a third-party paid service that can send emails on behalf of REDCap.
    • The option can be configured on the General Configuration page in the Control Center. You merely have to provide the API key and services endpoint for your Azure Communications account, and it will begin using the Azure Communications Email API to send all emails going out of REDCap. Note: This email service must be used together with REDCap’s Universal “From” Address (located on the General Configuration page) using an authorized sender address in one’s Azure account.
    • Limitations: Due to limitations in the implementation of this API by Microsoft/Azure, this email-sending method is not able to display inline images in the body of emails, but any inline images will instead be represented as regular attachments. Additionally, the true sender’s email address and display name are not able to be displayed to the recipient in their email client, thus the recipient will only see the REDCap Universal 'From' Address as the sender with no corresponding display name.
  • Improvement: The full file name of a file uploaded to a File Upload field will be displayed when a user hovers over the file download link. This is helpful when the file name is very long and is thus not displayed in full on the page. (Ticket #93790)
  • Improvement: CDIS now has the ability to check the system capabilities of a FHIR conformance statement retrieved from a FHIR server. Based on the capabilities mentioned in the conformance statement, REDCap will dynamically disable any FHIR resources that are not available. Without this new check, users might not be aware of the resource availability on a particular FHIR system, and they could inadvertently select resources that are not supported, which could result in errors when attempting to fetch these unsupported FHIR resources.
  • Change/improvement: When performing a bulk import of new Table-based users via CSV file in the Control Center, the CSV file will now use the user’s preferred CSV delimiter as specified on their Profile page. In previous versions, the page only accepted comma-delimited CSV files.
  • Change/improvement: When using Multi-Language Management and exporting CSV files of the MLM translations, a byte-order mark (BOM) is now added to all CSV files to allow them to be opened successfully in Excel.
  • Bug fix: When using the EHR launch window for Clinical Data Pull, the REDCap page embedded in the EHR might mistakenly not display any CDP projects for the user for the relevant patient. (Ticket #211654)
  • Bug fix: When using CDIS, while REDCap is processing a bundle of FHIR resources, a PHP warning could be thrown if the FHIR bundle has no entries.
  • Bug fix: In certain places throughout REDCap, the rich text editor might mistakenly display the "Insert/edit media" button on the editor toolbar. This was added unintentionally, and in most (if not all) cases, attempting to add media using that button would not be successful. That media button has now been removed from the editor. (Ticket #211132)
  • Bug fix: Certain pages in REDCap were mistakenly no longer compatible with iPads/Mobile Safari. Bug emerged in REDCap 13.8.3. (Ticket #202806d)
  • Bug fix: When using the Designate Instruments page in a longitudinal project while running PHP 8, editing the event grid may result in an error message, preventing the edits from being saved. (Ticket #211983, #211837)
  • Various updates and fixes for the External Modules Framework, including preventing deleted, completed, and in-analysis projects from appearing in module setting dropdowns.
  • Bug fix: When using Multi-Language Management, the MLM page in the Control Center might mistakenly not export the MLM usage stats in a way that the file can be opened successfully in Excel. (Ticket #211875)
  • Bug fix: For certain server configurations, Send-It might cause some files to be corrupted when downloaded by the recipient. (Ticket #212072, #208036)
  • Bug fix: When a user is running Data Quality rule A or B, it might mistakenly return checkbox fields as discrepancies. As noted by the single asterisk at the bottom of the Data Quality page, rules A and B note that "checkbox fields are also excluded since an unchecked checkbox is itself often considered to be a real value." (Ticket #212048)
  • Bug fix: When performing an API Metadata Import, a data dictionary snapshot would mistakenly be taken after the new metadata was saved via the API call when instead the snapshot should be taken immediately beforehand during this metadata import process.
  • Bug fix: In certain edge cases that involve the Records::getRecordList() method being called by a REDCap plugin, a fatal PHP error might occur when using PHP 8 if the "pid" parameter does not exist in the current URL but has been set as $_GET['pid'] manually by the plugin itself. (Ticket #212232)
  • Bug fix: If a checkbox field contains a choice coding that contains a period, in which there exists another choice coding with the same value if the period is excluded (e.g., "2" vs "2."), those two choices would get mistakenly conflated as the same import/export version of the checkbox variable name, which could cause issues with data exports and reports not displaying correctly. From now on, any periods existing in a checkbox coding will be converted to an underscore in the resulting import/export variable name, whereas in previous versions the period was removed completely from the variable name. (Ticket #211904)
  • Bug fix: In certain situations, the Background Data Import feature might mistakenly cause the cron job to fail with a fatal PHP error when running PHP 8. (Ticket #212276)
  • Bug fix: When importing a missing data code for a field that has a min/max validation range, the data import process would mistakenly return an error saying that the missing data code value was out of range. Instead, it should allow the missing data code value to be imported. (Ticket #211903)
  • Bug fix: Using the function isblankormissingcode() in a calculation for non-numeric missing data codes might mistakenly cause the server-side rendering of the calculation (e.g. Data Quality rule H) to return an incorrect value. (Ticket #212145, #212178)
  • Bug fix: If a field has the @CALCTEXT action tag and also has date/datetime validation, server-side processing of the calculation (e.g., Data Quality rule H) might mistakenly fail to save a new/correct value for the @CALCTEXT field. (Ticket #211780)
  • Bug fixes and changes for CDIS: A patient’s address might not be parsed correctly in the FHIR payload, and PHP 8 related errors were occurring when pulling Observations data.
  • Bug fix: When exporting a PDF of an instrument containing data via the API, the Logging page would mistakenly display the project ID in place of the record name in the Action column of the Logging table for this logged event. This will be fixed so that it will resolve this issue for both past logged events and future logged events. (Ticket #212245)
  • Bug fix: Some folders in the File Repository might mistakenly not display due to a DataTables error caused by the JSON-encoding of mangled UTF-8 characters in the descriptions and attributes of the files being displayed in the file list. (Ticket #208637)
  • Bug fix: If a Notes field is embedded inside a checkbox field's choice label on a survey that has "enhanced radio buttons and checkboxes" enabled, the checkbox choice would mistakenly get unchecked whenever the participant clicked or focused their cursor on the Notes field. Note: This does not affect embedded Text fields but only Notes fields. (Ticket #210763)
  • Bug fix: If the query of a Dynamic SQL field begins with "select" followed immediately by a line break or carriage return (as opposed to a space), the Dynamic SQL field would not return any results and would not display any drop-down options. (Ticket #212474)
  • Bug fix: If using an HTML "style" tag inside user-defined text (e.g., field label, survey instructions), the CSS styles inside the tags might mistakenly not work on the page if line breaks or carriage returns occur anywhere inside the opening and closing style tag. (Ticket #211394)
  • Bug fix: When using an [aggregate-X] smart variable in a calculation or CALCTEXT field, depending on the context the calculated value might not always get saved successfully, and additionally the Logic Editor might note the calculation to have errors when it in fact does not. (Ticket #211063)

Version 13.8.5 (released on 2023-08-03)

CHANGES IN THIS VERSION:

  • Improvement: New background process that will help prune abandoned/zombie database processes (e.g., long-running queries that continue running on the database after a user has left the page on which the query is being run) that might decrease the overall performance of the database server. This process is performed every couple minutes by a cron job. This may or may not result in a noticeable database performance improvement.
  • New action tag: @MC-PARTICIPANT-JOINDATE - This action tag is a MyCap annotation that can be used with Text fields with date/time validation. When using this action tag on a field, the field will capture the install date/time of the MyCap participant whenever the participant joins a project via the MyCap mobile app. NOTE: This is used only for the MyCap mobile app. The field’s value is not generated when viewing the data entry form but only when the MyCap app is making a call to REDCap when the participant joins the project. Additionally, while this action tag can be added to a new field in already-existing MyCap projects, a field with this action tag will be auto-added to any projects where MyCap is enabled in the project after the fact and for any new projects created using the MyCap project template.
  • Improvement: The Data Import Tool page now provides options in Step 1 to download the Data Import Template with alternative delimiters, such as tabs and semicolons.
  • Change/improvement: The favicon was updated to a higher resolution image.
  • Change/improvement: The Send-It page now checks the filesize of the file before the user attempts to upload it in order to ensure the file is not larger than the max allowed size. In previous versions, its filesize would only be checked after it had been uploaded.
  • Change/improvement: Better memory management for some CDIS-related cron jobs.
  • Bug fix: If a user has created a File Repository folder that is Data Access Group restricted or User Role restricted, and then a user deletes the DAG or User Role to which the folder is restricted, the folder would mistakenly be deleted, after which all of the files in the folder would be automatically moved into the main top-level folder in the File Repository. This has now been changed so that if a folder is restricted to a User Role, the folder will no longer be deleted when the User Role is deleted, but the folder and its files will remain as not restricted to any role. And if the folder is restricted to a DAG, users will simply be unable to delete the DAG until all its DAG-restricted folders are deleted first. (Ticket #210829)
  • Bug fix: If a user is utilizing the "Upload users (CSV)" method to update user privileges on the User Rights page, in which a user is being assigned to a Data Access Group or is being removed from a DAG, the upload process would mistakenly not log the DAG assignment/removal on the Logging page. (Ticket #210831)
  • Bug fix: If a longitudinal project is in production, a normal user with Project Design privileges on the "Designate Instruments for My Events" page could possibly remove an Instrument-Event mapping (i.e., uncheck a disabled checkbox in the mappings table), which they are not allowed to do to projects in production, if they know how to manipulate the webpage in specific ways and then click the Save button.
  • Bug fix: When using the Calendar Sync feature, calendar events that do not have a time specified (but only a date) might reflect an incorrect start time and end time in some external calendar applications. (Ticket #211137)
  • Bug fix: When using an HTML5 video tag in user input text (e.g., field labels, survey instructions), in which the tag contains the "controls" attribute, the attribute would mistakenly be renamed to "cremoved" in the resulting HTML. (Ticket #211141)
  • Bug fix: For CDIS, fixed issues related to properly handling the absence of a valid FHIR access token, such as FHIR logs being saved with a “wrong format” error and also scenarios where the absence of a user ID caused unexpected behavior.
  • Bug fix: When using Multi-Language Management and exporting general settings as a file, the data entry form and survey active states would mistakenly be swapped in the export file. (Ticket #211172)
  • Various fixes and changes for the External Module Framework, including 1) miscellaneous security scan improvements, and 2) action tag documentation may now be added to an EM’s config.json for display in the list of action tags available on a project.
  • Bug fix: When a user is using the User Access Dashboard to delete or expire a user's access in a project, in some cases the action would mistakenly not get logged on the project's Logging page (although the action would be logged in the redcap_log_event database table, which might not be used by the project, thus making the logged event not accessible on the project's Logging page).
  • Bug fix: When using Missing Data Codes in a project, in which a Text field with field validation has the @NOMISSING action tag, users would be able to manually hand-enter Missing Data Codes into the Text field, even though the value entered failed the field validation.
  • Bug fix: When performing a data import that contains blank values for a Slider field, in which the import is set to allow blank values to overwrite existing saved values, the import process would mistakenly return an error message saying that the value must be an integer. It should instead not return any error message in this situation. (Ticket #211075)
  • Bug fix: When a user has an apostrophe in their username, and the user goes to create a new project, they may not be able to access the project they just created. (Ticket #210832)
  • Bug fix: The act of creating or editing an alert on the Alerts & Notifications page would get logged on the Logging page. However, the Logging page would represent the alert's "trigger_on_instrument_save_status" attribute incorrectly, displaying "any_status" when the alert is set to be triggered when an instrument is saved with Complete status only and as "complete_status_only" when set to be triggered on any form status. Note: The alert itself would be saved correctly, but the logged event for creating/editing the alert would merely be inaccurate. (Ticket #210832)
  • Bug fix: In some cases when an external module is being used, a fatal PHP error might occur for certain PHP versions. (Ticket #211611)
  • Bug fix: When a field variable is being piped or used in logic, and the field is prepended with the Smart Variable [first-event-name] or [last-event-name], in which the current context is a different instrument on which the field itself is located, the event field pair might result in a blank value or an incorrect value. (Ticket #210930)

Version 13.8.4 (released on 2023-07-28)

CHANGES IN THIS VERSION:

  • Bug fix: When using Twilio, it would mistakenly not send SMS messages to U.S. phone numbers with a 934 area code. (Ticket #90686b)
  • Bug fix: If the system-level setting "ENABLE FILE UPLOADING FOR THE FILE REPOSITORY MODULE" is set to "disabled", users would still be able to upload files into the File Repository in any project. Bug emerged in REDCap 13.1.0. (Ticket #210765)
  • Bug fix: The documentation for using reports as filters in Smart Charts, Smart Tables, or Smart Functions was confusing and has been updated for clarity. It notes now that when referencing a unique report name in Smart Charts, Smart Tables, or Smart Functions, no other filtering parameters can be used (e.g., DAGs, events) with the report filter and thus any other filters will be ignored. If users wish to additionally filter by DAGs and/or events, it is recommended that they add such filtering to the report itself by editing the report. The wizard on the Project Dashboard page has also been updated to reflect this.
  • Bug fix: When using the @WORDLIMIT or @CHARLIMIT action tag on a Text field, the first field on the page that uses either action tag might have its "X words remaining" label or "X characters remaining" label, respectively, duplicated multiple times below the field itself. (Ticket #208658)
  • Bug fix: The example Perl code in the API Playground for making Curl calls was outdated and would not run successfully for some users.
  • Bug fix: When using MyCap in a project, a blank Menu might be displayed for participants when using the MyCap mobile app, specifically for iOS devices.

Version 13.8.3 (released on 2023-07-21)

CHANGES IN THIS VERSION:

  • Major bug fix: When a user has File Repository user privileges in a project with the e-Consent Framework enabled on one or more instruments, the user would mistakenly be able to download the e-Consent PDF files stored in the PDF Survey Archive folder in the File Repository, even when the user does not explicitly have "Full Data Set" data export rights for the given instrument. In order to download the e-Consent PDFs, the user should have "Full Data Set" data export rights for the given instrument. (Ticket #210214)
  • Bug fix: Some MyCap-related pages that deal with PROMIS instruments (auto-scoring and adaptive) might mistakenly crash due to a fatal PHP error when using PHP 8.
  • Bug fix: If the Online Designer displays an error icon next to a MyCap-enabled instrument, it would allow the user to click the icon and attempt to fix the errors when the project is in production mode; however, it would fail to fix them and just re-display the error. Instead, it will now inform the user that errors exist but that they must put the project in draft mode first before they can fix the errors. (Ticket #210179)
  • Bug fix: When using Duo two-factor authentication, if the system is set to "Offline", it would mistakenly prevent administrators from successfully logging in via Duo 2FA. (Ticket #202197)
  • Bug fix: When a user is updating a language on the Multi-Language Management setup page, some import settings, such as the "Keep existing translations" option, would mistakenly not be honored during the language update process. (Ticket #210395)
  • Bug fix: When attempting to upload a CSV data file via the Data Import Tool using the background import process, in which the CSV headers (i.e., variable names) in the data file are wrapped in quotes, REDCap would mistakenly return an error message saying that the headers are not formatted correctly. (Ticket #210299)
  • Bug fix: In longitudinal projects with multiple arms, certain actions (such as deleting a record, renaming a record, and others) would mistakenly execute SQL queries that were not structured correctly and thus might make the database server unnecessarily slow due to long query times.
  • Bug fix: The Scheduling page would mistakenly never display the record drop-down list. Bug emerged in the previous release: 13.8.2. (Ticket #210446)
  • Bug fix: When using certain action tags on a field where the value on the right side of the equal sign in the action tag definition is not wrapped in single quotes or double quotes and additionally other annotation text follows after the action tag in the Field Annotation text (e.g. @CHARLIMIT=8 More text here), the action tag might not be interpreted successfully and thus might not get enforced. (Ticket #210175)
  • Bug fix: If a survey is using a system-level theme or a user-saved custom theme, the theme colors would mistakenly not get preserved in the Project XML file if a user exports the Project XML file and then creates a new project with it. (Ticket #210371)
  • Bug fix: When using the Data Resolution Workflow feature, if a user executes Data Quality rule H, fields that have been marked as "Verified data value" would mistakenly appear in the list of discrepancies (they should not appear there by default) and would not appear as "verified" in the DQ popup. (Ticket #209447)
  • Bug fix: Using an [X-event-name] Smart Variable in combination with an [X-instance] Smart Variable in logic, calculations, or piping might cause the evaluation of the logic/calc/piping not to be performed successfully. (Ticket #208887)
  • Bug fix: When using the Clinical Data Pull, the EHR Launch process might mistakenly fail. (Ticket #210523)
  • Bug fix: The CDIS messaging feature might mistakenly display the phrase “invalid date” where the date/time of the message should be.

Version 13.8.2 (released on 2023-07-14)

CHANGES IN THIS VERSION:

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in the File Repository in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the filename of an uploaded file. The user must be logged in to REDCap and also must have File Repository privileges in the project in order to exploit this. (Ticket #210134)
  • Bug fix: When an instrument has an embedded field that is immediately followed by a piped field or by another embedded field (with no space between them), the field/value might mistakenly not be rendered in the exported PDF of that instrument. (Ticket #210165)
  • Change: In longitudinal projects with Scheduling enabled, the "View or Edit Schedule" page will no longer render the record drop-down list of already-scheduled records on the page if the drop-down would contain more than 10,000 options. This is to prevent the page from becoming very slow for projects that contain lots of records that have been scheduled already. Users will still be able to view the schedule of individual records on the page though.
  • Bug fix: A fatal PHP error might occur related to specific CDIS processes.
  • Bug fix: A fatal PHP error might occur related to CDIS when performing the Standalone launch inside REDCap. (Ticket #209840)
  • Bug fix: When viewing the PDF Survey Archive files for the e-Consent Framework in the File Repository, if the system-level e-Consent setting "Capture the IP address..." is set to "Do NOT capture IP address", the table header in the File Repository would mistakenly say "IP Address" instead of "Identifier (Name, DOB)". (Ticket #209302)
  • Bug fix: When using the Control Center page to update the database tables to support full Unicode, in some situations the resulting SQL might mistakenly contain a double comma, which would result in SQL errors and prevent the process from completing successfully. (Ticket #209856)
  • Bug fix: When using Multi-Language Management and using the Right to Left (RTL) setting when there are multiple choice fields with horizontal alignment, the choices might not always display correctly. (Ticket #209612)
  • Bug fix: In certain scenarios, the Background Data Import cron job might mistakenly crash without finishing. (Ticket #209911)
  • Bug fix: In certain scenarios when selecting to use the background process for the Data Import Tool, it might not allow the user to upload a CSV data file because it mistakenly thinks that the last field variable in the CSV file is not a real field name. (Ticket #209823)
  • Bug fix: When taking a survey while using a mobile device, the page would auto-scroll unnecessarily after completing a multiple choice field that has one or more visible fields embedded inside it. In this case, the page should not auto-scroll when the field contains embedded fields. (Ticket #208523)
  • Bug fix: When a user selects the option "Remove all date and datetime fields" when exporting data, or if that option is automatically imposed upon the user due to having De-Identified data export rights, survey completion timestamp fields would mistakenly not be removed from the resulting data export file. (Ticket #208758)
  • Bug fix: When a project is in Analysis/Cleanup status and the current user does not have Project Design & Setup privileges, the Project Home page and Project Setup page would mistakenly display a "Modify" button in the yellow section at the top of the page describing if users can modify records or not. This button should only be displayed for users with Design rights. Clicking the button would not actually change anything though, so this issue is more of an aesthetic issue that could cause confusion. (Ticket #107257)
  • Bug fix: If an unclosed HTML comment (i.e., "<!--" without quotes) exists in user-defined text that is displayed on the page (e.g., field label, survey instructions, a piped value from a Text field), it would mistakenly cause the page content to be truncated, thus preventing the user from seeing any of the page after where the text is located. (Ticket #207897)
  • Bug fix: A missing LOINC code was added to the CDIS mapping features.
  • Bug fix: If the URL of another REDCap server exists in user-defined text that is displayed on the page (e.g., field label, survey instructions, a piped value from a Text field), the REDCap version number in the URL would mistakenly be replaced with the REDCap version number of the current server. It should never replace the REDCap version number in any URLs unless the URL corresponds to the current REDCap server. (Ticket #208528)
  • Bug fix: When using Twilio or Mosio for a survey implemented as an SMS conversation, Yes/No fields and True/False fields would not have their field labels rendered correctly in the conversation. Instead of their field label, it would display "No" or "False", respectively. (Ticket #209624)
  • Bug fix/change: The @DOWNLOAD-COUNT action tag documentation has been updated for clarity to explain that if a field with @DOWNLOAD-COUNT also utilizes @INLINE or @INLINE-PREVIEW and displays an inline PDF that has been uploaded, if a user downloads the file via the inline PDF controls (which are generated by the browser and not by REDCap), the download will not get properly counted via @DOWNLOAD-COUNT. This is to clarify that @DOWNLOAD-COUNT only works when users/participants click the file download link on the page. (Ticket #208354)
  • Bug fix: If an administrator does not specifically have "Modify system configuration pages" admin rights, the date field on the Cron Jobs page in the Control Center would mistakenly be disabled.
  • Bug fix: If an inline image was added to text on an instrument via the rich text editor and then the project was later copied, the image would display correctly on the data entry form in the project copy, but it would mistakenly not display when viewing the instrument as a survey in the project copy.
  • Bug fix: In certain scenarios, a couple fatal PHP errors might occur on survey pages when using PHP 8. (Ticket #210196)

Version 13.8.1 (released on 2023-07-07)

CHANGES IN THIS VERSION:

  • Bug fix: On certain occasions, the Control Center and/or Configuration Check page might mistakenly display the warning that "Some non-versioned files are outdated", which might be incorrect and a false positive.
  • Bug fix: A fatal PHP error might occur when using Duo for two-factor authentication.
  • Bug fix: A fatal PHP error might occur when attempting to send emails via the Email Users page, thus preventing the emails from being sent.
  • Bug fix: A fatal PHP error might occur related to CDIS when performing the EHR launch of the REDCap window inside the EHR user interface.

Version 13.8.0 (released on 2023-07-07)

CHANGES IN THIS VERSION:

  • New feature: Background Data Import
    • In the Data Import Tool, users may now alternatively import data using an asynchronous background process (as opposed to the existing real-time process). The background process is better for large data files. The background process will email the user after the data file has been fully imported, and the email will note any errors that may have occurred during the import process.
    • During the background data import process, which is performed by several simultaneous cron jobs, each record will be imported one at a time. If there is any error with a record being imported, none of that individual record’s data will be imported, after which the user will be able to view all the errors with the option to re-download the records/data that failed to import, thus allowing the user to fix the data and attempt to import it again.
    • Note: The background data import works with the “Reason for Change” project-level feature, which requires a reason for any changes made to an existing record.
    • The feature is currently only available in the user interface (not in the API), but it may be available for the API in the future.
    • If the background data import has begun, the user who initiated the import (or an administrator) can cancel the import process at any time. However, any data that was imported by the import process prior to it being canceled will not be undone after it is canceled. All changes made by the process up until cancellation are permanent.
  • Critical security fix: A Blind SQL Injection vulnerability was found on data entry forms and survey pages, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. This bug affects all known REDCap versions.
  • Critical security fix: A PHP Deserialization Remote Code Execution vulnerability was found in which a malicious user who is logged in could potentially exploit it by manipulating an HTTP request to a specific CDIS-related page while manipulating a certain CDIS-related cookie in a specific way. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists in REDCap 13.0.1 and higher.
  • Critical security fix: A Blind SQL Injection vulnerability was found when calling certain API methods, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by entering specially-crafted data into a Text field, changing the field to a File Upload field, and then calling the Delete File or Import File API method. This bug affects all known REDCap versions.
  • Major security fix: An SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks.
  • Major security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way on many pages that output user-defined text onto a REDCap webpage. This bug affects all versions of REDCap.
  • Bug fix: After unsuspending a user on the Browse Users page on the "View User List By Criteria" tab, the "Display only X users" drop-down would mistakenly get reset. (Ticket #208937)
  • Bug fix: A new Clinical Data Mart background process would not be scheduled if the current one was taking too long to complete.
  • Bug fix: PHP 8 related fix for the Data Import Tool. (Ticket #208086)
  • Bug fix: When using Multi-Language Management with the e-Consent Framework, some text on the e-Consent confirmation screen at the end of the survey was mistakenly not translatable.
  • Bug fix: When using Multi-Language Management, the language switcher and globe menu would not work on survey return pages when the survey is set up to show a logo and the option to "Hide survey title on survey page when display logo" is turned on. (Ticket #208961)
  • Bug fix: When using Multi-Language Management on a survey where Google reCAPTCHA is enabled, the Google reCAPTCHA text would mistakenly not be translatable. (Ticket #208797)
  • Bug fix: PHP 8 related issue on certain MyCap pages in a project. (Ticket #208688)
  • Various fixes and changes for the External Module Framework, including 1) Documented sanitizeFieldName() method, and 2) Miscellaneous security scan & documentation improvements.
  • Bug fix: In some situations, the survey page might mistakenly throw a fatal PHP error for PHP 8. (Ticket #208147)

Version 13.7.2 (released on 2023-06-23)

CHANGES IN THIS VERSION:

  • Change: When performing a fresh installation of REDCap, the initial version will be included in the redcap_history_version database table. (Ticket #208590)
  • Bug fix: When using Multi-Language Management, when uploading a file on the MLM setup page to import translations into an existing language, the merging from file would mistakenly not be performed.
  • Bug fix: The "Design Checker" for the Clinical Data Mart might mistakenly fail with an error when attempting to fix the structure of a CDM project. (Ticket #207348)
  • Bug fix: PHP 8 related fixes for CDIS functionality.
  • Bug fix: When exporting a Project Dashboard as a PDF, some parts of the page that should not be included in the PDF were included.
  • Bug fix: More compatibility fixes when using Epic Hyperdrive for CDIS in the context of EHR launches.
  • Bug fix: Related to CDIS, unnecessary steps were removed for the Smart on FHIR OAuth2 process.

Version 13.7.1 (released on 2023-06-08)

CHANGES IN THIS VERSION:

  • Major bug fix: When using Multi-Language Management and uploading a file on the MLM setup page to import translations into an existing language, the process of merging from file would mistakenly not be performed.
  • Bug fix: When downloading a PDF of an instrument, the PDF would only download in the desired language if it was set to active for MLM in Data Entry mode. It should not require a language to be active in Data Entry mode to allow downloads of PDFs in that language.

Version 13.7.0 (released on 2023-06-08)

CHANGES IN THIS VERSION:

  • New features: New Multi-Language Management workflow for adding new languages to projects, plus many other improvements.
    • Improved workflow and user interface for adding new languages to projects.
    • Project languages can now "subscribe" to system languages (i.e., any changes/additions to UI translations made in the Control Center will automatically be visible in projects).
    • Several new administrator options to control how new languages can be initialized in projects (independently allow/disallow initialization from system languages, language files, or from scratch). These (global) settings can be overruled on a project by project basis.
    • Editing/updating of existing languages has been redesigned and split into separate edit (rename, etc.) and update (sync with system languages or import translations from files) dialogs.
    • Added an option to download (empty - i.e. without data) PDFs of all or individual instruments.
    • The default setting for the ASI Language Source is now "Language preference field" (instead of "User's or survey respondent's active language").
    • Many user interface fixes related to the switch to Bootstrap 5 in REDCap 13.4.0.
  • Bug fix: MyCap push notifications might mistakenly not work when using a proxy for the REDCap web server. (Ticket #207578)
  • Bug fix: When using Multi-Language Management, the “:value” piping modifier would mistakenly not work when performing piping on MLM-enabled forms and surveys. (Ticket #207629)
  • Bug fix: When using date-based or time-based [survey-X] Smart Variables in conjunction with a [X-instance] Smart Variable while also using the ":value" modifier (e.g., [survey-time-completed:my_survey:value][last-instance]), a blank value might mistakenly be returned instead of the expected value. (Ticket #206098b)
  • Bug fix: When using the Copy Project feature and selecting to copy the reports in a project, the resulting new project's reports would mistakenly not have the same unique report names. The unique report names of the new project should be exactly the same as the original project. (Ticket #207248)
  • Bug fix: When piping a data value into the choice label of a multiple choice field on a repeating instrument, the correct data value might mistakenly not get piped correctly when viewing the choice label on a report or in a CSV Labels data export. (Ticket #207193)
  • Bug fix: When using the Calendar Sync feature, the calendar feed or export might mistakenly be off by one hour for cities in specific time zones. (Ticket #206585b)
  • Bug fix: When importing and exporting user rights or user roles via CSV files on the User Rights page, some user privilege categories (e.g. Alerts & Notifications) might mistakenly not be found in the downloaded CSV user rights/roles files. (Ticket #206747, #207132)
  • Bug fix: When selecting files in the File Repository and clicking the Move button, the "folder" drop-down list in the dialog would mistakenly display folders that have been deleted. (Ticket #207763)
  • Bug fix: When viewing multi-page inline PDFs on the e-Consent certification screen on surveys when using certain devices, such as iPads, only the first page of the PDF might be viewable on the webpage. An option is now displayed near the bottom of the e-Consent certification screen on surveys to allow the participant to download and view the PDF in another browser tab if they are using a device that does not support multi-page inline PDFs. (Ticket #205407)
  • Bug fix: When exporting a project or project data as CDISC ODM/Project XML, a fatal PHP error might occur when using PHP 8. (Ticket #78389)
  • Bug fix: When using Multi-Language Management, the error dialog displayed when a user enters an invalid choice for an auto-complete drop-down field was mistakenly not available for translation on the MLM setup page. (Ticket #207825)
  • Bug fix: When using CDIS, the project menu was not hidden in an EHR launch context.
  • Bug fix: When downloading a PDF of an instrument that contains a Descriptive Text field with an inline PDF attachment, in certain cases the inline PDF might overlap the next field below it when instead it should begin a new page right after the inline PDF. (Ticket #206391)
  • Bug fix: Piping Smart Variables or field variables into the Data Entry Trigger URL would mistakenly cause "span" HTML tags to be inserted into the URL.
  • Updates to the External Module Framework: 1) Prevented uncaught exceptions in the PHP error log, and 2) Added system setting support in getSubSettings().

Version 13.6.1 (released on 2023-06-02)

CHANGES IN THIS VERSION:

  • Change/improvement: CDIS-related tasks now use a new memory monitoring feature to improve system stability by preventing out-of-memory crashes, in which it actively tracks memory usage and stops long-running, memory-intensive background processes when the PHP thread’s memory usage approaches a predefined threshold (75% by default).
  • Various fixes and changes to the External Module Framework.
  • Change/improvement: When searching for action tags in the Action Tag list/dialog, any action tags added to the dialog via an External Module would mistakenly not be included in the search as the user types in the search box. (Ticket #207364)
  • Bug fix: If a user does not have "Add/Edit/Organize Reports" privileges, "Report B" would mistakenly not appear for them on the "My Reports & Exports" page. (Ticket #206987)
  • Bug fix: When using DDP Custom, dates were not converted to strings in the JSON encoding process for the data web service. (Ticket #206063)
  • Bug fix: A non-existent CDP-related CSS file would get called on the Online Designer page and thus would throw a silent 404 error in the browser console. (Ticket #207222)
  • Bug fix: Medication statuses were mistakenly being ignored in CDIS mapping and thus were not being imported from the EHR.
  • Bug fix: When re-evaluating Alerts & Notifications, in which one or more alerts are recurring, the process might report an incorrect number of alerts that were removed/unscheduled during re-evaluation as a result of the alert's conditional logic no longer being True. This does not affect any behavior but only the count of alerts that were removed/unscheduled during the re-eval process. (Ticket #206980)
  • Bug fix: Data entry forms and survey pages might mistakenly crash due to a fatal PHP error in very specific scenarios when using PHP 8. (Ticket #207349)
  • Bug fix: On a MyCap-enabled project, the Online Designer might mistakenly crash due to a fatal PHP error in very specific scenarios when using PHP 8. (Ticket #207381)
  • Bug fix: In certain places throughout REDCap where the Logic Editor is used, when modifying the text in the editor, an error might appear saying "Odd number of single quotes exist" (or something similar) when apostrophes, quotes, parentheses, and some other characters are utilized in an "inline comment" (beginning with // or #) in the editor. (Ticket #207092)
  • Bug fix: When copying the MyCap generated invitation text, which would contain a REDCap version number in the URL of the QR code image, and pasting it onto a webpage in REDCap, such as in the survey completion text or in a field label, the QR code would mistakenly fail to load on the page if that older version of REDCap had been removed from the web server.

Version 13.6.0 (released on 2023-05-25)

CHANGES IN THIS VERSION:

  • New features for Clinical Data Interoperability Services (CDIS): New additions to the CDIS Configuration page in the Control Center.
    • Custom Mapping: Institutions can now define their own mappings and specify additional LOINC codes for labs and vitals.
    • Metadata Download: Users can download CSV files containing metadata for mapping FHIR data to REDCap's fields. Metadata files are available for DSTU2 and R4 versions.
    • Custom FHIR Authentication Parameters: This new feature enables administrators to define custom HTML query parameters for the SMART on FHIR authentication process. By allowing institutions to specify key-value pairs along with context information, such as "standalone launch," "EHR launch," and "always," this enhancement provides increased flexibility during authentication. The user interface facilitates the specification of multiple entries, thus granting administrators greater control over the authentication process.
  • Minor security fix: An SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks.
  • Major bug fix: If a REDCap user knows the report_id of a report from another REDCap project to which they do not have access, they could manipulate the URL of a report in one of their own projects by replacing the report_id in the URL with the other project's report_id and thus be able to view (but not export) all the data from the other project's report. Note: The user would not be able to access anything else from that other project though. Additionally, the user must be logged in and must have access to at least one project in order to exploit this issue. Bug emerged in REDCap 12.2.0. (Ticket #206894)
  • Bug fix: When using the Calendar Sync feature, the calendar feed or export might mistakenly be off by one hour for cities in specific time zones. (Ticket #204252, #206585)
  • Bug fix: If using Multi-Language Management, if a radio or checkbox field exists on an MLM-enabled survey that also has the Enhanced Choice survey option enabled, in which another field on the survey page is embedded inside one of that field’s choice labels, the field would not be successfully embedded on the page but would display an error message saying that that field has been embedded multiple times on the page, which is not true. This bug was supposedly fixed in REDCap 13.5.2, but mistakenly it was not.
  • Bug fix: If a field has been piped into the min or max validation range of a Text field, in which the piped field does not have a saved value yet, a user attempting to import data will mistakenly get an error stating that the field "should not be greater than the field maximum" or "less than the field minimum", which would thus prevent the user from importing the data. (Ticket #203219)
  • Bug fix: When a user attempts to place a production project into draft mode, it might mistakenly just reload the same page with no changes, thus preventing the project from being put in draft mode. This often occurs when multiple users are changing things in the Online Designer near the same time while in production. (Ticket #6346b)
  • Bug fix: Some project-level features in the Additional Customizations popup were mistakenly not being added to the Project XML file when exporting->importing a project. These include the following features: Enable the Data History popup, Display the Today/Now button, Prevent branching logic from hiding fields that have values, and Require a 'reason' when making changes to existing records. (Ticket #206575)
  • Bug fix: When using the "Copy existing choices" feature for multiple choice fields in the Edit Field popup in the Online Designer, it would mistakenly strip out all HTML in the choice labels. (Ticket #206644)
  • Bug fix: When uploading an Instrument Zip file that contains survey settings, in which the survey theme of the survey does not exist on the current REDCap server, the upload would hang and never finish. Now, if the survey theme does not exist on the current REDCap server, the default survey theme will be used instead. (Ticket #206167)
  • Bug fix: When viewing the App Data Dumps tab on the REDCap Mobile App page and clicking an "Included Records" button, it would mistakenly not display the list of records from the data dump file. Bug emerged in REDCap 13.4.0.
  • Bug fix: When viewing the REDCap Mobile App's "App Data Dumps" page and clicking the "Import Data from File" button for a specific data dump file, it would mistakenly throw a fatal PHP error on the page when using PHP 8. (Ticket #137777b)
  • Bug fix: Fixed compatibility issue when using Epic Hyperdrive for CDIS in the context of EHR launches. It addresses a known issue where the cookie samesite policy conflicts with Hyperdrive. By detecting the Hyperdrive user agent, REDCap disables the samesite policy, ensuring seamless integration and functionality.
  • Bug fix: When an administrator uses the "Auto-fill" link on a survey with the "Enhanced Choices" option enabled, it might mistakenly fail to work for some checkboxes and radio button fields. (Ticket #206769)
  • Bug fix: CDIS-related processes might fail in specific cases due to PHP 8 incompatibility.
  • Bug fix: A missing LOINC code was added to the CDIS mapping features.
  • Bug fix: When deleting scheduled survey invitations on the Survey Invitation Log using the "Delete all selected" button, it might crash with a fatal PHP error if deleting only one participant at a time when using PHP 8.

Version 13.5.4 (released on 2023-05-22)

CHANGES IN THIS VERSION:

  • Major bug fix: Due to an unexpected issue with the deployment of 13.5.3, some fixes from 13.5.2 mistakenly did not get included in 13.5.3. Thus, 13.5.4 will stand as a replacement for 13.5.3.

Version 13.5.3 (released on 2023-05-19)

CHANGES IN THIS VERSION:

  • Major bug fix: When a participant completes the first page of a multi-page survey, it might mistakenly create a duplicate record that contains only the responses submitted on the first survey page. This does not affect single-page surveys. (Ticket #206613)
  • Major bug fix: When a participant clicks the “Save & Return Later” button on the first page of a multi-page public survey, and then returns to complete the survey later, it might mistakenly not update the original record but would instead create a duplicate record containing the values submitted on the last survey page. This does not affect single-page surveys. (Ticket #206623)

Version 13.5.2 (released on 2023-05-19)

CHANGES IN THIS VERSION:

  • Improvement/change: Improvements to the usability of the "Email Users" page in the Control Center. Previously, the page featured buttons for selecting user groups and a separate "search" input field for table filtering. Now the buttons' functionality has been modified to filter the table directly, just like the "search" input, allowing admins to quickly filter the table by clicking on the buttons, and subsequently select all or specific users from the displayed list. This new behavior simplifies the user selection process, providing a more intuitive experience, and enabling efficient user filtering.
  • Major bug fix: If a field is required and is embedded in the choice label of a multiple choice field on a multi-page survey, in which the field itself has branching logic and is also used in the branching logic or calculation of another field on a separate survey page, the field's value might mistakenly get erased when submitting a survey page where the field does not exist but where the field is used in a branching logic or calculation.
  • Change: All errors in the redcap_error_log database table that are more than 30 days old will be automatically removed (to free up space) via a routine cron job.
  • Bug fix: Fixed issue with the “Navigate to page” feature when navigating to the Multi-Language Management page in the Control Center.
  • Bug fix: A JavaScript error would mistakenly get thrown on the Alerts & Notifications page when creating an alert. This may or may not cause other issues on the page.
  • Bug fix: A JavaScript error would mistakenly get thrown on the survey page after clicking the Save button on a multi-page survey, which might cause some things not to work on the survey. (Ticket #206073)
  • Bug fix: A JavaScript error would mistakenly get thrown on the Survey Settings page, but this would not affect anything on the page.
  • Bug fix: If using Multi-Language Management, the translated choice labels for Yes/No and True/False fields would mistakenly not display correctly on the Codebook page. (Ticket #206001)
  • Bug fix: When using an [X-instance] Smart Variable with other survey-related Smart Variables while using PHP 8, it might cause a fatal PHP error if no repeating instances exist yet for the targeted repeating instrument/event. (Ticket #206098)
  • Bug fix: When creating or editing a report, pressing the Enter key while in any text input (e.g., the Value text box in Step 3) would mistakenly cause the "List of users with access" popup to display. (Ticket #204875)
  • Bug fix: The login page for "Shibboleth & Table-based" authentication might not display the Shib and Table-based login options correctly. Bug emerged in REDCap 13.4.0. Bug was supposedly fixed in REDCap 13.4.3 and 13.4.9 but mistakenly was not. (Ticket #204025)
  • Bug fix: When a non-REDCap user receives a Send-It download link via email for a REDCap installation that is using a directory-based authentication method (e.g., Shibboleth), the recipient would never be able to download the file because it would mistakenly always require them to log in as a REDCap user.
  • Bug fix: If using Multi-Language Management, the same field could mistakenly be embedded multiple times on the same page when embedded via MLM translations. (Ticket #206370)
  • Bug fix: If using Multi-Language Management, if a radio or checkbox field exists on an MLM-enabled survey that also has the Enhanced Choice survey option enabled, in which another field on the survey page is embedded inside one of that field’s choice labels, the field would not be successfully embedded on the page but would display an error message saying that that field has been embedded multiple times on the page, which is not true.
  • Bug fix: When opening a data entry form or survey page in certain versions of iOS in Mobile Safari or in Internet Explorer, the page would never fully load due to a JavaScript error. This bug was supposedly fixed several versions earlier but mistakenly was not. (Ticket #202806c)
  • Bug fix: When downloading the Project XML file for a project, in some circumstances the process might fail with a fatal PHP error when using PHP 8. (Ticket #206404)
  • Bug fix: If a survey has "Save & Return Later" enabled and allows participants to return without needing a return code, but it does not allow them to return if the survey has already been completed, then in certain circumstances after a participant completes a public survey in this case, in which they have a unique survey link back to their response (e.g., from an email), they would mistakenly be allowed to modify their completed response. (Ticket #206154)

Version 13.5.1 (released on 2023-05-12)

CHANGES IN THIS VERSION:

  • Major bug fix: When using PHP 8, if any Custom Application Links have been created and thus appear on a project's left-hand menu, it would cause every project page to crash with a fatal PHP error. (Ticket #205890)
  • Bug fix: Fixed issue with the “Navigate to page” feature when navigating to the Multi-Language Management page in the Control Center.

Version 13.5.0 (released on 2023-05-11)

CHANGES IN THIS VERSION:

  • Major security fix: A Cross-site Scripting (XSS) vulnerability was discovered in a file download process in which a malicious user could potentially exploit it by inserting HTML/XML tags and/or JavaScript in a very specific way into an SVG file that is then uploaded into a File Upload field or as a Descriptive Text field attachment, and then having a logged-in REDCap user attempt to download that file using a specially crafted URL. This bug affects all versions of REDCap.
  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way on many pages that output user-defined text onto a REDCap webpage. This bug affects all versions of REDCap.
  • New feature: @INLINE-PREVIEW action tag - When this action tag is added to File Upload fields or Descriptive Text fields, a preview button will be displayed next to the field on survey pages and data entry forms if the uploaded file is an image or PDF file. Clicking the preview button will immediately display the image/PDF inline on the page, after which it can be closed again, if desired. This allows users/participants to view the file without having to download it to their local device.
  • Improvement: Inline image support (via Descriptive Text field, INLINE or INLINE-PREVIEW action tag, or the “:inline” piping parameter) now works for SVG and WEBP image files.
  • Improvement: The "Contact REDCap Administrator" link/button on the left-hand project menu now supports the piping of Smart Variables in its URL if using the "Alternate URL for Contact REDCap Admin links..." setting, which is located on the General Configuration page in the Control Center. Note: Data entry specific Smart Variables (e.g., record-name, event-name) cannot be piped; only high-level project/user-related Smart Variables can be piped (e.g. project-id, user-email).
  • Improvement: All fatal PHP errors will now be logged in the "redcap_error_log" database table to aid REDCap administrators in tracking down the cause of certain PHP errors. On pages that do not disclose any details (for security reasons) about a fatal PHP error when it occurs, such as on surveys and when the user is not an administrator, the generic error message now adds the following text in small font: "REDCap Admins Only: Details of the error may be obtained by running the database query below. select error from redcap_error_log where error_id = X", which can assist administrators in reporting the error.
  • Improvement: If using Azure AD authentication (either Endpoint V1 or V2), you may now specify the tenant GUID on the Security & Authentication page, whereas in previous versions "common" was always used as the tenant value. This provides greater flexibility for those using Azure AD. (Ticket #121604)
  • Improvement: When viewing an inline PDF (whether via Descriptive Text field, INLINE or INLINE-PREVIEW action tag, or the “:inline” piping parameter), a PDF resizer option will appear immediately below the embedded PDF, allowing users to adjust the vertical size of the PDF displayed on the page. Clicking the center button on the resizer will set the PDF to be the full height of the browser.
  • Improvement/change: When EHR data that is fetched in a Clinical Data Pull (CDP) context is too big to be stored in the database (which could happen when a patient has many medications, allergies, or conditions, for example), REDCap will truncate the data and add the prefix “--- DATA TOO LARGE, TRUNCATED ---”.
  • Change: Survey completion timestamp fields will no longer return errors when a user attempts to import them via data import. Instead, they will merely return a warning, and their value will be ignored during the import process.
  • Bug fix: When using Multi-Language Management, the language switcher button displayed at the top of data entry forms would not be positioned correctly when compared to other buttons right next to it.
  • Bug fix: When using MyCap, the MyCap “getStudyImages” API test would mistakenly fail if the project has been copied or created via Project XML upload, in which the images zip file was not getting stored in the back-end database.
  • Bug fix: When using Multi-Language Management, snapshots would be created for all projects when approving DRAFT mode, even when MLM was not in use (no languages). Now a snapshot is made only when MLM is active (not disabled) AND there is at least one language defined. Additionally, there was no automatic snapshot taken when projects are moved to production initially. Now a snapshot is taken automatically (same rules as for DRAFT).
  • Bug fix: When opening a data entry form or survey page in certain versions of iOS in Mobile Safari or in Internet Explorer, the page would never fully load due to a JavaScript error. This bug was supposedly fixed two versions earlier but mistakenly was not. (Ticket #202806b)
  • Bug fix: When utilizing the "Include PDF of completed survey as attachment" option in the Confirmation Email section on the Survey Settings page for a survey that is using the e-Consent Framework, the PDF consent form that is attached to the email would mistakenly not include the e-Consent Type in the filename of the PDF. It should have listed the e-Consent Type as part of the filename for the email attachment.
  • Bug fix: When viewing an open conversation in REDCap Messenger, the "Actions" drop-down would mistakenly not open when clicked. Bug emerged in REDCap 13.4.0.
  • Bug fix: When performing randomization on a record, a JavaScript error might mistakenly occur, which would cause calculated fields on the current page not to be recalculated post-randomization. (Ticket #205428)
  • Bug fix: When using Multi-Language Management, the Survey Login page text might mistakenly not get translated. (Ticket #205427)
  • Bug fix: The DAG Switcher API method would mistakenly always return the message "ERROR: Invalid DAG" even when the API is being called correctly. Bug emerged in 13.1.27 LTS and 13.4.11 Standard. (Ticket #205557)

Version 13.4.13 (released on 2023-05-04)

CHANGES IN THIS VERSION:

  • Medium security fix: A Blind SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks. (Ticket #205078)
  • Medium security fix: A vulnerability was found in the "Save & Return Later" feature on survey pages, in which a malicious user could potentially exploit it by manipulating an HTTP request in a specially-crafted way that would allow them to email themselves the private survey link of another survey participant. If return codes are not required to return to the survey, using brute force methods the attacker might be able to view sensitive data that survey participants have entered. However, if return codes are required, then the attacker will not be able to view any survey responses. (Ticket #205081)
  • Major bug fix: The Project Setup->Other Functionality page might mistakenly crash due to a fatal PHP error when using certain versions of PHP 8.
  • Major bug fix: When using Multi-Language Management and saving MLM translations on the MLM setup page, all Action Tag translations and all choice label translations for multiple choice fields would be permanently lost upon save. Bug emerged in the previous release. (Ticket #205076, #205146)
  • Bug fix: When downloading the Project XML file for a project, in some circumstances the process might fail with a fatal PHP error when using PHP 8. (Ticket #204965)
  • Bug fix: For CDIS-related FHIR calls specifically to Epic, the FHIR coding systems have been updated to reflect the Epic FEB23 update.

Version 13.4.12 (released on 2023-05-03)

CHANGES IN THIS VERSION:

  • Critical security fix: A Blind SQL Injection vulnerability was found on survey pages, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request to the survey end-point in a specially-crafted way.
  • Improvement: More options for the new “Navigate to page” feature for administrators: 1) Admins can now navigate to Control Center pages via typing “cc”, 2) Help is context sensitive (project links are disabled and "cc" prefix is removed while in the Control Center), 3) Destinations in the popup are now clickable links (project links are not clickable when viewed on a Control Center page), 4) Holding CTRL while pressing ENTER or clicking a link will open in a new tab, and 5) External Module related pages support the EM framework’s alternate /external_modules/ directory location, if being used.
  • Bug fix: Hovering over the "view list" links to view scheduled/sent alerts on the Alerts & Notifications page would mistakenly not display anything. Bug emerged in REDCap 13.4.0 (Standard).
  • Bug fix: When using the [form-link] or [survey-link] Smart Variable with Custom Text while also having the [new-instance] Smart Variable appended to it, it would mistakenly return a blank string instead of a survey link.
  • Bug fix: Fixed more issues related to error checking for the Imagick PHP extension check on the Configuration Check page.
  • Bug fix: When exporting a PDF of a survey response in some specific ways, it might mistakenly return the word "ERROR" instead of outputting the PDF. Bug emerged in REDCap 13.4.9. (Ticket #204340)
  • Bug fix: If some Smart Variables are used in a calculation or conditional logic, in which the evaluation of the calculation/logic results in a blank/empty string (i.e., after applying the current context and the current data during the logic evaluation process), an incorrect value might be returned from the calculation/logic. For example, this could cause calculated fields and Data Quality rule H not to function as expected. (Ticket #203945)
  • Bug fix: When using Multi-Language Management, fields on a data entry form that are piped on the page would mistakenly disappear from the page immediately after the form has loaded. (Ticket #204372)
  • Bug fix: When using Multi-Language Management, the Form Complete status field on data entry forms would mistakenly not change to the correct translated text when switching languages on the page while using iOS. (Ticket #203189b)
  • Bug fix: When opening a data entry form or survey page in certain versions of iOS in Mobile Safari, the page would never fully load due to a JavaScript error. (Ticket #202806, #204332)
  • Bug fix: When a Survey Base URL is defined in the Control Center and a survey participant clicks the "Close survey" button after completing a survey, if the survey had been opened in the participant's browser from outside of REDCap, such as clicking a link in an email, in which the browser will not let the webpage close the tab but instead falls back to displaying the "You may now close this tab/window" message on the page, the participant would mistakenly not be taken to a URL beginning with the Survey Base URL but would instead be taken to the non-survey Base URL defined in the Control Center, which could be confusing to the participant. (Ticket #204422)
  • Bug fix: When attempting to upload Alerts & Notifications via CSV file, if the "email-to" field contains the value [survey-participant-email], REDCap would mistakenly return an error message saying the value isn't valid when it actually is. (Ticket #201256)
  • Bug fix: When using Multi-Language Management, in certain cases an error would occur when attempting to import MLM settings via CSV or JSON files, thus preventing the upload from completing.
  • Bug fix: If proxy server settings have been provided on the General Configuration page in the Control Center, those settings would mistakenly fail to be used by the internal MyCap API check on the MyCap Configuration Check page and thus could result in a false positive saying that issues exist.
  • Bug fix: When using Multi-Language Management and using the eConsent Framework, the footer of the eConsent PDF, when displayed at the end of a survey, would mistakenly not have its text translated by MLM. This issue was supposedly fixed in the previous version but mistakenly was not. (Ticket #204669)
  • Bug fix: When a user tries to send a MyCap announcement to their MyCap participants, the Announcement dialog would always mistakenly close before a message can be added. (Ticket #204571)
  • Bug fix: When using Multi-Language Management on a survey, the Font Resize buttons might mistakenly not display text for the correct/selected language when hovering over the buttons. Bug emerged in REDCap 13.4.0.
  • Bug fix: When clicking inside the "Deactivate" and "Permanently Delete" dialogs on the Alerts & Notifications page, the dialog would mistakenly close. In addition, the Cancel buttons were also not working in the dialogs. Bug emerged in REDCap 13.4.0. (Ticket #204799)
  • Bug fix: The Email Users page in the Control Center might become unusable and/or lock up when attempting to select users to email when lots of users (thousands or tens of thousands) exist in REDCap. (Ticket #203947)
  • Bug fix: The wrong language variable was used for the WebDAV file server check on the Configuration Check page. (Ticket #204838)
  • Bug fix: The Share->Copy Link functionality might stop functioning for files in the File Repository if attempting to perform the functionality in a specific way more than once while on the page. (Ticket #204876)
  • Bug fix: When utilizing the "Include PDF of completed survey as attachment" option in the Confirmation Email section on the Survey Settings page for a survey that is using the e-Consent Framework, the PDF consent form that is attached to the email would mistakenly have REDCap's back-end stored filename as the PDF filename rather than the intended user-friendly version of the filename. Additionally, the consent PDF was mistakenly not listed by name in the logged details of the event on the Logging page.

Version 13.4.11 (released on 2023-04-27)

CHANGES IN THIS VERSION:

  • Critical security fix: A PHP Deserialization Remote Code Execution vulnerability was found in which a malicious user who is not logged in could potentially exploit it by manipulating an HTTP request to a survey page while uploading a specially crafted file. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists only in the following REDCap versions: LTS 13.1.11 through 13.1.26 and Standard Release 13.3.0 through 13.4.10.
  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in a file download process in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way into an HTML file that is then uploaded into a File Upload field or as a Descriptive Text field attachment, and then having a logged-in REDCap user attempt to download that file using a specially crafted URL.
  • Major bug fix: Partially completed one-page surveys might mistakenly behave as if the participant has not started the survey if they return to the partially completed survey after having entered some data. (Ticket #204003)
  • Major bug fix: When a survey participant opens a public survey under certain conditions, such as when multiple participants are using the same device, the survey page (and/or subsequent pages) might mistakenly get populated with the previous participant's responses, thus allowing participants to see data they should not. This fix reverts functionality from Ticket #142376 (from REDCap 13.4.3 Standard and 13.1.19 LTS) that attempted to gracefully recover a participant's session if they used their browser's BACK button on a survey as a means of returning to a previous survey page. (Ticket #204164)
  • Improvement: When viewing PDF attachments on Descriptive Text fields on a data entry form or survey, in which the PDF is set to be displayed inline, the PDF frame is now adjustable at the bottom so that its vertical size may be modified by the user/participant for better viewing.
  • Improvement: Searching has now been added in the Action Tags popup and Smart Variables popup to allow users to find content faster in those popups.
  • Bug fix: When publishing a MyCap configuration in a project, some chart fields might not get stored correctly in the config and thus might affect participants using the MyCap mobile app on iOS.
  • Bug fix: When using Multi-Language Management, the @LANGUAGE-FORCE action tag (if being used on a field) would mistakenly not work as expected.
  • Bug fix: When using DUO as an option for two-factor authentication, the 2FA process would mistakenly redirect users to the REDCap home page after a successful login rather than redirecting them to the current page they were originally on. (Ticket #203337)
  • Bug fix: The “Field Finder” on the Codebook page might mistakenly display some HTML in the search results if the user begins the search with the letter “c”.
  • Bug fix: When using Duo two-factor authentication, the REDCap login page might mistakenly be blank when using Mobile Safari on an iOS device. (Ticket #203626)
  • Bug fix: If the first column of the Record Status Dashboard table is a sticky/floating column (because the table is very wide), the column's background color might mistakenly be transparent instead of a solid color, thus causing the table to look strange. (Ticket #203655)
  • Bug fix: When using Multi-Language Management and using the eConsent Framework, the footer of the eConsent PDF, when displayed at the end of a survey, would mistakenly not have its text translated by MLM.
  • Bug fix: Fixed issues related to error checking for the Imagick PHP extension check on the Configuration Check page. (Ticket #203313b)
  • Bug fix: Requests to the survey end-point that contained "__passthru" and "route" in the URL would mistakenly not get logged in the redcap_log_view table.
  • Bug fix: When using Multi-Language Management, some browsers might attempt to auto-translate part of the webpage when viewing a page translated via MLM. Such a browser action will now be prevented in order to allow the form or survey to be viewed exactly how the user intended. (Ticket #203925)
  • Bug fix: When viewing a Public Project Dashboard on PHP 8, the page might mistakenly crash due to a fatal PHP error. (Ticket #203634)
  • Bug fix: DDP Custom might mistakenly fail to pull and display data correctly due to internal field-mapping issues.
  • Bug fix: Some “popover” help text on various pages would mistakenly not display when a user’s cursor hovers over them. Bug emerged in REDCap 13.4.0 (Standard).
  • Bug fix: Fixed an issue with the auto-adjudication setting related to the use of email addresses in a CDIS project, in which it was causing the email addresses not to be fetched from the EHR.
  • Bug fix: During the MyCap EM to REDCap migration process, the migration popup was displaying the wrong "number of tasks" if there are any inadequately-enabled tasks on the EM side.
  • Bug fix: If the unique group name of a Data Access Group happens to be an integer and also happens to be the same value as the Group ID number of another DAG in the same project, users would mistakenly not be able to utilize the DAG Switcher if they attempt to move in and out of the DAG whose Group ID number matches the unique group name of another DAG. (Ticket #204033)
  • Bug fix: When using "&new" in a survey URL of a repeating survey, in which the URL also contains extra URL parameters for the purpose of survey pre-filling, those extra parameters would mistakenly be lost and thus will not be pre-filled after redirecting the participant to a not-yet-created repeating survey instance. (Ticket #204113)
  • Bug fix: When using Multi-Language Management, some browsers might attempt to display a popup to ask the user if the page should be auto-translated by the browser. The previous version already prevents the auto-translate action itself, but this new fix now prevents the translation popup from displaying altogether in order to reduce confusion for users/participants when using MLM. (Ticket #203925b)
  • Bug fix: If the dates used together in a datediff() function or in a @CALCDATE action tag do not have the same date format, the resulting error message would mistakenly mention "Since the DATEFORMAT parameter was not provided as the fourth parameter in the equation, 'ymd' format was assumed". The date format parameter is a legacy feature and is no longer used or needed, so that specific part of the error message has been removed in these cases. (Ticket #204213)

Version 13.4.10 (released on 2023-04-20)

CHANGES IN THIS VERSION:

  • Major bug fix: When copying a project and all its records, any fields that have no action tags (i.e., have nothing in the Field Annotation) would mistakenly have their value converted into a MyCap participant code for all records/events. Additionally, some repeating instance data might get orphaned or not get copied over correctly. (Ticket #203436)
  • Bug fix: The MyCap mobile app might mistakenly crash in certain situations on the About page if the About page’s image for the app is stored incorrectly in the project’s MyCap configuration.
  • Bug fix: The Control Center's Configuration Check page might mistakenly display an incorrect message that the Imagick PHP extension is not installed correctly when in fact the issue was that Ghostscript was not installed correctly on the server. (Ticket #203313)

Version 13.4.9 (released on 2023-04-19)

CHANGES IN THIS VERSION:

  • Critical security fix: A Remote Code Execution vulnerability was found in the process whereby files are uploaded via File Upload fields and via the Data Import Tool, in which a malicious user could potentially exploit it by manipulating an HTTP request while uploading a specially crafted file on the Data Import Tool page, on a data entry form, or on a survey page. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists in all versions of REDCap.
  • Critical security fix: An Insecure Direct Object References (IDOR) vulnerability was found, in which a malicious user could potentially exploit it by manipulating an HTTP request in a specially crafted manner on a survey page. This could allow the attacker to export PDFs containing data of individual survey participants (potentially containing sensitive/private information). Any valid survey link (including a public survey link) could be used and manipulated in order to export a PDF containing data for any record within the project to which the survey link belongs.
  • Major security fix: A Blind SQL Injection vulnerability was found on the Alerts & Notifications page, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page or indirectly via the survey page.
  • Medium security fix: A Path Traversal vulnerability was found in a specific endpoint relating to the Clinical Data Pull feature, in which a malicious user could potentially exploit it by manipulating an HTTP request on a specific CDP page.
  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by entering an HTML "iframe" tag in a carefully crafted manner into the value of a text field on a form or survey. Additionally, that text field's value must be piped to another place on that same page in order to exploit it. This bug exists in all versions of REDCap, both LTS and Standard Release.
  • Improvement: New “Go to project page” feature for administrators only will appear on the top navbar (when not inside a project) and on the left-hand menu when inside a project. Entering the PID of a project and hitting Enter/Tab will navigate the admin directly to the project. Additionally, if the PID is followed by a specific 1-3 letter abbreviation, they can navigate to a specific page within the project - e.g., “181 an” to go to the Alerts & Notifications page in PID 181. To go to a specific record on the Record Home Page, also enter the record number - e.g., “34 rhp 999” to view record 999 on the Record Home Page of PID 34.
  • Change/Improvement: When a participant attempts to log in to a survey via the Survey Login feature, the attempt is now logged, in which the following things are recorded in the project logging: 1) whether the login attempt was a success or failure, 2) the project fields being utilized in the login attempt, and 3) the context (e.g., the record, survey, and event).
  • Bug fix: Long-running CDIS-related cron jobs might mistakenly prevent External Module cron jobs from running at their expected interval.
  • Bug fix: When two administrators are viewing the Multi-Language Management page in the Control Center at the same time, the second person to navigate there will not be able to view the page while the first person is still viewing it due to a fatal PHP crash. Bug emerged in the previous version. (Ticket #202782)
  • Bug fix: When using the "Compare" feature for data dictionaries and/or snapshots on the Project Revision History page, on certain occasions it would not perform the comparison correctly and thus would display incorrect results.
  • Bug fix: Due to various API changes in the third-party web service used by the Field Bank feature, the Field Bank would no longer return any results if a user searched for a field in the Field Bank dialog in the Online Designer. This affects REDCap versions 10.7.0 and higher.
  • Bug fix: When copying a MyCap-enabled project that contains records, in which the records are also being copied, the process would fail to copy the records into the MyCap Participant List in the new project. The records would get copied correctly but mistakenly not added to the MyCap Participant List.
  • Bug fix: When an administrator uses the "Auto-fill" link on a data entry form or survey, it might mistakenly fail on Text fields that lack field validation. Bug emerged in the previous version. (Ticket #202933)
  • Bug fix: If the two authentication settings "Number of failed login attempts..." and "Amount of time user will be locked out after having failed login attempts..." on the Security & Authentication page somehow have non-integer values, it could cause the REDCap login page to crash with a fatal PHP error when using PHP 8. (Ticket #202976)
  • Bug fix: After renaming a record in a longitudinal project and using the Form Display Logic feature, the Record Home Page might mistakenly give a fatal PHP error when using PHP 8. (Ticket #203014)
  • Bug fix: The DAG Switcher table might mistakenly display a bunch of up/down arrows below the table header row due to a CSS issue.
  • Bug fix: When using Multi-Language Management on a form or survey, the choice label from radio button fields that are inside a matrix would fail to pipe successfully if on the page. (Ticket #201392)
  • Bug fix: CDIS-related bug that could cause issues when refreshing a user’s FHIR access token, in which the format of the date used to check for expiration was wrong.
  • Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code "986" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it. (Ticket #203044)
  • Bug fix: When clicking any of the table headers for the project list table on the My Projects page, it would mistakenly hide all the projects in the list except for those in the "Unorganized Projects" folder. Additionally, if any project folders were previously open, the user would find that all project folders had been closed after reloading the page. (Ticket #203046)
  • Bug fix: The login page for "Shibboleth & Table-based" authentication might mistakenly display both the Shib and Table-based login options under the Shib login tabs when using more than one Shibboleth login option. Bug emerged in REDCap 13.4.0. (Ticket #200919b)
  • Minor changes and improvements for the External Module Framework: 1) Prevented hidden settings from being stripped out of getSubSettings() calls, and 2) Added the isAuthenticated() method.
  • Bug fix: When using Multi-Language Management, the @LANGUAGE-FORCE action tag might not work as intended under specific conditions. (Ticket #202553)
  • Bug fix: When using an [aggregate-X] Smart Variable in a calculation or any kind of conditional logic or branching logic, in which the value returned for the [aggregate-X] Smart Variable is greater than "999", the logic might mistakenly not function as expected. (Ticket #203063)
  • Bug fix: When using Multi-Language Management on a data entry form, the MLM language switcher drop-down displayed on the form might mistakenly be obscured and/or not visible while using certain iOS devices. (Ticket #203189)
  • Bug fix: The link to the Training Videos on the login page would be incorrect in some situations. (Ticket #203245)
  • Bug fix: When an adaptive or auto-scoring survey that has been downloaded from the REDCap Shared Library is not the first instrument in the project and is set to "Redirect to a URL" on the Survey Settings page, the survey participant would mistakenly not be redirected to the defined URL after completing the survey. (Ticket #203316)

Version 13.4.8 (released on 2023-04-12)

CHANGES IN THIS VERSION:

  • Major security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way on any page that outputs user-defined text, such as field labels, survey instructions, etc. This bug allows anyone to inject the "script" tag on any page that outputs user-defined text. In addition, the HTML "s" strikethrough tag can no longer be used as an allowed HTML tag, but instead it is preferred that users use the HTML "strike" tag as an equivalent replacement if users are hand-coding HTML on a page. This excludes the usage of the strikethrough button in the rich text editor, which is unaffected by this issue. This bug does not affect any LTS versions. Bug emerged in REDCap 13.4.3 Standard.
  • Major bug fix: The Simultaneous User Check, which ensures that two users cannot modify the same record/event/form/instance on the same project, was mistakenly not working and would never display the warning to prevent users from being on the same instrument at the same time for a given record. Bug emerged in REDCap 13.2.0 (Standard). LTS is not affected by this bug.
  • Change/improvement: HTML "strike" strikethrough tags are now allowed in user-defined text, such as field labels, survey instructions, etc.
  • Bug fix: Several missing LOINC codes were added to the CDIS mapping features.
  • Bug fix: A CDIS-related database query could throw a fatal error when computing information for a DataMart revision.
  • Bug fix: When using MyCap, records might not appear in the MyCap Participant List if they were created while the MyCap feature was disabled in the project, after which MyCap was later enabled. (Ticket #202374)
  • Bug fix: The "Auto-fill Form" link for administrators to use on forms and surveys would mistakenly insert the wrong value for specific field validations, such as Number (1 decimal place), Number (comma as decimal), and other number types. (Ticket #202401)
  • Bug fix: When loading the first page of a multi-page public survey, in which no records exist in the project yet, the survey page might display a "REDCap crashed" error when running PHP 8. (Ticket #202648)
  • Bug fix: When downloading a PDF of an instrument that contains a Descriptive Text field with an inline PDF attachment, in certain cases an extra empty page might appear in the resulting PDF right before where the inline PDF is rendered. (Ticket #202598)
  • Bug fix: When using the Smart Variable [stats-table] and limiting its data via appending a unique report name, in which the report itself returns zero results, the stats table would mistakenly display statistics for all records in the project. (Ticket #201751)
  • Bug fix: The warning popup that is displayed when a user attempts to download a data dictionary when one or more of the instruments in the project have been imported from the REDCap Shared Library, in which the user must first agree to the Shared Library's Terms of Use, was mistakenly not being displayed when users also perform the following other relevant actions: download an instrument zip file, download a Project XML file, or copy the project.

Version 13.4.7 (released on 2023-04-07)

CHANGES IN THIS VERSION:

  • Change/improvement: Some performance improvements and minor changes for the Unicode Transformation page, such as the exclusion of specific database table columns since they do not need to be transformed.
  • Bug fix: If the REDCap database table structure has utf8mb4 collation while REDCap’s database connection is configured to use utf8[mb3], both the db_character_set and db_collation values in the redcap_config database table will be modified to ensure that the character set is aligned. This fix will occur during the upgrade process and will also be added to the Unicode Transformation page.
  • Change/improvement: When a cron job crashes and sends an email to the REDCap administrator, the email now includes a full stack trace of the error.
  • Bug fix: When piping a field variable that has an [X-event-name] Smart Variable prepended to it while also having an [X-instance] Smart Variable appended to it, it might mistakenly return a blank value rather than piping the correct value. (Ticket #142932)
  • Bug fix: When a @CALCTEXT field contains an if() function that has a plus sign (+) inside of single quotes or double quotes, the resulting text would mistakenly have the text "*1+1*" replacing every plus sign. This would occur when viewing a @CALCTEXT field on a data entry form or survey but not via server-side calculation methods, such as Data Quality rule H. (Ticket #141653)
  • Change: Improved memory management for several CDIS-related processes, especially those performed by the cron job.
  • Bug fix: The modal dialog displayed when attaching a file via the rich text editor might not look correct because some CSS styles were mistakenly missing for certain elements in the dialog.
  • Bug fix: Some users that are accessing a CDIS project might find that project pages might take a very long time to load. This only affects certain users on CDIS projects, but it is unknown which users might be affected by this.
  • Bug fix: The tables that list the choices for multiple choice fields on the Codebook page were mistakenly missing some of their borders.
  • Bug fix: If using Multi-Language Management, the MLM "Change Language" tooltip might not display the correct mouseover text due to issues with Bootstrap 5. Related, the position and spacing of the language selector on data entry forms was off also.
  • Bug fix: If using Multi-Language Management, the @LANGUAGE-CURRENT-FORM action tag was working on (completed) surveys viewed on data entry pages, which should never have been the case.
  • Bug fix: The new instance button for repeating instruments on the Record Home might mistakenly not be disabled when the form icon is disabled by Form Display Logic.

Version 13.4.6 (released on 2023-04-03)

CHANGES IN THIS VERSION:

  • Major bug fix: Reverted the bug fix in Ticket #142759, which sought to provide server-side checking to prevent @READONLY fields from having their data values modified through the client side (e.g. JavaScript). This has been reverted because there appear to be too many scenarios in which this server-side checking was blocking legitimate data entry and thus some data was not getting saved properly. Most of these scenarios occurred when using certain action tags together with @READONLY, as described in Ticket #202226 (i.e., @CALCTEXT, @CALCDATE, @DEFAULT, @SETVALUE), but other scenarios, such as when performing survey pre-filling (via URL parameters or via POST requests) for @READONLY fields, could not easily be incorporated into the server-side checking. Therefore, the server-side checking for @READONLY fields (added to REDCap 13.1.20 LTS and 13.4.4 Standard) has been removed/reverted because it was preventing legitimate data entry on forms and surveys in various scenarios.

Version 13.4.5 (released on 2023-04-01)

CHANGES IN THIS VERSION:

  • Major bug fix: Opening a data entry form when using PHP 8 would crash the page with a fatal PHP error on certain occasions. Bug emerged in the previous version.
  • Change: When using the Unicode Transformation page, if a database table's row_format is COMPACT, it will now add ROW_FORMAT=DYNAMIC to the SQL transformation script so that this does not need to be done separately (can be time-consuming on its own).

Version 13.4.4 (released on 2023-03-31)

CHANGES IN THIS VERSION:

  • Bug fix: If using MySQL 8 for the REDCap database, admins might see false positives for the database structure check in the Control Center, in which it might mistakenly say “Your Database Structure is Incorrect” when it is actually correct. Bug emerged in the previous version. (Ticket #202144)
  • Bug fix: Fields that have a @READONLY action tag could have their data value modified on a survey page or data entry form by manipulating the webpage via JavaScript or via the web browser's developer console. (Ticket #142759)
  • Various CDIS-related fixes

Version 13.4.3 (released on 2023-03-31)

CHANGES IN THIS VERSION:

  • Major bug fix: If a user calls the "Export Records" API method and explicitly provides the "fields" API parameter as a comma-delimited text string (instead of an array), the API might mistakenly export the data for all project fields, including data for fields for which the API user does not have data export rights. (Ticket #200812) 
  • Improvement: "Postal Code (UK)" was added as a new field validation. After upgrading, an administrator will need to enable it on the Field Validation Types page in the Control Center. (Ticket #201961)
  • Improvement/change: If a participant returns to the first page of a multi-page survey (e.g., by clicking the Previous Page button or returning via their Return Code), the survey instructions can be viewed again by clicking the "View survey instructions" link at the top of page 1. In previous versions, the survey instructions could never be viewed again after the survey had been started (i.e., the first page had been submitted). (Ticket #201430)
  • Improvement: When using the Google/Microsoft Authenticator option for two-factor authentication in REDCap, users will be able to enroll using their Google/Microsoft Authenticator app the very first time they log in to REDCap via 2FA, in which the enrollment QR code will be displayed there the first time they log in via 2FA. This allows institutions to utilize the Google/Microsoft Authenticator option for REDCap without necessarily having to offer the less secure Email option, which is often the fallback/default for when users initially log in via 2FA. In previous REDCap versions, users would have to use a 2FA option other than Google/Microsoft Authenticator the first time they logged in via 2FA. So this behavior change provides a more secure way to offer 2FA. (Ticket #141099)
  • Improvement/change: The main Control Center page now displays a warning if REDCap recognizes that your web server and cron job are using different PHP.INI files, as this can sometimes cause undesired side effects.
  • Change/improvement: HTML "s" strikethrough tags are now allowed in user-defined text, such as field labels, survey instructions, etc.
  • Bug fix: When following the directions on the page "Updating your REDCap Database Tables to support full Unicode", the process might mistakenly fail due to certain MySQL/MariaDB errors occurring when attempting to convert certain characters to utf8mb4 via the UPDATE queries provided on the page. If you have attempted to use this page previously and had to stop due to these errors, then after upgrading, we recommend you try it again using the new SQL provided on that page.
  • Bug fix: Small fixes for the page "Updating your REDCap Database Tables to support full Unicode".
  • Bug fix: The Configuration Check page had several checks that would mistakenly fail due to language strings not being escaped. This bug was introduced in the previous version. This issue was supposedly fixed in REDCap 13.4.2, but mistakenly it was not. (Ticket #201609)
  • Bug fix: Custom Survey Queue Text might mistakenly have many unnecessary line breaks, thus causing the text to have large, empty gaps. (Ticket #201330)
  • Bug fix: When user privileges are edited or when users are added to a project via the CSV file upload on the User Rights page, it would mistakenly not log the individual events of each user being edited or added, respectively. (Ticket #200514)
  • Bug fix: When the survey expiration date is saved in YMD date format on the first save of the Survey Settings page, the date format is corrupted and not saved correctly. (Ticket #201743)
  • Bug fix: If a participant is taking a multi-page public survey and uses their browser’s Back button to go back to the first survey page, then afterward continues forward again on the survey, it would mistakenly create a duplicate response/record in the project. (Ticket #142376)
  • Bug fix: Vertically-aligned checkboxes (and some other elements as well) might not display correctly (or might be invisible) on survey pages while using an RTL (right-to-left) translated language via Multi-Language Management. (Ticket #201476, #200785)
  • Bug fix: When taking an adaptive or auto-scoring survey that was imported from the REDCap Shared Library while the Survey Queue is being utilized, the Survey Queue might mistakenly fail to be displayed at the end of the survey or (if using auto-start) the next survey in the queue would fail to begin automatically. (Ticket #201816)
  • Bug fix: When taking an adaptive or auto-scoring survey that was imported from the REDCap Shared Library while the Survey Queue is being utilized, clicking the Survey Queue icon at the top right of the survey page might mistakenly not display the Survey Queue.
  • Bug fix: Floating matrix headers on data entry forms (but not on surveys) would mistakenly move too much to the right side of the page while floating.
  • Bug fix: If an alert is set to be triggered during a data import, in which it will send an alert for each new repeating instance of a repeating instrument, the alert would mistakenly fail to get triggered if the imported value of the "redcap_repeat_instance" field is literally "new" rather than an integer. (Ticket #200445)
  • Bug fix: If the record ID field has any kind of field validation, the validation would mistakenly fail to be enforced when renaming the record on the Record Home Page. (Ticket #200101)
  • Bug fix: The "Save & Mark Survey as Complete" button on data entry forms might mistakenly be displayed in situations in which it should not. (Ticket #142863)
  • Bug fix: The process that checks for errors in the REDCap database structure might have reported false positives if REDCap is running on newer MariaDB versions (10.3.37+, 10.4.27+, 10.5.18+, 10.6.11+, 10.7.7+, 10.8.6+, 10.9.4+, 10.10.2+, 10.11.0+), in which the “SHOW CREATE TABLE” query in these newer MariaDB versions excludes a column's charset and collation if the column matches the default charset/collation of the table.
  • Bug fix: When creating a new project via the MyCap project template, the project creation process would mistakenly update the baseline date setting configuration before updating the project configuration, thus causing some things to be out of sync with regard to MyCap settings in the project in certain cases.
  • Bug fix: When using an ontology service (e.g., BioPortal) on a Text field, the cron job that sends Alerts and Automated Survey Invitations might mistakenly crash with a fatal PHP error if the field's value is piped into the email body of the Alert or ASI. (Ticket #201928)
  • Bug fix: The login page for "Shibboleth & Table-based" authentication might mistakenly display both the Shib and Table-based login options under the Shib login tab. Bug emerged in REDCap 13.4.0. (Ticket #200919)
  • Bug fix: When uploading a CDISC ODM XML file of data on the Data Import Tool page, in certain situations while using PHP 8, the page could crash with a fatal PHP 8 error. (Ticket #200728)
  • CDIS-related changes/improvements:
    • Created DTO (data transfer objects) for CDIS mapping to improve the code's reliability, readability, and maintainability.
    • Implemented the ability to include additional parameters in CDIS mapping using a specific syntax.
  • CDIS-related bug fixes:
    • Resolved an issue where an error during FHIR authentication prevented the complete log from being displayed.
    • Fixed a bug where fhir_identity_provider, a CDIS setting, was not given proper priority during the FHIR authentication process.
    • Addressed a bug where the "next" page of a bundle containing too many entries could have no reference to the FHIR resource, resulting in a logging error.
  • Bug fix: Some project-level pages would mistakenly appear too wide and would display a horizontal scrollbar when they should not. (Ticket #202024)
  • Bug fix: When composing an invitation for a repeating survey on the Participant List page, the Compose Invitations dialog would mistakenly pre-check the checkbox of participants in the dialog's participant list in which the participant row represents a placeholder for a not-yet-existing repeating instance of the survey. In this case, users might not wish to send an invitation to these placeholders, but they exist there in the participant list just in case they do wish to invite them. So leaving them pre-checked when the Compose dialog opens could cause users to mistakenly send another repeating survey invitation to the participant when the user did not intend to do that.
  • Bug fix: When two users are simultaneously on the same data entry form in a project about to create a new record, in which both users have been assigned the same tentative record name prior to the record being created, if the second user to click Submit is also locking the instrument, the second user's record would skip a number in the record creation sequence (e.g., user 1 creates record "101" while user 2 creates "103" instead of "102") while also mistakenly not locking the second user's new record. (Ticket #201814)
  • Bug fix: When a repeating instrument for a record has an instance 2 but not an instance 1 saved, the left-hand instrument menu might mistakenly display a gray status icon for the repeating instrument (as if no instances exist) when viewing other instruments within the record. (Ticket #202054)

Version 13.4.2 (released on 2023-03-24)

CHANGES IN THIS VERSION:

  • Major bug fix: When appending "&new" to the end of a survey URL for a repeating survey, it would mistakenly not redirect to the next not-yet-created repeating instance of the survey but would instead display the message that the survey had been completed.
  • Bug fix: When using Duo two-factor authentication, REDCap would mistakenly not honor when a user checked the checkbox to not prompt for the MFA login again for 7 days. (Ticket #201444)
  • Bug fix: When clicking the Check All button on the Email Users page in the Control Center, if some text had been entered into the Search filter beforehand, every user would mistakenly be selected rather than just the visible users in the table. This could cause the email to go to all users instead of just specific ones.
  • Bug fix: When the REDCap API has been disabled at the system level, the Tableau Export option on the "Other Export Options" page would mistakenly still appear. (Ticket #200248)
  • Bug fix: When copying a project or creating a project from a template, the creator of the project would mistakenly not have "Alerts & Notifications" privileges. (Ticket #201585)
  • Bug fix: The Configuration Check page had several checks that would mistakenly fail due to language strings not being escaped. This bug was introduced in the previous version. (Ticket #201609)

Version 13.4.1 (released on 2023-03-24)

CHANGES IN THIS VERSION:

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered on survey pages in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way into the survey URL in order to pre-fill a Text field on the page, in which the field must have the @DEFAULT action tag and must also be piped somewhere on the current page. (Ticket #201503)
  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in the File Repository in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the “comment” text of an uploaded file. (Ticket #200457)
  • Minor security improvement: The "Clickjacking Prevention" feature is now always automatically enabled on the Password Recovery page (when using "Table-based" or "X & Table-based" authentication).
  • Improvement: New option for Form Display Logic: “Hide forms that are disabled”. When enabled, all forms that are disabled will also be hidden (not visible) on the Data Collection menu and on the Record Home Page.
  • Improvement: The text for the setting “Require a 'reason' when making changes to existing records” is now available for translation on the Multi-Language Management page.
  • Improvement: The Database Query Tool page in the Control Center now has a text box to easily filter database tables in the table list.
  • Bug fix: The borders of table cells for tables created by the rich text editor might mistakenly be invisible when they have been set to be displayed with a border.
  • Bug fix: The admin-only “auto-fill” button on surveys and data entry forms might not be located in the correct position on the page after resizing the webpage.
  • Bug fix: The survey auto-continue feature might mistakenly not work with PROMIS computer adaptive test (CAT) surveys but instead would just display the text "Thank you for your interest, but you have already completed this survey". (Ticket #200757, #200621)
  • Bug fix: Some matrix headers might mistakenly disappear when scrolling down on a survey or data entry form.
  • Bug fix: Some dialog popups on MyCap-related setup pages might mistakenly close when clicking inside them.
  • Bug fix: When using Multi-Language Management, the proper language would not get used for the e-Consent PDF in certain situations (Ticket #200944).
  • Bug fix: When using Multi-Language Management, the survey acknowledgement page might not show the appropriate language.
  • Bug fix: When using Multi-Language Management, the image upload and file attachment modals might not work on the MLM setup page.
  • Bug fix: When a PDF file is attached to a Descriptive Text field and is set to display inline, it might not always get positioned in the correct place in the resulting PDF that is generated.
  • Bug fix: When a PDF file is attached to a Descriptive Text field and is set to display inline, the inline PDF might be displayed with too low a resolution inside the resulting PDF that is generated. Its resolution has been increased from 120 DPI to 200 DPI to make it more readable. (Ticket #200582)
  • Bug fix: When a PDF file is attached to a Descriptive Text field and is set to display inline, the inline PDF might mistakenly be too large for the page and might run off the page if more than one or two lines of text exist for the Descriptive Text field's field label. The resulting PDF that is generated will instead begin the inline PDF on a new page by itself in this scenario. (Ticket #200582b)
  • Bug fix: The onhover action of the gear icons on the User Activity Log page in the Control Center would mistakenly not work and would not display the project title, as expected. (Ticket #200729)
  • Bug fix: When clicking inside the "Preview message by record" dialog on the Alerts & Notifications page, the dialog would mistakenly close.
  • Bug fix: In a classic/non-longitudinal project, when navigating directly to a data entry form prior to choosing a record (via the form list under "Hide data collection instruments" on the left-hand menu), the page would mistakenly be too narrow.
  • Bug fix: Small tweaks and fixes for the page "Updating your REDCap Database Tables to support full Unicode".
  • Bug fix: Piping in a survey's Survey Completion Text would always fail to work. (Ticket #200909)
  • Bug fix: Floating matrix headers on survey pages and data entry forms might mistakenly move all the way to the left side of the page while floating.
  • Bug fix: The footer (gray box) at the bottom of all project pages might mistakenly not appear in the correct position but might be too far left. (Ticket #200912)
  • Bug fix: In some situations, a required field that is embedded inside another required field hidden by branching logic might mistakenly not be able to have its value removed when a user deletes the value and then clicks Save on a survey or data entry form. The value would reappear again if the page was reloaded.
  • Change: Reworded the "Tip for min/max limits" text in the Online Designer for greater clarity.
  • Bug fix: In some rare scenarios when a participant submits the first page of a public survey, the page might result in a "too many redirects" error, thus preventing the user from completing the survey. (Ticket #200351)
  • Bug fix: When composing a survey invitation, in which the Smart Variable [survey-link:instrument] or [survey-url:instrument] is used (i.e., with an instrument name) inside the body of the invitation, the dialog titled "Invitation text is missing [survey-link] variable" would mistakenly appear when it should not. (Ticket #200914)
  • Bug fix: When submitting the first page of a public survey, in which an MDY or DMY formatted date/datetime field was submitted, the survey might mistakenly display the "invalid values entered!" dialog saying that the field's submitted value was incorrect, which is not true.
  • Bug fix: Several missing LOINC codes were added to the CDIS mapping features.
  • Change: Hundreds of phrases and words of static text were abstracted in the REDCap code to allow them to be translated via the Language Updater. (Thanks to Hugo Potier for all his help with this task.)
  • Bug fix: Fixed typo in Multi-Language Management logEvent() method. This does not seem to affect anything though.
  • Bug fix: When embedding a matrix field and using the ":icons" notation, the balloon and history icons would mistakenly not be displayed for the embedded matrix field.
  • Bug fix: If a horizontally-aligned checkbox is embedded inside the choice label of another checkbox that is vertically-aligned, the first checkbox of the embedded field might mistakenly not be visible. (Ticket #201393)

Version 13.4.0 (released on 2023-03-10)

CHANGES IN THIS VERSION:

  • New feature: Mosio SMS Services
    • REDCap has the capability to send SMS text messages for surveys and for Alerts & Notifications by using a third-party web service named Mosio (www.mosio.com). In this way, users can invite a participant to take a survey by sending them an SMS message, in which the data would be collected in REDCap directly from their phone without having to use a webpage. There are two ways REDCap currently works with Mosio: 1) Surveys – Sending survey invitations and also sending questions and getting replies via text message, and 2) Alerts - Sending one-way Alerts & Notifications via text message.
    • The Mosio Two-Way Text Messaging (SMS) Services work exactly the same as the current Twilio functionality, with the exception of the Voice Call features. Mosio can only send and receive SMS messages. If a user wishes to switch a project from using Twilio to using Mosio, the only thing that needs to be done is for them to get a Mosio account and API key, then disable Twilio and enable Mosio in their REDCap project using their API key. That’s all that needs to be done to migrate from Twilio.
    • If you wish to disable the Mosio functionality at the system-level so that users do not see the feature on the Project Setup page, an administrator may do so on the Modules/Services Configuration page in the Control Center (similar to the Twilio settings there).
    • For more information and to get a Mosio account, visit https://www.mosio.com/redcap. Mosio specializes in research communications automation, helping researchers improve engagement, adherence, and data collection in studies. The service is both HIPAA and 21 CFR Part 11 compliant and willing to sign BAAs.
  • Change: The Internet Explorer web browser is no longer supported in REDCap.
  • Change: The third-party package named Bootstrap that is embedded inside REDCap has been upgraded from Bootstrap 4 to Bootstrap 5. Most external modules should be unaffected by this change since most of the deprecated Bootstrap 4 classes and conventions have been backported into this version to make the transition as seamless as possible.
  • Major bug fix: If the Automatic Upgrade (blue button on the Upgrade page), Easy Upgrade, and/or Auto-Fix options are available in your REDCap installation (regardless of whether you have actually used those options or not), it could be possible for someone that is not logged in to REDCap to directly access the upgrade page of an older version sitting on the web server (e.g., https://.../redcap_v11.1.0/upgrade.php) and click the blue Upgrade button for the Automatic Upgrade, which would mistakenly revert the system back to that version. Note: Doing this would not run any other SQL but only the few queries that change the "redcap_version" in the redcap_config database table (and a couple of other minor things). If either the Automatic Upgrade or Easy Upgrade option is available on your system, then it is recommended that you additionally go and remove EVERY upgrade.php file that exists inside all previous REDCap version folders. This is just a one-time thing, and is not necessary to do in the future. (Ticket #200338)
  • Change: Replaced all hard-coded links to REDCap Community pages to point to the new REDCap Community website hosted on the Vanderbilt REDCap server. Previous links pointed to the old AnswerHub site.
  • Change: The project PID was added to the email subject of all "Request to Move Project to Production" emails that are sent to REDCap administrators. (Ticket #76956)
  • Bug fix/change: Inline PDF attachments on Descriptive Text fields were mistakenly not being rendered as inline in PDF exports.
    • Last year, when the inline PDF feature was added for attachments on Descriptive Text fields (in previous REDCap versions only images could be displayed as an inline attachment on the web page and in the exported PDF file), the feature was mistakenly not fully implemented because the PDF attachment was not rendered inline inside the resulting exported PDF file for a form or survey. To fix this, any PDF attachments that are set to be displayed as inline on a Descriptive Text field will now correctly be rendered as inline in the PDF of the form/survey in order to be consistent with how inline images have always been treated in PDFs.
    • Additionally, the ImageMagick PHP extension is required for this fix to work. It is a common but not universal PHP extension. A new check has been added to the Configuration Check page to detect if this extension has been enabled on the REDCap web server, and if not, the page will provide a link with instructions for installing it, if desired. 
    • NOTE: If administrators wish to disable this setting so that inline PDF attachments are not rendered as inline inside the PDF files, they may disable this functionality at the system level on the Modules/Services Configuration page in the Control Center.
  • Bug fix: When the min or max validation range of a date- or number-formatted Text field contains certain Smart Variables, the min/max range check might mistakenly not work on a form or survey due to a JavaScript error. (Ticket #143298)
  • Bug fix: When a user deletes all the data in a single event for a record (in the UI or via the API), the resulting logged event seen on the Logging page would mistakenly note that it happened to the first event instead of to the specified event.
  • Bug fix: When the Record ID field has the @HIDDEN-PDF action tag, the field would mistakenly not get hidden in the downloaded PDF when clicking the PDF option "This data entry form with saved data (via browser's Save as PDF)" while on a data entry form. (Ticket #111718b)
  • Bug fix: While the ability of individual projects to have their own authentication method was removed in REDCap 13.1.2, this setting was mistakenly not removed from the Edit Project Settings page (in which changing its value on that page does nothing to affect anything). (Ticket #200379)
  • Bug fix: When copying a MyCap-enabled project, it would mistakenly copy the MyCap tasks into the new project, even when the MyCap copy option is not checked.
  • Bug fix: When migrating a project using the MyCap external module to begin using the native MyCap feature, the migration process might mistakenly not process certain MyCap tasks correctly that were not adequately enabled in the MyCap EM.
  • Bug fix: The Smart Variables [survey-time-started], [survey-date-started], [survey-time-completed], [survey-date-completed], [survey-duration], [survey-duration-completed] might mistakenly return the value for record "1" in a project (if record "1" exists) when these Smart Variables are used in a calculated field, @CALCTEXT field, or branching logic on the first page of a public survey. These would, however, work correctly if used in a field label, choice label, etc., if used on a non-public survey, or if used on survey page 2 or higher of a public survey.
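
The cleanup recommended in the Automatic Upgrade fix above, as an added example (not part of REDCap or of this change log): a script that lists, and only with --apply deletes, upgrade.php files left in older version folders. It assumes version folders named redcap_vX.Y.Z sit directly under the web root, as in the URL quoted in that entry; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find upgrade.php files left behind in previous REDCap version folders.
# Assumption: version folders are named redcap_vX.Y.Z directly under the web root
# (the layout implied by the URL https://.../redcap_v11.1.0/upgrade.php in the notes).

# Print the path of every upgrade.php that sits in a redcap_v* folder
# other than the currently installed version.
#   $1 = REDCap web root    $2 = current version, e.g. 13.4.0
find_stale_upgrade_files() {
    local webroot="$1" current="$2" dir
    for dir in "$webroot"/redcap_v*/; do
        [ -d "$dir" ] || continue                      # glob matched nothing
        dir="${dir%/}"
        # Keep the running version's own upgrade.php untouched.
        [ "${dir##*/}" = "redcap_v$current" ] && continue
        [ -f "$dir/upgrade.php" ] && printf '%s\n' "$dir/upgrade.php"
    done
    return 0
}

# Dry run by default: report what would be removed (on stderr) and print the count.
# Pass --apply as the third argument to actually delete the files.
remove_stale_upgrade_files() {
    local webroot="$1" current="$2" mode="${3:-}" file count=0
    while IFS= read -r file; do
        [ -n "$file" ] || continue                     # empty list yields one blank line
        if [ "$mode" = "--apply" ]; then
            rm -f -- "$file"
            echo "removed: $file" >&2
        else
            echo "would remove: $file" >&2
        fi
        count=$((count + 1))
    done <<EOF
$(find_stale_upgrade_files "$webroot" "$current")
EOF
    echo "$count"
}

# Command-line use: script.sh WEBROOT CURRENT_VERSION [--apply]
if [ "$#" -ge 2 ]; then
    remove_stale_upgrade_files "$@"
fi
```

Run it once without --apply to review the list, then again with --apply from an account that has write access to the web root.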

Version 13.3.4 (released on 2023-03-03)

CHANGES IN THIS VERSION:

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in the @CALCTEXT action tag in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the text of the @CALCTEXT action tag.
  • Minor security fix: An SQL Injection vulnerability was found on the Database Activity Monitor page, in which a malicious user could potentially exploit it by manipulating an HTTP request on another page while an administrator views the Database Activity Monitor page.
  • Change: HTML "style" tags are now allowed in user-defined text, such as field labels, survey instructions, etc.
  • Change/improvement: On the Calendar page, the year selection drop-down list now extends to 10 years in the future by default, and if the year is changed via the drop-down, the drop-down's options will extend to 10 years in the future of either the current year or the selected year (whichever is larger). (Ticket #143067)
  • Bug fix: Several missing LOINC codes were added to the CDIS mapping features.
  • Bug fix: When REDCap is sending a confirmation email to a survey participant after completing a survey, it might mistakenly cause a fatal PHP error on the page. (Ticket #143145)
  • Bug fix: When piping a File Upload field with “:link” or “:inline” in the body of outgoing emails (e.g., alerts, ASIs), the piping would mistakenly not be successful under certain circumstances. (Ticket #143158)
  • Bug fix: The Stats & Charts page might mistakenly crash in certain situations due to a fatal PHP error when using PHP 8. (Ticket #143019b)
  • Bug fix: When using Multi-Language Management, in which an Automated Survey Invitation has been translated, the ASI might mistakenly not be sent in the desired language when there are conflicting things (or none) dictating what the language should be for the ASI. To prevent this issue regarding language ambiguity in ASIs, a new MLM setting had to be added to allow users to define the language source of a given ASI at the survey level (but not at the survey-event level), in which users may choose the “Language preference field” or “User's or survey respondent's active language” as the ASI Language Source on the MLM setup page. (Ticket #143119)
  • Bug fix: When using Multi-Language Management, in which an Automated Survey Invitation has been translated, the ASI might mistakenly be sent out in the fallback language in some cases. (Ticket #143119b)
  • Bug fix: Any HTML tags used inside the equation of a @CALCTEXT field would mistakenly not display correctly in the View Equation popup on data entry forms. (Ticket #143228)
  • Bug fix: An issue specific to PHP 8.1 might cause some features of the Clinical Data Mart to crash with a fatal PHP error.
  • Bug fix: When using comments in calculations or logic, if the comment contained a quote or apostrophe, it would mistakenly get included in the check to ensure that there is always an even number of quotes/apostrophes in the calculation/logic. This would sometimes throw an error and prevent users from being able to add or edit the calc/logic. (Ticket #143367)
  • Bug fix: Large configurations for Multi-Language Management might mistakenly get truncated in the database when saved. The configuration columns in the MLM database tables were increased to handle this. (Ticket #143355)
  • Bug fix: The embedded PDF on the e-Consent certification page of a survey with the e-Consent Framework enabled would mistakenly look squished (have incorrect dimensions) when taking the survey on an iPad. (Ticket #143212)
  • Bug fix: In some cases after a participant has completed a survey, if they return to the survey using a private survey link (i.e., not a public survey link) while the survey has "Save & Return Later" disabled, the participant might mistakenly be allowed to modify the existing survey response. (Ticket #143400)

Version 13.3.3 (released on 2023-02-24)

CHANGES IN THIS VERSION:

  • Major bug fix: On public surveys where the participant fails to enter a value for a required field on the first page of the survey, in which the survey page has dozens or hundreds of fields, the survey page might mistakenly crash with an HTTP 414 error (URL Too Long) after being submitted, thus preventing the participant from completing the survey. Bug emerged in REDCap 13.1.11 (LTS) and 13.3.0 (Standard). (Ticket #142829)
  • Bug fix: The Azure AD (V1) authentication was mistakenly displaying “samAccountName” as an option to use for “AD attribute to use for REDCap username” when instead it should have been using “onPremisesSamAccountName”. (Ticket #134789)
  • Bug fix: When re-evaluating an Automated Survey Invitation for a repeating survey that has been set up with a repeating ASI, the re-evaluation process might report that some invitations were scheduled when they were not.
  • Bug fix: In some cases, images that were added via the rich text editor to a project dashboard, to custom text on a report, or to survey components (instructions, questions, etc.) would mistakenly not display on the public version of the dashboard, on a public report, or on the survey, respectively, unless the person viewing it was currently logged in as a REDCap user. (Ticket #142302)
  • Bug fix: If Automated Survey Invitations have been set up for a survey, in which some invitations have already been scheduled for a record, if the survey instrument gets marked as "Complete" via normal save operations on the data entry form (with the exception of clicking the "Save & Mark Survey as Complete" button), the scheduled invitations would mistakenly get automatically deleted. They should only get deleted if the survey has been completed via the survey page or by a user clicking the "Save & Mark Survey as Complete" button on the data entry form. Bug emerged in REDCap 9.3.7. (Ticket #142989)
  • Bug fix: When creating a Table-based authentication user or when adding a user to a project, if the username that was entered contained illegal characters, the error message would fail to note that the @ symbol is allowed in usernames. (Ticket #142999)
  • Bug fix: The Stats & Charts page might mistakenly crash in certain situations due to a fatal PHP error when using PHP 8. (Ticket #143019)
  • Bug fix: When using Duo two-factor authentication, if the system is set to "Offline", it would mistakenly prevent administrators from successfully logging in via Duo 2FA. (Ticket #143003)
  • Bug fix: The admin detection on survey pages might mistakenly fail in certain situations and thus fail to display the “Auto-fill survey” link at the top-right of a survey page whenever an administrator is viewing the survey.
  • Bug fix: When piping instance-related Smart Variables into the email text of a survey's Confirmation Email, the resulting piped text might mistakenly not be formed correctly. For example, appending [new-instance] to the [survey-link] Smart Variable, in which survey-link contains custom display text, would output the survey URL instead of the survey link with the custom text. (Ticket #143059)

Version 13.3.2 (released on 2023-02-17)

CHANGES IN THIS VERSION:

  • Bug fix: When a record is correctly assigned to a Data Access Group, it might not appear to be assigned to its DAG while viewing the Record Status Dashboard, the Add/Edit Records page, and reports if data values for the record somehow got stored incorrectly in the backend redcap_data table in multiple/mixed cases (e.g., "101a" vs "101A"). Un-assigning and then re-assigning the record back to its original DAG might fix this issue temporarily, but the bug would arise again whenever the project's internal "Record List Cache" was cleared/rebuilt. (Ticket #141329, #142544) NOTE: If the issue still exists after the upgrade, click the “Clear the Record List Cache” button on the Project Setup->Other Functionality page.
  • Bug fix: When exporting CSV files in various places throughout REDCap, the process might mistakenly fail for PHP 8 under specific unexpected conditions.
  • Bug fix: The cron job used for the Clinical Data Mart or Clinical Data Pull might mistakenly fail due to the user ID being used instead of the username when creating a new instance of the job.
  • Bug fix: Over 20 missing LOINC codes were added to the CDIS mapping features.
  • Bug fix: The "resources" link in the MyCap informational dialog on the Project Setup page mistakenly pointed to the wrong URL. (Ticket #142514)
  • Bug fix: The CSV file upload for importing Automated Survey Invitations (ASIs) in the Online Designer would mistakenly fail with an error if the user's preferred CSV delimiter was not set to "comma" via their user profile. (Ticket #142555)

Version 13.3.1 (released on 2023-02-10)

CHANGES IN THIS VERSION:

  • Change/improvement: Added a new internal service check to the Configuration Check page that checks REDCap's ability to make server-side HTTP calls to its own survey end-point. For some server/network configurations, this kind of HTTP call was failing silently and causing some survey pages to time out sporadically. This check will help administrators become aware of this issue if it exists.
  • Bug fix: When performing certain actions in the File Repository, such as uploading files, an error message would mistakenly be displayed afterward saying that there is a DataTables warning. Bug emerged in REDCap 13.3.0 (Standard).
  • Bug fix: When using the page "Updating your REDCap Database Tables to support full Unicode", some REDCap installations (depending on their specific database configuration) might experience a few minor SQL errors during the Unicode transformation process.
  • Bug fix: The "System Statistics" page in the Control Center did not display the label correctly for the count of projects utilizing the Clinical Data Pull feature.
  • Bug fix: Data values imported for a patient’s “birth-sex” via FHIR using the Clinical Data Interoperability Services might mistakenly get converted into an incorrect value (“UNK”) in some specific cases. (Ticket #141976)
  • Bug fix: If using the e-Consent Framework with the setting "Allow e-Consent responses to be edited by users?" enabled, users with edit privileges would mistakenly be prevented from modifying the data on the consent form via a data import. (Ticket #140846)
  • Bug fix: The Survey Queue page might crash due to a fatal PHP error when using PHP 8. (Ticket #142125)
  • Bug fix: When using the @RICHTEXT action tag on a Notes field, changing the text in the editor (i.e., the field's value) might mistakenly not trigger calculations or branching logic accordingly. (Ticket #142127)
  • Bug fix: When using the rich text editor to translate a survey's survey instructions on the Multi-Language Management setup page, any images uploaded via the rich text editor would mistakenly not load when viewing the translations on a survey page (that is, unless the person viewing the survey is a REDCap user and is currently logged in to REDCap). (Ticket #141658b)
  • Bug fix: If a user that has "read-only" user privileges for a specific instrument is viewing the Data History of a File Upload field on that instrument, the "Delete" link next to each file/revision would mistakenly be displayed in the Data History popup. Users with read-only instrument-level privileges should not be able to delete older revisions of a File Upload field. (Ticket #141709)
  • Bug fix: If a repeating instrument has been enabled as a survey, but the survey setting "(Optional) Repeat the survey" has not been enabled on the Survey Settings page, then when viewing the participant list, a placeholder instance might mistakenly not be displayed in the participant list to represent a not-yet-taken instance of the repeating survey. There should always be at least one untaken placeholder instance displayed for each record in the participant list for repeating surveys because this allows users to open a new instance of the survey or email the participant a link to that new survey instance. (Ticket #141545)
  • Bug fix: When creating/editing a report, the explanatory dialog for Step 3's "Show data for all events for each record returned" checkbox was outdated and mistakenly did not mention anything about the setting's usage in projects containing repeating instruments/events. (Ticket #141953)
  • Bug fix: When the "Text-To-Speech" feature is enabled on a survey, the speaker buttons would mistakenly not appear next to the field labels of fields in a matrix, thus preventing participants from utilizing the feature there. (Ticket #141787)
  • Bug fix: In very specific situations where a field is a required field and is embedded in another field, in which the container field is hidden by an @HIDDEN action tag while the field embedded inside it also has an @HIDDEN action tag, the user would mistakenly get prompted by the Required Field dialog for a hidden embedded field if the container and/or embedded fields have @HIDDEN-SURVEY while on a data entry form *or* if they have @HIDDEN-FORM while on a survey page. (Ticket #142212)
  • Bug fix: If a whole record has been locked or if a data entry form has been locked for a given record, any survey participant who happened to have opened their survey prior to the record/instrument being locked would mistakenly still be able to submit and save their survey response, and as a result, possibly overwrite any existing data on the locked record/form. (Ticket #139555)
  • Bug fix: When downloading a data dictionary or an instrument zip file, any Dynamic Query (SQL) fields that contain "\\n" in their SQL query would mistakenly have the text "\\n" replaced with "|" in the resulting downloaded file. (Ticket #141734)

Version 13.3.0 (released on 2023-02-02)

CHANGES IN THIS VERSION:

  • New feature: Administrators will now see an “Auto-Fill Form” or “Auto-Fill Survey” button at the top right of forms and surveys, respectively. Clicking the button will auto-fill all visible fields on the entire instrument. This is to help with testing or troubleshooting data collection.
  • New feature: Embedding file attachments in text & emails
    • Users may now attach one or more files into the text of a survey invitation, an alert, or a field label on a form/survey, among other things, by clicking the file attachment (paperclip) icon in the rich text editor and then by uploading a file from their local device.
    • This feature is available for every rich text editor *with the exception* of non-project pages (e.g., the Email Users page) and also any field with the @RICHTEXT action tag.
    • If administrators wish to disable the ability to embed attachments in text via the rich text editor, they may disable this functionality at the system level on the Modules/Services Configuration page in the Control Center. Note: This setting operates independently from the other setting “File Repository: Users are able to share files via public links” (found on the File Upload Settings page in the Control Center); thus, even if public file sharing has been disabled globally, users can still upload file attachments via the rich text editor so long as its associated setting has been enabled globally.
    • Note: All files uploaded via the rich text editor will be represented in the text of the editor as a public file-sharing link, which allows the file to be downloaded in any context (e.g., on surveys, on authenticated REDCap pages, and in public areas like emails and public dashboards). This means that if anyone has possession of this link, they will be able to download the file (at least, until the file has been deleted). All files uploaded via the rich text editor will be automatically stored in a special “Miscellaneous File Attachments” folder in the File Repository where they can be accessed and/or deleted, if necessary. If any such file is deleted from the “Miscellaneous File Attachments” folder in the File Repository, the associated download link for the file will cease to be active and thus will become a dead link wherever it has been used.
  • Improvement: A new "preformatted code block" button was added to the toolbar of all rich text editors.
  • New feature: New one-way messaging system for Clinical Data Interoperability Services (CDIS) that is designed to provide secure communication to users who are utilizing asynchronous CDIS processes, such as background data pulling via a cron job. This new system has been developed to address the need for a secure means of communication outside of REDCap Messenger, particularly for messages that contain protected health information (PHI). Emails were not a viable option for these types of messages, as they do not provide the necessary level of security to protect PHI from unauthorized access. The system utilizes encryption techniques to ensure the confidentiality and integrity of all messages exchanged.
  • Bug fix: When using comment lines inside the Field Annotation for a @CALCTEXT field, Data Quality rule H would mistakenly not perform the calculation successfully. (Ticket #141558)
  • Various updates and fixes for the External Module Framework.
  • Bug fix: Fixed PHP 8 related error when an administrator tries to hide the blue Easy Upgrade box in the Control Center. (Ticket #141539)
  • Bug fix: When using "now" as the min/max for a date field or using "today" as the min/max for a datetime field, the validation range check would mistakenly not detect an out-of-range value. (Ticket #141646)
  • Bug fix: When using the rich text editor to translate a label on the Multi-Language Management setup page, the image icon was mistakenly missing from the editor's toolbar interface, thus preventing users from uploading alternative images into the translated text.
  • Bug fix: When using the rich text editor to translate a label on the Multi-Language Management setup page, any images uploaded via the rich text editor would mistakenly not load when viewing the translations on a survey page (that is, unless the person viewing the survey is a REDCap user and is currently logged in to REDCap). (Ticket #141658)
  • Bug fix: When a survey participant enters data on a public survey, in which some required fields are left blank, it is possible for the participant to re-submit the page in the browser (via the browser Back/Reload button) and thus cause duplicate records to be created. This can especially happen for certain browsers, such as Mobile Safari on iOS devices, when minimizing the browser and then re-opening the browser later. (Ticket #141012)

Version 13.2.5 (released on 2023-01-27)

CHANGES IN THIS VERSION:

  • Improvement: Comment lines can be added to calculations and logic to serve as annotations to explain various parts of the logic/calc. Thanks to Günther Rezniczek for helping add this new feature.
  • Improvement: When setting up the Survey Queue or an individual Automated Survey Invitation, the survey drop-down for the “When the following survey is completed” setting in the dialog now has a built-in search feature to easily find a specific survey in a long list. Additionally, if the survey title does not match the instrument title, the drop-down list will also display the user-facing form name for the survey, which should help users find the right survey quicker in certain cases.
  • Bug fix: In some cases, images that were added via the rich text editor to a project dashboard would mistakenly not display on the public version of the dashboard unless the person viewing it was currently logged in as a REDCap user.
  • Updates for the External Module Framework, including: 1) Added arguments allowing $module->getProjectsWithModuleEnabled() to return projects in analysis/cleanup status and with completed dates, and 2) Miscellaneous scan script updates and unit test updates.
  • Bug fix: When creating a project using the MyCap project template included in REDCap, in some cases the resulting project might result in errors when a participant loads the project on their MyCap mobile app.
  • Bug fix: A fatal PHP error might occur for PHP 8 on a project using the Clinical Data Pull feature, in which a user clicks the "Delete data for THIS FORM only" button at the bottom of a data entry form. (Ticket #141230)
  • Bug fix: When using Clinical Data Pull and launching the CDP REDCap page embedded inside of Epic Hyperspace (this does not affect other EHRs but only Epic), the embedded page would not function correctly due to incompatibilities with Internet Explorer, which is the embedded browser utilized by Hyperspace. This bug emerged in the previous REDCap version.
  • Bug fix: When exporting a project’s data to SAS, in which the project is using Missing Data Codes and also the exported data set contains Text or Notes fields, the resulting SAS syntax file might mistakenly be missing an underscore at the end of the variable name for the “format” attribute for the Text and Notes fields. (Ticket #103142)
  • Bug fix: The replacement function utf8_encode_rc() for PHP's utf8_encode() might prevent certain users from logging in successfully, an issue ultimately caused by certain unknown web server configurations. (Ticket #140393)
  • Bug fix: When using the Randomization page while a project is in production status, a REDCap administrator is unintentionally able to erase the randomization model of the project, which should only be allowed while in development status (even for admins). The "Erase randomization model" button will now stay disabled for everyone when a project is in production. (Ticket #141286)
  • Bug fix: If a required field's field label contains a lot of HTML, in which the field value is left empty when submitting a survey page or data entry form, the "Some fields are required" dialog that is displayed would mistakenly not display correctly on some occasions due to the HTML in the label. To prevent this issue and to make the field label more readable, the required field dialog will now strip all HTML from the field label when displaying it. (Ticket #141262)
  • Bug fix: When MyCap is enabled in a project, on some rare occasions when migrating a project using the MyCap external module, the process might fail due to an SQL error. (Ticket #138168b)
  • Bug fix: Importing data for a patient’s race via Clinical Data Interoperability Services (CDIS) might mistakenly fail in cases where the patient has more than one race listed in the EHR.
  • Bug fix: When a user is viewing the field drop-down for the Data Search feature on the Add/Edit Records page in a project that has more than 20K records, the note text in the first option of the field drop-down would mistakenly be truncated, thus preventing the user from being able to read it. (Ticket #141317)
  • Bug fix: When uploading a CSV file of user privileges on the User Rights page, the "lock_records" privilege would mistakenly return an error if its value is set to "2", which is a valid value. (Ticket #141141)
  • Bug fix: When changing an existing alert from sending "immediately" and "every time" to sending not immediately (e.g., "Send on next X at time Y") without explicitly clicking the "Just once" radio option in Step 2B after doing so, these changes made to Step 2 would mistakenly not get saved when saving the alert. (Ticket #140491)

Version 13.2.4 (released on 2023-01-20)

 

  • Improvement: When using the built-in MyCap feature, users can now explicitly define the title of the project as seen by participants in the MyCap Mobile App. A new button has been added near the top of the “MyCap App Design” to allow users to set the project title that is displayed in the app. If not defined, it will default to using the user-facing title of the REDCap project, which was how it behaved in previous versions of REDCap.
  • Major bug fix: In certain situations where survey invitations get scheduled for a repeating Automated Survey Invitation, in which the record's data is later modified, the repeating invitations that were scheduled might mistakenly get unscheduled. (Ticket #140851)
  • Major bug fix: If a user is creating a new record on a data entry form, in which record auto-numbering is enabled in the project and the form is submitted by the user with a required field that has no value, if the project's internal Record List Cache (a secondary list of records in the database for improving performance) had not been built yet or was recently cleared (which is done automatically by REDCap internally), the user submitting the form might trigger the Record List Cache building process, which might inadvertently create multiple identical records instead of just creating the one record.
  • Bug fix: If a checkbox field has a large number of choices, thus causing the checkbox options to become a scrollable box, the overall height of the scrollable box would mistakenly be too short on surveys that have the "Enhanced radio buttons and checkboxes" feature enabled. Since the enhanced radios/checkboxes are much larger than regular radios/checkboxes, the scrollable area has been made twice as tall in these cases in order to provide a less confusing user experience to survey participants.
  • Bug fix: The Multi-Language Management page in the Control Center might incorrectly denote a translated language as being 100% complete when it is only 99.9% complete. (Ticket #140724)
  • Bug fix: Various issues related to checkbox fields with many options, such as displaying a horizontally-aligned checkbox field as too wide in Firefox. Also, the new feature added in the previous version that would cause a long list of checkbox options to become scrollable has now been completely removed since so many users complained about it being problematic for them. (Ticket #140759)
  • Bug fix: When piping a Notes field that has the @RICHTEXT action tag, the HTML formatting in the field's value might mistakenly not render correctly on the page, especially if the value contains HTML tables. (Ticket #140910)
  • Bug fix: When a datetime field is using "now" as the min or max validation range, and the user clicks the "Now" button next to the field after having been on the page for more than one minute, the "out of range" popup would mistakenly display.
  • Bug fix: When using Multi-Language Management, if some slider fields do not have their slider label values translated, it could cause some parts of the survey page or data entry form not to display all its translated text successfully. (Ticket #140871)
  • Bug fix: Some LH-aligned radio buttons might mistakenly cause the page to be too wide if a radio choice label is very long. Unfortunately, the only way to fix this issue fully is to revert a change in the previous version that improved the text wrapping of the choice labels of horizontally-aligned checkbox fields.
  • Bug fix: If a survey participant clicks the "Save & Return Later" button on a survey, which has no survey title (i.e., it was left blank), the email sent to the participant might be slightly confusing because it displays only two double quotes where the survey title should be. It now displays slightly different text if the survey title has not been defined.
  • Bug fix: If a project title contains some UTF-8 encoded characters, the project title would mistakenly display as garbled when viewing it on the My Projects page on a mobile device. (Ticket #140814)
  • Bug fix: If a repeating Automated Survey Invitation has reminders enabled, the Survey Invitation Log might mistakenly display a bell icon and number (representing a reminder) next to a recurring invitation that is not actually a reminder.
  • Bug fix: When using the Randomization page and downloading an example allocation table in Step 2, for certain randomization models, the CSV file produced may become too large to be processed, which might throw an error, and/or it might take an abnormally large amount of time to output the CSV file. To prevent these situations, the example allocation tables now will only output a maximum of 50,000 rows regardless of the randomization model set up in the project. (Ticket #140909)

Version 13.2.3 (released on 2023-01-13)

 

  • Bug fix: If a Project Template has Form Display Logic, new projects created from that Project Template would mistakenly not have the Form Display Logic settings copied over. (Ticket #140489)
  • Bug fix: If REDCap is using an external file storage method (e.g., AWS S3, Azure Blob Storage) for storing all files in the system, the Project Revision History's version comparison feature would mistakenly fail, and it would result in a fatal PHP error when using PHP 8. (Ticket #140551)
  • Bug fix: If a participant email address contains one or more capital letters and is added manually to the Participant List multiple times, the Participant List would mistakenly fail to display a number and parentheses immediately before the email address on each row (e.g., "1) rob@aaa.com") to help differentiate the multiple instances of the same email address. (Ticket #140466)
  • Bug fix: When using Duo two-factor authentication, some important debugging information would mistakenly not get output to the page when an error occurred, which prevented admins from effectively troubleshooting certain network-based configuration issues that could cause Duo not to work dependably for users.
  • Bug fix: If a checkbox field has a large number of choices, it could cause the field to mistakenly take up a disproportionate amount of the survey page or data entry form, thus resulting in a bad user experience. In this case now, the whole list of checkbox options will instead become scrollable so that the checkbox field does not become too unwieldy while still allowing the user to see all the choices.
  • Bug fix: Checkbox fields that are horizontally-aligned might mistakenly have a choice’s checkbox and its label appear on two different lines due to text wrapping. Instead, an individual choice’s checkbox and label now no longer wrap to the next line but instead stay together on the same line. (Note: This fix does not apply when viewing a form/survey on a mobile device.)
  • Bug fix: In very specific situations where a field is a required field and is embedded in another field, in which the container field is hidden by an @HIDDEN action tag while the field embedded inside it does not have an @HIDDEN action tag but does have a @DEFAULT action tag, the default value added to the embedded field via the @DEFAULT action tag would mistakenly not get saved when saving the page.
  • Bug fix: Various fixes related to issues with using Duo two-factor authentication, including issues caused by the use of a proxy with the REDCap web server. (Ticket #140186, #137099)
  • Bug fix: Clicking the "View Equation" link for a @CALCTEXT field on a data entry form or survey page while the project is in production status but not in draft mode would mistakenly display an error message instead of displaying the calculation. (Ticket #140645)
  • Bug fix: When downloading a CSV file of either users or user roles on the User Rights page, the form-level viewing rights and form-level export rights in the CSV file might mistakenly contain instruments that have been deleted from the project. (Ticket #140668)
  • Bug fix: If PDF files had been stored in the File Repository's "PDF Survey Archive" folder, after which the Auto-Archiver and/or e-Consent Framework had been disabled for all surveys in the project, the "PDF Survey Archive" folder would mistakenly no longer be visible in the File Repository, thus preventing users from accessing previously-saved files. That folder will now be displayed if the Auto-Archiver and/or e-Consent Framework is enabled or if any files already exist in the folder. (Ticket #140435)

Version 13.2.2 (released on 2023-01-06)

 

  • Bug fix: In certain situations in which REDCap or an External Module executes a specific parameterized query to the database, the query might mistakenly fail due to an "illegal mix of collations".
  • Bug fix: Unless using the latest version of the REDCap Mobile App, a @CALCTEXT field might mistakenly not function correctly in the Mobile App if its calculation contains multiple nested IF() statements.
  • Bug fix: When a participant is viewing their survey queue, if they click the "Get link to my survey queue" button and then click "Send" to email the survey queue link to themselves, the Email Logging page would mistakenly not associate the email with a record in a project when searching for emails on that page. This can make it very difficult to find this email via the Email Logging page. In the future, this action will associate the email with a specific record on the Email Logging page.
  • Bug fix: A SQL query might mistakenly not get formatted correctly and thus might fail when CDIS is sending a notification to a user via REDCap Messenger regarding the completion of an asynchronous CDIS task.
  • Bug fix: The "How do I format the equation?" link in the "Edit Field" dialog in the Online Designer would mistakenly open the wrong question on the "Help & FAQ" page.
  • Bug fix: If a user assigned to a Data Access Group views a report that has DAG filtering imposed via "Step 3: Additional Filters" in the report settings, in which the user's DAG is not one of the selected DAGs of the Additional Filters, the report might mistakenly display some records from the user's DAG when instead it should not return any records in the report. A similar behavior might also occur for a user that is not assigned to a DAG when viewing the same report, but instead occurring when using the DAG Live Filter to select a DAG that is not one of the selected DAGs of the Additional Filters. (Ticket #140302)

Version 13.2.1 (released on 2022-12-29)

 

  • Major bug fix: If using AAF authentication or any of the "X & Table-based" authentication methods (excluding "LDAP & Table-based"), the login process might not function correctly and might appear as if the authentication has mistakenly reverted to only "Table-based" authentication. Bug emerged in REDCap 13.2.0 (Standard). (Ticket #140065)
  • Bug fix: Certain Font Awesome icons might mistakenly not display correctly on survey pages.

Version 13.2.0 (released on 2022-12-29)

 

  • New feature: “Azure AD & Table-based” authentication method - The “Security & Authentication” page contains a section of custom settings for using the Azure AD authentication method in REDCap. All the existing Azure AD settings apply to this new authentication method, with the addition of a new custom button text for the “Azure AD” button on the login page.
  • Important change: New option displayed on the Configuration Check page to update the REDCap database tables to support full Unicode. REDCap installations that were initially installed using a version prior to REDCap 8.5.0 will have an older, legacy type of database collation/encoding and charset (character set). If your REDCap installation is affected, it is *highly* recommended that you follow the steps detailed on the page that is linked on the Configuration Check page in order to update your database. Please note that this is NOT an urgent issue, but it is something we recommend you address sooner rather than later since your current database collation and charset (UTF8 or UTF8MB3) have been deprecated in the latest versions of MySQL/MariaDB and thus will eventually be removed altogether in future versions of MySQL/MariaDB. The full process of updating your database tables may take many minutes or possibly hours to run all the pertinent SQL to convert both the table structure and table data. Please follow the instructions on that page carefully, and make sure you perform a database backup before starting the process. (Thanks to Tony Jin for his help with this effort.)
  • Important change: Dropped support for PHP 7.2. Only PHP 7.3.0 and higher are now supported in REDCap.
  • Bug fix: The user privilege for "Alert & Notifications" was mistakenly not getting copied for project users when using the "Copy Project" feature while electing to copy the current users into the new project. (Ticket #140023)
  • Bug fix: The Cron Jobs page in the Control Center might crash with a fatal PHP error for certain versions of PHP if the "exec" function is disabled in PHP as a "dangerous" function on the REDCap web server. (Ticket #140034)

Version 13.1.4 (released on 2022-12-28)

 

  • Improvement: The "Help & FAQ" page has been updated with new content (thanks to the FAQ Committee).
  • Bug fix: When the system-level setting "Allow reports to be made 'public'?" has been set to "No", administrators are still allowed to make reports public, which is expected; however, when anyone attempts to view the report using the public link, it displays an error saying that it cannot be displayed. Anyone with the public link should be able to view the report. (Ticket #132901b)
  • Bug fix: When testing a calculation using the "Test calculation with a record" drop-down for a calculated field in the "Edit Field" popup on the Online Designer, there are certain situations where the process might mistakenly crash with a fatal PHP error when using PHP 8. (Ticket #139955)
  • Bug fix: If the value of a Text or Notes field contains an email address that is immediately followed by a line break/carriage return, the email address would mistakenly not get converted into a "mailto" link properly when displayed on a report. (Ticket #139960)
  • Bug fix: The user privilege for "Alert & Notifications" was mistakenly not getting copied for project users when using the "Copy Project" feature while electing to copy the current users into the new project. (Ticket #140023)
  • Bug fix: Text describing that piping can now be used in the URL of a Data Entry Trigger and the URL of an external video for a Descriptive Text field was mistakenly not added in the previous version. It has now been added in order to inform users that piping can be used in these places now.

Version 13.1.3 (released on 2022-12-22)

 

  • Major bug fix: An error would occur when enabling External Modules on PHP 7, thus preventing modules from being successfully enabled. Bug emerged in REDCap 13.1.2 (Standard).

Version 13.1.2 (released on 2022-12-22)

 

  • Improvement: Users may now pipe Smart Variables or field variables into the Data Entry Trigger URL.
  • Improvement: Users may now pipe Smart Variables or field variables into the External Video URL for Descriptive Text fields.
  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered on the User Rights page where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way inside a CSV file when importing user privileges or user roles on that page.
  • Change: PHP 8.2 is now supported in REDCap. Note: The release notes of REDCap 13.1.0 (Standard) mistakenly noted that PHP 8.2 was supported in REDCap 13.1.0, which was only partially true because PHP 8.2 was not yet supported by the External Module Framework, which is a part of REDCap.
  • Change: REDCap no longer supports individual projects having their own authentication method that is different from the system-level authentication method. Going forward, every project will automatically assume the same authentication method of the system as defined on the "Security & Authentication" page in the Control Center. (Note: The "auth_meth" column name in the "redcap_projects" database table has not been removed in order to be backward compatible with any custom scripts that might be specifically querying that column in an SQL query.)
  • Improvement: When setting up an alert, Step 2's sub-section “When to send the alert?” now contains the new drop-down choice "the day (beginning at midnight) that the alert was triggered" in the sub-option “Send the alert X days Y hours Z minutes before/after [drop-down]”. This new choice in the drop-down allows users to schedule the notification based on the day the alert was triggered and provides greater control and precision with regard to when exactly the notification will be sent. For example, if this new drop-down option is selected along with setting it to “send the alert 1 day 8 hours after…”, this will cause the notification to be scheduled to be sent at exactly 8:00am the next morning. In previous versions, it was not possible to get this level of precision for the notification send-time based upon the alert trigger-time unless you used a date field’s value as a reference. (Note: This new option is very similar to the one added for Automated Survey Invitations in REDCap 12.5.0.)
  • Improvement: When exporting the project logging via CSV file or via API, the record name is now included as a separate column/attribute "record" in the resulting output if the logged event is record-centric (and if not, the record value will be left blank). (Ticket #132246)
  • Improvement: The on/off switches on the Multi-Language Management setup page now have green/red coloring to more clearly denote their on/off state. (Ticket #139703)
  • Various changes and improvements for the External Module Framework:
    • PHP 8.2 is now supported.
    • Added the methods $module->disableModule(), $module->isSuperUser(), and $module->escape().
    • Added the allow-project-overrides and project-name setting options.
    • New feature to hide external modules from non-admins in the list of enabled modules in a project.
    • Made the scan script warn when system hooks are used.
    • Miscellaneous scan script improvements.
    • Fixed a bug where escaped HTML displays in field list values.
  • Change/improvement: The Database Activity Monitor page now specifies if a specific request is an instance of the REDCap cron job.
  • Change/improvement: When a user creates, edits, copies, or deletes a report, the logged event of this specific action now contains the list of all fields in the report. This improves the granularity of the audit trail for reports. (Ticket #139193)
  • Bug fix: In very specific cases when a report is set to only display the record ID field, in which the report has filter logic that contains fields on a repeating instrument/event, the resulting report might mistakenly include grayed out columns that correspond to the fields (or to the form status fields of the fields' instrument) that are used in the filter logic. (Ticket #139584)
  • Bug fix: Users with instrument-level locking privileges could inadvertently bypass locking controls and modify data on a locked data entry form if they have another browser tab open of that same data entry form before it was locked, and then saved that form within 30 seconds of locking the form in the other tab. (Ticket #139555)
  • Bug fix: If Two-Factor Authentication is enabled in REDCap, and a user is using Clinical Data Pull, in which they are viewing a REDCap window specifically inside Epic Hyperspace, a JavaScript error might be displayed on the page. Bug was introduced in REDCap 12.5.7. (Ticket #139775)
  • Bug fix: If a project is created using a Project XML file, in which the XML file contains public reports, the unique public report link/hash of any public reports in the original project would mistakenly get duplicated and attributed to the newly created project. This would not cause any noticeable problems for the user because the public report link would always point to the original project and not to the new project created.
  • Bug fix: When using the Clinical Data Mart, a patient’s Medical Record Number (MRN) might get stored as an empty string in the FHIR logs table, thus causing the Data Mart to crash.
  • Bug fix: REDCap might fail with a fatal PHP error on various pages when using PHP 8 under very specific conditions. (Ticket #139416)
  • Bug fix: If a user shared a public link to a file in the File Repository, that public link would still be functional and active even after an administrator has disabled the "File Repository: Users are able to share files via public links" setting in the Control Center. (Ticket #139899)
  • Bug fix: The @IF action tag would mistakenly not function correctly for fields in PDF exports. For example, @IF([field]="", @HIDDEN-PDF, "") would not function correctly to show/hide the field in the resulting PDF export.

Version 13.1.1 (released on 2022-12-16)

 

  • Improvement: Descriptive Text fields can now have inline PDF attachments that display as an embedded PDF on the page (rather than just displaying a download link).
  • Change: HTML tags are no longer stripped out of Project Dashboard titles as displayed in the "My Project Dashboards" list on the left-hand menu or on the Project Dashboards page. Additionally, the titles of Project Dashboards are no longer limited to 150 characters.
  • Bug fix: The "Data Collection Strategies for Repeating Surveys" informational dialog would mistakenly not open.
  • Bug fix: A fatal PHP error would occur when using DDP Custom in a project for PHP 8. (Ticket #138771b)
  • Bug fix: When using MyCap in a project and with a Custom Participant Label that utilizes the piping of fields (rather than selecting a single field from the field drop-down list), the Custom Participant Label would mistakenly not be displayed on the MyCap Participant List page.
  • Bug fix: If a user is adding an external video URL to a Descriptive Text field, in which they mistakenly paste some Embed HTML or an invalid URL into the field's video URL attribute, if REDCap doesn't recognize it as a Vimeo or YouTube link, REDCap might mistakenly try to output the text directly onto the page as-is without verifying that it is a valid URL. (Ticket #139291)
  • Bug fix: When using the date/time picker widget to select a value for a date or datetime field on a survey page or data entry form, and then later on the same page the user uses the time picker on a "Time (HH:MM)" or "Time (HH:MM:SS)" validated field, after selecting the value for the Time field, the page would mistakenly scroll back to the last date/time field on that page where the date/time picker was used, which could be very confusing and disorienting to the user. (Ticket #139201)
  • Bug fix: The Standalone Launch process for Clinical Data Interoperability Services might mistakenly fail for some server configurations due to a duplicate slash (“/”) in the link to the page.
  • Bug fix: When a user performs a data export containing fields from an instrument for which they have "De-identified" data export rights, and the user selects the de-id option to "Shift all dates" (rather than "Remove all date and datetime fields") in the export dialog, the date fields would not be date shifted but would mistakenly be completely removed from the resulting exported data set. Bug emerged in REDCap 12.2.0. (Ticket #139392)
  • Bug fix: When a user creates a new project, either as an empty project or using a Project XML file, the project creator's user rights would mistakenly be missing the "Alerts & Notifications" privilege.
  • Bug fix: When using Clinical Data Pull, in which a user is accessing an embedded REDCap page inside of Epic Hyperspace, some parts of the page might mistakenly not work due to JavaScript errors.
  • Bug fix: A field with the @CALCTEXT action tag, in which the calculation contains text strings with line breaks, might mistakenly cause calculation errors to appear on the page and prevent the @CALCTEXT from working.
  • Bug fix: Some calculations or branching logic might mistakenly fail to work and would display an error if they are substantially long. Bug emerged in the previous version. (Ticket #127140)
  • Bug fix: Surveys that are set to use Comic Sans as the font for the survey text would mistakenly not display correctly when viewing the survey on iOS devices. (Ticket #95086)
  • Bug fix: In very specific situations where a field is a required field and is embedded in another field, in which both fields have branching logic, if the container field is hidden by branching logic while the field embedded inside it has branching logic that evaluates to True (meaning that the embedded field would otherwise be visible if the container field itself were visible), REDCap would mistakenly display an error saying that the embedded field is required and thus needs a value, which is incorrect since the embedded field is not even visible on the page. (Ticket #139582)
  • Bug fix: When piping a field value for a field on a repeating instrument/event, in which the piped value originates from another repeating instance (e.g., [field][previous-instance]), the current instance's value might mistakenly be piped instead of the value from the desired instance. (Ticket #139581)
  • Bug fix: When an image is embedded (via the rich text editor) in an email for a survey invitation or alert, in which the Protected Email Mode is enabled in the project, the page where the recipient would view their email in REDCap might mistakenly not display the embedded image on the page but would show a broken image placeholder. (Ticket #139648)
  • Bug fix: If a user uploaded a Project XML file for a Clinical Data Mart project, it would mistakenly enable the Data Mart feature in the newly created project even when the CDM feature is disabled at the system level. This would cause some errors to occur in the project. (Ticket #139577)

Version 13.1.0 (released on 2022-12-09)

 

  • New feature: Redesign of the File Repository
    • Overview: The File Repository page has been redesigned to make it easier to store, organize, and share the files in your projects. Users now have the ability to create folders and sub-folders to help organize their files more effectively. If using Data Access Groups or user roles, users may optionally limit access to a new folder so that it is DAG-restricted and/or role-restricted. Uploading multiple files is much faster with a new drag-n-drop feature that allows for uploading dozens of files at a time. Sharing files is better too, in which users may obtain a public link to conveniently share a file with someone. New API methods also exist that allow users to upload, download, and delete files programmatically using the API. Additionally, the File Repository has a new built-in Recycle Bin folder that makes it easy to restore files that have been deleted. Users can upload as many files as they wish. There is no limit. Additionally, there is no limit to how many folders and sub-folders that can be created (or how deep that they can be nested within other folders).
    • Sharing: Files can be shared via Send-It or using a public link. If you do not want users to be able to share files using the public link functionality, this may be disabled on the File Upload Settings page in the Control Center. Once disabled, users will only be able to share files using Send-It.
    • File storage limit: Admins may optionally set a file storage limit that applies to all projects so that users cannot upload too many files in an abusive fashion. The value can be set in MB on the File Upload Settings page in the Control Center. There is also a project-level override for the file storage limit on the Edit Project Settings page for any given project. Note: Files in the starred folders (e.g. Data Export Files, e-Consent PDFs, Recycle Bin) do not count toward the overall file space usage of the project.
    • Recycle Bin: Files that are deleted from the File Repository will be put in the Recycle Bin folder where they will be kept for up to 30 days before being permanently deleted. Any file in the Recycle Bin can be restored back to its original location (so long as doing so does not surpass the project’s file storage limit, if enabled). Administrators can “force delete” any file in the Recycle Bin, which deletes it immediately and permanently.
    • New API methods for the File Repository: 1) Create a New Folder in the File Repository, 2) Export a List of Files/Folders from the File Repository, 3) Export a File from the File Repository, 4) Import a File into the File Repository, and 5) Delete a File from the File Repository.
  • Security improvement: Restricted file types for uploaded files - At the bottom of the “Security & Authentication” page in the Control Center, administrators may now provide a list of all disallowed file types/extensions (e.g., exe) in order to prevent users from uploading files of these types into REDCap (often for security purposes). When set, this setting will be applied to all places throughout REDCap where users are allowed to upload files.
  • Improvement: The “Alerts & Notifications” page now has its own separate user privilege. Previously, only users with “Project Design and Setup” privileges could access the Alerts & Notifications page. Now, users must explicitly be given “Alerts & Notifications” privileges in order to access the Alerts & Notifications page. Note: During the upgrade to REDCap 13.1.0 or higher, any users with "Project Design and Setup" rights will automatically be given "Alerts & Notifications" rights in order to keep continuity with their current access to the Alerts & Notifications page.
  • Improvement: For OpenID Connect authentication, the Response Mode (response_mode) authorization parameter can now be explicitly set in the OIDC authentication settings on the "Security & Authentication" page in the Control Center. This will allow admins to choose between "query (default)" and "form_post" for the response_mode OIDC setting.
  • New method for plugins/hooks/modules: REDCap::getFile - Returns an array containing the file contents, original file name, and mime-type of a file stored in the REDCap system by providing the file's doc_id number (the primary key from the redcap_edocs_metadata database table).
  • New method for plugins/hooks/modules: REDCap::addFileToField - Attaches a file to a File Upload field for a specified record when provided with the doc_id of an existing file from the REDCap system.
  • Improvement: New setting added to the User Settings page in the Control Center: "Notify the REDCap admin via email when a new account is created (excluding Table-based user accounts)?" When enabled, this setting can be used to notify admins whenever new users enter the system. Table-based users are not included because their accounts are created by an administrator. (Ticket #133382)
  • Improvement: New setting added to the User Settings page in the Control Center: "Send a "welcome" email to new users when they create a REDCap account (excluding Table-based user accounts) - i.e., when they log in the first time using an external authentication method?". The "welcome" email will consist of the following stock text: "You have successfully created an account in REDCap at https://your-redcap-server.edu/. Your REDCap username is "USERNAME". Please note that REDCap does not manage your password. If you have difficulty logging in, you should contact your local IT department. Welcome to REDCap!".
  • Improvement: When importing User Role assignments via CSV file uploads on the User Rights page or via the API, if the project contains Data Access Groups, users can now be assigned to a DAG during the User Role assignment import process by providing an extra parameter named "data_access_group" with a valid unique DAG name. This will allow users to be added to the project, assigned to a role, and assigned to a DAG all at the same time. Additionally, when exporting User Role assignments via CSV file or via the API, the "data_access_group" attribute will be exported for each user if the project contains DAGs (to be consistent with the Import User-Role Assignment format). (Ticket #119192)
  • Change: PHP 8.2 is now supported in REDCap.
  • Change/improvement: When importing User Role assignments via CSV file uploads on the User Rights page or via the API, users can now be assigned to a role if they do not currently have access to the project. In previous versions, only existing project users could be assigned to a role via CSV file or via API. (Ticket #119192)
  • Major bug fix: A malicious user could potentially delete a file uploaded into a project to which they do not have access by manipulating an HTTP request on the Alerts & Notifications page in another project. (Ticket #138873)
  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered on the Project Modifications page (where an admin would view a user's Draft Mode changes) where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way in a field's Field Label, Choice Labels, or Field Notes. (Ticket #139108)
  • Change/improvement: When setting the designated email field on the Project Setup page or when setting the survey-level designated email field on the Survey Settings page, if the selected field is utilized in more than one event and/or is utilized on a repeating instrument or repeating event, a warning message will be displayed in a yellow box immediately below the email field drop-down to inform the user that any update to the field on any event or repeating instance will change the value of the field in ALL events and repeating instances. This should help provide more transparency to users who might get confused by the fact that the field's value gets updated in all places if the designated email field is located in more than one context in the project. (Ticket #131999)
  • Bug fix: When both randomization and MyCap are enabled on a project, users would be unable to enable any instrument as a MyCap task in the Online Designer (excluding active tasks that were imported).
  • Bug fix: A fatal PHP error would occur when using DDP Custom in a project for PHP 8. (Ticket #138771)
  • Bug fix: A fatal PHP error would occur for certain Data Quality rules when using PHP 8. (Ticket #131294b)
  • Bug fix: The REDCap Mobile App page mistakenly noted that the mobile app does not support Field Embedding, which is no longer true. That warning message has been removed.
  • Bug fix: If one or more fields in a project utilize the @IF action tag, the REDCap Mobile App page would mistakenly fail to display a warning at the top of the page to explain that the @IF action tag is not supported by the mobile app and thus fields with @IF might not function in the mobile app the same as they do on survey pages and data entry forms.
  • Bug fix: A couple of REDCap pages that are served as AJAX requests via JavaScript mistakenly had their "Content-Type" header set as "text/html" when instead it should have been "application/json", which was causing these requests not to be loaded successfully in the REDCap user interface in certain server/network environments.
  • Bug fix: If a user on a data entry form clicks the PDF download option called "This survey with saved data (via browser's Save as PDF)", if some fields on the page have been modified but not yet saved, REDCap will display a confirmation to the user to ensure that they understand that the resulting PDF will not contain only saved data values but instead may contain both saved and yet-to-be-saved values. (Ticket #138777)
  • Bug fix: Language ID and display names on the MLM "Usage" page in the Control Center could mistakenly be mismatched in some cases. (Ticket #138808)
  • Bug fix: The MLM “Usage” page in the Control Center would mistakenly fail to render HTML special characters in project titles. (Ticket #138887)
  • Bug fix: If an external module calls a randomization-related method in a project that does not have randomization enabled, it might throw a fatal PHP error for PHP 8. (Ticket #138756)
  • Bug fix: Multi-line text used inside single quotes or double quotes in the @CALCTEXT action tag might mistakenly have some words replaced in the resulting text if they look like JavaScript or PHP operators (e.g., "or", "and"). (Ticket #138785)
  • Bug fix: When using certain text or HTML inside the text of the @CALCTEXT action tag, the output value of the field might mistakenly be missing some spaces if text elements in the @CALCTEXT contained leading or trailing spaces. Additionally, text used in @CALCTEXT that contains HTML or single/double quotes might mistakenly get mangled and not display correctly on the page for the @CALCTEXT field. (Ticket #138396)
  • Bug fix: When using the Survey Auto-Continue feature, in which a participant clicks a survey link of an already-completed survey and is redirected 20+ times through a series of subsequent already-completed surveys, some browsers might mistakenly display a “too many redirects” error to the participant instead of properly redirecting them to the next unfinished survey. (Ticket #138914)
  • Bug fix: A malicious user could potentially view a deleted message in REDCap Messenger by manipulating the parameters and/or query string of an HTTP request performed by Messenger. Only administrators should be allowed to view deleted messages in the Messenger interface. (Ticket #138873)
  • Bug fix: A malicious user could potentially delete or edit a REDCap Messenger message, even when the user did not create the message and is not an administrator, by manipulating the parameters and/or query string of an HTTP request performed by Messenger. (Ticket #138859)
  • Change: Added full support for parameterized queries in REDCap’s db_query() function.
  • Change/improvement: Added a new optional $project_id parameter for the developer method REDCap::getSurveyReturnCode().
  • Bug fix: When using the AAF authentication method, the PHP method User::updateUsernameForAaf() mistakenly would not update all the database tables that contain a "user" or "username" column. Four tables were missing from the list. Thus, some database tables would not get updated when the method is called. (Ticket #138396)
  • Bug fix: When creating a new project via a Project XML file, if the project is longitudinal and utilizes the Survey Queue and/or Automated Survey Invitations, the Survey Queue and ASI settings might mistakenly not get added from the XML file when the project is created. (Ticket #139035)

Version 13.0.2 (released on 2022-12-02)

  • Improvement: MLM Usage Page - A new “Usage” tab will be displayed on the Multi-Language Management page in the Control Center that will display a list of all projects using MLM and in what ways they are utilizing MLM, such as the number of languages in the project (and how many are active) and whether the following MLM options apply to the given project: Deactivated by user, Enabled by admin, Deactivated by admin, and Debug mode turned on.
  • Major bug fix: Several PHP 8 related issues for MyCap would sometimes prevent data from syncing correctly back to the REDCap server from the MyCap mobile app.
  • Major bug fix: When using certain external authentication methods, survey pages might sometimes mistakenly time out if the project's internal Record List Cache (a secondary list of records in the database for improving performance) had not been built yet, which is done automatically by REDCap internally. This would cause an internal API call to fail when it is made inline while loading survey pages, thus causing the survey page not to load. This was supposedly fixed in version 12.4.13 LTS and 12.5.6 Standard Release, but mistakenly was not. (Ticket #104761b)
  • Change/improvement: The path to the web server's PHP error log file is now listed at the bottom of the main Control Center page. This information will be useful to help admins locate their web server's error log, which can sometimes be difficult to find.
  • Bug fix: The calendar feed might mistakenly provide incorrect times of calendar events for certain geographical regions that do not observe Daylight Saving Time. (Ticket #130176)
  • Bug fix: When using the Clinical Data Pull, temporal fields were mistakenly not displayed in the CDP mapping table because REDCap metadata was incorrectly removed from the settings payload.
  • Bug fix: When using Clinical Data Pull, when launching from the EHR context, the button "Show record in project" would mistakenly not work if the record name was non-numeric.
  • Bug fix: Typo on OpenID Connect's login screen. (Ticket #138381)
  • Bug fix: When exporting a project as a Project XML file, the export process might mistakenly fail with a fatal PHP error for PHP 8. (Ticket #138389)
  • Bug fix: When creating a new project where a user selects a project template but then chooses to upload a Project XML file, REDCap might get confused about which option was selected and behave unexpectedly, such as creating the project without granting access to the initial user. (Ticket #138361)
  • Bug fix: When a calculated field uses the datediff() function, in which the first parameter is literally "today" while the second parameter is a datetime field, the calculation might mistakenly return a blank value. (Ticket #138033)
  • Bug fix: In some specific circumstances, the Data Import Tool might mistakenly crash due to a fatal PHP error for PHP 8. (Ticket #138527)
  • Change: The “Break the Glass” feature for Epic in CDIS has been updated to automatically refresh any expired BTG token. Previously, BTG tokens were short-lived and did not refresh, thus causing some issues with users.
  • Bug fix: Dozens of REDCap pages that are served as AJAX requests via JavaScript mistakenly had their "Content-Type" header set as "text/html" when instead it should have been "application/json", which was causing these requests not to be loaded successfully in the REDCap user interface in certain server/network environments.
  • Change: Added an MLM-related note at the top of the survey page where participants enter their survey access code. The note mentions that the language choices seen on that particular page might not necessarily be available on the survey that they are able to enter after entering their access code.

Version 13.0.1 (released on 2022-11-23)

  • Improvement: When setting up repeating Automated Survey Invitations, users can now set the repeating interval value as a number with a decimal (in previous versions, the value could only be an integer). This will allow users to approximate the interval of a monthly repeating ASI as 30.44 days since it is currently not possible for repeating ASIs to be scheduled on exactly the same day and time each month. To help users, a note has been added in the repeating survey section of the ASI setup dialog to inform them how to approximate a month as 30.44 days. (Ticket #136957)
  • Major bug fix: Regarding Multi-Language Management, if the system-level setting "Require admin activation of multi-language support in projects" is disabled, the "Multi-Language Management" left-hand menu link would mistakenly not be visible to normal users unless one or more MLM languages had already been created in the project. Bug emerged in REDCap 13.0.0.
  • Improvements for CDIS
    • Expiration indicator for the “Break the Glass” feature: The new Break the Glass workflow uses tokens that expire in an hour from their creation. The interface will now show if a token is expired.
    • Delete button for the “Break the Glass” feature: Users can remove entries from the list of Break the Glass protected patients using a button.
  • Improvement: A link to the Codebook page was added inside the Add/Edit Field dialog on the Online Designer. This will allow the user to open the Codebook in a new tab without having to close the dialog to do so. (Ticket #138300)
  • Bug fix: When using repeating Automated Survey Invitations, a record's Record Home Page might mistakenly say that there are upcoming scheduled invitations that will be sent in the next 7 days despite the fact that they are actually scheduled to be sent more than 7 days later. This only involves repeating ASIs that have been scheduled.
  • Bug fix: When entering a value for the "Domain allowlist for user email addresses" setting on the User Settings page in the Control Center, it would mistakenly not allow top-level domains to be entered if they contain more than 4 characters (e.g., vanderbilt.health). It now appropriately allows top-level domains up to the maximum 63 characters. (Ticket #104291)
  • Bug fix: Using the “Break the Glass” feature in CDIS might mistakenly fail if the user has no access token.
  • Bug fix: The “Mapping Helper” feature in CDIS might mistakenly not appear or be usable in Data Mart projects.
  • Bug fix: When using the “Mapping Helper” feature or CDP Mapper for CDIS, some things might not load correctly because of some HTML needing to be escaped first in the resulting JSON.
  • Bug fix: If the RemoveTempAndDeletedFiles cron job happens to be running at the same time as the Easy Upgrade process is extracting a new REDCap version, on certain server configurations the cron job might mistakenly delete some of the REDCap files being deployed in the new version, thus leaving the new REDCap version directory missing some critical files. (Ticket #137910)
  • Bug fix: Bar charts and pie charts might mistakenly be displayed on Public Dashboards despite having an insufficient amount of data to display (based on the setting "Minimum number of data points required to display Smart Charts, Smart Tables, or Smart Functions on a *public* Project Dashboard..."). (Ticket #137411)
  • Bug fix: When performing field embedding on a survey page or data entry form, the page might crash due to a fatal PHP error if the project has a very large number of fields.
  • Change: Slight tweak in the SQL queries used on the project Logging page to make the page load faster for older projects. (Ticket #138200)
  • Bug fix: When MyCap is enabled in a project, clicking the [?] link to the right of the green Publish button at the top of the Online Designer would mistakenly display an empty dialog when viewing/editing the fields in an instrument (but it looks correct when viewing the instrument list in the Online Designer). (Ticket #138146)
  • Bug fix: When MyCap is enabled in a project, on some rare occasions when migrating a project using the MyCap external module, the process might fail due to an SQL error. (Ticket #138168)
  • Bug fix: When viewing the MyCap Participant List, in which a baseline date is being used, the baseline date value seen in the table for each participant would mistakenly be displayed in the wrong date format or would appear mangled. (Ticket #138166)
  • Bug fix: When renaming an instrument in the Online Designer and then immediately creating a new instrument right after the renamed instrument, the new instrument might mistakenly get relocated to the first-instrument position after being created, and the record ID field might mistakenly get relocated to another position. Bug emerged in REDCap 13.0.0.
  • Bug fix: For a repeating Automated Survey Invitation that has conditional logic and has the "Ensure logic is still true" checkbox checked, if a record has invitations scheduled for the repeating ASI, and the ASI's conditional logic no longer evaluates as True for the record, the repeating invites will stop sending (as expected), but the repeating invites would mistakenly still be displayed on the Survey Invitation Log. This would give the false impression to the user that those invitations will be sent when, in fact, they will not. (Ticket #134780)

Version 13.0.0 (released on 2022-11-17)

  • New feature: Integration of the MyCap External Module
    • Introduction: MyCap is a participant-facing mobile application (on iOS and Android) used for data collection and the automated administration of active tasks (activities performed by participants using mobile device sensors under semi-controlled conditions). All data collected in the MyCap app is automatically sent back to the REDCap server as soon as an internet connection is available (i.e., it can also be used for offline participant data collection). MyCap is a no-code solution for research teams conducting longitudinally-designed projects or projects with frequent participant contact. MyCap also facilitates participant engagement and retention by providing quick access to project staff and two-way communications (e.g., messaging and announcements) within the app. MyCap is available on any iOS device (iOS v11.0+) and any Android device (Android v8.0+). For more information about MyCap, check out the MyCap website, publication, resources, and a list of MyCap use cases.
    • System-level settings: The MyCap feature will be enabled globally by default after upgrading or installing REDCap, but it can be disabled (so that no users see the option in their projects) on the Modules/Services Configuration page in the Control Center. That page also contains a setting where, assuming MyCap is enabled globally, an admin can set it so that 1) users can enable MyCap in their projects on their own, or 2) users will need to click a button in their project to send a request requiring admin approval to enable MyCap in the project.
    • Project-level settings: The ability to enable or request to enable MyCap in a project will be in the Main Project Settings section at the top of the Project Setup page. There is an informational dialog there that can be opened that contains helpful links to many resources, including the MyCap website, the MyCap Help document (a detailed 16-page instruction manual on setup and usage), and three videos.
    • Project Utilization: Utilizing MyCap in a project consists of two main parts: 1) design, and 2) managing participants. The design portion is where users can enable instruments as MyCap tasks, import active tasks, and design the look and feel of the MyCap app (as the participant sees it). These things pertaining to design are performed in the Online Designer and thus require “Project Design and Setup” rights. The participant portion requires a new user right “Manage MyCap Participants” that appears on the User Rights page after MyCap has been enabled in a project. Having this privilege, a user will have access to the “MyCap Participant Management” page on the left-hand menu. This page will allow users to view, invite, and message their MyCap participants. In many ways, it is very similar to the “Survey Distribution Tools” page when using surveys.
    • External Module Migration: If users have been using the MyCap external module, there is an upgrade path to import all the MyCap EM settings into the built-in MyCap feature. In projects with the MyCap EM enabled, users will see a “Migrate to REDCap” button on the left-hand menu, which opens a dialog with plenty of information about the new built-in MyCap feature. As the dialog will note, users themselves cannot perform the migration, but a REDCap admin must do so for them. The migration is fast and only requires a couple button clicks, after which it will disable the MyCap EM in the project. Note: Currently, the MyCap EM is planned to be supported only until June 2023, so it is recommended that users using the EM attempt to fully migrate well before that time.
    • Smart Variables and Action Tags: Several new Smart Variables and Action Tags can be used with MyCap, some of which are a required, integral part of how users invite participants and also how MyCap imports data into a project. See the documentation for Smart Variables containing the prefix “mycap-” and Action Tags containing the prefix “@MC-”.
    • Stats: System-level MyCap statistics can be seen on the System Statistics page in the Control Center.
  • Improvement: New Multi-Language Management option to require admin activation of multi-language support in projects
    • Administrators may now change the behavior of the Multi-Language Management feature so that project users cannot view or use MLM in a project until a REDCap administrator has first enabled it explicitly in that project.
    • This behavior can be changed on the Settings tab on the Multi-Language Management page in the Control Center where it says “Require admin activation of multi-language support in projects”. Note: Enabling that system-level setting will not affect any projects where multi-language support is already enabled (either because it had previously been enabled explicitly by an admin or there is at least one language already set up).
    • Additionally, the following new admin-only options have been added to the Settings tab on the MLM setup page in each project. These options appear only to admins, and only when the system-level setting has been set so that only admins may enable MLM:
      1. “Enable multi-language support for this project” - Allows users with Project Setup and Design rights to see the MLM menu link and to use the MLM setup page.
      2. “Disable and hide multi-language support for this project” - Turning on this option will hide the MLM menu link and prevent access to Multi-Language Management for users even when there are languages defined. This overrides the Enable option above.
  • Improvement for the External Modules Framework: New "Developer Tools" section & "Module Security Scanning" link on the Control Center -> External Modules -> Manage page.
  • Change/improvement: New and improved workflow and user interface for the “Break the Glass” feature when using Clinical Data Interoperability Services (CDIS) with Epic.
  • Change: As a convenience, when deleting a conversation in REDCap Messenger, the user is no longer prompted to enter the word "delete".
  • Change/improvement: A new check was added to the Configuration Check page to detect if the Zlib PHP extension has been installed on the REDCap web server. (Ticket #137725)
  • Change/improvement: The path to the web server's PHP.INI configuration file is now listed at the bottom of the main Control Center page (below the date of the last REDCap upgrade). This information will be useful to help admins locate their web server's config file, which can sometimes be difficult to find.
  • Change/improvement: On the Alerts & Notifications page, users are now able to copy deactivated alerts. In previous versions, alerts could not be copied until they were first reactivated.
  • Bug fix: Certain versions of MariaDB do not output the "COLLATE" portion of a database table's column definition in the results of a "SHOW CREATE TABLE" query, thus causing false positives to display in the Control Center that say that the "database structure is incorrect". (Ticket #137551, #137575, #137321)
  • Bug fix: For some web server configurations, the server's session "garbage collection" might mistakenly not run or might not run very often, thus causing the redcap_sessions database table to become overly bloated. The garbage collection process is now run manually via a cron job to ensure this task gets performed regardless of server configuration. (Ticket #137675)
  • Bug fix: When more than ten completed surveys are displayed in a participant's Survey Queue, the "all surveys completed" row might appear in the wrong place in the table. (Ticket #137550)
  • Bug fix: An error message would be seen by a REDCap admin attempting to approve an External Module Activation Request for a user. (Ticket #137672)
  • Bug fix: For some users, the My Projects page might be unusually slow to load due to a change in REDCap 12.5.17 (Standard) that removed the usage of AJAX requests on the page. To fix this performance issue, the change from 12.5.17 has been reverted back to the old behavior.
  • Bug fix: When a user not assigned to a Data Access Group filters the results on the Logging page by DAG, the page might crash with an error if no users are currently assigned to that DAG in the project. (Ticket #137764)
  • Bug fix: When viewing the REDCap Mobile App's "App Data Dumps" page, in which a data dump file could not be found on the server for unknown reasons, it would mistakenly throw a fatal PHP error on the page for PHP 8. (Ticket #137777)
  • Bug fix: When using REDCap::saveData() in a plugin, hook, or external module, in which the "dataLogging" parameter is passed to the method as FALSE, the record list cache (i.e., the back-end secondary list of records) would mistakenly fail to get updated during this process. This means that if new records are being created via REDCap::saveData() with dataLogging=FALSE, those records would appear not to have been created until an admin clicked the "Clear the Record List Cache" button, after which the records would finally appear in the project, such as on the Record Status Dashboard, reports, and the Add/Edit Records page. (Ticket #137836)

Version 12.5.17 (released on 2022-11-11)

  • Change/improvement: If the monthly User Access Dashboard reminder emails are enabled, which are used to remind project users to keep their role-based access rights up to date, the emails will now be sent only during business hours. This is intended to help increase their visibility and thus improve response rates to these reminders.
  • Change/improvement: The "My Projects" page (and also the "Browse Projects" page in the Control Center) no longer loads the projects' count of records and fields via AJAX after the page has loaded but instead now loads the counts more efficiently in real time while rendering the page, which requires fewer HTTP requests.
  • Bug fix: When attempting to upgrade an external module from the main Control Center Notifications page, the process would mistakenly fail due to a JavaScript error. However, this process does successfully complete if performed on the External Modules Module Manager page in the Control Center. (Ticket #137243)
  • Bug fix: The Duo Universal Prompt utilized in the Duo two-factor authentication in REDCap might mistakenly not work for certain username conventions. REDCap now uses an updated algorithm to match the "simple" username normalization in Duo, in which "DOMAIN\username", "username@example.com", and "username" are treated as the same user. It will also consider aliases when matching the username. Bug emerged in REDCap 12.5.5 Standard. (Ticket #137039)
  • Bug fix: When using Multi-Language Management, the section header above a matrix of fields would mistakenly not display the translated text. (Ticket #137255)
  • Bug fix: When using CDIS/FHIR services to extract medications from the EHR, the values for the RxNorm code and RxNorm label were mistakenly switched.
  • Bug fix: Longitudinal projects might fail to load on the "Setting up Project" screen in the REDCap Mobile App. Bug emerged in REDCap 12.5.15 (Standard). (Ticket #137314)
  • Bug fix: CDIS related cron jobs were mistakenly running for projects in Analysis/Cleanup mode or marked as Completed.
  • Bug fix: When certain Smart Variables (specifically form-url, form-link, survey-date-completed, survey-time-completed, survey-date-started, survey-time-started, survey-duration, and survey-duration-completed) have [first-event-name] or [last-event-name] appended to them, an incorrect value might be returned from the Smart Variable.
  • Bug fix: When performing randomization on a record while on the first instrument, in which the user locks the instrument immediately after randomization has occurred, the record would get mistakenly duplicated after clicking the Save button on the page. (Ticket #137260)
  • Bug fix: The BioPortal API token stored in the redcap_config database table was mistakenly not encrypted at rest as other third-party tokens/keys are. (Ticket #137403)
  • Bug fix: When using Multi-Language Management, the language drop-down list was mistakenly being displayed on data entry forms even when only one language has been defined on the MLM setup page. It should only display the language choice list if there is another language to choose.
  • Bug fix: If a field is used in cross-form or cross-event branching logic, in which the value of the field contains double quotes, the branching logic may not function correctly on the page. (Ticket #136926)
  • Bug fix: A fatal PHP error might be thrown in some specific cases where the method Records::deleteEventInstanceByProject() is called in certain contexts. (Ticket #137376)
  • Bug fix: If a project is using record auto-numbering, and the highest-numbered record gets renamed so that it is no longer the highest-numbered record, after which a participant completes a public survey in the project, the new record created by the participant would mistakenly skip the appropriate record number and be assigned to one number higher than expected. (Ticket #125567)

Version 12.5.16 (released on 2022-11-04)

 

  • Bug fix: If the text in a Text field or Notes field contains an email address, it should display the email address as a clickable mailto link when viewing the data on a report. However, it would only do that if the field value contained only an email address and no other text. (Ticket #136735)
  • Change: Improved compatibility of Clinical Data Pull with Epic Hyperspace, which uses Internet Explorer.
  • Bug fix: When an Automated Survey Invitation has been set up in a longitudinal project, in which the ASI's conditional logic includes datediff()+today/now and has the "Ensure logic is still true" checkbox checked while additionally one or more of the variables in the logic are missing a prepended unique event name, the DateDiff+Today/Now cron job might mistakenly schedule a survey invitation that should not be scheduled, even though REDCap will ultimately unschedule the invitation right before trying to send it. This bug was supposedly fixed in REDCap 12.4.7 LTS and 12.5.0 Standard, but mistakenly it was not. (Ticket #136960)
  • Bug fix: The Multi-Language Management settings "Export or import general settings" were mistakenly being displayed on the MLM Control Center page when they should only be displayed in a project. (Ticket #136968)

Version 12.5.15 (released on 2022-10-27)

 

  • Minor security fix: An SQL Injection vulnerability was found in the Copy Field action on the Online Designer, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page.
  • Minor security fix: An SQL Injection vulnerability was found in the "Import from Field Bank" action on the Online Designer, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page.
  • Major bug fix: When a user clicks the "Generate API Token" button on the API page in a project, it would mistakenly return a vague/unhelpful error message saying that the token could not be created (or it would simply reload the page with no warning in some cases). This would happen if the user has API Import and/or API Export privileges but does not have Mobile App privileges. The only user permissions that should be required to request an API token on this page are API Import or API Export privileges. Bug emerged in REDCap 12.4.20 LTS and 12.5.13 Standard Release.
  • Major bug fix: When renaming or deleting an instrument via the Online Designer while in development status, the instrument-level data viewing rights and instrument-level data export rights would mistakenly not always get updated to reflect the new instrument name for all the users and roles in the project. Note: While this fix will prevent the issue going forward, users will need to manually update a user's/role's permissions to fix any already affected users/roles. (Ticket #136038)
  • Major bug fix: When a field is embedded on a multi-page survey, in which the embedded field's container field is hidden by branching logic on a different page on which the container field is itself located, the embedded field's value might mistakenly get erased when the later survey page is submitted if the embedded field is a Required field.
  • Change/improvement: If the URL for a request on the To-Do List page contains an outdated REDCap version number (i.e., the request was made prior to the latest REDCap upgrade), the URL will now be auto-updated in the To-Do List to replace the old REDCap version number in the URL with the current REDCap version number. This will prevent 404 "Not Found" errors when processing To-Do List items in the case where the previous REDCap version directories have been removed from the web server after the latest REDCap upgrade.
  • Change/improvement: The "Export Events" API method now also returns the "event_id" for each event. (Ticket #135602)
  • Change: If a user cancels their own request to an admin to move a project to production or to delete a project, the request no longer gets permanently deleted but gets marked as archived instead. This has effectively the same result but preserves any comments or info associated with the original request, whereas deleting the whole request causes the comments/info to be permanently erased, which might not be ideal. (Ticket #136506)
  • Bug fix: When using Multi-Language Management, the Survey Login page text might mistakenly not get translated. (Ticket #136358)
  • Bug fix: When using Multi-Language Management, the choices for multiple choice fields would mistakenly not get imported when performing a CSV file import on the MLM setup page. (Ticket #136415)
  • Bug fix: When the authentication method is set to "OpenID Connect" or "OpenID Connect & Table-based", admins may define which OIDC attribute will serve as the REDCap user's username. However, the "preferred_username" attribute was mistakenly missing from the "Attribute to use for REDCap username" drop-down on the Security & Authentication page. (Ticket #132200)
  • Bug fix: If a user clicks the "Re-send Email" button for an email displayed on the Email Logging page in a project that has the "Protected Email Mode" feature enabled, that re-sent email would mistakenly not be sent using the Protected Email Mode but would be sent to the recipient as-is. (Ticket #120500)
  • Bug fix: The Duo Universal Prompt utilized in the Duo two-factor authentication in REDCap might mistakenly not work and would throw an error if the REDCap username is not all lower case. (Ticket #133020b)
  • Bug fix: If a text field on a data entry form or survey page is a required field and already has a saved value, if the field's value is manually removed (via backspacing) on the page and then the field is hidden by branching logic, upon saving the page, the "Some fields are required!" prompt might mistakenly get displayed for the field, which should not occur due to the fact that the field is hidden on the page. (Ticket #136520)
  • Bug fix: When using Multi-Language Management, the text in the title of the “Invalid values entered” popup on data entry forms and survey pages would mistakenly not be available for translation on the MLM setup page. (Ticket #136541)

Version 12.5.14 (released on 2022-10-22)

 

  • Major bug fix: When attempting to upgrade to REDCap 12.5.13 (Standard), the REDCap upgrade page would mistakenly redirect the user back to the REDCap home page, thus preventing them from actually completing the upgrade process. (Ticket #136337)
  • Major bug fix: When performing a data import (via API, Mobile App, Data Import Tool, or REDCap::saveData) that contains not-yet-created records, in which the import process will trigger Automated Survey Invitations immediately after creating the new records, the ASI invitations might mistakenly not get scheduled/sent. In this case, the ASIs would only get triggered when someone modified a record after the import or ran the "Re-evaluate Auto Invitations" process.
  • Bug fix: When exporting a Project XML file and creating a new project using it, if the project is not longitudinal but was longitudinal at some point in the past, in which the first event (while longitudinal) was named something other than "Event 1" on Arm 1, then any Automated Survey Invitation settings from the XML file might mistakenly fail to import correctly into the newly created project. (Ticket #136254b)

Version 12.5.13 (released on 2022-10-21)

 

  • Change: The Configuration Check page now provides a suggestion for modifying any REDCap database tables that do not have the InnoDB attribute ROW_FORMAT set to DYNAMIC. For the greatest compatibility with future REDCap upgrades, all database tables are recommended to have Dynamic row format. If any do not, the Configuration Check page will output the necessary SQL queries for fixing these tables. Note: This is not a requirement but a suggestion to prevent possible issues with future upgrades.
  • Major bug fix: If a user is currently logged into REDCap and then opens and completes a survey in another browser tab, their non-survey user session would mistakenly get destroyed, thus causing the user to need to log in again when reverting back to the original tab after completing the survey.
  • Bug fixes and improvements to CDIS/FHIR launch workflows (EHR and Standalone launch)
    • Fixed compatibility with Cerner system where auto-login was not working when launching from EHR.
    • Fixed compatibility with certain external REDCap authentication systems.
    • Workflow diagram and better logs added in case of error to help identify issues.
  • Bug fix: Reports that have filter logic might mistakenly display some records as being in multiple arms despite the fact that they only exist in a single arm (or exist in fewer arms than depicted in the report). If this occurs, the report will show the record with default values in the other arm. (Ticket #135620)
  • Bug fix: When exporting user roles via the API, the "unique_role_name" attribute of some roles might mistakenly be blank if the role had been recently created but not yet viewed in the user interface on the User Rights page. (Ticket #125602)
  • Bug fix: When upgrading REDCap to v12.1.0 or higher, some queries in the upgrade SQL script might mistakenly fail when specifically using MySQL 8 as the database. (Ticket #131519b)
  • Bug fix: When performing a fresh install of REDCap, the install page might output a 500 server error and might provide confusing error messages when valid database credentials have not been successfully added to the database.php file yet. (Ticket #128344)
  • Bug fix: The Duo Universal Prompt utilized in the Duo two-factor authentication in REDCap might mistakenly be preventing some users from successfully logging in to REDCap in certain situations. (Ticket #134514)
  • Bug fix: When a user/participant accesses a page utilizing Multi-Language Management for the first time, the auto language selection (via browser settings) might mistakenly not work correctly in certain cases, thus only displaying the correct language for some of the things on the page that were translated on the MLM setup page. (Ticket #135984)
  • Bug fix: When performing a data dictionary export in a project that is using "Japanese (Shift JIS)" for the "character encoding for exported files", the process might fail with a fatal PHP error for PHP 8.0+. (Ticket #136046)
  • Bug fix: Utilizing a forward slash "/" anywhere inside the @IF action tag would mistakenly cause the action tag not to function. (Ticket #135803)
  • Bug fix: The EHR Launch process for Clinical Data Pull might mistakenly result in a JavaScript error, specifically when using Epic, when a user attempts to add a patient to a project inside the REDCap embedded window in Hyperspace.
  • Bug fix: CDIS-related issue with FHIR version DSTU2 where date filters were mistakenly not applied to Observations data.
  • Bug fix: On the Other Functionality page when exporting the Project XML file ("metadata & data"), it would mistakenly always include all available project attributes in the resulting XML file despite the fact that some or all of the checkbox options for those project attributes were left unchecked on the page. This does not affect the "metadata only" XML file but only the "metadata & data" XML file.
  • Bug fix: Important documentation was missing from the Special Functions dialog and FAQ regarding the usage of date/datetime fields with MDY and DMY date formatting when used in text string functions in branching logic and calculations.
  • Bug fix: Fields in a project might randomly get out of order, which can be caused by a user on the Online Designer reordering the instruments in conjunction with some other action, such as copying an instrument immediately before the reordering and/or viewing an instrument immediately after the reordering. (Ticket #109041)
  • Bug fix: When using Multi-Language Management, the Automated Survey Invitation tab on the MLM setup page might mistakenly display as blank and prevent any translation of ASIs in certain cases, such as when some ASIs have been orphaned in the backend database and are not associated with a valid event in the project. (Ticket #136254)
  • Bug fix: The "Conditional logic for Survey Auto-Continue" would mistakenly not get copied into a new project's survey(s) when using the Copy Project feature on the Other Functionality page. (Ticket #136281)
  • Bug fix: When REDCap is using WebDAV for file storage, in which the WebDAV connection settings have not yet been defined, a fatal PHP error may occur on certain pages when using PHP 8. (Ticket #136289)
  • Bug fix: When a user clicks the "Request API Token" button on the REDCap Mobile App page in a project, it would mistakenly return a vague/unhelpful error message saying that the token could not be created (or it would simply reload the page with no warning in some cases). This would happen if the user did not have API Import or API Export privileges. The only user permission that should be required to request an API token specifically for the Mobile App is "Mobile App" user privileges. Bug emerged in REDCap 12.4.13 LTS and 12.5.6 Standard Release. (Ticket #135788)

Version 12.5.12 (released on 2022-10-07)

 

  • Bug fix: The Record Status Dashboard might load unnecessarily slowly for projects that are not using Form Display Logic and have 1000+ records.
  • Bug fix: On some rare occasions in longitudinal projects, a report with filter logic might mistakenly not display its report headers on the page. Bug emerged in the previous version.
  • Updates and fixes for the External Module Framework, including a fix that prevents out of memory errors if a record is not specified for the getChoiceLabel() method.
  • Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code "656" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it.
  • Bug fix: Some pages might mistakenly not function correctly due to a JavaScript error when using Internet Explorer. For example, this can cause branching logic and calculations to fail to function on survey pages and data entry forms when using IE.
  • Bug fix: When performing a Data Search specifically on a project's record ID field on the "Add/Edit Records" page in a longitudinal project, some record names might mistakenly not be returned from the search, especially if no data has been saved in the first event for some of the records. (Ticket #135313)
  • Bug fix: The "Phone (North America)" field validation might not correctly recognize some valid 10-digit North American phone numbers, especially if the fourth digit is a "3". (Ticket #135444)
  • Bug fix: When using the Text-to-Speech survey feature, any fields initially hidden by branching logic on the survey would mistakenly not have the speaker icon displayed for it to allow participants to hear the question text audibly. (Ticket #135010)
  • Bug fix: If a project is using Missing Data Codes and is also using the Secondary Unique Field, setting a missing data code for the Secondary Unique Field on a survey or data entry form might mistakenly result in the "Duplicate Value" error dialog. The uniqueness check should instead be ignoring any missing data codes for the Secondary Unique Field. (Ticket #132779)
  • Bug fix: If a user is exporting data in EAV format for the Export Records API Method, and some of the data being exported exists on a repeating instrument or a repeating event, the record ID field might mistakenly get exported multiple times as identical rows, despite the fact that the first instrument is not a repeating instrument and does not exist on a repeating event. (Ticket #135154)

Version 12.5.11 (released on 2022-09-30)

 

  • New feature: Download all files on a report - When viewing a report (including public reports) that contains one or more File Upload fields or Signature fields, a “Download Files (zip)” button will appear on the page to allow users to easily download all the report’s uploaded files into a single zip file for those fields for the records in the report.
  • Improvement/change: The project API page now displays the user's API token in a text box with a button next to it that, when clicked, copies the API token to the user's clipboard. (Ticket #134577)
  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way when uploading a CSV file of alerts on the "Alerts & Notifications" page. (Ticket #134640)
  • Major bug fix: If using certain versions of PHP 7, especially PHP 7.2, REDCap might result in only an unusable white page due to fatal PHP errors after upgrading to REDCap 12.5.9 or 12.5.10. (Ticket #134397)
  • Bug fix: The title of the "None of the Above" dialog on data entry forms and survey pages would mistakenly not display correctly. (Ticket #134326)
  • Bug fix: The dialog for the @NONEOFTHEABOVE action tag might mistakenly not display at all.
  • Bug fix: Uploading Automated Survey Invitations settings via CSV file might mistakenly mangle some of the timestamps in the file (e.g., "Send at exact date/time:") if they are in YMD date format when the user has an MDY or DMY date format preference set for their user account on the Profile page. The CSV import will now accept dates/times in either YMD date format or the user's preferred date format. (Ticket #133727)
  • Bug fix: When importing or exporting the user rights for users or roles (whether via the user interface or API), certain privileges would mistakenly be ignored, such as those pertaining to Randomization, Double Data Entry, and the Data Resolution Workflow. (Ticket #133179)
  • Bug fix: When assigning projects to a Project Folder on the "My Projects" page, the project list in Step 2 of the dialog would mistakenly list projects to which the user no longer has access. This would only happen if the projects had been assigned to that particular Project Folder sometime in the past. (Ticket #134503)
  • Bug fix: In the Online Designer, when saving a Text field that was previously a Calculated field, the calculation might mistakenly not get removed from the field after being changed to a Text field, thus possibly causing issues when rendering the field on a data entry form or survey. (Ticket #134303)
  • Bug fix: A calculation error might occur on a data entry form or survey page whenever a calculated field utilizes one of the [aggregate-X] Smart Variables while also utilizing other Smart Variables that result in a text string (as opposed to a number - e.g., [record-dag-label]). (Ticket #134589)
  • Bug fix: When exporting a Project XML file and creating a new project using it, if the project is not longitudinal but was longitudinal at some point in the past, in which the first event (while longitudinal) was named something other than "Event 1" on Arm 1, then any Survey Queue settings from the XML file might mistakenly fail to import into the newly created project. (Ticket #134837)
  • Bug fix: The "Advanced Link" option for Project Bookmarks might mistakenly return data from the API even though the user's REDCap session is no longer active. If the session has ended, the API should instead return only a value of "0".
  • Bug fix: When viewing a Custom Record Status Dashboard in a longitudinal project, in which the filter logic references fields that might exist on events that contain no data for certain records, those records with no data for the event might mistakenly not get displayed on the dashboard. (Ticket #134055)
  • Bug fix: When editing an alert on the Alerts & Notifications page and clicking the keyboard Enter button right after entering an invalid email address into the "manually enter emails" text boxes for the Email To, CC, or BCC settings, the error dialog would mistakenly never close but would keep popping up endlessly. This would prevent the user from fixing the email address entered and ultimately could only be resolved by refreshing the page. (Ticket #135021)

Version 12.5.10 (released on 2022-09-16)

 

  • Bug fix: The "Add Participants" dialog on the Participant List page would mistakenly be missing some text that displays the name of the currently selected arm (only for longitudinal projects that have multiple arms). (Ticket #134086)
  • Various fixes and updates for the External Module Framework, including:
    • The enable-email-hook-in-system-contexts flag must now be set to true in config.json for the redcap_email hook to run in system contexts (when a project ID is not specified).
    • External Module Framework unit tests have been refactored to significantly improve performance.
  • Bug fix: When new records are being created via a data import that will trigger the scheduling of an Automated Survey Invitation that contains the Smart Variable [survey-queue-url] or [survey-queue-link] in the ASI email body, the Smart Variable would mistakenly be blank in the resulting email that gets scheduled. This does not affect existing records but only those created via data import. (Ticket #101536)
  • Bug fix: Appending the Smart Variable [aggregate-count:record_id] with a parameter to filter the results by one or more specific Data Access Groups (using either the unique DAG names or "user-dag-name") would mistakenly have no effect on the result. (Ticket #132676)
  • Bug fix: When opening a Calendar event, the popup might crash due to a fatal PHP error in PHP 8.0+. (Ticket #134180)

Version 12.5.9 (released on 2022-09-09)

 

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way for calculated fields on data entry forms and survey pages. (Ticket #132986)
  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way for certain features of REDCap Messenger.
  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way for a certain feature on the Project Setup page and Copy Project page.
  • Improvement: Various changes and improvements for the External Module Framework, including a new module AJAX request feature (thanks to Günther Rezniczek and Mark McEver). While it has always been possible to make AJAX requests via module code, using this new framework method makes it easier and more secure. Note that for framework version 11+, logging in non-authenticated contexts must be explicitly allowed by setting the “enable-no-auth-logging” flag in “config.json”.
  • Bug fix: When renaming records, the record name would mistakenly get double-decoded during the process, which is not necessary and might cause issues depending on the specific characters inside the record's record name. (Ticket #133650)
  • Bug fix: Using "now" or "today" as the first parameter in the @CALCDATE action tag might mistakenly not work while viewing a data entry form or survey page if the @CALCDATE field has DMY or YMD date format. (Ticket #133677)
  • Bug fix: When using the Randomization feature and randomizing a record in a project that has record auto-numbering enabled, in which the record is being randomized before the record has first been created, right after the record has been randomized, the left-hand menu link to the record's Record Home Page might mistakenly point to a new not-yet-created record instead of the record that was just randomized. (Ticket #133678)
  • Bug fix: When using the biomedical ontology searching mechanism on a data entry form or survey, results in certain ontologies might not return the expected "notation" or "cui" attribute (because they do not have those attributes), thus defaulting to using the label itself for the data value of the field. It should instead attempt to use the "@id" attribute (if available) as a tertiary measure before defaulting to using the label. (Ticket #133550)
  • Bug fix: When using "OpenID Connect" or "OpenID Connect & Table-based" authentication and logging in to the server at a specific URL outside the main REDCap Home page, the user would always mistakenly be redirected back to the Home page instead of the original URL. This could cause issues in certain cases, such as when clicking the email address validation link from an email. (Ticket #133729)
  • Bug fix: When using WebDAV for file storage in REDCap, very large files might be able to be uploaded into File Upload fields, but attempting to download the same large files might mistakenly result in a fatal PHP error due to memory constraints. (Ticket #133638)
  • Bug fix: When viewing the dialog of Upcoming Scheduled Survey Invitations for a record on the Record Home Page, the survey title (if long) might mistakenly be truncated inside the dialog. (Ticket #133813)
  • Bug fix: The "Other Export Options" page was mistakenly displaying the Tableau Export dialog contents near the top of the page instead of only displaying it inside the dialog after clicking the blue "View export instructions" button. (Ticket #133813)
  • Bug fix: When using Multi-Language Management, in which a survey’s text is translated, the survey might crash with a fatal PHP error in specific scenarios when using PHP 8. (Ticket #133892)
  • Bug fix: When using the Data Resolution Workflow and either opening/responding to/closing a data query or verifying/de-verifying a value via the results of a Data Quality rule on the Data Quality page, that specific result's button in the Data Quality dialog might not correctly get updated with the new status icon/number of comments if the project is longitudinal but instead would incorrectly display the icon/comment count for another event's result for the same record. (Ticket #131878)

Version 12.5.8 (released on 2022-09-02)

 

  • Minor security fix: The third-party JavaScript libraries Handlebars and Moment.js were updated to the latest version because they contained some security vulnerabilities.
  • Major bug fix: When using Multi-Language Management on a survey with the e-Consent Framework enabled, the PDF displayed inline on the page to the participant at the end of the survey would mistakenly not be in the participant's chosen language but instead would be in the default language. Note: This does not affect the e-Consent PDF being stored in the File Repository, which is correctly stored in the participant's language.
  • Bug fix: Fix for fatal PHP 8 error when viewing the Participant List page in specific circumstances. (Ticket #132555)
  • Bug fix: The Email Logging page would mistakenly not return any logged emails if the search filter was set to return emails of type "Alerts & Notifications". This was due to emails not getting stored in the email logging database table with the correct category attribute. Thus, when using the type filter "Alerts & Notifications" going forward, it will only return results of emails sent after upgrading to this version of REDCap. (Ticket #133222)
  • Bug fix: When creating a report and adding a date, datetime, or number field as a report filter in Step 3, if the field has a min or max range validation set and the user enters a value for the filter field that was outside of the field's min/max range, it would mistakenly display the out-of-range warning. This out-of-range warning is not necessary when building reports but only when entering data. The out-of-range check has been removed for report filter fields. (Ticket #133203)
  • Bug fix: When a user in a Data Access Group is viewing the Logging page or calling the API Export Logging method, if the "Filter by event" filter (or "logtype" parameter in the API) was set to a record-oriented value (e.g., Record created only), certain logged events might mistakenly not be returned if the logged events were not performed by a user that explicitly belongs to the current user's DAG (e.g., a non-DAG user or a survey participant). (Ticket #133203)
  • Bug fix: While reordering an event on the Define My Events page of a longitudinal project, the black popup that appears temporarily would mistakenly be located in the wrong place on the page. (Ticket #133296)
  • Various updates and fixes for the External Module Framework, including:
    • Logged a stack trace instead of displaying it to avoid exposure of file paths
    • Prevented redcap_module_link_check_display() from running on surveys
    • Miscellaneous documentation updates
    • Miscellaneous Psalm scanning improvements
    • Fixed miscellaneous PHP 8 warnings
  • Bug fix: A space was mistakenly missing before the URL in the "Super API Token has been deleted" email sent to the user. (Ticket #133345)
  • Bug fix: When adding a new instrument to a project in development status, all users in the project would mistakenly not automatically be given "Full Data Set" data export rights to the new instrument. In certain circumstances when a new instrument is added, users would receive De-Identified export rights mistakenly, and in other situations, they would not appear to have any export rights at all for the new form until they logged in to REDCap and entered the project. This could additionally cause confusion where it might appear that the user's form-level export rights had changed if the user had not accessed the project during the time in which the new instrument was created and then the project was moved to production. (Ticket #133306)
  • Bug fix: When using Multi-Language Management, the MLM setup page might mistakenly crash with a fatal PHP error in specific circumstances due to UTF-8 characters being present in some text. (Ticket #133305)
  • Bug fix: When creating/editing an alert on the Alerts & Notifications page, the "Show Advanced SendGrid Settings" link inside the alert dialog would mistakenly be displayed when the SendGrid Template option is not selected and also when the SendGrid Template setting is not even enabled in the project or whole REDCap system. Bug emerged in REDCap 12.5.6 (Standard).
  • Bug fix: The Duo Universal Prompt utilized in the Duo two-factor authentication in REDCap might mistakenly crash with a fatal PHP error in certain situations. (Ticket #133318)
  • Bug fix: Added 11 missing LOINC codes for Clinical Data Interoperability Services (CDIS) mapping.
  • Bug fix: Clicking the "Project Owners" button on the Email Users page in the Control Center might mistakenly select some users that should not be selected, especially if the users had been project owners on projects that had been marked as completed or were recently deleted.
  • Bug fix: When using Azure AD authentication, specifically V1 of Azure AD, the username or email address for a B2B collaboration user object might contain an "#EXT#" identifier as text inside it in certain cases. It is problematic to have the character "#" in a user's username and email. If this occurs, the text "#EXT#" will be automatically removed. (Ticket #121605c)
  • Bug fix: When a user has User Rights privileges in a project and has also been assigned to a Data Access Group, if the user goes to edit their own rights on the User Rights page and clicks "Save", it would mistakenly remove them from their current DAG without warning. (Ticket #133313)
  • Bug fix: When using Twilio for sending SMS messages for survey-related activities, in some cases the Survey Invitation Log might not correctly report that the participant had opted out of receiving SMS messages. In these cases, in which the Twilio API returns the specific error message "Attempt to send to unsubscribed recipient", the invitation log now correctly notes that the invitation did not send because the participant opted out. (Ticket #105253)
  • Bug fix: When a user clicks the "Delete data for THIS FORM only" button at the bottom of a data entry form, in which the form exists on a repeating event where no other forms have data (i.e., all other form status icons are a gray color), the repeating event would mistakenly still appear in reports when in fact it should no longer appear in reports. (Ticket #131790)

Version 12.5.7 (released on 2022-08-26)

 

  • Minor security fix: Several Cross-site Scripting (XSS) vulnerabilities were discovered where a malicious user could potentially exploit them on specific pages by inserting HTML tags and JavaScript event attributes or by manipulating parameters in the URL, specifically when editing Project Dashboards, when uploading and viewing inline image files on forms/surveys, and when entering Missing Data Codes on the Project Setup page.
  • Change: When performing a data export, the dialog now mentions more REDCap publications that might need to be cited in published manuscripts relating to the current REDCap project. Such publications would include those for MyCap, the REDCap Mobile App, the e-Consent Framework, and CDIS.
  • Change: The Configuration Check page now suggests that the MySQL setting "max_allowed_packet" be increased to 128 MB or higher (preferably to 1 GB) if it is currently less than 128 MB. In previous REDCap versions, it only made this recommendation if its value was less than 16 MB, which proved to be too small for certain very large projects to function normally.
  • Bug fix: When the system-level setting "Allow reports to be made 'public'?" has been set to "No", administrators would mistakenly not be allowed to make reports public. Regardless of this setting, admins should always be able to make any report public. (Ticket #132901)
  • Bug fix: Clicking the "View export instructions" for the Tableau Export option on the "Other Export Options" page might mistakenly fail to open the dialog, thus resulting in a JavaScript error.
  • Bug fix: When changing the system-level language on the General Configuration page in the Control Center, the page would mistakenly not change over to the new language immediately after submitting the page but only when the page was refreshed afterward.
  • Bug fix: The new Duo Universal Prompt utilized in the Duo two-factor authentication in REDCap might mistakenly not work for certain devices/OSs, such as iPhones and iPads. Bug emerged in REDCap 12.5.5 Standard. (Ticket #133020)
  • Bug fix: When using Multi-Language Management, single-instrument PDF downloads would mistakenly not occur in the user's preferred language but would always be rendered in the default language. Bug emerged in REDCap 12.5.2 Standard. (Ticket #133121)
  • Bug fix: If a user knows specific paths for the PHPQRCODE third-party library in REDCap, they could call it many times at a specific URL, which might cause the web server's storage to fill up with lots of temporary files. (Ticket #132432)
  • Bug fix: When using Form Display Logic in a longitudinal project, in which the logic references one or more fields on an event that currently has no data for a given record, the Form Display Logic would mistakenly fail to work correctly.
  • Bug fix: When piping a date or datetime field into the max validation range check for another date/datetime field, if the field being used as the max exists on a different instrument or survey page, it would mistakenly not throw an out-of-range warning if the value was above the maximum. Note: This does not affect the min range check but only the max. (Ticket #124222b)

Version 12.5.6 (released on 2022-08-19)

 

  • New Feature: SendGrid Template Advanced Settings for Alerts & Notifications
    • Introduction - A new “advanced settings” section was added to the Alerts & Notifications interface when building an alert using the relatively new SendGrid Template alert type that gives users more control over the underlying SendGrid API call being made when REDCap triggers a SendGrid Template alert. Note that all of the advanced settings are optional, and they are all disabled by default. If “SendGrid Template email services for Alerts & Notifications” are enabled for a project on the Project Setup page, then these advanced settings will appear in the alert creation dialog after selecting “SendGrid Template” as the alert type. The new advanced settings are all listed in detail below.
    • SendGrid Unsubscribe Groups - SendGrid can allow recipients of its emails to unsubscribe from all emails being sent from a SendGrid account, or from emails associated with specific unsubscribe groups in a SendGrid account. To take advantage of custom unsubscribe groups, you can create unsubscribe groups in your SendGrid account then associate them with alerts in your REDCap project. When a recipient unsubscribes from an email that has been associated with a specific unsubscribe group, they get added to that unsubscribe group's list and any future emails that are associated with that unsubscribe group will not be delivered to them. An alert can be associated with at most one unsubscribe group. Here is SendGrid's documentation on unsubscribe groups: https://docs.sendgrid.com/ui/sending-email/unsubscribe-groups.
    • SendGrid Categories - SendGrid allows you to associate arbitrary categories to each email you send from your account, effectively giving you the ability to tag each individual email sent with different metadata about the email like the email type. Unlike unsubscribe groups, categories don't have to be made in your SendGrid account before associating them with an alert in REDCap. You can define your categories in REDCap as you create your REDCap alert, and your SendGrid account will automatically detect new categories as emails get sent with them. In your SendGrid account's Category Stats page, you'll be able to see data about your emails by category. You can associate up to 10 unique categories per email, and a category name cannot be longer than 255 characters.
    • SendGrid Mail Settings - Full documentation for the SendGrid bypass settings can be found at https://docs.sendgrid.com/ui/sending-email/index-suppressions#bypass-suppressions.
      1. Bypass List Management - When enabled, your email will be delivered regardless of any other existing suppression management control in your account. For example, if a recipient is in an unsubscribe group or the global unsubscribe group, they will still receive the email if bypass list management is enabled. Bypass List Management can't be combined with any other bypass option.
      2. Bypass Spam Management - Allows you to bypass the spam report list to ensure that the email is delivered to recipients. Some email services allow recipients to mark emails as spam. In some cases, SendGrid will be notified when a recipient marks an email as spam and will maintain a spam report list.
      3. Bypass Bounce Management - Allows you to bypass the bounce list to ensure that the email is delivered to recipients. A bounce occurs when a receiving mail server rejects an incoming email. This can happen if the recipient address is bad, for example. If SendGrid sees too many bounces happening, it will add that recipient to a bounce list and it will stop trying to send mail to that recipient. Enabling this will bypass that bounce list and force SendGrid to retry delivery.
      4. Bypass Global Unsubscribe Management - When enabled, your email will be delivered even if the recipient is on your account's global unsubscribe list.
      5. Sandbox Mode - Sandbox mode lets you check for errors in the SendGrid API call used to send an email without the potential of delivering the email. If you're unsure about your SendGrid configuration, you can run a test by enabling sandbox mode for an alert and triggering it. If your project's logs state that the alert was sent successfully and you don't see any errors, then your configuration is good to go. However, since sandbox mode was enabled for that alert, an email was not actually sent. After you're satisfied with your tests, you can disable sandbox mode and start sending real emails with your alert.
    • SendGrid Tracking Settings
      1. Click Tracking - SendGrid has the ability to detect when a recipient clicks on links in an email. The count of clicks for a given email can be seen in the email activity section of your SendGrid account.
      2. Open Tracking - SendGrid has the ability to detect when a recipient opens an email by embedding a single pixel image in an email. Enabling this setting will make SendGrid include this tracking pixel in your emails. You can view the count of opens for a specific email in the email activity section of your SendGrid account.
      3. Subscription Tracking - If subscription tracking is enabled and configured on your SendGrid account, this setting lets you choose whether or not you want to include the global unsubscribe link associated with the subscription tracking feature in your emails. Note that you can utilize unsubscribe groups without using the more general subscription tracking feature. I believe subscription tracking is disabled by default on a SendGrid account. Here is some documentation from SendGrid about unsubscribe methods: https://support.sendgrid.com/hc/en-us/articles/1260806604209-Unsubscribe-Methods
    • Miscellaneous Additions
      1. Added an External Service Check for https://api.sendgrid.com/v3 in the Control Center's Configuration Check page.
      2. Added a line in the Modules utilized section of the Systems Statistics page to keep track of how many non-practice projects are utilizing SendGrid for Alerts & Notifications.
    • Additional SendGrid API Token Requirements - To fully support SendGrid Advanced Settings, the SendGrid API token used in the project's setup needs the permission for getting an account's unsubscribe groups through the API. This permission is mapped to the asm.groups.read scope. You can add this permission to your existing API token by editing its permissions in your SendGrid account and giving it Read Access to Unsubscribe Groups in the Suppression section.
  • Improvement: When utilizing Multi-Language Management in a project, the Field Finder on the Codebook page now supports searching in translated field labels.
  • Improvement: The date of the most recent REDCap upgrade for the system is now displayed near the bottom of the main Control Center page. (Ticket #69036)
  • Improvement: "Project 5 (COVID-19)" was added as a new classification that is selectable under the NIH CDE Repository catalog for the Field Bank feature in the Online Designer. Project 5 (COVID-19) is a classification of NIH-Endorsed CDEs (Common Data Elements).
  • Major bug fix: When exporting a PDF that contains a multiple choice field that has been flagged as an Identifier field, if the user has De-Identified data export rights for the field's instrument, the data for the field would mistakenly not be removed from the resulting PDF. (Ticket #132190)
  • Major bug fix: When clicking the “Forgot your password?” link on the login page and then entering the username of a valid REDCap user, the password of the username entered would mistakenly be reset immediately after being entered, which could lock out the user if a malicious user is randomly entering usernames to try and discover a valid username. It now only resets the user’s password after they click the password reset link in the email that they receive. Additionally, in order to prevent malicious users from discovering valid usernames, the password reset page now returns the exact same message in all situations, whether the username entered is a real username or not. In the case when using one of the “X & Table-based” authentication methods, if the user entered is an external user (i.e., not a Table-based user), they will also receive an email that will inform them that they must reset their password using an external resource outside of REDCap (or it will instead display the custom password reset text that has been defined in the Control Center). (Ticket #132595)
  • Major bug fix: When using certain external authentication methods, survey pages might sometimes mistakenly time out if the project's internal Record List Cache (a secondary list of records in the database for improving performance) had not been built yet, which is done automatically by REDCap internally. This would cause an internal API call to fail when it is made inline while loading survey pages, thus causing the survey page not to load. (Ticket #104761)
  • Bug fix: The Codebook page can become very slow in certain situations when lots of fields exist in the project, especially when utilizing languages for Multi-Language Management. (Ticket #132349)
  • Bug fix: When using Multi-Language Management in a project, some translations might get mistakenly overwritten when importing a CSV/JSON translation file due to an issue with case sensitivity with the language ID (e.g., “es” vs “ES”). (Ticket #132443)
  • Bug fix: Some of the text inside the dialog displayed to an administrator when a project has been marked as Completed was changed in order to be less confusing about the project's status after the admin has restored it. (Ticket #132499)
  • Bug fix: When using Azure AD authentication, users might mistakenly not have their first/last name and email auto-populated into their user profile after initially logging in to REDCap. This bug was supposedly fixed in the previous version but mistakenly was not. (Ticket #130664b)
  • Bug fix: When using the Data Resolution Workflow feature and creating data queries based on the results of Data Quality rules, the results of the Data Quality rules might not display the correct number of comments for a given discrepancy unless it belongs to a repeating instrument. (Ticket #131878)
  • Bug fix: When a user's date/time format user preference on the Profile page is set specifically to "YYYY-MM-DD and 24-hour time", some timestamps displayed in the REDCap user interface (e.g., Most recent activity on Project Home, Email Logging sent time) would mistakenly display the "seconds" component of the datetime when it should only display hours and minutes. (Ticket #132678)
  • Bug fix: When using Azure AD authentication, the username for a B2B collaboration user object might contain an "#EXT#" identifier as text inside it in certain cases. Having the character "#" in a user's username is problematic. If this occurs, the text "#EXT#" will be automatically removed from the user's username. (Ticket #121605b)
  • Bug fix: By manipulating URLs and/or JavaScript variables on a REDCap project page, a user might be able to request an API token for a project in which they do not explicitly have API rights (although they would have to have access to the other project in order to do this). Even if the administrator approved the token request via the To-Do List or via the email request, the user would not be able to obtain the API token that was created for them, nor would they be able to use the token even if they could somehow obtain it. So no real harm or privacy issues could result from this. (Ticket #132778)
  • Bug fix: When using Multi-Language Management and importing translations for survey settings via a CSV file, some survey settings would mistakenly fail to import successfully. (Ticket #132828)
  • Bug fix: When using Multi-Language Management, the “[Reminder]” text for Automated Survey Invitation reminders was mistakenly not translatable. It can now be translated on the User Interface > Survey > Survey Emails section on the MLM setup page. (Ticket #132868)
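
The password reset behavior described in the 12.5.6 "Forgot your password?" fix above, sketched as an added PHP example (not REDCap's own code): the password changes only when the emailed link is used, and every request returns the same message. The class, its methods, the in-memory stores, the one-hour token lifetime and the redcap.example.org hostname are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not REDCap source. Every name here is hypothetical;
// arrays stand in for the user table, the token table and the mail queue.
final class PasswordResetFlow
{
    private const TOKEN_TTL = 3600; // seconds a reset link stays valid (assumed)
    public const GENERIC_MESSAGE =
        'If that username exists, an email with further instructions has been sent.';

    /** @var array<string, array{email: string, password_hash: string, external: bool}> */
    private array $users;
    /** @var array<string, array{username: string, expires: int}> keyed by SHA-256(token) */
    private array $tokens = [];
    /** @var array<int, array{to: string, body: string}> queued mail, sent out of band */
    public array $outbox = [];

    public function __construct(array $users)
    {
        $this->users = $users;
    }

    // Step 1, the "Forgot your password?" form: the stored password is left
    // alone, and the return value is identical for real and unknown usernames.
    public function requestReset(string $username, ?int $now = null): string
    {
        $now ??= time();
        $user = $this->users[$username] ?? null;
        if ($user !== null && $user['external']) {
            // Account authenticates externally: point the owner elsewhere.
            $this->outbox[] = ['to' => $user['email'],
                'body' => 'Your password is managed outside this system; reset it there.'];
        } elseif ($user !== null) {
            $token = bin2hex(random_bytes(32));
            // Keep only a hash, so a leaked token table cannot be replayed.
            $this->tokens[hash('sha256', $token)] =
                ['username' => $username, 'expires' => $now + self::TOKEN_TTL];
            $this->outbox[] = ['to' => $user['email'],
                'body' => 'Reset link: https://redcap.example.org/reset?token=' . $token];
        }
        // Mail is queued rather than sent inline so response time does not
        // reveal which branch ran.
        return self::GENERIC_MESSAGE;
    }

    // Step 2, the emailed link: only here does the password change.
    public function completeReset(string $token, string $newPassword, ?int $now = null): bool
    {
        $now ??= time();
        $key = hash('sha256', $token);
        $entry = $this->tokens[$key] ?? null;
        unset($this->tokens[$key]); // single use, also clears expired entries
        if ($entry === null || $entry['expires'] < $now) {
            return false;
        }
        $this->users[$entry['username']]['password_hash'] =
            password_hash($newPassword, PASSWORD_DEFAULT);
        return true;
    }

    public function login(string $username, string $password): bool
    {
        $hash = $this->users[$username]['password_hash'] ?? null;
        return $hash !== null && password_verify($password, $hash);
    }
}

// Constructed sample account and inputs.
$flow = new PasswordResetFlow([
    'alice' => ['email' => 'alice@example.org', 'external' => false,
                'password_hash' => password_hash('old-secret', PASSWORD_DEFAULT)],
]);

$known   = $flow->requestReset('alice');
$unknown = $flow->requestReset('no_such_user');
echo 'same response for both usernames: ', var_export($known === $unknown, true), PHP_EOL;
echo 'old password still valid after request: ',
    var_export($flow->login('alice', 'old-secret'), true), PHP_EOL;

$token = explode('token=', $flow->outbox[0]['body'])[1];
echo 'bogus token rejected: ',
    var_export(!$flow->completeReset('not-a-token', 'x'), true), PHP_EOL;
echo 'emailed token accepted: ',
    var_export($flow->completeReset($token, 'new-secret'), true), PHP_EOL;
echo 'token cannot be reused: ',
    var_export(!$flow->completeReset($token, 'other'), true), PHP_EOL;
echo 'new password works: ', var_export($flow->login('alice', 'new-secret'), true), PHP_EOL;
```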

Version 12.5.5 (released on 2022-08-05)

 

  • Improvement: Admins can now provide an alternate URL that will be used for the "Contact REDCap Administrator" links on each project's left-hand menu. If admins are using a ticket system, for example, to collect questions/issues from users, they may enter the URL of the ticket system's page where new tickets can be submitted. The alternate URL can be entered on the General Configuration page of the Control Center. If left blank (its default value), the "Contact REDCap Administrator" links will function as they have in previous versions, in which clicking them will open a pre-formatted email in the user's native email client.
  • Improvement: The Duo two-factor authentication process has been upgraded to use the new Duo Universal Prompt. This will provide a better and more reliable user experience for those institutions using Duo for two-factor authentication in REDCap. (Ticket #130859)
  • Improvement: Two more fields (general_practitioner and managing_organization) were added to the Patient FHIR resource when using the Clinical Data Mart service for CDIS.
  • Major bug fix: When viewing and downloading files under the "Data Export Files" tab of the File Repository, users that do not have Full Data Set data export rights to every field contained within a given export file on that page would mistakenly be able to download the export file(s). REDCap will now check to ensure that the user has Full Data Set access to every field contained within the export file, and if they do not, the user will not be able to download the data export file(s), and the page will instead display the following message: "NOTICE: You are not able to download the export files here because you have either none or partial data export rights to one or more fields contained within the data export file." This bug was introduced in REDCap 12.2.0 with the advent of instrument-level data export rights.
  • Bug fix: When a user attempts to submit an instrument to the REDCap Shared Library via the Online Designer, the descriptive text regarding this process mistakenly includes a dead hyperlink to a page that no longer exists. The hyperlink has been replaced with a modal dialog containing the same information. (Ticket #131617)
  • Bug fix: PHP compatibility issue in some circumstances might cause the PDF export to fail with a fatal error when using PHP 8. (Ticket #131673)
  • Bug fix: When using Multi-Language Management, some HTML and JavaScript might be inserted into the webpage source code too early when viewing the Survey Access Code page. (Ticket #131704)
  • Bug fix: The Codebook would mistakenly not display the min/max values of slider fields on the page if the min/max range values were never explicitly set (i.e., as 0 and 100, respectively). (Ticket #131065b)
  • Bug fix: When using Multi-Language Management, there might be an issue when attempting to import a system language (from the Control Center) into a project and also with exporting a language. (Ticket #131811)
  • Bug fix: A user creating a new project would mistakenly not receive "Full Data Set" data export privileges on all instruments in the new project.
  • Bug fix: When using the Survey Setting to provide custom text for the survey’s Submit button, in which a field variable is piped into the Submit button text, it might mistakenly cause the Previous page button not to function on the survey page. (Ticket #131937)
  • Change: When deleting a project via the Other Functionality page, it now displays the total number of project records inside the Delete Project dialog to give the user more context prior to deleting the project.
  • Bug fix: Viewing a report might cause the page to mistakenly crash with a fatal PHP error in certain situations when running PHP 8. (Ticket #132041)
  • Bug fix: If a participant is attempting to take an Adaptive or Auto-Scoring survey (i.e., downloaded from the REDCap Shared Library), in which the survey has the Survey Login feature enabled, after the participant has successfully logged in, the survey would mistakenly not display correctly because the first question and submit button would not be visible on the page, thus making it impossible to complete the survey (unless the participant refreshed the page in their browser, after which it would work correctly).
  • Bug fix: When using Multi-Language Management, if a user exports a CSV language file on the MLM setup page, edits it, and then imports it back again, in certain circumstances the uploaded changes might not take effect.
  • Bug fix: When using Azure AD authentication, users might mistakenly not have their first/last name and email auto-populated into their user profile after initially logging in to REDCap. (Ticket #130664)
  • Change: In the Action Tag documentation, a note was added about how to escape text returned from the @CALCTEXT action tag.
  • Bug fix: When using Multi-Language Management, if the survey setting checkbox “Store the translated version of the PDF” is not checked for the “Save a PDF of completed survey response to a File Upload field” setting on the Survey Settings page, the saved PDF of the response would mistakenly be stored in the language that the participant had chosen on the survey page instead of storing the PDF using the default language. (Ticket #131879)

Version 12.5.4 (released on 2022-07-27)

 

  • Major bug fix: When the Protected Email Mode is enabled in a project, and a recipient clicks the link in their email to view the original email content within REDCap, they would never receive the follow-up email containing the one-time code, thus preventing them from accessing the content of their email. (Ticket #131414)
  • Major bug fix: When an Automated Survey Invitation utilizes conditional logic with the "Ensure logic is still true" checkbox checked, and a survey invitation gets scheduled, after which the record's data is modified, thus invalidating the ASI conditional logic, the scheduled invitation would mistakenly fail to get automatically deleted. Bug emerged in REDCap 12.5.0 (Standard). (Ticket #131358)
  • Major bug fix: When using Google OAuth2 authentication with the User Allowlist enabled, the User Allowlist would mistakenly not prevent users from logging in who were not on the allowlist. (Ticket #131346)
  • Major bug fix: When simultaneous users are viewing the same data entry form for a record that has not yet been created, in which the same tentative record name is displayed at the top of the form for both users, if the second user attempts to lock the form after the first user has already saved the form and created the record, the second user will end up creating a record with another record name (as expected); however, instead of the second record's form getting locked, the first user's record would mistakenly be the one that gets locked. (Ticket #131431)
  • Bug fix: Various PHP errors specific to PHP 8 were fixed on the Data Quality page. (Ticket #131294)
  • Bug fix: Attempting to copy an instrument in the Online Designer when the instrument contains no fields (excluding the form status complete field) often results in the instrument not actually being copied or causes it to be half-copied (i.e., almost copying it but leaving some parts orphaned in the database backend). To fix this, users will no longer be able to copy an instrument if the instrument has no fields. If a user attempts to copy an instrument with no fields, a dialog will be displayed letting them know that they cannot copy the instrument until at least one field exists in the instrument. (Ticket #131273)
  • Bug fix: When using the Multi-Language Management feature, selecting a language as the Fallback language in the MLM setup might prevent the user/participant from switching to the Default language on a form/survey and would instead mistakenly display the Fallback language text on the page.
  • Bug fix: A fatal PHP error might occur when using a CDIS service. (Ticket #130928)
  • Bug fix: When using biomedical ontology searching for a Text field, certain specific codes for very specific ontologies (e.g., SNOMEDCT) might mistakenly return a slightly incorrect code/value (typically off by a value of "1"). This appears to be extremely rare and seems to be due to a limitation with regard to how JavaScript handles large numbers. (Ticket #131406)
  • Bug fix: If survey instructions or survey completion text is indented in specific ways (e.g., when the HTML <p> tag has a padding style added to it), the indentation would not appear on the survey page but only on the Survey Settings page. (Ticket #131479)
  • Bug fix: When two records are about to be created on a data entry form with the same tentative record name (as is displayed at the top of the form) by two simultaneous users, and the second record being created is created via the randomization process, then the project Logging page would mistakenly list the second record's record name with an incorrect value in the "List of Data Changes" column, although the real record name in the "Action" column would be correct for the record.
  • Bug fix: The “json-array” data format that was recently added to REDCap::getData might mistakenly not return the full data expected but might only return partial data when using REDCap::getData with “json-array” data format for large sets of data.
  • Bug fix: When using the Data Resolution Workflow feature and creating data queries based on the results of Data Quality rules, the results of the Data Quality rules might not display the correct number of comments for a given discrepancy if it belongs to a repeating instrument or repeating event. (Ticket #130207)
  • Bug fix: When upgrading to REDCap 12.1.0 or higher, in certain situations the resulting upgrade SQL script might contain some malformed "drop foreign key" queries in which the foreign key name is mistakenly blank, thus resulting in an SQL error during the upgrade. (Ticket #131519)
  • Bug fix: Fixed typo on the Publication Matching page in the Control Center. (Ticket #131581)
  • Bug fix: When the text of the survey Submit buttons has been translated (either via a language INI file or via the Multi-Language Management feature), the button text might mistakenly spill out of the button and not display correctly if the button text ends up being wider than 140 pixels. (Ticket #131545)

Version 12.5.3 (released on 2022-07-21)

 

  • Major bug fix: The "Export Logging" API method would mistakenly allow users to export a project's logging when they do not explicitly have "Logging" privileges in the project. Note: The method would still require API Export privileges to work. The method now requires both API Export privileges and Logging privileges. (Ticket #131089)
  • Minor security fix: The jQuery UI library was updated from v1.13.1 to v1.13.2 due to a Cross-site Scripting (XSS) bug.
  • Bug fix: When using Multi-Language Management and translating the alternative Stop Action text that appears when a survey ends via Stop Action, the alternative Stop Action text would mistakenly not appear in its translated form when displayed on the survey page. (Ticket #130689)
  • Various fixes and updates to the External Module Framework, including:
    • Clarified that the button to delete modules applies only to the selected version, not all versions.
    • Fixed issue with choice labels that have commas in them getting cut off.
    • Expanded log() method docs.
  • Bug fix: When using Multi-Language Management, certain items would not be translated when only one language (which differs from what is set as the project language) is used. (Ticket #130688)
  • Bug fix: When an Automated Survey Invitation's option "Send the invitation X before/after Y" in Step 3 is set to "the same day (beginning at midnight)...", the invitation would mistakenly not get scheduled in longitudinal projects if the survey of the invitation being scheduled exists on a different event from the event where the ASI is being triggered (e.g., if a pre-screening survey on the first event is supposed to trigger an ASI for a follow-up survey on a subsequent event). Note: There is no way for REDCap to automatically schedule any invitations that missed getting scheduled as a result of this bug, so the only way to get the invitation(s) scheduled appropriately is to run the "Re-evaluate ASIs" option in the Online Designer or instead open each record and click the "Save" button on any data entry form (or wait for the datediff+today cron job to trigger it - this only happens if datediff+today/now is used in the ASI conditional logic). Most importantly, users may need to adjust the send-time of any new invitations that get scheduled that initially missed getting scheduled due to this bug (because their scheduled date might differ from what their scheduled date should have been originally). (Ticket #131024)
  • Bug fix: When using the "Save & Return Later" feature on a multi-page survey, in which the survey contains a non-hidden @CALCTEXT field whose value gets populated early in the survey, when a participant returns to the survey later, REDCap would mistakenly advance the participant to the page with the @CALCTEXT field, even if it occurs on a later page than where the participant left off. (Ticket #131056)
  • Bug fix: Any embedded images (added via the rich text editor) displayed on a public report or public project dashboard would mistakenly not display successfully on the page. (Ticket #130897)
  • Bug fix: Regarding the Text-To-Speech functionality for surveys, the "Arabic (Male)" voice was deprecated in the IBM Watson TTS service that is utilized by REDCap. That voice has now been removed as an option on the Survey Settings page, and any surveys using the "Arabic (Male)" voice will automatically have the Text-To-Speech functionality disabled.
  • Bug fix: The Codebook would mistakenly not display the min/max values of slider fields on the page if the "Display number value?" slider setting is not checked/enabled. (Ticket #131065)
  • Bug fix: When using one of the "X & Table-based" authentication methods, various processes (e.g., cron job for user auto-suspension due to inactivity) might not work correctly for some users in certain situations, and various user interfaces (e.g., Sponsor Dashboard) might not display all correct options or page elements for some users in certain situations.

Version 12.5.2 (released on 2022-07-15)

 

  • Major bug fix: If survey invitations are scheduled via the Participant List or via the Survey Options on a data entry form (i.e., not using an ASI), in which one or more invitation reminders are scheduled to be sent, the reminders would mistakenly not get automatically removed from the Survey Invitation Log after the survey had been completed. This would cause the reminders to be sent to the participant even after they had completed the survey. Bug emerged in REDCap 12.5.0 (Standard).
  • Improvement: Added “json-array” as a new option to the data formats for REDCap::getData and REDCap::saveData. It provides a way around the json data format, for the sake of computer cycles as well as for the sake of being able to pass large data structures. The “json-array” option represents the same flat data structure as decoded JSON data when using the “json” data format for these methods, but it avoids the encode/decode steps.
  • Change/improvement: All the language displayed in the CDIS popup dialog “Key differences between Clinical Data Pull (CDP) and Clinical Data Mart (CDM)” has been abstracted and is now translatable.
  • Bug fix: When a survey is set to use "Large" or "Very large" survey text size while some SPAN tags are located inside some H1, H2, etc. tags in the survey instructions, survey completion text, or in any other text displayed on the survey page, the text inside the SPAN tags would mistakenly appear much smaller than it should on the page. (Ticket #130326)
  • Bug fix: When using Azure AD authentication, the user principal name for a B2B collaboration user object might contain an "#EXT#" identifier as text inside the user's email address. Having the character "#" in a user's email, and also (if using their email address as the user's username) in the username, is problematic. If this occurs, the text "#EXT#" will be automatically removed from the user's email address. (Ticket #121605)
  • Various fixes and changes for the External Module Framework, including…
    • Made the "required" flag work for rich text module settings.
    • Hid the button to enable modules when config.json is missing (preventing a confusing error).
    • Clarified the error when modules do not extend AbstractExternalModule.
  • Bug fix: When using the Multi-Language Management feature and translating the titles of surveys in a project, if a survey participant navigates to the survey queue page directly, the survey titles for the surveys listed in the survey queue would be correctly translated; however, when viewing the survey queue immediately after completing a survey, the survey titles would mistakenly not be translated into the participant’s selected display language. (Ticket #130429)
  • Bug fix: Outgoing emails would mistakenly get logged in the "redcap_outgoing_email_sms_log" database table even when the emails themselves failed to send successfully. This could cause the table to fill with emails that never actually sent, many of which might have a missing sender or recipient address in the table. (Ticket #130546)
  • Bug fix: If data is being imported (via API, Data Import Tool, Mobile App, or REDCap::saveData) for a slider field, an erroneous message might be returned in some situations regarding the slider field's min/max specific range settings.
  • Bug fix: If a user has instrument-level locking privileges but only has read-only data viewing privileges for an instrument when viewing the instrument that has been fully or partially completed as a survey response, the "Lock this instrument?" checkbox would mistakenly not be displayed at the bottom of the page, thus preventing the user from locking or unlocking the form. Users with locking privileges should always be able to lock or unlock a form regardless of whether they have edit privileges or read-only privileges for that instrument. (Ticket #130667)
  • Bug fix: A fatal PHP error might occur for longitudinal projects with no instrument-event designations when navigating to the Survey Distribution Tools page when using PHP 8. (Ticket #130743)
  • Bug fix: When an administrator attempts to use the Project Revision History link for a given project on the Browse Projects page in the Control Center, it would mistakenly not load and thus would not be usable.
  • Bug fix: When modifying Descriptive Text fields in the Online Designer, in which a field contains an inline image attachment, the image might mistakenly not display anymore in certain cases until the page is reloaded. (Ticket #130817)
  • Bug fix: When using Multi-Language Management, if a user removed the default text of an item (e.g., set the text as blank for a field label, survey instructions, etc.) after having translated the item, the MLM setup page would mistakenly no longer display the item, thus making it impossible to edit the existing translated text.
  • Bug fix: User input text (e.g., field labels, survey instructions) that is rendered in downloaded PDFs might get mistakenly truncated if the text contains the less-than character "<" immediately followed by certain special characters, such as "+", "-", ".", or "*". (Ticket #130761)
  • Bug fix: Embedding an image via the rich text editor into the text value of a field with the @RICHTEXT action tag on a private survey would mistakenly fail with a 404 error. (Ticket #130673)

Version 12.5.1 (released on 2022-07-08)

 

  • Improvement: When using the Multi-Language Management in a project where the languages created on the MLM setup page have Language IDs that correspond to language ISO codes, if a user or participant has not yet selected their display language via the MLM language-switching choices, REDCap will use their current browser settings to auto-detect and then auto-select their preferred display language. This is meant to be an added convenience to the user/participant. Note: This only occurs if project users have set up their MLM Language IDs as ISO codes.
  • Improvement/change: Updated the Font Awesome library from v5.15.4 to v6.1.1.
  • Improvement: Stop Actions (for multiple choice fields) and Video Display Format settings (for Descriptive Text fields with videos) are now included in Instrument Zip files when downloading or uploading them for an instrument in the Online Designer. In previous versions, stop actions were not included, and while the video URL was included, the setting that defines if the video is displayed inline or not was not included. (Ticket #124377)
  • Bug fix: When a field's action tags are displayed below it in the Online Designer, sometimes an apostrophe might mistakenly get displayed in the action tag name.
  • Bug fix: Fixed issue with example HTML not displaying correctly for an item on the "Help & FAQ" page.
  • Bug fix: When using the Multi-Language Management setup page, translation changes might mistakenly not get saved successfully (although they might appear to be saved) if the current user is an administrator that has “Access to all projects and data” system privileges but has not been explicitly given Project Design privileges within the project. (Ticket #130248)
  • Various fixes and changes to the External Module Framework, including…
    • Improved the error message when firewalls prevent module downloads.
    • Allow deleting old versions of enabled modules.
    • Fixed a bug preventing modules containing symlinks from being deleted.
  • Bug fix: A fatal PHP error might occur when accessing the Data Quality page with PHP 8.0+. (Ticket #130364)

Version 12.5.0 (released on 2022-07-01)

 

  • New feature: Repeating Automated Survey Invitations (ASIs)
    • Users can now set ASIs to send multiple times on a recurring basis for any repeating survey in a project. If the survey is a repeating instrument or if it exists on a repeating event, then users will see a new section "How many times to send it" in the ASI setup popup in the Online Designer. There users may set the ASI to send survey invitations repeatedly at a regular interval, in which it can repeat forever or a set number of times. This new repeating ASI feature works similarly to how recurring alerts have always worked for Alerts & Notifications.
    • Note: If an instrument is not a repeating survey, then this new section will not appear for that survey in the ASI setup dialog.
    • When an ASI is set up to recur for a repeating survey, the [survey-link] Smart Variable in the invitation text will always point to a different repeating instance of the survey for each time the invitation is sent. For example, if the ASI is set to recur daily, then the first day’s invitation will have a link pointing to instance #1 of the survey, the next day’s invitation will point to instance #2, then the next to #3, and so on.
  • New Smart Variable: [new-instance]
    • This new Smart Variable [new-instance] can be appended to [survey-link], [survey-url], [form-link], and [form-url] to create a URL that points to a new, not-yet-created repeating instance for the current record. In this way, [new-instance] functions essentially as [last-instance]+1. This new Smart Variable works for repeating instruments and also for instruments on repeating events.
    • [new-instance] can also be used as stand-alone, in which it will return an integer. But it will only work when used within the context of a repeating instrument or repeating event, in which it will essentially return [last-instance]+1 for the current repeating context.
    • [new-instance] will auto-append “&new” to the end of the form link or survey link (when used with [form-link/url] or [survey-link/url]) and thus will cause the user/participant to be redirected to the next repeating instance if the current repeating instance (i.e., the instance number in the URL) already exists for the record. Thus, using [form-link] or [survey-link] appended with [new-instance] will ensure that you always end up on a new, not-yet-created instance. And if two participants arrive at the same repeating survey instance with both using the exact same link created by [survey-link][new-instance], then the second participant to submit the survey page will not override the first participant’s response. Instead, it will add the second participant’s response as another repeating instance that does not exist yet.
    • TIP: One of the main intended usages of [new-instance] is to utilize it as [survey-link:instrument][new-instance] inside the text of a recurring alert to allow users/participants to enter data easily into a repeating survey. In this way, it works very similarly to a repeating ASI. However, repeating ASIs do not need their survey link appended with [new-instance] because it is already implied from the ASI setup.
  • New feature: Embedding images in text & emails
    • Users may now embed one or more inline images into the text of a survey invitation, an alert, or a field label on a form/survey, among other things, by clicking the image icon in the rich text editor and then by uploading an image from their local device. Anywhere that the rich text editor is used, users may embed an image into its text (with one exception: the @RICHTEXT action tag on public surveys).
    • If you wish to disable the ability to embed images in text via the rich text editor, you may disable this functionality at the system level on the Modules/Services Configuration page in the Control Center.
  • New method for plugins/hooks/modules: REDCap::storeFile - Stores a file in REDCap when provided with the full path of a file on the local REDCap web server. Returns the doc_id from the redcap_edocs_metadata database table for the stored file. The file will be automatically stored using the defined file storage method in the system (e.g., WebDAV, S3, local). Note: The original file on the server will *not* be deleted by this process.
  • New method for plugins/hooks/modules: REDCap::copyFile - Creates a new file in REDCap by copying a file already stored in the system when provided with the doc_id of the original file from the redcap_edocs_metadata database table in the REDCap system. Returns the doc_id for the newly created file. The new file will be automatically stored using the defined file storage method in the system (e.g., WebDAV, S3, local). Note: The original file whose doc_id is provided as a parameter will *not* be deleted by this process.
  • New method for plugins/hooks/modules: REDCap::addFileToRepository - Adds a file to a project's File Repository when provided with the doc_id of an existing file from the REDCap system. Warning: This method should not be used for files already stored for File Upload fields or as various attachments in the system because deleting the file from the File Repository will delete it in all places where the file is utilized. Ideally, this method is meant to be paired with the method REDCap::storeFile(). If you wish to add a file to the File Repository that is already being utilized elsewhere in REDCap (e.g., as an attachment or uploaded to a File Upload field), it is recommended that you first call REDCap::copyFile() to copy the original file, and then call REDCap::addFileToRepository() afterward.
  • Improvement: When setting up an ASI, the sub-section “When to send invitations AFTER conditions are met” now contains the new drop-down choice "the same day (beginning at midnight) that the automated invitation was triggered" in the sub-option “Send the invitation X days Y hours Z minutes before/after [drop-down]”. This new choice in the drop-down allows users to schedule the invitation based on the day the ASI was triggered and provides greater control and precision with regard to when exactly the invitation will be sent. For example, if this new drop-down option is selected along with setting it to “send the invitation 1 day 8 hours after…”, this will cause the invitation to be scheduled to be sent at exactly 8:00am the next morning. In previous versions, it was not possible to get this level of precision for the invitation send-time based upon ASI trigger-time unless you used a date field’s value as a reference.
  • Change/improvement: When setting up an Automated Survey Invitation, the setting to make the ASI “Active” or “Not Active” has been moved to the top right of the ASI setup dialog.
  • Various fixes and changes for the External Module Framework, including…
    • Prevented return value warnings on external module hooks that shouldn't return values.
    • Added tags to improve Psalm scanning.
  • Bug fix: The REDCap Cron Job might mistakenly output some SQL queries when running the QueueRecordsDatediffCheckerCrons job.
  • Bug fix: When an Automated Survey Invitation has been set up in a longitudinal project, in which the ASI's conditional logic includes datediff()+today/now and has the "Ensure logic is still true" checkbox checked while additionally one or more of the variables in the logic are missing a prepended unique event name, the DateDiff+Today/Now cron job might mistakenly schedule a survey invitation that should not be scheduled, even though REDCap will ultimately unschedule the invitation right before trying to send it. (Ticket #129893)
  • Bug fix: When a Vimeo video link is provided for the embedded video URL for a Descriptive Text field, the video would mistakenly not be playable on the page if the URL contained extra alphanumeric characters that appear after the first set of numbers and slash in the video URL (e.g., https://vimeo.com/637116791/709509f375). (Ticket #118309)
  • Bug fix: Missing Data Codes could mistakenly not be saved to a File Upload field during a data import (e.g., API, Data Import Tool, REDCap::saveData) despite the fact that Missing Data Codes could be saved for File Upload fields via the web interface. (Ticket #82602)
  • Bug fix: If an administrator has "Manage user accounts" privileges but does not have "Access to all projects and data..." privileges, the Browse Users page might malfunction when they attempt to perform certain actions, such as suspending users, where it would mistakenly send an email to the user themselves as if they had made a request from the Sponsor Dashboard page (which they didn't). (Ticket #129830)
  • Bug fix: Fixed typo in Double Data Entry error message. (Ticket #130093)
  • Bug fix: If a project is using randomization with strata fields, in which the strata fields exist on the first instrument, and then a participant loads the first instrument as a survey via the public survey link, if the strata fields appear on the first page of the survey, the strata fields will mistakenly be rendered as disabled/read-only on the public survey page if the highest-numbered record in the project has already been randomized. (Ticket #130107)
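
The [new-instance] behaviour described in the Version 12.5.0 notes above ([last-instance]+1, the appended "&new", and two participants sharing one link), modelled as an added example. It is a simplified illustration and not REDCap's own code; the class and method names are hypothetical.

```python
"""Simplified model of [new-instance] link resolution (added illustration, not REDCap code)."""
from dataclasses import dataclass, field


@dataclass
class RepeatingInstrument:
    """Responses for one record's repeating instrument, keyed by instance number."""
    responses: dict = field(default_factory=dict)

    def last_instance(self) -> int:
        # [last-instance]: highest existing instance number, 0 if none exist yet.
        return max(self.responses, default=0)

    def new_instance(self) -> int:
        # [new-instance] functions essentially as [last-instance]+1.
        return self.last_instance() + 1

    def build_link(self) -> dict:
        # Model of [survey-link][new-instance]: the instance number is fixed when
        # the link is generated, and the "new" flag stands for the appended "&new".
        return {"instance": self.new_instance(), "new": True}

    def resolve(self, link: dict) -> int:
        # If the instance in the link already exists, "&new" moves the
        # participant forward to an instance that does not exist yet.
        if link["new"] and link["instance"] in self.responses:
            return self.new_instance()
        return link["instance"]

    def submit(self, link: dict, data: str) -> int:
        # Resolve again at save time, so a response stored by someone else
        # after this page was loaded is never overwritten.
        target = self.resolve(link)
        self.responses[target] = data
        return target


def simulate_shared_link() -> dict:
    """Two participants open the exact same link, then submit one after the other."""
    instrument = RepeatingInstrument({1: "earlier response", 2: "earlier response"})
    link = instrument.build_link()          # points at instance 3
    instrument.submit(link, "participant A")
    instrument.submit(link, "participant B")
    return instrument.responses


if __name__ == "__main__":
    for number, data in sorted(simulate_shared_link().items()):
        print(number, data)
```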

Version 12.4.5 (released on 2022-06-27)

 

  • Bug fix: If the Custom Record Label is enabled in a project, and the current user is exporting a PDF of an instrument containing data, the fields in the Custom Record Label might all be replaced with the text [**DATA REMOVED**] at the top right of each PDF page if the user has De-Identified data export rights for just some of the fields. It would mistakenly either display the data for all the Custom Record Label fields or instead remove all of them, but not necessarily remove just some of them based on their form-level export rights. (Ticket #129822)
  • Bug fix: Using the Action Tag @NOW on a Text field with "Time (HH:MM:SS)" field validation would mistakenly return a full datetime value when the page loads rather than just the time in HH:MM:SS format. (Ticket #129882)
  • Bug fix: If a project is using randomization with strata fields, in which the randomization field and/or strata fields exist on a survey that has "Save & Return Later" enabled, if a participant completes part of the survey for a record that has already been randomized, then returns later to the survey but forgets their return code, then clicks the "Start Over" button on the survey, the randomization field and/or strata fields on the survey would mistakenly have their values erased. All the other field values on the survey should be erased, but the randomization field and strata field data should never get erased for records that are already randomized. (Ticket #129892)

Version 12.4.4 (released on 2022-06-24)

 

  • Improvement: The Multi-Language Management setup page now has an option to “Export or import general settings”. This includes which languages are set as active, default, or fallback, which fields and survey settings are excluded, as well as the settings on the Alerts tabs and Settings tab. Note: The export/import option will appear when at least one language has been created in the project. This option is available as a JSON file only for import/export.
  • Bug fix: When using the calendar feed with Outlook for calendar events containing both day and time components (as opposed to those without a time component), it might mistakenly display an error in Outlook relating to a "floating DTSTART" issue and would prevent the calendar feed from syncing properly. (Ticket #128842)
  • Bug fix: The popup about anonymous surveys on the Participant List page would mistakenly display some text meant to be seen only if the project is set up to use anonymous surveys. (Ticket #129540)
  • Bug fix: The calendar feed URL displayed on the Calendar page would mistakenly not display the URL of the impersonated user when an administrator uses the "View Project as User" feature but instead would display the calendar feed URL of the admin impersonating the user. (Ticket #129488)
  • Bug fix: The calendar feed generated from the [calendar-link] or [calendar-url] Smart Variable would mistakenly display the Data Access Group name (if the record is assigned to a DAG) in the title of the record's calendar event in the feed. The DAG name should never appear in the participant-facing calendar event feed. (Ticket #129475)
  • Bug fix: When an admin is using the Email Users page, some emails to users might mistakenly not be sent successfully due to some information being truncated (and thus corrupted) when being added to the backend database. (Ticket #129254)
  • Bug fix: When using Send-It to send a file from the File Repository or a file associated with a File Upload field on a record, although the email being sent would get captured in the backend email log, the email details would mistakenly not get captured in the project-level Email Logging page. (Ticket #129554)
  • Bug fix: In some specific cases when using Clinical Data Mart, normal users are not allowed to fetch data more than once.
  • Bug fix: When a record's Survey Queue contains more than five completed surveys, in which case it will hide all the completed surveys in the queue to conserve space on the page, the queue would mistakenly display the text "X surveys completed!" where X is mistakenly the total number of surveys in the queue and not the total number of completed surveys in the queue. (Ticket #128732)
  • Bug fix: On the System Statistics page, the stats for the number of data values pulled for both the Clinical Data Mart and Clinical Data Pull were not being calculated correctly and might have been previously reporting much lower numbers by mistake.

Version 12.4.3 (released on 2022-06-17)

 

  • Major bug fix: If a user attempts to delete a recurring alert on the Notification Log, the dialog would not close and would fail silently due to a PHP error.
  • Major bug fix: A change in the code for the Multi-Language Management setup page in the previous REDCap version might mistakenly cause certain tabs on the page not to get updated when saved.
  • Improvement: To improve page-loading performance of the Data Access Groups page, the DAG Switcher table at the bottom of the page will no longer be displayed when the page is initially loaded if the number of project users X the number of DAGs is greater than 5000. If the threshold is reached, then a big button saying "Display the DAG Switcher" will be displayed, and after clicking it, it will then display the DAG Switcher table. This will improve overall load time of the page in extreme cases. (Ticket #128578)
  • Change/improvement: The red "Action Tags" button was added inside the Logic Editor dialog to make it easier to reference the Action Tags documentation while the Logic Editor is open. (Ticket #120079)
  • Change/improvement: Below the instructional paragraph on the Participant List page, new text has been added that lists the "Survey Response Status" as being either "Anonymous*" or "Not Anonymous" along with a clickable help link that opens a dialog that discusses in-depth why/how survey responses in the project are being collected in an anonymous or non-anonymous fashion based on the project's current configuration settings. This text was added to provide more transparency and awareness to users who might not realize that they are collecting survey data in an anonymous or non-anonymous fashion, which could ultimately have implications on processes in their project later on.
  • Bug fix: UTF-8 encoded names would mistakenly not display correctly on the newly improved Email Users page in the Control Center. (Ticket #129209)
  • Bug fix: If a hook, plugin, or external module is calling the REDCap::saveData() method, in which parameters are passed to the method all in a single array (i.e., $params=[...]; REDCap::saveData($params)), the "dataAccessGroup" parameter's value would mistakenly be ignored if included in the parameter array. (Ticket #129203)
  • Bug fix: The data entry form page or Online Designer might mistakenly crash with a fatal PHP error in certain situations when using PHP 8.0+. (Ticket #129297)
  • Bug fix: Documentation of the datediff() function was mistakenly implying that the "returnSignedValue" function parameter could be provided in all caps (e.g., TRUE). However, its value must always be lower case (e.g., true). The documentation has been changed to reflect this to reduce confusion. (Ticket #129332)
  • Bug fix: When using Twilio to send invitations via Automated Survey Invitations that utilize the "Participant's Preference" as the invitation type, if the ASI belongs to a survey that is a repeating instrument, it is possible that the participant's preferred invitation type might get stored incorrectly in the backend database, thus potentially causing some invitations to be sent to the participant using the wrong invitation type (e.g., sent via Email instead of via SMS). (Ticket #128878)
  • Bug fix: The API method "Export Logging" would mistakenly not return the extra text for the "Reason for Data Change(s)" if the setting "Require a 'reason' when making changes to existing records" is enabled in the project.
  • Bug fix: The calendar feed or downloadable ICS file from the Calendar page might mistakenly not include calendar events that are not associated with any records if the current user belongs to a Data Access Group. All non-record calendar events should be exportable and viewable in the calendar feed so long as the user still has "Calendar" user privileges. (Ticket #129359)
  • Bug fix: If using one of the "X & Table-based" authentication methods, excluding "LDAP & Table" and "AAF & Table", the User Allowlist (if enabled) would mistakenly prevent Table-based users from accessing the system.
  • Bug fix: The "Survey Link Lookup" link would mistakenly still be displayed on the Control Center left-hand menu even if all survey functionality was disabled globally in the system via the "Enable the use of surveys in projects?" setting on the Modules/Services Configuration page.
  • Bug fix: If the custom survey width setting is set to a percentage width of the page and is set to less than 100%, it would cause less ideal user experiences when taking the survey on a mobile device. For mobile devices (i.e., narrow screens), the custom width setting is no longer applied but will instead display the survey at full screen width. (Ticket #129429)

Version 12.4.2 (released on 2022-06-10)

 

  • Improvement: New “Multi-Language Management” video (9 minutes) added to the MLM setup page and the Training Videos page.
  • Improvement: New and improved user interface for the Email Users page in the Control Center.
  • Improvement: A new option ("View & Edit / De-Identified") has been added to the system-level setting "Default instrument-level user access set for all project users' Data Viewing Rights and Data Export Rights whenever a new instrument is created while in production status" on the User Settings page in the Control Center. This new option will allow users to automatically have View & Edit viewing rights to all new instruments created while in production but will provide limits on their data export privileges for those new instruments.
  • Improvements for CDIS:
    • Added RxNorm code and display fields in Clinical Data Mart (R4 and DSTU2).
    • Updated the Clinical Data Mart templates to accommodate the new data.
  • Change/improvement: When using "OpenID Connect & Table-based" authentication, if the OIDC authentication process fails with an error that is returned to REDCap in the URL query string, the error description will now be displayed on the page for the user to see, whereas previously the error message might not be displayed on the page in certain situations. Additionally, if a Table-based user fails to successfully log in, as a convenience the login form will now automatically be displayed again without the user having to click the "Local REDCap Login" button. (Ticket #129023)
  • Bug fix: Piping would not work successfully in real-time for Dynamic SQL fields on a survey or data entry form when the displayed language is changed on the page via Multi-Language Management. (Ticket #128562)
  • Bug fix: The "Add Users (Table-based Only)" page in the Control Center would mistakenly not allow Administrators to create Table-based user accounts if using "OpenID Connect & Table-based" authentication.
  • Bug fix: The "Reset Password" button would mistakenly not display on the Profile page for Table-based users if using "OpenID Connect & Table-based" authentication.
  • Bug fix: Added 2 missing LOINC codes for the "social history" observation category in CDIS.
  • Bug fix: When changing a project's authentication method to "OpenID Connect" or "OpenID Connect & Table-based" on the "Edit A Project's Settings" page in the Control Center, it would appear not to save the new authentication setting, but it would. But if the page was reloaded and saved again, it might revert the authentication setting to another value. (Ticket #128576)
  • Bug fix: The up/down sorting arrows that appear in the headers of many tables displayed throughout REDCap might mistakenly display a smaller duplicate pair of arrows that are unnecessary. (Ticket #128758)
  • Bug fix: Slider fields would mistakenly not be active and functional when viewed in the Online Designer. (Ticket #128916)
  • Bug fix: Project-level external module settings would mistakenly not get deleted from the "redcap_external_module_settings" database table after a project has been permanently deleted. (Ticket #128909)
  • Bug fix: The Record Home Page in a longitudinal project would mistakenly display the column for an event when the current user has no access to any instruments that are designated for that event. It should instead hide the column on the page rather than displaying it as empty. (Ticket #127708b)
  • Bug fix: All rich text editors would mistakenly strip out any Font Awesome icons that were added to the source code HTML of the rich text editor.
  • Bug fix: When using Multi-Language Management, a piped label might fail to display its translated language when on a PROMIS instrument (adaptive, auto-scoring, or battery) that was downloaded from the REDCap Shared Library.
  • Bug fix: The Moment.js library was updated since it was out of date.
  • Bug fix: The Multi-Language Management setup page might mistakenly not load due to a JavaScript error in some very specific situations.
  • Bug fix: When using "OpenID Connect & Table-based" authentication in which a user clicks the "Forgot your password?" link on the login page, and then they enter a username that is not a real username when attempting to reset their password, REDCap would mistakenly not display the error message "You entered an invalid user name or password!" on the page after the login failed. (Ticket #129022)
  • Bug fix: When a user is attempting to reset their password via the "Forgot your password?" link on the REDCap login page, and the system is using one of the "X & Table-based" authentication methods, if they enter a valid username on that page in which the user is not a Table-based user but is a user from the external authentication system (e.g., LDAP, OIDC), REDCap would mistakenly fail to display the custom Password Recovery text or the stock text "The password cannot be reset due to one of the following reasons: 1) It is not a valid REDCap username, or 2) The password for this user is not able to be reset in REDCap because it can only be reset using an outside authentication resource at your institution." Bug introduced in REDCap 12.3.1.
  • Bug fix: When deleting the data of an entire instrument or of an entire event that includes survey responses, the survey start time (stored in the backend database) would mistakenly not get deleted along with the data, thus causing the Smart Variables [survey-date-started] and [survey-time-started] to return the start date/time of the original response(s), which no longer exist. (Ticket #129076)
  • Bug fix: Prepending [previous-event-name] or [next-event-name] to the Smart Variables [survey-time-X] and [survey-date-X] might mistakenly not return a value (e.g., [previous-event-name][survey-time-completed:followup_survey]). (Ticket #128662)

Version 12.4.1 (released on 2022-05-26)

 

  • Improvement: New two-factor authentication option - If using an "X & Table-based" authentication method, you can make non-Table-based users be exempt from 2FA. This can be set on the Security & Authentication page, in which a new setting "Enforce two-factor authentication ONLY for Table-based users?", which defaults to "No", can be enabled so that only Table-based users will have to go through the 2-step login process if the system is using an "X & Table-based" authentication method. This will be useful if 2FA is already implemented on the other non-Table authentication process - e.g., OpenID Connect, thus preventing the non-Table users from having to perform 2FA twice (once outside REDCap and then once inside REDCap). (Ticket #128474)
  • Change/improvement: The "sub" attribute was added to the "Attribute to use for REDCap username" drop-down in the OpenID Connect authentication settings in the Control Center to provide greater compatibility with OIDC providers. (Ticket #128417)
  • Change/improvement: When a user logs in to REDCap the first time via OpenID Connect authentication, it now automatically adds their first name, last name, and email address to their REDCap user account. (Ticket #128417b)
  • Bug fix: The datediff() function might not work as expected when using different data types in the parameters (e.g., date and datetime together) for PHP-based implementations of the logic evaluation process, such as the Survey Queue, ASI conditional logic, Data Quality rule logic, etc. (Ticket #128299)
  • Bug fix: If a survey that is a repeating instrument is displayed in the survey queue, if over 8 instances of the survey have been completed and the survey is set to allow participants to return via Save & Return Later in order to modify completed responses, it would mistakenly display all 8+ survey instances as visible in the survey queue when instead it should display them as being collapsed on the page. (Ticket #128362)
  • Bug fix: If a Descriptive Text field has an inline image attachment, in which the image's file extension does not match its true mime type (i.e., someone has renamed its file extension to something incorrect prior to uploading the image), it would mistakenly cause the PDF export to run a long time and eventually time out when attempting to export a PDF of the instrument. (Ticket #128336)
  • Various updates and fixes for the External Module Framework
  • Bug fix: If using the [survey-link] Smart Variable with Custom Text and with an instance Smart Variable appended to the end (e.g., [survey-link:medications:Take this survey][last-instance]), the custom text would not display correctly but would include the unique instrument name at the beginning of the custom text by mistake.
  • Bug fix: The "OpenID Connect" authentication would mistakenly not work successfully if using a proxy server. (Ticket #127244)
  • Bug fix: The "Add Users (Table-based Only)" link would mistakenly not be displayed on the Control Center left-hand menu if using "OpenID Connect & Table-based" authentication, thus preventing admins from being able to create Table-based user accounts. (Ticket #128472)
  • Bug fix: When granting a user access to a project via the User Rights page, the new user's data export rights in the popup would mistakenly default to "Full Data Set" for all instruments when instead they should default to "De-Identified" if in development status and to "No Access" if in production status. (Ticket #128504)
  • Bug fix: The ":ampm" piping parameter would mistakenly not work for datetime fields that have DMY date format. (Ticket #128507)
  • Bug fix: Data Quality rule D "Field validation errors (out of range)" would mistakenly not process the min and max values for the out-of-range check correctly if a field's min/max was set as "today", "now", or as a piped variable (e.g., [other_date]).

Version 12.4.0 (released on 2022-05-20)

 

  • New feature: Calendar Sync
    • Users may sync their REDCap project calendar or perform a one-time import of their project calendar events to external calendar applications such as Google Calendar, Outlook, Office 365, Zoho, Apple Calendar, or any application that supports iCal or ICS files. They may choose one of the two options below to sync or import their project calendar events to an external calendar application.
      1. Live calendar feed: Add calendar from URL/Internet - A unique web address will be displayed in a dialog on the Calendar page, in which the URL represents a real-time live feed of the REDCap project calendar. Users may copy the URL to paste it as the calendar URL in their calendar application using the option "Add calendar from URL/Internet". This will subscribe their external application to the REDCap project calendar. Privacy Note: This calendar feed URL on the Calendar page is unique to the user in the project. So if the user gets expired, removed from the project, or deleted from the system, their unique calendar feed will go blank and will not output anything anymore (for privacy purposes).
      2. One-time import: Download ICS file - Download and open the calendar ICS file below to import REDCap calendar events manually into the calendar application on your computer, or upload the file to a web-based calendar service. Notice: This is not a live feed but a one-time import. Thus, any new events added to the REDCap calendar in the future will not be automatically added to the external calendar application.
    • Disabling: The Calendar Sync feature can be disabled at the system level on the Modules/Services Configuration page in the Control Center.
    • Feed-syncing Notice: Different calendar applications have different refresh rates. So if new events are added to the calendar in REDCap, they may not immediately appear in the external application that is consuming the feed but will appear after the next refresh interval, which might be some time later that day or the next day (depending on the calendar application). Additionally, the calendar feed represents a one-way feed. This means that while changes made to the calendar in REDCap will automatically show up in the external calendar application, users will not be able to modify them in the external calendar application because they will be read-only.
    • Privacy Note: When viewing events from the Calendar page’s feed or downloadable ICS file, any data from Identifier fields will be automatically removed from the feed/file (e.g., if identifier fields are included in the Custom Record Label or Secondary Unique Field, or if the record name is an identifier), in which their data will be replaced with the text “**DATA REMOVED**”.
    • New calendar-specific Smart Variables
      1. [calendar-url] - The web address (URL) of the calendar feed or downloadable ICS calendar file belonging to the current record.
      2. [calendar-link:Custom Text] - The HTML web link that, when clicked, will navigate to the calendar feed or downloadable ICS calendar file belonging to the current record. 'Custom Text' is an optional parameter whereby you can specify the visible link text, and if it is not provided, it defaults to simply displaying the URL as the link text.
  • New feature: SendGrid Dynamic Templates for Alerts & Notifications
    • SendGrid Dynamic Templates give users significantly more control over the style and design of emails when compared to the standard email alert type. Enabling this feature on the Project Setup page will give users another alert type to choose from on the Alerts & Notifications page called “SendGrid Template”. Thus, similar to Twilio, this feature is a project-level feature that users may enable on individual projects (or users can have administrators enable it for them).
    • DISABLING: The SendGrid Dynamic Templates feature can be disabled at the system level on the Modules/Services Configuration page in the Control Center. There are also other additional features on that page that determine who can enable the SendGrid services in a given project.
    • SETUP & CONFIGURATION: This integration requires that you have an account set up on sendgrid.com. After creating a SendGrid account, you'll need to configure senders for the account, create the dynamic templates you wish to use for REDCap alerts, and generate an API Key with appropriate permissions for REDCap to use. When configuring senders on your SendGrid account, you may specify individual senders, authenticate an entire domain so that any email address associated with that domain may be a sender, or both. Please refer to SendGrid's documentation on how to set up Domain Authentication and how to add individual Verified Senders. To create a dynamic template in your SendGrid account, log in to your SendGrid account and use the sidebar to navigate to Email API→Dynamic Templates. Here you can create a dynamic template, give it a name, and associate an email design with it. Please reference SendGrid's documentation on Dynamic Templates and Handlebars to learn more about creating templates in your SendGrid account. Lastly, to create an API Key for REDCap, log in to your SendGrid account and use the sidebar to navigate to Settings→API Keys. Here you can create a new API Key and specify its permissions. It is recommended that you create a Restricted Access API Key and only give the API Key the permissions REDCap needs to function. REDCap will need Full Access to Mail Send, Read Access to Sender Authentication, and Read Access to Template Engine. Once you have your API Key, you may use it to configure SendGrid Template email services for alerts & notifications through the REDCap Project Setup page.
    • ALERTS & NOTIFICATIONS: The SendGrid Template alert type will allow you to specify a sender email address that's in your SendGrid account's list of Verified Senders or an email address that matches an Authenticated Domain associated with your SendGrid account. You'll also have an interface to choose which of your SendGrid account's dynamic templates you'd like to use for the alert as well as an interface to specify key/value pairs that will be used to populate your template with REDCap data. Lastly, choosing recipients for SendGrid alerts works the same way as choosing recipients for email alerts.
    • COST: As REDCap makes API calls to SendGrid's Email API using your account's API Key, your SendGrid account will keep track of REDCap's usage and your SendGrid account will be charged accordingly. This is not done by REDCap but is done internally by SendGrid as you use its services. In this way, no monetary transactions are made by REDCap, and thus it is your responsibility to maintain the funds in your SendGrid account in order to ensure that the service continues to work for your REDCap project. If your SendGrid account runs out of funds, the SendGrid services in REDCap will cease to function. You may reference SendGrid's pricing page to get their latest pricing.
    • Thanks to Remi Frazier and Kaizen Towfiq at University of California San Francisco for their code contributions, which made this new feature possible.
  • New feature: “OpenID Connect & Table-based” authentication
    • Admins may enable this new authentication method on the Security & Authentication page. It functions exactly like “OpenID Connect” authentication, and has the added bonus of providing some users with the ability to log in via REDCap’s local Table-based authentication (if they will not log in via OIDC).
    • Additionally, admins may optionally define the display name of the OpenID Connect system (e.g., Google, NIH), which gets displayed in a button on the login page that says “Log in using [X] or [Local REDCap Login]”. If a value is not provided for this setting, it will simply output "OpenID Connect" as the button text. Clicking that button will take the user to the OIDC login page.
  • Improvement: When the authentication method is set to "OpenID Connect" or "OpenID Connect & Table-based", you may define which OIDC attribute will serve as the REDCap user's username. Simply set the setting "Attribute to use for REDCap username" on the Security & Authentication page. It will default to "username" when installing/upgrading REDCap, but also provides the other options "nickname" and "email". Note: If the selected attribute does not have a value for the current user, it will revert to using the user's associated email address to serve as their username.
  • Improvement: New v2 endpoint for Azure AD authentication
    • The “Additional OAuth2 Azure AD Authentication Settings” section on the Security & Authentication page now contains a new “Endpoint Version” setting, which can be set as “V1” (default) or “V2” to allow REDCap to utilize different versions of the Azure AD authentication. Previously, only V1 could be utilized in REDCap. Now V2 can also be used.
    • Thanks to Paul Ryan (University of Hawaiʻi at Mānoa) and Eric Wagner (The Ohio State University) for their code contributions, which made this new feature possible.
  • Improvement: REDCap now implements a new version of the two “datediff” cron jobs that run frequently each day and are utilized for Alerts & Notifications and Automated Survey Invitations. Instead of having a single cron job for each that runs a very long time every 4 hours, the two cron jobs will now run more often in a batched mode to spread out the same amount of work in smaller batches over time. This allows the processes to be done more efficiently (and sometimes faster in many cases) without the risk of the cron jobs timing out, which has been a concern with them in the past.
  • Improvements: The following are enhancements for the Multi-Language Management system setup page in the Control Center:
    • Additional column "Initial" - this governs the language that is initially shown on the translatable non-project pages (essentially, this is only the generic Survey Access page) when no browser cookie is set yet.
    • Designates the "Default" column to identify the language that matches that from the active Language.ini file
    • Adds popups with explanations to the various columns.
  • Improvement: When viewing a suspended user's account on the Browse Users page in the Control Center, it now displays the text "Suspended" in red next to the user's name and username to help admins more easily identify if the user is suspended or not.
  • Change/improvement: When defining the footer links on the Footer Settings page in the Control Center, if the administrator fails to enter the link values correctly by forgetting to add a label for each URL, the resulting link displayed in the project footer would not be clickable. In this case, it now displays the URL as the label and will be clickable.
  • Bug fix: When viewing an email using the Protected Email Mode feature, the page would mistakenly crash with a fatal PHP error if the Multi-Language Management feature is enabled in the project.
  • Bug fix: The Instant Adjudication process for the Clinical Data Pull feature would mistakenly not pull a value from the EHR system when there exists a perfect timestamp match for a data value whose field has been mapped using the Near, Earliest, or Latest preselection strategies.
  • Bug fix: The install page would mistakenly crash with a fatal PHP error if using PHP 8 when the database credentials in database.php are either not correct or they cannot successfully connect to the database.
  • Bug fix: When using the same field two or three times (i.e., from different arms) as a Survey Login field, clicking the "Show value" checkbox in the Survey Login dialog would mistakenly cause the field to duplicate itself inside the dialog.
  • Bug fix: If duplicate instances of the same cron job somehow exist in the redcap_crons database table, which should not happen, REDCap will now detect this issue automatically and remove the duplicate jobs from the table.
  • Bug fix: If the Smart Variables [form-link] and [form-url] have a literal instance number appended to them (e.g., [form-link:meds][3]), they would mistakenly not get parsed correctly and would always produce a link/URL that points to the first repeating instance. (Ticket #127042)
  • Bug fix: When using Multi-Language Management, @CALCTEXT and @CALCDATE fields would fail to have their values piped immediately on the page after a language switch. Additionally, when only a single language (out of multiple languages) was active on a survey, the language switch might actually fail to work.
  • Bug fix: If a participant clicks the “Start Over” button on a partially completed survey that happens to be a repeating instrument or on a repeating event, the Logging page would mistakenly not explicitly state the repeating instance number to which the survey response belonged, thus making it appear as if it references instance #1 always. (Ticket #128018)
  • Bug fix: When uploading a data dictionary that has calculations or branching logic that contain Smart Variables with a comma inside them (e.g., [aggregate-sum:age,age2]), it would recommend stripping out the comma during the upload process, which would not be desirable.
  • Bug fix: When using CDIS services (CDP or CPM), the FHIR services might mistakenly not function successfully if the EHR endpoint contains custom port numbers in their URL (e.g., https://example.com:8888/FHIR/DSTU2/).
  • Bug fix: If a Project Bookmark is set to only be displayed for users in specific Data Access Groups, the bookmark would mistakenly fail to display for a REDCap administrator that is using the "View Project As User" feature to impersonate a user assigned to one of those DAGs. However, the bookmark would display correctly for the DAG-assigned users themselves. (Ticket #128093)
  • Bug fix: The Survey Settings feature "Save a PDF of completed survey response to a File Upload field" would mistakenly fail to function if enabled for an Adaptive or Auto-Scoring survey that has been imported from the REDCap Shared Library. (Ticket #128156)
  • Bug fix: When certain field labels or section headers utilize the rich text editor on a survey that is set to display as very wide (e.g., 100% page width), the label text would mistakenly not extend to the full width of the survey table but would instead begin wrapping to the next line when the line reached a width of 850 pixels. (Ticket #128090)
  • Bug fix: In the API Playground, the Export Metadata API method would mistakenly display the Form Complete Status fields in the field drop-down list on the page. It should not display those fields in the drop-down because those fields are never included in the data dictionary, thus they would never return anything from this API method. (Ticket #127974)
  • Bug fix: Fixed rare issue where the fast refreshing of the main Control Center page would mistakenly display an issue where "redcap_ztemp_X" database tables exist and need to be deleted. (Ticket #128055)
  • Change: If a suspended Table-based user attempts to reset their password on the login page, it would send them the email for resetting their password, which is not useful since they can't actually log in to the system. It now tells them that an admin needs to first unsuspend them. (Ticket #128232)

Version 12.3.3 (released on 2022-05-12)

 

  • Improvement: If using Two-Factor Authentication, users can be allowed to use their 6-digit 2FA one-time PIN for e-signing processes in place of their password (e.g. performing an e-signature on data entry forms or when utilizing the 'File Upload' field enhancement feature when uploading a file on a data entry form - often used for 21 CFR Part 11 compliance for FDA trials). Normally, e-signing requires a username and password, but when this system-level setting is enabled while also having REDCap’s Two-Factor Authentication enabled, users can alternatively provide their username and 2FA one-time PIN to perform the e-signing. A user can obtain their one-time PIN from their Google Authenticator or Microsoft Authenticator app, or else there will be an option available to send the user the PIN via email and/or SMS whenever they need to enter it. Note: This setting is disabled by default but can be enabled in the “Two-Factor Authentication” section on the Security & Authentication page.
  • Change/improvement: Hyperlinks created in the rich text editor will now default to being opened in a new tab/window rather than defaulting to being opened in the current tab/window. This default value can be changed by the user when saving/inserting the link. (Ticket #124813)
  • Change/improvement: The rich text editor might be finicky when dealing with non-Latin characters, such as converting them to HTML character codes when enabling and then disabling the rich text editor in the Edit Field popup in the Online Designer.
  • Bug fix: Fix for an issue in the External Modules Framework that was mistakenly converting all HTML entities in some text and causing JavaScript errors when utilizing a specific EM method that might be used by an EM. (Ticket #126891)
  • Bug fix: Field labels containing HTML character codes (e.g., &auml;) would mistakenly not be displayed correctly on the X or Y axis of a [line-chart] or [scatter-plot] Smart Chart. (Ticket #127516)
  • Bug fix: On the "Modules/Services Configuration" page in the Control Center, the setting to globally disable the "Stats & Charts" page in every project was mistakenly still referring to the page by its old name "Graphical Data View & Stats", which was confusing for admins. (Ticket #127597)
  • Various changes and fixes to the External Module Framework, including the following: Modified the module setting export & import features to use names rather than IDs for the arm-list, event-list, user-role-list, and dag-list setting types
  • Bug fix: CDIS-related fixes
    • Several missing LOINC codes were added to the CDP and CDM mapping.
    • The field “Address (district/county)” in CDM was mistakenly missing as a field in CDM projects.
    • The deceasedBoolean value in CDM was mistakenly not being saved if False.
  • Bug fix: If the value of the "report_id" parameter passed to the Export Reports API method does not belong to the project whose API token is being used, and the user who owns the API token has access to the project to which the report_id belongs, the API would mistakenly not return an error but would instead return a list of record names from the other project. Note: No other data from the other project would be returned other than the record names.
  • Bug fix: When running PHP 8.0+, the Stats & Charts page might fail with a fatal PHP error if number/integer fields somehow contain non-numeric values. (Ticket #122604b)
  • Bug fix: When Multi-Language Management is disabled in a project, the process of a user's production draft mode changes being approved would inadvertently cause an MLM snapshot to be saved. (Ticket #127650)
  • Bug fix: If the system-level setting "Enable the Graphical Data View & Stats" has been disabled and then a user is granted access to a project, the user might mistakenly be able to access parts of the "Data Reports, Exports and Stats" page, even when they do not have any data export or reports privileges. (Ticket #127597)
  • Bug fix: The Record Home Page in a longitudinal project would mistakenly display the column for an event that has no instruments designated for it. It should instead hide the column on the page rather than displaying it as empty. (Ticket #127708)
  • Bug fix: When branching logic contains certain Smart Variables, especially [aggregate-X] Smart Variables, it would throw a branching logic error on the survey page or data entry form. (Ticket #127741)
  • Bug fix: When a user calls the API method "Export PDF file of instruments" in a longitudinal project, in which the "event" parameter is either blank or is not provided in the API request, it would return a PDF that mistakenly only contains the first event's data, when instead it should return a PDF with data for all events. (Ticket #127820)

Version 12.3.2 (released on 2022-05-06)

 

  • Minor security fix: An SQL Injection vulnerability was found when submitting the Create Project page, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page.
  • Improvement: New field validation type: "Phone (UK)". This validation type supports phone numbers from the United Kingdom (e.g., +44 7911 123456, +447911123456). Note: This validation type will be disabled by default after installing or upgrading, but it can be easily enabled on the Field Validation Types page in the Control Center. Thanks to the Field Validation Committee for donating this.
  • Change: When deleting unsent/scheduled survey invitations on the Survey Invitation Log, the checkbox "Permanently cancel these invitations?" that appears in the delete invitation dialog now defaults to being unchecked. In previous versions, the checkbox was checked by default, which could sometimes lead to disastrous consequences if the user did not read all the text carefully before deleting the invitation. (Ticket #127156)
  • Bug fix: When using [aggregate-X] Smart Functions in branching logic or calculations, in which the value being returned from the function will be blank/null, it would mistakenly cause the popup error message to display on the survey page or data entry form saying that calculation errors or branching logic errors exist. (Ticket #115235b)
  • Bug fix: If an embedded date or datetime field has a @READONLY action tag, the field's Today/Now button and its clickable datepicker icon would mistakenly remain active and allow users/participants to modify the field's value.
  • Bug fix: If a field being piped into an outgoing email has the @RICHTEXT action tag, the resulting email body would mistakenly not look correct, such as containing too many line breaks or malformed tables. (Ticket #127174)
  • Bug fix: Some REDCap installations somehow missed the upgrade script from REDCap 9.7 that enabled the "redcap.link" URL shortener. It will now be enabled if it is not already.
  • Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code "332" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it.
  • Bug fix: The Publication Matching feature in the Control Center might mistakenly fail with a fatal PHP error when using PHP 8. (Ticket #127359)
  • Bug fix: If a drop-down or radio button field on a survey has the @DEFAULT action tag, when the page initially loads, it would mistakenly scroll all the way down to the field with the @DEFAULT action tag (thus skipping the fields above it) if the participant was taking the survey on a mobile device. (Ticket #127406)
  • Bug fix: Fixed an issue pertaining to changes made to Multi-Language Management translations while projects are in draft mode, especially affecting Automated Survey Invitation translations, in which the submitted changes would mistakenly not save successfully.
  • Bug fix: If the conditional logic for an Automated Survey Invitation in a longitudinal project was mistakenly missing prepended event names for any field variables in the logic, the ASI might mistakenly not get triggered appropriately. (Ticket #127385)

Version 12.3.1 (released on 2022-04-29)

 

  • Improvement: New system-level option to disable the E-signature feature so that its checkbox option is not displayed at the bottom of data entry forms (immediately above the Submit buttons). You might wish to disable this feature if you are not using Table-based, LDAP, or LDAP+Table-based authentication since the e-signature feature will not function for certain external authentication methods (e.g., Shibboleth, OAuth2) due to its requirement for the user to re-authenticate. This feature is enabled by default but can be disabled on the "Modules/Services Configuration" page in the Control Center.
  • Improvement: In many places that display a drop-down list of records (e.g., Logging page, Email Logging, Field Comment Log, Data Quality page, ad hoc calendar event popup, Alerts & Notifications Log, Survey Notification Log), it will display a normal drop-down list if the project contains 5000 records or less, and if the project contains more than 5000 records, it will instead automatically revert to displaying an auto-suggest textbox to allow the user to manually enter the record name (rather than attempting to display an extremely long drop-down). This should make these pages load much faster and also make them easier to use in projects containing many records.
  • Improvement/change: Password recovery questions have been removed as a feature for Table-based authentication. Password recovery questions will no longer be utilized as a part of the process whereby Table-based users reset their password. They are an unnecessary part of that process, they only cause issues and confusion for users, and they do not add much security-wise.
  • Change/improvement: If an [aggregate-X] Smart Function is used inside a calculation or in branching logic, the function is no longer subject to the minimum data point threshold when viewing a survey page. In previous versions, under certain situations this could lead to a calculation/branching logic error on the survey page when too few data points had been entered. Note: If the Smart Function is being utilized for piping on a survey page, it is still subject to the minimum data point threshold though (i.e., different behavior for piping vs branching/calc). (Ticket #113901)
  • Change/improvement: A value of "0" can now be used for the setting "Minimum number of data points required to display Smart Charts..." on the system-level "User Settings" page and on the project-level "Edit a Project's Settings" page. Previous versions would not allow "0" but would allow "1" as the smallest possible value. (Ticket #113901)
  • Bug fix: The HTML tag "code" was mistakenly not included in the ALLOWED_TAGS list of HTML tags that are allowed to be used in user input (e.g., field labels, survey instructions).
  • Bug fix: When using the survey setting “Redirect to a URL” together with Multi-Language Management, the resulting URL would not be correct or would be malformed, thus preventing the redirection from working successfully. (Ticket #126791)
  • Bug fix: When uploading and then downloading a file for a File Upload field on the first page of a public survey, in which a record named "1" already exists in the project prior to loading this survey, an erroneous message would be displayed along with some JavaScript errors on the page. (Ticket #125758)
  • Bug fix: When copying a project via the Copy Project page, many of the new survey features (e.g., custom width, font resize icons) added in REDCap 12.3.0 would mistakenly not get copied into the new project. (Ticket #126824)
  • Bug fix: The new survey-level settings added in REDCap 12.3.0 for defining custom text for the survey Submit buttons were mistakenly not incorporated into Multi-Language Management, thus the custom button text was not able to be translated in MLM.
  • Bug fix: When using the export->import process for Multi-Language Management via a JSON/CSV file, there might be issues with successfully importing Alerts and Automated Survey Invitations in the file.
  • Bug fix: If a drop-down field has the "auto-complete" setting enabled, in which the drop-down contains more than 200 choices, then when viewing the drop-down on a survey page or data entry form, clicking the drop-down's down-arrow would mistakenly not open the full list of choices for the drop-down. (Ticket #125257)
  • Change: Added a "Contact REDCap administrator" link near the top of the project left-hand menu to provide a secondary place for users to easily contact their local administrator since the blue "Contact REDCap administrator" button at the bottom of the menu is often not visible on many pages if the menu is very long. Both the existing blue button and this new link function exactly the same. Note: The blue button was not removed but has been kept as a secondary way for users to contact their admin.
  • Bug fix: Calculated fields containing form status fields (i.e. form+"_complete") would mistakenly not fire when on a survey page. (Ticket #127009)
  • Bug fix: When importing data for a field that has the @FORCE-MINMAX action tag and also has a minimum or maximum range check value as "now", "today", or a piped variable name, out-of-range values in the data import file would mistakenly not be flagged as errors during the import process and would be saved. (Ticket #126862)
  • Bug fix: When a user requests that their project be moved to production, after the administrator approves their request, the user would mistakenly not receive a confirmation email of this approval if the "Enable email notifications for administrators" checkbox is left unchecked on the "To-Do List" page in the Control Center. (Ticket #127040)
  • Change: The context under which the redcap_module_configure_button_display() external module hook has changed from the module list pages to an AJAX request. Any modules implementing this hook should test it to make sure it still behaves as desired.

Version 12.3.0 (released on 2022-04-22)

 

  • New feature: Integration of the “MySQL Simple Admin” External Module
    • The integrated version of this EM works exactly the same way, and additionally, has the bonus feature of being able to export the query results to a CSV file. Also, the page has been renamed to “Database Query Tool”.
    • Note: The upgrade process contains a migration script that will auto-migrate all existing custom queries saved in the EM, after which it will disable the EM for the system.
  • New feature: OpenID Connect authentication method - The “Security & Authentication” page contains a section of new custom settings for using this new OpenID Connect authentication method in REDCap.
  • New feature: Integration of many features from the “Survey UI Tweaks” External Module
    • Thanks to Andy Martin and his team at Stanford for their creation and support of the EM. Several (but not all) of the features in the Survey UI Tweaks EM have been integrated as-is. Some features from the EM have actually existed in REDCap for a while. As such, the Survey UI Tweaks EM will not be disabled for any projects or even at the system level when upgrading to this version.
    • Improvement: If custom question numbering is used on a survey page in which no questions have a custom question number defined, the extra space on the left of the questions will be removed to give the questions more room for display on the page.
    • Improvement: On the Survey Settings page, the setting “For Required fields, display the red 'must provide value' text on the survey page?” now has a new option: "Display only the red asterisk". This provides an additional option rather than having to choose between the binary options to hide or not hide the text.
    • Improvement: When taking a survey while on a mobile device, the survey page will auto-scroll whenever selecting a value for a drop-down or radio button field to help the participant scroll down the page more easily.
    • Improvement: New survey setting allows users to set a custom width of the survey displayed on the page between 50% and 100%. The default value for the setting is “Fixed width (default)”.
    • Improvement: New survey setting allows users to display or hide the font resize icons at the top of the survey page. By default, it is set to display the font resize options.
    • Improvement: New survey setting allows users to show or hide the Submit buttons displayed at the bottom of every survey page (including the 'Next Page' and 'Previous Page' buttons).
    • Improvement: New survey setting allows users to provide alternative text for the 'Submit', 'Next Page', and 'Previous Page' buttons displayed at the bottom of every survey page.
  • Major bug fix: A field's question text on a survey page might mistakenly not get recognized by certain screen reading software. Bug emerged in REDCap 12.2.2 Standard and REDCap 12.0.14 LTS. (Ticket #122843)
  • Change: Renamed the “MySQL Dashboard” to "Database Activity Monitor" on the Control Center left-hand menu.
  • Change: The textboxes for date, time, and datetime fields are no longer displayed with full width on data entry forms or survey pages where the whole page is disabled (e.g., when locked, when initially viewing a survey response) but instead are now displayed at their typical width.
  • Bug fix: The Record Status Dashboard page might crash with a fatal PHP error in specific cases when using PHP 8.0 or 8.1. (Ticket #126395)
  • Bug fix: When a checkbox is set as an Identifier field and is referenced in the body of an alert, which is set to remove all identifiers from the alert body when sent, it might throw a fatal PHP error in PHP 8.0+.
  • Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code "346" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it. (Ticket #126590)
  • Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area codes "220", "223", "458" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it. (Ticket #126741)
  • Bug fix: Clicking certain hyperlinks on a survey page might mistakenly add the green highlighted background to the field if the link exists inside a field that is a container for embedded fields. (Ticket #105242b)
  • Bug fix: If a line-chart or scatter-plot Smart Variable contains a third field used for categorization, the plot might mistakenly not display but would appear blank if some choices for the categorization field are not all presented in the plot's data.
  • Bug fix: When importing data in JSON format (including via the REDCap::saveData method), if a single record is represented in the imported data as multiple items/rows (i.e., when importing longitudinal events or repeating instances), if one of the rows for a record contained a leading or trailing space in the record name while other items/rows for that same record did not, the spaces would mistakenly not get trimmed off of the record name but instead would cause the record to end up in a split state in the project, in which it would appear ultimately as separate records. (Ticket #126035)

Version 12.2.11 (released on 2022-04-15)

 

  • Improvement: The “Email Users” page in the Control Center now sends emails using a cron-job based queueing process. This means that emails are no longer sent in real time on the page, and thus there is no longer a need for the admin sending the email to stay on the page while all the emails are sent. This makes the process much faster and easier for admins using this page.
  • Improvement: When using S3 for file storage, you may now specify a custom S3 endpoint URL on the "File Upload Settings" page in the S3 section. This helps support the use of alternative S3 destinations. (Ticket #62790)
  • Bug fix: If using the Multi-Language Management feature, changing the language on the page would mistakenly not alter the URL of embedded video in a descriptive text field if a translated/alternative version of the video URL was provided for a language in the project. (Ticket #125502)
  • Bug fix: When the Survey Queue is enabled in a project, a fatal PHP error might occur in some specific cases when using PHP 8.0 or 8.1 while exporting the Project XML file or while performing other Survey Queue related activities. (Ticket #126079)
  • Bug fix: When one or more suspended users have access to a project that contains Data Access Groups, the User Rights page might mistakenly still display a placeholder for a suspended user's DAG assignment in the user/role table even if the users' usernames are hidden on the User Rights page. Bug emerged in REDCap 12.2.9. (Ticket #126081)
  • Bug fix: When a project’s language is set to be different from the system language, the popup dialogs in a project that display documentation for piping, field embedding, and special functions would mistakenly always be shown in the system language. (Ticket #126117)
  • Bug fix: Using the action tag @READONLY (including @READONLY-SURVEY and @READONLY-FORM) on a Notes field that also has the action tag @RICHTEXT would mistakenly cause the Notes field not to be disabled/readonly but would still be editable. Going forward, any of the @READONLY action tags will negate @RICHTEXT on a field. (Ticket #126097)
  • Bug fix: If a user assigned to a Data Access Group attempts to view a data entry form for a record not assigned to their DAG (e.g., by manipulating the URL in order to navigate to the record), it would mistakenly not display the "Record X belongs to another Data Access Group" error message and would display mostly a blank page due to a JavaScript error.
  • Bug fix: When using the Mailgun service for sending outgoing emails while utilizing the “Universal FROM Email Address” setting, the Reply-To header would mistakenly fail to be set correctly for all outgoing emails. (Ticket #126173)
  • Bug fix: If a user had downloaded an Adaptive or Auto-Scoring instrument from the REDCap Shared Library, they would mistakenly be allowed to translate the instrument via the Multi-Language Management setup page. Since Adaptive or Auto-Scoring instruments are validated, they should not be able to be translated because such would cause them to no longer be validated. So all Adaptive or Auto-Scoring instruments will be disabled on the MLM setup page, thus preventing users from translating them.
  • Bug fix: If a user has downloaded an instrument from the REDCap Shared Library, whether it was a curated instrument or not, it now displays a warning when attempting to translate the instrument on the Multi-Language Management setup page that the user should first check to see if the instrument is validated. And if so, they should not translate the instrument because such might cause it to no longer be validated.
  • Bug fix: When using Multi-Language Management, the survey termination option "Redirect to a URL" would mistakenly not use the translated URL. (Ticket #126255)
  • Bug fix: When creating a project via Project XML import, the process might crash with a fatal PHP error if using PHP 8.0 or 8.1. (Ticket #126268)
  • Bug fix: Fields with a @READONLY or @READONLY-X action tag would mistakenly not be disabled on the page if the fields were embedded. (Ticket #126276)
  • Bug fix: The @IF action tag will mistakenly not evaluate correctly on a survey page or data entry form if the record does not yet exist (e.g., when viewing the first page of a public survey).
  • Bug fix: The @IF action tag might mistakenly not get parsed correctly in certain instances when using Multi-Language Management.
  • Bug fix: When using Multi-Language Management, the UI text displayed below a field when using the @CHARLIMIT or @WORDLIMIT action tags would mistakenly not be translatable on the MLM setup page.
  • Bug fix: On the Survey Settings page, if the option "Send Confirmation Email" is enabled along with the option "Include PDF of completed survey as attachment" while using Multi-Language Management, the PDF of the survey response attached to the confirmation email would mistakenly always be in the default language when instead it should be in the language in which the respondent took the survey. (Ticket #126341)
  • Bug fix: When a user assigned to a Data Access Group is performing a data import for a project with Record Auto-Numbering enabled, in which the import setting "Yes, rename all records" has been set for the data import, the import process will mistakenly time out and never fully complete. (Ticket #126160)

Version 12.2.10 (released on 2022-04-08)

 

  • Major bug fix: Some contexts that employ a user rights check might mistakenly throw a fatal PHP error in some specific cases when using PHP 8.0 or 8.1. (Ticket #125951)

Version 12.2.9 (released on 2022-04-08)

 

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in various places. (Ticket #125900)
  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it on the Data Quality page and Data Comparison Tool page by inserting HTML tags and/or JavaScript event attributes into the name of a record. (Ticket #125952)
  • Improvement/change: The Multi-Language Management setup page is slightly less restrictive now while in production status. For example, users may now export language configurations while in production even when not in draft mode.
  • Improvement/change: If any suspended users have access to a project, the User Rights page will display a button to easily show/hide suspended users on the User Rights page. Initially, all suspended users will be displayed, but if the button is clicked, then all suspended users will remain hidden on the User Rights page of *any* project until the button is clicked again. (Ticket #75652)
  • Bug fix: Several actions on the Multi-Language Management setup page were mistakenly not getting logged on the Logging page. (Ticket #125513)
  • Bug fix: When using Multi-Language Management, the piping of choices in a drop-down field works inside the same instrument but mistakenly does cross-pipe into different instruments in the same project. (Ticket #125546)
  • Bug fix: When using Multi-Language Management, the text for the "Duplicate Value" warning popup was mistakenly not available to be translated. (Ticket #125557)
  • Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code "534" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it. (Ticket #125591)
  • Bug fix: The API documentation for the "Delete User" method mistakenly had "dags" as a parameter when instead it should have said "users" as the parameter name. (Ticket #125497)
  • Bug fix: For full compatibility with all stats packages during a data export, the syntax file for data exports that contain a field with a blank field label will have the field variable name used in place of the field label. (Ticket #125436)
  • Bug fix: If the Secondary Unique Field is enabled and also has the @HIDDEN action tag, the AJAX call to check the uniqueness of its value might mistakenly get triggered if the field is the first field on a data entry form. (Ticket #125020)
  • Bug fix: If Twilio is enabled at the system-level, the phone number fields would mistakenly not be displayed on a user's Profile page unless Two-Factor authentication was enabled on the system. Even when not using Two-Factor, it will now display the phone number fields on the Profile page when Twilio is enabled in order to allow users to use their account-associated phone numbers for outgoing Alerts & Notifications via Twilio. (Ticket #124440)
  • Bug fix: An HTTP 500 error might occur in some cases when using PHP 8.1 if the database connection fails to the REDCap database server. This requires a replacement of the non-versioned file “redcap_connect.php”.
  • Bug fix: When a user clicks the "Erase all data" button or if deleting all records while moving the project to production, the log entries listed on the Email Logging page would mistakenly not be deleted during this process. It now properly deletes all items on the Email Logging page in both of these cases. (Ticket #125656)
  • Bug fix: Some contexts that employ a user rights check might mistakenly throw a fatal PHP error in some specific cases when using PHP 8.0 or 8.1. (Ticket #125914, #125923)
  • Bug fix: If a user selects a record from the drop-down list on the Logging page to filter by record, it might mistakenly display non-record related events on the page, such as events related to creating/editing/deleting user roles in the project. (Ticket #124825)
  • Bug fix: If a calc or @CALCTEXT field on a non-repeating instrument has a cross-form calculation that utilizes a calc/@CALCTEXT field from a repeating instrument, the calc/@CALCTEXT field on the non-repeating instrument would mistakenly not get triggered or calculated when performing manual data entry on a survey page or data entry form, although it would get calculated correctly when running Data Quality rule H. (Ticket #125456)

Version 12.2.8 (released on 2022-04-01)

 

  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL on the API Tokens page in the Control Center and also on the API page in a project.
  • Security improvement: REDCap now automatically enables HSTS (HTTP Strict Transport Security) headers if the REDCap web server is using SSL. This will help protect against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.
  • Minor security fix: Updated the Guzzle library due to a security vulnerability reported for that package. (Ticket #125337)
  • Improvement: Concurrent user checks have now been added to the Multi-Language Management setup page to prevent multiple simultaneous users from affecting each other’s work while on the page.
  • Bug fix: Minor issue with Medication data being pulled from the EHR using a CDIS service.
  • Bug fix: When using Twilio for surveys in a project, in which a participant is taking a survey and clicks the "Save & Return Later" button followed by clicking "Send survey link", an error would mistakenly be thrown if the preferred contact mode for the participant was set to SMS_INVITE_WEB (i.e., send the survey link via SMS). The phone number would mistakenly be used instead of a valid email in the "from" property of the email. (Ticket #124472)
  • Bug fix: When using PHP 8.0+ and an API Supertoken is used in the API to retrieve the REDCap version, an error would be thrown. (Ticket #124562)
  • Bug fix: The “RemoveTempAndDeletedFiles” cron job might mistakenly fail in certain cases with a fatal PHP error if using WebDAV as the File Storage method for REDCap. (Ticket #124802)
  • Bug fix: When using Multi-Language Management, if the @LANGUAGE-CURRENT-X action tag was used on a drop-down field, branching logic would mistakenly not fire after the value was changed. (Ticket #124748)
  • Bug fix: The Survey Queue’s UI text would mistakenly not display the translated text when using Multi-Language Management. (Ticket #124855)
  • Bug fix: When searching for users on the Browse Project page, typing the letter “b” might mistakenly cause HTML to be displayed in the auto-complete output. (Ticket #124935)
  • Bug fix: The @LANGUAGE-SET action tag would mistakenly not get applied when the corresponding survey field is prefilled from a URL parameter. (Ticket #124976)
  • Bug fix: Using the datepicker widget on a survey page or data entry form might allow users to bypass the field validation on the field if immediately switching to using the datepicker widget on another field on the page. (Ticket #124909)
  • Bug fix: In some specific scenarios, such as when symlinks exist in the file system on the REDCap web server, the System Statistics page in the Control Center might mistakenly throw a fatal PHP error or be very slow when making the AJAX request to obtain the web server space usage. (Ticket #124710)
  • Bug fix: Apostrophes that occur in the output of Smart Variables like [user-role-label], [user-dag-label], and [record-dag-label] would mistakenly not get escaped and thus cause JavaScript errors to occur when used in calculated fields. (Ticket #125187)
  • Bug fix: Fixed typo in @READ-ONY action tag description.
  • Bug fix: Leading/trailing pipe characters "|" in the choice option column of an uploaded data dictionary would mistakenly create empty/null multiple choice options. (Ticket #125166)
  • Bug fix: IP addresses in IPv6 format for users would mistakenly get logged as NULL in the redcap_log_view database table. (Ticket #124944)
  • Bug fix: When using the @CALCDATE action tag with PHP 8.0+, the correct value may be seen as calculated on the survey page or data entry form, but the value may mistakenly get erased upon saving the page afterward. (Ticket #124619)
  • Bug fix: When a field is embedded and is a required field, the field's value might mistakenly not get saved when submitting a survey page or data entry form if the field also has an @HIDDEN action tag.
  • Bug fix: When a field contains the @IF action tag and also contains other non-action tag text inside the Field Annotation text, it might cause the @IF action tag not to get interpreted correctly. (Ticket #124974)

Version 12.2.7 (released on 2022-03-10)

 

  • Bug fix: When using Multi-Language Management, the text of field validation errors and their associated names/labels displayed in the error popup would mistakenly not be displayed in the translated language.
  • Bug fix: If an administrator is impersonating a user via the "View Project as User" feature, the admin would mistakenly see all Project Bookmarks on the left-hand menu when instead they should only see the Project Bookmarks that the user being impersonated should see. (Ticket #124021)
  • Bug fix: Permission-related issues for certain directories on the REDCap web server could lead to fatal PHP errors for some functions throughout REDCap that attempt to list files in specific directories.
  • Bug fix: A fatal PHP error might occur in certain situations when a participant is submitting a survey while using PHP 8.0+ on the web server. (Ticket #124146)
  • Bug fix: If a user uses the syntax [field:value] in logic or a calculation, even though this is not correct syntax for logic/calcs (because it is implied that only the raw value should ever be used), it is allowed for compatibility reasons. However, while this syntax works for calculated fields on the same page, it would mistakenly not work for data imports, nor would it work for cross-instrument or cross-event calculations. This syntax will now work in all contexts. (Ticket #124182)
  • Bug fix: When clicking a table header to sort the column in a DataTables table on any particular REDCap page, the up/down arrow icon in the column header would mistakenly disappear due to a CSS error. (Ticket #124177)
  • Bug fix: If a field has the @HIDDEN, @HIDDEN-FORM, or @HIDDEN-SURVEY action tag, it would fail to hide the field if the field is embedded in another field on the page.
  • Bug fix: 18 Laboratory fields and their associated LOINC codes were not originally included on the field mapping page for Clinical Data Pull and Clinical Data Mart.
  • Bug fix: Line breaks are mistakenly not preserved in the equation of a calculated field when saving the field via the Online Designer. (Ticket #124341)
  • Bug fix: When piping a datetime field into the min/max validation range check for another datetime field, if the fields being used as the min or max exist on the same page, it would mistakenly throw an out-of-range error if the datetime fields are in MDY or DMY format. Note: This issue does not occur for date fields but only for datetime or datetime w/ seconds fields. (Ticket #124222)

Version 12.2.6 (released on 2022-03-03)

 

  • Improvement: When scrolling down the page in the Online Designer when adding/editing fields, an up-arrow image will appear at the bottom right of the page that (when clicked) will quickly scroll the page back to the top.
  • Major bug fix: When a user is assigned to a Data Access Group and is attempting to import a record whose record name is the same as an existing record that belongs to another DAG, if the "force record auto-numbering" setting is not enabled as an option during the import process, the user would mistakenly be allowed to import the data with the record name as-is, thus overwriting data to the existing record that does not belong to their DAG. (Ticket #123593)
  • Bug fix: When using Multi-Language Management, in scenarios where a form/survey is set to only a subset of languages (but not including the fallback), a missing translation would mistakenly cause the default language to be applied instead of the fallback language.
  • Change/bug fix: Performance improvements and improved cron job management for CDIS-related activities, especially the CDP Auto-Adjudication process.
  • Bug fix: If the "Email Logging" feature has been disabled at the system level, the Email Logging link on the left-hand project menu would mistakenly still be displayed. (Ticket #123563)
  • Bug fix: When Multi-Language Management is enabled for a specific instrument, and a user/participant fails to enter a value for all required fields, the "Some fields are required" popup would mistakenly fail to be displayed on the page after the page is reloaded. (Ticket #123641)
  • Bug fix: When using Multi-Language Management, the matrix field floating/sticky headers would mistakenly not appear in the desired translated language. (Ticket #123704)
  • Bug fix: When a Smart Chart uses a unique report name as a parameter, in which a checkbox field is utilized in the Smart Chart and the report has the checkbox option "Combine checkbox options into single column..." checked, the resulting Smart Chart would not be displayed correctly. (Ticket #123574)
  • Bug fix: When viewing the Training Videos page while not logged in to REDCap, the tables and icons on the page would be displayed, but the text on the page would mistakenly appear invisible. (Ticket #123751)
  • Various bug fixes for Multi-Language Management.
  • Bug fix: A participant could inject some JavaScript code into their browser's console that would allow them to bypass the Required Field check (specifically for drop-down fields only), thus mistakenly allowing them to complete the survey page or complete the whole survey without actually entering a value for such drop-down fields. (Ticket #123585)

Version 12.2.5 (released on 2022-02-25)

 

  • Improvement: Sub-sections on the “Help & FAQ” page can now be accessed via hyperlinks near the top of each section. Previously there was a drop-down for this, which was slightly slower. Having sub-section links near the top of the page should make it faster for users to jump to a specific section.
  • Improvement: The Multi-Language Management setup page now displays a download option for each instrument under the Forms/Surveys tab to allow users to export->import the translations for that single instrument to another project that has the same instrument with the same fields and variable names.
  • Improvement: The Multi-Language Management setup page now displays the Default text above (rather than below) the input text box for each translatable item. This reversal appears to be more intuitive for users as they translate each element.
  • Improvement: In the "Compose Survey Invitations" dialog on the Participant List page, the Actions drop-down for auto-selecting checkboxes for participants in the participant list now contains a new option: "Check Not Responded and Partial Response".
  • Change: Minor updates to CDIS-related settings: 1) Updated the text of the automatic message sent to the user via REDCap Messenger when a CDIS cron job has no FHIR tokens that it can use for a specific project, and 2) When a CDIS automatic message is sent to the user via REDCap Messenger, in order to prevent possibly hundreds or thousands of messages from clogging up the user’s Messenger inbox, it now deletes all previous messages of the same type except for the last one.
  • Bug fix: In some specific scenarios while using PHP 8.0 or 8.1, the System Statistics page in the Control Center might mistakenly throw a fatal PHP error when making the AJAX request to obtain the web server space usage. (Ticket #123238)
  • Bug fix: If some branching logic, conditional logic, or calculations have incorrect syntax in a specific way, depending on the logic/calculation itself, it could result in a fatal PHP error when being processed. (Ticket #123229)
  • Bug fix: When using the Smart Variable [stats-table] in the content of an outgoing email (i.e., survey invitation or alert), the table would mistakenly be missing all the styling applied to it when viewed in the REDCap application. (Ticket #123207)
  • Bug fix: When using the Smart Variable [stats-table] in the content of an outgoing email (i.e., survey invitation or alert), the "Export table" link that is normally displayed below the table might mistakenly get included in the email body, which might occasionally cause the link to be removed from the email message by the email client or might cause the entire email message to be flagged as spam and therefore not received by the recipient.
  • Various fixes and updates for the External Module Framework.
  • Bug fix: When multiple choice fields have choice values of "0" and "00", and a record has either choice selected and saved on an instrument, if that instrument is then exported as a PDF with data, both choices would mistakenly appear checked as seen in the PDF. (Ticket #123282)
  • Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code "667" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it. (Ticket #123291)
  • Bug fix: When using a Custom Record Label that contains Smart Variables but not field variable names, the Custom Record Label would mistakenly not display at all in certain places where the record name is displayed. (Ticket #123187)
  • Bug fix: The Multi-Language Management setup page would mistakenly fail to load/display any fields on the instrument-level translation tab if a multiple choice field on the instrument contained zero choices. (Ticket #123371)
  • Bug fix: When exporting data via the user interface, API, or REDCap::getData(), depending on the structure of a project, an error might mistakenly be returned due to hitting the PHP memory_limit threshold and thus throwing a fatal PHP error. This was due to REDCap's internal batch process, which is completely transparent to the user, having too large a value for the size of a given batch.
  • Bug fix: When the "Filter by records in a DAG" drop-down filter has been selected on the Logging page, and the user then clicks the "Export all pages using current filters" button at the top of the page, the DAG filter would mistakenly not be applied in the resulting CSV export file. (Ticket #123472)
  • Bug fix: When a project is being created via a Project XML file, and the Secondary Unique Field in the XML file is a calculated field or a @CALCTEXT field, which are not allowed to be set as the Secondary Unique Field, it would mistakenly set the field as the Secondary Unique Field when creating the project. In this case it will now instead unset the Secondary Unique Field setting for the newly created project. (Ticket #123099)
  • Bug fix: The Multi-Language Management feature would mistakenly display Yes/No or True/False field choices as blank labels when viewing a survey page or instrument for a given translated language. (Ticket #123371b)
  • Bug fix: When using the Field Finder feature on the Codebook page, some random JSON might mistakenly appear in the search results in certain cases when UTF-8 encoded text is used in field labels.
  • Bug fix: Resolved issues where UTF-8 encoded text in field labels gets truncated and displayed in various places throughout REDCap, in which it would sometimes mistakenly display a black-diamond-with-question-mark character at the point of truncation in the label.
  • Bug fix: The logged event "Change participant invitation preference" (when using Twilio) would mistakenly not be tied to the record name when filtering the logging results by a specific record. (Ticket #123515)

Version 12.2.4 (released on 2022-02-21)

 

  • Improvement: When using Multi-Language Management, in which some of the Default language text has changed since the text was translated, the new “Review Changed Items” dialog on the MLM page will now display an “Export” option to export as JSON or CSV all the translated items that need to be reviewed and/or retranslated.
  • Improvement: If the Multi-Language Management feature is disabled for a project, it will now show a red notice at the top of the MLM page.
  • Major bug fix: When using Multi-Language Management, system-provided languages could not be successfully imported and/or might cause issues downstream, such as displaying all User Interface items mistakenly in the “Review Changed Items” dialog.
  • Bug fix: In some specific scenarios when using PHP 8.0 or 8.1 with some longitudinal projects, the Online Designer might mistakenly crash with a fatal PHP error. (Ticket #123103)
  • Bug fix: When piping field variables into the value of a @PLACEHOLDER action tag, if the Multi-Language Management feature is enabled on that particular instrument, some HTML tags might mistakenly appear inside the placeholder text for that field.
  • Bug fix: When using Multi-Language Management and changing an enumerated value (e.g., choices, Action Tags), the "reference change tracker" was wrongly highlighting some items on the page.
  • Bug fix: When a Secondary Unique Field is designated in a project while its two display-related checkbox sub-options are left unchecked, then when viewing a data entry form for an instrument that was completed via survey (as opposed to via data entry form), the value and/or label of the SUF would mistakenly be displayed at the top of the data entry form. (Ticket #123127)

Version 12.2.3 (released on 2022-02-18)

 

  • CDIS NOTICE: If you are actively using any CDIS service (Clinical Data Pull or Clinical Data Mart), please be aware that this upgrade might take longer than usual (possibly 10-30+ minutes if you have several projects using CDIS) due to some back-end database changes related to CDIS. If you are not using CDIS, this upgrade will be fairly fast, as usual.
  • Minor security fix: A vulnerability was discovered where a malicious user could potentially exploit it by manipulating an HTTP request for the project Calendar page popup, in which some minimal amount of data from the calendar event could be exposed to a REDCap user for a project to which they do not have access.
  • Improvement: The Codebook now contains a “Field Finder” to allow users to quickly search for a field by keyword or phrase in the field label or by variable name. Also, the gray "Instrument Name" rows in the table will float at the top of the page while scrolling so that it is always apparent which instrument a field belongs to. Additionally, when scrolling down the page, an up-arrow image will appear at the bottom right of the page that (when clicked) will quickly scroll the page back to the top.
  • Improvement: When using Multi-Language Management, it will now display a list of possible issues to users when entering the page if any elements have been modified since they have been translated. For example, if a field label is translated, and then a user modifies the Default language text via the Online Designer, the MLM page will display a warning in a popup dialog that will ask the user to confirm that the current translation is okay or else to provide a new translation to match the updated Default text. This will help notify users about potential issues with their translations to keep them updated if they are still modifying the Default language text in the project.
  • Improvement: Piping can now be performed inside the value of the @PLACEHOLDER action tag - e.g., @PLACEHOLDER="[first_name] [last_name]".
  • Change/improvement: Two new LOINC codes added to CDIS mapping.
  • Various fixes and improvements for the External Module Framework.
  • Bug fix: A new system-level configuration setting was added to the User Settings page in the Control Center to allow admins to select the default instrument-level user access that gets set for all project users' Data Viewing Rights and Data Export Rights whenever a new instrument is created while in production status. The available options are "No Access" (default) and "View & Edit/Full Data Set". Many administrators have noted that the sudden change in REDCap 11.3.0 for default instrument-level user access for new instruments while in production has caused quite a lot of confusion for users and has thus greatly increased the support workload of administrators. Despite being a new system-level option, this is considered a bug fix because it serves to restore continuity with previous versions by allowing admins (if desired) to revert the behavior back to the way it behaved in pre-11.3.0 versions. (Ticket #120976)
  • Bug fix: Fixed some inaccurate instructional text at the top of the "Help & FAQ" page.
  • Bug fix: When processing REDCap logic, in some specific instances with specific logic, which may also be dependent upon PHP version, a fatal PHP error might occur and might crash the page. (Ticket #122418)
  • Bug fix: When using Multi-Language Management and defining a Fallback language that is different from the Default language, any User Interface text on a survey page or data entry form might mistakenly be displayed in the Fallback language when the Default language has been selected as the display language.
  • Bug fix: If an external module utilizes the "redcap_pdf" hook while the system-level "redcap_pdf" hook (in the hook functions file) is also being utilized to perform custom tasks on the server, the results returned from the EM PDF hook would mistakenly not get utilized downstream. (Ticket #122775)
  • Various fixes and improvements for Clinical Data Interoperability Services, including the following:
    • Improved logs for all FHIR interactions with the EHR system.
    • Better error messages for all CDIS apps.
    • Mapping helper link in the CDIS panel (only for users allowed to use it).
  • Bug fix: The datepicker widgets used for the time window search on the Email Logging page in a project would mistakenly not stay visible in certain cases when trying to use them. (Ticket #122811)
  • Bug fix: The URL for the example Login Page logo used on the REDCap Install page mistakenly pointed to a non-existent image/URL.
  • Bug fix: When attempting to send outgoing emails (e.g., survey invitations, alerts), if the email subject is left empty, it might prevent the email from sending successfully.
  • Bug fix: In certain situations with longitudinal projects, the Form Display Logic might mistakenly not function correctly to enable/disable the right instruments. (Ticket #122974)
  • Bug fix: When creating a longitudinal project via a Project XML file, the form-event mapping might mistakenly not get saved during the project creation process.
  • Bug fix: When exporting and then importing a Project XML file to create a new project that has some Form Display Logic defined, if the project is longitudinal and has some Form Display Logic conditions that reference an instrument on "[All Events]", those Form Display Logic conditions might mistakenly not get saved during the project creation process.
  • Bug fix: When viewing the table of user privileges on the User Rights page, the Data Viewing Rights column would mistakenly display "Hidden (No Access)" for any users that have "View & Edit" rights along with the "Edit survey responses" checkbox checked for one or more instruments. If the "Edit survey responses" checkbox is not checked, it would correctly display "View & Edit" in the table.
  • Bug fix: When editing an existing report that has fields selected via the drop-down lists in Step 3 (Filters), then the user clicks the "Use advanced logic" link, then the user clicks the "Use simple logic (choose fields from list)" link, then if they select a field in the first filter field drop-down (which has no field selected), it would mistakenly not display a new field/row immediately below that row. Thus, the user is not able to add more than one filter field for the report in this scenario unless they save the report and reload it to edit it again. (Ticket #18065)

Version 12.2.2 (released on 2022-02-11)

 

  • Improvement: Each tab on the "Help & FAQ" page now has a drop-down list of subsections that, when selected, will auto-scroll the webpage down to that subsection on the page.
  • New feature: When using the survey setting “Save a PDF of completed survey response to a File Upload field”, users can now optionally set this feature to store the translated version of the PDF if the Multi-language Management feature is being utilized for the survey. This can be enabled by checking the “Store the translated version of the PDF” checkbox below the “Save a PDF…” setting on the Survey Settings page for the desired survey. (Ticket #121955)
  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the values of Text Box and Notes Box fields that are piped somewhere else on the same page as where the field exists. This does not occur if they are piped into a different instrument, different event, or elsewhere in the project.
  • Bug fix: A field's question text on a survey page might mistakenly not get recognized by certain screen reading software, especially if the survey has the "enhanced radio buttons and checkboxes" setting enabled. (Ticket #121765)
  • Bug fix: When attempting to upload a data dictionary with calculated fields or @CALCTEXT fields that contain Smart Variables inside their calculation, REDCap might mistakenly return an error message saying that the Smart Variables are not real variables, thus preventing the user from uploading the data dictionary.
  • Bug fix: In some edge cases when viewing the user table on the User Rights page, a user might mistakenly not have Data Export Rights for any instruments prior to modifying their privileges. In this case, it will simply revert them to having No Access export rights.
  • Bug fix: Too many Google services were mistakenly included during the recent bundling of the Google PHP API Client Services library, thus causing REDCap's resulting code to bloat unnecessarily by an extra 15,000 files.
  • Bug fix: The contents of the email sent to a participant after clicking the “Save & Return Later” option in a survey were mistakenly not translatable via the Multi-language Management feature.
  • Bug fix: When adding a field to a project in production while in draft mode, an incorrect error message is displayed if the field is being added below a section header. (Ticket #122044)
  • Bug fix: A fatal PHP error might be thrown in very specific instances when using PHP 8.0+. (Ticket #122182)
  • Bug fix: Users that have "No Access" data export rights for a given instrument would mistakenly not be able to download a PDF with no data for that instrument either on the Online Designer or at the top of a data entry form when viewing the instrument.
  • Bug fix: A fatal PHP error may occur on the Online Designer page for PHP 8.0+ in certain situations. (Ticket #122108)
  • Bug fix: The table displaying user privileges on the User Rights page might mistakenly display incorrect counts under "Data Export Rights" and "Data Viewing Rights" due to some instruments having been deleted or orphaned.
  • Bug fix: Resolved some potential upgrade issues occurring with SQL queries failing in some particular situations when upgrading to REDCap 11.2.0 or higher. (Ticket #121952)
  • Bug fix: When a project has record auto-numbering enabled, and a user creates a record, renames it, and then deletes it, the next record to be created would mistakenly not have the same record name as the one deleted (assuming no other records had been created during the interim). It is assumed that the next record would have the same name as the deleted one. (Ticket #122090)
  • Bug fix: When piping the value of a MDY or DMY formatted date or datetime field into the min or max validation range attribute of another date or datetime field, in which the field being piped exists on a different instrument or event, the out-of-range error message would fail to display to the user when the value is out of range and would thus result in a JavaScript error. (Ticket #121964)
  • Bug fix: When adding hyperlinks into a field label, survey instructions, etc., in which the hyperlink URL contains "on" and also "=" somewhere inside it, the URL might mistakenly get mangled when output on the page in which "onXXXXX=" will be replaced with the word "replaced=". (Ticket #121691)
  • Bug fix: For date-validated Textbox fields that utilize the @FORCE-MINMAX action tag with "today" as the min or max range value, it might be possible to bypass the min/max range check if users/participants use the datepicker widget a specific way, such as clicking the calendar icon to open the datepicker but then clicking the submit button on the page.
  • Bug fix: When uploaded files are being copied on the server (e.g., when copying a project containing Descriptive Text fields with file attachments), if the file somehow can't be found or accessed on the server, it would throw a fatal PHP error in PHP 8.0+. (Ticket #122496)
  • Bug fix: When required fields are left empty on a data entry form that is submitted, thus displaying the required fields popup, and then the page is refreshed, it would mistakenly keep displaying the required fields popup to the user even when the required fields might have been given values in the interim. (Ticket #122480)
  • Bug fix: When using [survey-date-completed] or similar Smart Variables inside the conditional logic for Automated Survey Invitations, it might cause the page to crash when submitting a survey or data entry form, resulting in a fatal PHP error. (Ticket #122473)
  • Bug fix: If an instrument is exported as a PDF with data, in which the instrument contains slider fields that display the slider value next to it, the slider's value displayed in the box next to the field in the PDF would mistakenly always be normalized to be between 0 and 100, rather than displaying the literal value as-is. (Ticket #122035)
  • Bug fix: Data Quality rule F might mistakenly return false positives for fields that exist on repeating instruments in a longitudinal project, especially when the field's instrument is also utilized as a non-repeating instrument in another event. (Ticket #121343)
  • Bug fix: When running PHP 8.0+, the Stats & Charts page might fail with a fatal PHP error if number/integer fields somehow contain non-numeric values. (Ticket #122604)
  • Bug fix: When upgrading to REDCap 11.4.1 or higher, the SQL upgrade script might mistakenly crash with an error on a certain query. (Ticket #122565)
  • Bug fix: When using Multi-Language Management and translating a survey that has Stop Actions, the User Interface text for the title of the Stop Action popup (i.e., "End the survey?") would mistakenly not appear in its translated form. (Ticket #122644)
  • Bug fix: When importing the JSON or CSV language file for Multi-Language Management, labels might mistakenly not get updated to their translated form for option choices for some multiple choice fields. (Ticket #122636)
  • Bug fix: Some text was changed in the Tableau section of the "Other Export Options" tab on the "Data Exports, Reports, and Stats" page because it could be confusing to users if certain institutions have special licensing and/or policy with regard to the installation of Tableau. (Ticket #122618)
  • Bug fix: If a user is assigned to a Data Access Group, the "Select a previously sent email" drop-down list in the "Compose Survey Invitations" popup on the Participant List page would mistakenly not filter out previously-sent emails pertaining to records that belong to other DAGs. (Ticket #122495)
  • Bug fix: If more than 500 instances of the @IF action tag are used for a field, whether nested or used in parallel, all the @IFs listed after the 500th @IF would mistakenly not get processed, thus causing the @IFs not to function correctly on the field.
  • Bug fix: The “Break the Glass” feature in Clinical Data Pull (CDP) was mistakenly not able to perform a successful login for the user, thus was not able to break the glass for a record.
  • Bug fix: When creating a new project using a Project XML file with an API super token, in some particular use cases depending on the exact setup of the project and its data, the API request might mistakenly crash or might not complete the process if any record data exists inside the Project XML file. (Ticket #121579)
  • Bug fix: Clicking a slider field to initialize it would mistakenly not immediately trigger its value to be piped if the slider is piped elsewhere on the same page. It would only pipe if the slider’s value was modified after its initialization. (Ticket #122704)
  • Bug fix: A warning message would mistakenly be returned when attempting to upload a data dictionary containing checkboxes with a dot/period in a checkbox choice coded value, in which that checkbox choice was being referenced in a calculation or branching logic. Note: Dots/periods are allowed in a checkbox choice code. (Ticket #122581)
  • Bug fix: When uploading a file for a File Upload field via the API Import File method, the resulting logged event on the project logging page would only display the field name when it should instead display the field_name and back-end edoc ID value for the file in the logged event description. This was changed because it was inconsistent with the logging produced when uploading a file via the user interface. (Ticket #122272)
  • Bug fix: Text Box fields with the @SETVALUE action tag would always display the red bar on the side of the field (regardless of the value) when instead the red bar should only be displayed when the saved value is different from the displayed value.

Version 12.1.1 (released on 2022-01-10)

 

  • Major bug fix: The new "Time (HH:MM:SS)" field validation might not have been stored correctly (and thus would not work successfully) if you previously upgraded to REDCap 12.1.0.
  • Major bug fix: Some installations (depending on MySQL/MariaDB version) might mistakenly have a database structure issue involving the table "redcap_log_view_requests" after upgrading to REDCap 12.1.0. (Ticket #120622)
  • Bug fix: The field drop-down for the "Designate a Secondary Unique Field" setting in the "Additional Customizations" popup on the Project Setup page would mistakenly not include some Textbox fields (notably those with no Action Tags or Field Annotation).
  • Bug fix: When using Smart Variables that utilize the parameters ":fields" or ":instrument" in a calculated field or @CALCTEXT field, if the user is entering data on a form or survey, the calculation might mistakenly not get updated if fields used inside the Smart Variable exist on a different instrument or event.
  • Bug fix: For certain server configurations, the REDCap cron job might mistakenly crash due to a floating point precision issue when creating a timestamp. This occurrence is fairly rare. (Ticket #120688)
  • Bug fix: When using certain Smart Variables inside a calculation or @CALCTEXT field, a calculation error message might mistakenly appear on the data entry form or survey page and thus would prevent calculations from occurring on that page. (Ticket #120660)
  • Bug fix: When a report contains data from a repeating instrument and/or repeating event, in which the report's checkbox setting "Include the repeating instance fields (redcap_repeat_instrument, redcap_repeat_instance) in the report and data export?" is not checked, viewing the Stats & Charts page for the report would display the charts and tables correctly unless a user selects a Live Filter for the report, in which it would mistakenly cause all/most tables and charts not to display at all on the page. (Ticket #120408)

Version 12.1.0 (released on 2022-01-07)

 

  • New feature: Conditional logic for Survey Auto-Continue - When enabling Survey Auto-Continue on the Survey Settings page for a survey, users may now optionally specify conditional logic to determine whether or not the auto-continue should be applied. As such, REDCap will auto-continue to the next survey *only* if the conditional logic is TRUE or if the logic textbox has been left blank. This new option can be used as a simpler alternative to the Survey Queue, which can require more complex instrument-event level configurations for longitudinal projects.
  • New feature: Dynamic min/max range limits for fields - Instead of using exact values as the minimum or maximum range of Textbox fields (e.g., "2021-12-07"), you may now also use "today" and "now" as the min or max so that the current date or time is always used. These can be used to prevent a date/time field from having a value in the past or in the future. Additionally, you can now pipe a value from another field into the field's min or max range setting - e.g., [visit_date] or [event_1_arm_1][age]. This can help ensure that a Textbox field (whether a date, time, or number) has a larger or smaller value than another field, regardless of whether the field is on the same instrument or not.
  • New action tag: @FORCE-MINMAX - The action tag @FORCE-MINMAX can be used on Textbox fields that have a min or max validation range defined so that no one will be able to enter a value into the field unless it is within the field's specified validation range. This is different from the default behavior in which out-of-range values are permissible. Note: @FORCE-MINMAX is also enforced for data imports to ensure the value is always within the specified range.
  • New field validation: "Time (HH:MM:SS)" - This new time-based field validation (unique name "time_hh_mm_ss") will be added automatically and enabled by default during the upgrade process. This validation forces users/participants to enter a time value that contains the hour, minute, and second components. It also includes the usage of the "Now" button and the timepicker popup widget, both of which are displayed next to the field on the survey page or data entry form. Note: Fields with this field validation can be utilized inside the datediff() function. (Thanks to the Field Validation Committee for this addition.)
  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in various places.
  • Minor security fix: If a field contains integer values (e.g., Textbox, Radio, Drop-down) for a record, and then the field is changed to be a File Upload field, viewing a data entry form or a report that contains that field might (depending on the pre-existing integer value of the field) mistakenly expose the filename of files that have been uploaded to other File Upload fields, including possibly those from other projects. Users are not able to download these uploaded files or view their contents, but can view the filename of the file on a data entry form or a report.
  • Minor security fix: A Blind SQL Injection vulnerability was found on the Cron Jobs page in the Control Center, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page.
  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL on the API Tokens page in the Control Center and also on the API page in a project.
  • Major bug fix: In a longitudinal project with Data Access Groups, importing data via the "Import Records" API method for an existing record that is assigned to a DAG, in which the API parameters format="json" and overwriteBehavior="overwrite" are used, if the JSON data being imported contains a non-blank value for the "redcap_data_access_group" field for one event while another event of data (for the same record) does not contain the "redcap_data_access_group" field at all in the JSON, REDCap would mistakenly perceive the absent "redcap_data_access_group" field as a blank value and thus would un-assign the record from the DAG (due to the overwriteBehavior="overwrite" parameter being used). When this occurs, the DAG unassignment event would also not get logged on the project Logging page.
  • Improvement: For projects using the Clinical Data Interoperability Services (CDIS), a new observation category “social history” was added for both CDM and CDP projects, thus allowing them to import this new type of EHR data into REDCap.
  • Improvement: New CDIS panel on the left-hand project menu to display information and links that are relevant to projects using either Clinical Data Pull or Clinical Data Mart.
  • Change: When using the Auto-adjudication feature in a Clinical Data Pull (CDP) project, in which it has been set to notify the user via REDCap Messenger whenever a record has been auto-adjudicated by the system, REDCap now automatically deletes all previous auto-adjudication Messenger threads for this project for the user. In previous versions, the user might receive thousands of Messenger notifications, which could cause REDCap itself to become sluggish for the user. Now it only keeps the latest notification for the user.
  • Various updates and changes to the External Module Framework, including a slight change to the EM link on the left-hand project menu (i.e., the "External Modules" link was replaced with "Manage" further down the project menu).
  • Change: In the database backend, the “redcap_log_view” database table will be renamed to “redcap_log_view_old”, and an empty replacement table (named “redcap_log_view”) will be created in its place. The old table and its contents will no longer be used in the application except for very specific, seldom-used functionality (e.g., viewing Page View events on a project’s Logging page). The new table will have a slightly different structure, such as a BIGINT primary key (instead of INT) and better/more indexes to improve query performance for the table. The retiring/renaming of the old table should not have any effect on plugin/hook/module developers unless you are performing direct queries on the “redcap_log_view” table to pull information from months or years in the past, in which case you would want to also query the “redcap_log_view_old” table for such information. Note: During the upgrade process, the last 30 minutes' worth of activity from redcap_log_view will be automatically transferred to the new table in order to maintain continuity within the application before and after the upgrade, especially if the system is not taken offline during the upgrade.
  • Bug fix: Drop-down fields using the auto-complete option would cause the webpage to be slow/laggy when typing a value into the field's textbox or when clicking the down-arrow button for the field to view the full list of choices if the field has hundreds or thousands of choices defined. This slowness was due to the auto-complete feature not being set up correctly in the underlying JavaScript. Note: Clicking the down-arrow button for an auto-complete drop-down with 1000+ choices when the field has no value will now display a notice next to the field that the full list of choices cannot be displayed and instead encourages the user to type a value to search all options.
  • Bug fix: When referencing a Smart Variable inside conditional logic (e.g., Data Quality rules, ASI logic) in which the Smart Variable is appended with a colon+parameter while also being prepended with a unique event name (e.g., [event_1_arm_1][survey-date-completed:form_1]), the logic might fail to be successfully evaluated. This could cause Data Quality rules to throw an error or could cause survey invitations for ASIs not to get sent in specific cases. (Ticket #120543)
  • Bug fix: When a multi-page survey contains required fields that exist on pages after page 1, in some specific scenarios it might mistakenly display the "Some fields are required!" prompt for fields on later pages after submitting the first page. Note: The participant would still be allowed to continue to the next page after the initial submission of page 1. (Ticket #120518)

Version 12.0.7 (released on 2021-12-28)

 

  • Security improvement: Any third-party (i.e., external service) API keys/secrets that are currently stored in the redcap_config database table via a System Configuration page in the Control Center (e.g., AWS S3 secret key, Twilio Auth Token for two-factor authentication) will now have their values stored in encrypted format in the redcap_config table instead of being stored as plain text. This will occur automatically and transparently after upgrading. This will prevent anyone from obtaining these keys/secrets if they view the contents of the redcap_config table.
  • Minor security fix: Updated “Axios” third party JavaScript package due to reported vulnerabilities.
  • Change: The dialog that is displayed when editing a field's branching logic in the Online Designer, in which one or more fields have the exact same branching logic as the current field, contains different text to better explain what clicking "Yes" will do.
  • Bug fix: When using specific configurations of the Survey Queue while running a specific PHP version on the REDCap web server (PHP 8.0 or 8.1?), it might cause the survey page to suddenly crash with a fatal PHP error after completing a survey. (Ticket #120211)
  • Bug fix: A calculation error would occur (displaying the error popup) on a survey page or data entry form if the @CALCDATE action tag is used on an MDY or DMY formatted date or datetime field, in which the first parameter of @CALCDATE contains an if() function where the first field used inside the if() is not a date or datetime field. (Ticket #119510)
  • Bug fix: When an Ad Hoc calendar event is viewed in the calendar popup in a longitudinal project, it would mistakenly display the instruments designated for the first event in the Data Entry Forms list inside the calendar popup. Ad Hoc events should not display any forms in the calendar popup. (Ticket #120224)
  • Updates and various fixes for the External Module Framework, such as the following: Fixed multiple issues with survey & NOAUTH CSRF protection, Added support for hidden subsettings, Improved log display performance, and Added project IDs to error emails.
  • Bug fix: [scatter-plot] Smart Charts might not display their x-axis in correct numeric order for slider fields or some other fields with numeric data. Additionally, for this same situation [line-chart] Smart Charts might mistakenly display their x-axis as a categorical-type display rather than a linear-type display. (Ticket #120214)

Version 12.0.6 (released on 2021-12-23)

 

  • Change/improvement: New CDIS setting - “Identity provider (optional)” - If specified on the Clinical Data Interoperability Services page in the Control Center, the identity provider will be used in the OAuth2 authorization process to identify the server that will exchange the FHIR access token with REDCap. This setting should only be set if the real FHIR base URL of the EHR system is different from the one specified on this page (e.g., the EHR system is behind a proxy).
  • Bug fix: If database table structure issues exist, in which REDCap provides the SQL to fix the issue, the generated SQL might fail when executed on some versions of MySQL/MariaDB if the SQL contains queries to drop Primary Keys that are being used as Foreign Keys in other tables. The generated SQL now includes queries to drop the Foreign Key before dropping the Primary Key, and then also the SQL to re-add the Foreign Key after fixing the Primary Key.
  • Bug fix: When using Clinical Data Pull or Clinical Data Mart and utilizing the “Break the Glass” feature, an authentication error might occur when attempting to use one’s credentials to break the glass of a patient record, specifically when using LDAP authentication.
  • Bug fix: When using the ":value" modifier when piping a field value while also referencing the unique event name and an X-instance Smart Variable (e.g., [c_hmcadrc_visit_re_arm_1][cog_behav_status:value][last-instance]), the label of the multiple choice field option mistakenly might get piped instead of the value of the selected choice. (Ticket #119879)
  • Bug fix: Depending on the naming conventions of the records in the project, the records in the record drop-down list on the "Add/Edit Records" page might appear slightly out of order if Record Auto-Numbering was enabled after non-numerical record names had already been created in the project.
  • Bug fix: The @RICHTEXT action tag would mistakenly not work on survey pages. (Ticket #119996)
  • Bug fix: When making a call to REDCap::saveData() or to the "Import Records" API method to import record data for records that have been assigned to a Data Access Group, if the data being imported is for a longitudinal event that currently has no data for the record, then the project's Logging page might mistakenly denote the record as being created during the import process, despite the fact that the record already exists and has data in other events. In some very rare cases, this might additionally cause the record to get unassigned from its current DAG with no logging to indicate that this happened.
  • Bug fix: Fields with the @CALCDATE or @CALCTEXT action tags could mistakenly be chosen as the Secondary Unique Field in the project, although this should not be allowed because it could cause the field not to perform its calculation correctly, especially if the field exists on a repeating instrument/event. As calc fields have never been allowed for use as the Secondary Unique Field, neither should @CALCDATE or @CALCTEXT fields. (Ticket #119773)
  • Bug fix: Fields with the @CALCTEXT action tag might mistakenly (in specific situations) return an incorrect result if values with leading zeros are utilized in the equation, in which the value "007" would be returned as "7". This would mostly occur when evaluating radio or drop-down fields that have leading zeros for one or more choice codes but do not have any choice codes that contain letters. (Ticket #120024)

Version 12.0.5 (released on 2021-12-17)

 

  • New feature: New design for the “Help & FAQ” page.
  • New Smart Variable: [event-number] - The current event's ordinal number as listed on the Define My Events page that denotes the order of the event within a given arm. (Ticket #70973)
  • Improvement/change: The Define My Events page now has a new column that displays each event's Event ID number. Also, the Smart Variable corresponding to each column in the table on the Define My Events page (e.g., [event-number], [event-label]) is displayed in small gray text below the header text in the table to help users more easily learn where the values of those Smart Variables originate. (Ticket #115791)
  • Improvement: When using OAuth2 Azure AD Authentication, you may now specify a different AD attribute whose value determines the REDCap user's username. By default, it uses the AD attribute "userPrincipalName", which often resolves to the user's email address. The Security & Authentication page has a new drop-down setting to allow admins to alternatively specify the AD attribute "samAccountName", which would resolve to something like "pharris", for example. This provides an option if the institution prefers not to use a user's email address as their REDCap username. Note that this setting does not change the Azure AD login name, which is still the user's email address / userPrincipalName. Administrators may want to select the samAccountName to help retain account usernames when transitioning from LDAP to Azure AD, or if samAccountName is considered an immutable (and thus more reliable) user ID at your institution.
  • Change: Although REDCap sets the cookie "samesite" attribute to "Lax" by default, the "samesite" attribute can be overridden by adding the following line of code in the REDCap database.php file on the web server: $GLOBALS['cookie_samesite'] = "None"; // Possible values: "None", "Lax", or "Strict".
  • Bug fix: After a participant clicks the "Save & Return Later" button on a survey and then attempts to send themselves the survey link for returning, the resulting confirmation dialog titled "Email sent!" would mistakenly have the word "undefined" inside the dialog rather than the correct stock language text "The email was successfully sent to:". (Ticket #119438)
  • Bug fix: Various JavaScript-driven messages displayed on data entry forms and survey pages would mistakenly display "undefined" instead of the correct text.
  • Bug fix: REDCap now automatically sets mysqli_report to OFF for better compatibility with PHP 8.1, which defaults this setting to MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT. Without setting this, PHP might fail with a fatal error whenever a query to MySQL fails, but this only occurs for certain configurations of PHP 8.1.
  • Bug fix: Typo in Shibboleth authentication settings in the Control Center.
  • Bug fix: When using OAuth2 Azure AD Authentication, the usernames set on the Security & Authentication page for Primary Admin and Secondary Admin were case-sensitive. They are now case-insensitive so that the admin usernames can be entered in any case and will still work.
  • Bug fix: When using certain versions of MySQL or MariaDB, the Easy Upgrade or Automatic Upgrade features might mistakenly not be allowed, in which REDCap might think that the REDCap MySQL user does not have "DROP" privileges for the database. (Ticket #119577)
  • Bug fix: If records are named a specific way in a project, they might appear out of order when displayed in certain contexts, such as if the record list spans multiple pages on the Record Status Dashboard. (Ticket #119189b)
  • Bug fix: When uploading an allocation file on the Randomization page, it might mistakenly allow the user to upload multiple allocation files while on the same page. This should not be allowed. (Ticket #119640)
  • Bug fix: When using the Multi-language Management feature to translate the choice labels of Yes/No and True/False fields, those choice labels would mistakenly not appear translated in downloaded PDFs of an instrument (both with and without data).
  • Bug fix: If a "<>" operator is used in a field's Field Annotation/Action Tags, then the operator would mistakenly not be displayed in the Codebook. (Ticket #119705)
  • Bug fix: In situations where slider fields should be disabled on a data entry form (e.g., user has read-only Data Viewing Rights for the instrument), sliders could mistakenly become editable on the page if clicked. Note: Since the user cannot submit the page in this situation, it does not affect data, but can be confusing. (Ticket #119760)
  • Bug fix: When utilizing [aggregate-X] Smart Variables in a calculated field or @CALCTEXT field, if the user is entering data on a form or survey, the calculation might mistakenly not get updated if fields used inside the [aggregate-X] Smart Variable exist on a different instrument or event. However, the calc/@CALCTEXT field would get correctly updated when running Data Quality rule H or when performing a data import.
  • Bug fix: An error message would mistakenly be displayed when attempting to pipe a field variable into the "Redirect to a URL" textbox on the Survey Settings page.
  • Change: Added user's REDCap username to the email subject for REDCap Messenger email notifications to help distinguish them if the same primary email address is used for multiple users.
  • Bug fix: The cron job that sends email notifications for REDCap Messenger might mistakenly send multiple emails repeatedly to users. (This is an additional fix to the same bug fix from one month ago.)
  • Bug fix: When using the Data Resolution Workflow, the DRW dialog would mistakenly not allow the user to reassign the data query to another user if the data query had been opened immediately after the field's data value had been "Verified". (Ticket #119758)
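
An added check, not REDCap code, for the cookie "samesite" override described in the Version 12.0.5 notes above: after setting the value to "None", it parses Set-Cookie header values and flags cookies that browsers will reject (SameSite=None without Secure) or that are now sent on cross-site requests. The cookie names and header values are constructed samples.

```python
# Audit Set-Cookie header values after changing the "samesite" override.
# All header values below are constructed samples, not captured REDCap output.

VALID_SAMESITE = {"none", "lax", "strict"}

SAMPLE_HEADERS = [
    "session_demo=abc123; path=/; HttpOnly; SameSite=None",
    "survey_lang_demo=en; path=/; Secure; SameSite=None",
    "prefs_demo=1; path=/; Secure; HttpOnly; SameSite=Lax",
    "legacy_demo=1; Expires=Wed, 21 Oct 2026 07:28:00 GMT; path=/",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie name, attribute dict).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header_value):
    """Return (cookie name, [(code, message), ...]) for one header value."""
    name, attrs = parse_set_cookie(header_value)
    samesite = attrs.get("samesite")
    findings = []
    if samesite is None:
        findings.append(("MISSING",
                         "no SameSite attribute; the browser's default applies"))
    elif samesite.lower() not in VALID_SAMESITE:
        findings.append(("INVALID",
                         "unrecognized SameSite value %r" % samesite))
    elif samesite.lower() == "none":
        if "secure" not in attrs:
            # Current browsers drop SameSite=None cookies that lack Secure,
            # so the session would silently fail over plain HTTP.
            findings.append(("REJECTED",
                             "SameSite=None without Secure; serve over HTTPS "
                             "and set the Secure flag"))
        else:
            # The cookie now accompanies cross-site requests, so CSRF
            # protection rests on the application's tokens alone.
            findings.append(("CROSS_SITE",
                             "SameSite=None; cookie is sent on cross-site "
                             "requests"))
    return name, findings


def audit_headers(header_values):
    """Map each cookie name to the list of finding codes raised for it."""
    report = {}
    for value in header_values:
        name, findings = audit_cookie(value)
        report[name] = [code for code, _ in findings]
    return report


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        cookie, results = audit_cookie(header)
        if not results:
            print("%s: ok" % cookie)
        for code, message in results:
            print("%s: [%s] %s" % (cookie, code, message))
```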

Version 12.0.4 (released on 2021-12-10)

 

  • Change/improvement: A link to the "Language File Creator/Updater" page was added to the Control Center's left-hand menu in the Administrator Resources section.
  • Change/improvement: When printing a report, the "Number of results returned" and "Total number of records queried" counts are now included in the printout of the page.
  • Bug fix: The "RTL" dialog on the Multi-Language Management page in the Control Center would mistakenly be empty instead of having the appropriate text.
  • Bug fix: A PHP fatal error would be thrown when attempting to edit a field in the Online Designer if using PHP 7.2. (Ticket #118919)
  • Bug fix: When using newer versions of MySQL or MariaDB, the Easy Upgrade or Automatic Upgrade features might mistakenly fail in certain instances if the REDCap MySQL user does not have "REFERENCES" privileges for the MySQL database. (Ticket #119033)
  • Bug fix: When pulling EHR data from the Conditions R4 endpoint for Clinical Data Pull or Clinical Data Mart, the condition’s date value might mistakenly fail to get imported into the REDCap project.
  • Changes and various bug fixes for the External Module Framework, including the following: Included cron start & end times in the cron log, Improved unit testing & psalm scanning (of the framework itself), and Improved performance of the "Logs" page.
  • Bug fix: The variable name displayed for fields on the Codebook page would mistakenly display a square bracket after the branching logic instead of before it. (Ticket #119302)
  • Bug fix: If a user is in a Data Access Group, the Participant List would display an incorrect count of how many visible participants are in the Participant List, and it might show some pages of the Participant List as being empty. (Ticket #119056)
  • Bug fix: If records are named a specific way in a project (e.g., ABC-1, ABC-2), they might appear out of order when displayed in certain contexts, such as if the record list spans multiple pages on the Record Status Dashboard. (Ticket #119189)
  • Bug fix: If a calculated field is using a datediff() function with a datetime field and with "today" as the first two parameters, it would mistakenly throw an error on the page that a calculation error exists. (Ticket #119049)
  • Bug fix: When sending an SMS via Twilio, in which the Twilio API returns the error message "violates a blacklist rule", the survey invitation log would mistakenly not flag this error correctly with reason_not_sent = 'PARTICIPANT OPTED OUT' but instead would revert to the default reason_not_sent of 'ERROR SENDING SMS'.
  • Bug fix: If HTML tags are used inside the Custom Labels for Repeating Instruments, whenever the dialog is reopened to edit the Custom Labels for Repeating Instruments, the HTML tags will have been automatically removed. It should not remove the HTML tags that have been already saved. (Ticket #119244)
  • Bug fix: When clicking the "export" link to download the results after running Data Quality rule A or B, it would be impossible to determine which field had the missing value for a given row/record if more than one field had a missing value for the whole set of results exported. To remedy this issue, the export file no longer lists each variable name as a separate column (like other DQ rules) but instead has a new "field" column that will list the variable name of the field with the missing value in each row. (Ticket #119276)
  • Bug fix: When upgrading to REDCap 12.0.0 or higher and when the Form Render Skip Logic external module is being utilized for one or more projects, the upgrade script to auto-migrate all the FRSL settings into the new Form Display Logic feature might be slightly incorrect for some FRSL configurations (only affecting longitudinal projects). If the FRSL checkbox setting "Restrict this rule to specific events" is not checked but one or more events have been selected (which is not expected), the resulting behavior from the Form Display Logic would cause the form to be disabled for the selected event, whereas the FRSL module beforehand would disable the form on every event. The auto-migration script now has been changed to match the behavior of the FRSL module for this particular misconfiguration of the FRSL module. (Ticket #118353)
  • Change: For new REDCap installations, the global setting "Minimum number of data points required to display Smart Charts, Smart Tables, or Smart Functions" has been changed from "11" to "5" since the previous default value was regarded as too conservative by many. For existing installations, this value can easily be changed on the User Settings page in the Control Center and additionally can be overridden for any project via the Edit A Project's Settings page.
  • Bug fix: When displaying Smart Charts on a public Project Dashboard, in which the chart is grouped via a secondary field, in some specific cases where data is missing for the first field in the chart but not for the grouping field, the chart might mistakenly get displayed (instead of displaying the message "[INSUFFICIENT AMOUNT OF DATA FOR DISPLAY]") even when it does not meet the minimum data point criteria. (Ticket #119348)
  • Bug fix: Custom Data Quality rules whose logic utilizes fields from repeating instruments might mistakenly return results that are duplicates or not relevant, such as displaying the base/non-repeating instance when all the fields in the logic exist on a repeating instrument. (Ticket #72996)

Version 12.0.3 (released on 2021-12-03)

 

  • Major bug fix: When the "Enable support for Survey Auto-Continue" option is checked in the Form Display Logic setup dialog, the feature might mistakenly fail to evaluate the logic correctly during the Survey Auto-Continue process. Thus, it could cause some surveys to get skipped unintentionally.
  • Improvement/change: When using Multi-Language Management on a survey, the current language name is now displayed next to the globe icon at the top right of the survey page so that participants more intuitively understand what the current language is and know to click it to change the language.
  • Improvement/change: The Online Designer now denotes whether a field on the instrument contains embedded fields inside its label, choices, notes, etc. by displaying a blue box saying "Contains embedded fields", similar to the green "Field is embedded elsewhere on page" boxes for embedded fields themselves. This will provide users with visual cues to know when and where field embedding is occurring.
  • Improvement: The Design Checker feature for Clinical Data Mart now has improved descriptions of changes that will be made, including the severity of the design issue.
  • Bug fix: When using vertical sliders on forms/surveys, the “Change the slider above to set a response” text would have a translucent background that might mistakenly cover part of the text field displaying the number value. (Ticket #118330)
  • Bug fix: When using the Sponsor Dashboard or Browse Users->View User List By Criteria pages and clicking the "Time of latest password reset" link on the page, the resulting error message might be confusing if the user selects users in the table in which none of those selected users log in via Table-based authentication (assuming the system authentication is LDAP+Table or Shibboleth+Table). More text has been added to the error message to inform the user that at least one Table-based authentication user must be selected in order to perform this action. (Ticket #118200)
  • Bug fix: If an admin has "Modify System Configuration Pages" admin rights but does not have "Access to all projects and data with maximum user privileges" admin rights, then if the system was taken offline, the admin would mistakenly not be able to restore the system back to online status. (Ticket #118540)
  • Bug fix: The “Save your changes?” prompt that is displayed when attempting to leave a Data Entry Form via closing the current window/tab might mistakenly cause a JavaScript error rather than displaying the prompt.
  • Bug fix: When using Missing Data Codes for an embedded field with the ":icons" parameter set (e.g., {field1:icons}), the list of Missing Data Codes would fail to display after clicking the "M" icon for the embedded field. (Ticket #118636)
  • Bug fix: When using Missing Data Codes for an embedded field with the ":icons" parameter set (e.g., {field1:icons}), in which the field is a Radio Button field, if the user clicks the "reset" link to reset the value of the field, it would mistakenly throw a JavaScript error. It would still correctly remove the value of the field and reset it, but it would appear to the user as if it did not.
  • Bug fix: The Smart Variables [survey-time-completed] and [survey-date-completed] might not get evaluated correctly when used in Survey Queue conditional logic. (Ticket #118452)
  • Bug fix: When attempting to save a custom Record Status Dashboard in a non-longitudinal project, in which one or more instruments are selected for the "Select instruments" option, it would fail to save the selected instruments, thus resulting in displaying all instruments on the custom dashboard instead of only the selected ones.
  • Change: To the right of the REDCap/PHP/MySQL versions listed at the top of the main Control Center page, a "copy" icon was added to allow administrators to easily copy that version information text so that they may paste it elsewhere, such as when posting a question or bug report on REDCap Community.
  • Bug fix: When a multi-arm longitudinal project does not have "arm 1" defined but has higher-numbered arms defined, it can cause certain things not to work correctly, such as branching logic, calculations, or action tags.
  • Change: In the "Add Field"/"Edit Field" dialog in the Online Designer, it is no longer possible to tab into the Action Tags text box. This was changed because users found it a bit jarring for the Logic Editor dialog to automatically display as they are tabbing through the fields inside the "Add Field"/"Edit Field" dialog.
  • Change: Light gray square brackets are now displayed around the variable name for each field on the Data Dictionary Codebook to aid users when searching for a specific field on the page (because it may sometimes be hard to find a field on the page if it is used in lots of branching logic or calculations).
  • Bug fix: When attempting to do a fresh install of REDCap on PHP 8.0, the install page might mistakenly crash with a blank white page.
  • Bug fix: When a public survey is completed and the "Save & Return Later" feature is not enabled for the survey, references to the survey link via the Smart Variable [survey-link] might mistakenly allow participants to return to the completed survey when instead it should prevent them and thus display the "Thank you for your interest, but you have already completed this survey" message. This could cause further confusion if a participant attempted to download a file for a File Upload field on that survey, in which it would prevent them from downloading it (via an error message); however, this might be confusing since the participant could access the survey page (via this bug) but not the downloadable file on the survey. (Ticket #118314)

Version 12.0.2 (released on 2021-11-29)

 

  • Change: The Control Center now recommends using PHP 7.4, 8.0, or 8.1, which are the only currently supported versions of PHP (by the PHP Team).
  • Bug fix: The "Add/Edit Records" page would display a green button with the incorrect text "Add new record for the arm selected above" for projects that do not have multiple arms. The button instead should say "Add new record".
  • Bug fix: When upgrading from a version prior to REDCap 11.4.1, the upgrade SQL script might mistakenly fail when dropping an index on the `redcap_user_roles` table.
  • Bug fix: When copying a project where Twilio is enabled, the various Twilio configuration settings would mistakenly not get copied. Note: The Twilio feature will still be disabled in the newly created project. (Ticket #118265)
  • Bug fix: When using a Project Bookmark as an "Advanced Link", the API call that should return the various parameters (e.g., username, project_id) would mistakenly default to "xml" as the return format when instead it should default to "csv" if the "format" API parameter is not provided in the API request.

Version 12.0.1 (released on 2021-11-23)

 

  • Major bug fix: When using Twilio SMS or Voice Call functionality on a survey, field labels or section headers might mistakenly not get included in the SMS message or Voice Call message unless one or more languages have been defined and are active on the Multi-Language Management page.
  • Bug fix: When using Twilio SMS or Voice Call functionality on a survey, the choices for some multiple choice fields would mistakenly not appear in the correct translated language when one or more languages have been defined and are active on the Multi-Language Management page.
  • Bug fix: When using Twilio SMS or Voice Call functionality on a survey, the survey instructions and completion text might mistakenly not appear in the correct translated language when one or more languages have been defined and are active on the Multi-Language Management page.
  • Bug fix: Some rare adaptive PROMIS instruments that contain checkbox or textbox field types (e.g., PROMIS Sexual Function v2 Brief Profile (Female)) would crash in certain instances and prevent the participant from completing the survey whenever a participant attempts to answer a checkbox or textbox field on the survey page.

Version 12.0.0 (released on 2021-11-22)

 

  • New feature: Multi-Language Management
    • Summary: Users can create and configure multiple display languages for their projects for surveys, data entry forms, alerts, survey invitations, etc. Users can design data collection instruments and have them be displayed in any language that they have defined and translated so that their survey participants or data entry persons can view the text in their preferred language. This eliminates the need to create multiple instruments or projects to handle multiple languages. NOTE: The MLM feature will not auto-translate text, but provides tools so that users may easily translate them themselves.
    • Usage: When entering data on a data entry form or survey, users and participants will be able to choose their language from a drop-down list or buttons on the page to easily switch to their preferred language for the text displayed on the page. This feature allows users to translate all text related to the data entry process, both for surveys and for data entry forms. Even various survey settings and email text can be translated. For users on data entry forms, if a language is selected, that selection is stored in the user’s user account settings internally (in the REDCap backend database), whereas a survey participant’s selected language will be stored in a cookie in their web browser as a way to remember their language preference if they return in the future (and also to maintain their selected language from page to page). The language can be pre-selected for a participant, if desired, using the “Language preference field” setting on the MLM page in the project or via the @LANGUAGE-FORCE action tags (seen below).
    • User Rights: Users must have Project Design/Setup privileges in a project in order to see the link to the Multi-Language Management page on the left-hand menu.
    • System-level Configuration: The MLM feature can be completely disabled at the system level, if desired, via the MLM page in the Control Center (on the Settings tab). On this page in the Control Center, admins can optionally seed any User Interface (i.e., stock language) translations for the entire REDCap installation, in which users could import any activated User Interface translations into their project. This will only import the User Interface elements (since those are universal to each project), but it can be a big time saver to prevent the user from having to translate those common elements in their project. These can be imported via the Create New Language process in a project (or via the Edit Language setting also).
    • Note: The MLM feature works seamlessly with SMS messages sent via Twilio. Additionally, the MLM feature works with the e-Consent Framework, in which the archived PDF of the participant’s consent form will be stored in the File Repository in the same language in which the participant took the survey.
    • Note: When a project is in production, the MLM page and all translations can only be modified when the project is in Draft Mode. So if the user desires to make edits or additions to their translations, they must first enable Draft Mode via the Online Designer, and then return to the MLM page to make translation changes while in Draft Mode. When the drafted changes are approved, their translation changes made while in Draft Mode will automatically be approved together with them.
    • New Action Tags for Multi-Language Management
      1. @LANGUAGE-CURRENT-FORM - Allows you to capture the currently used language in projects where multilingual data is enabled on data entry forms. The @LANGUAGE-CURRENT-FORM action tag can be used on fields of type 'Text Box' (no validation), and 'Drop-down List', or 'Radio Buttons' (these need to have choices whose codes correspond to the IDs of the defined languages - e.g., 'en'). This action tag is only active on data entry forms and will always, when possible, set the field's value to the currently active language.
      2. @LANGUAGE-CURRENT-SURVEY - Same as @LANGUAGE-CURRENT-FORM, but works only on survey pages. For multi-page surveys, @LANGUAGE-CURRENT-SURVEY needs to be used on a field of each page where capture of the language is relevant (e.g. for performing branching).
      3. @LANGUAGE-FORCE - When used on a field, the data entry form or survey on which the field is located will be rendered in the specified language (which must have been set up using the Multi-Language Management feature). The format must follow the pattern @LANGUAGE-FORCE="???", in which the ID of the desired language should be inside single or double quotes - e.g., @LANGUAGE-FORCE="de". Piping is supported - e.g., @LANGUAGE-FORCE="[field_name]". When the language is forced successfully (i.e., it exists and is active), the language selector is hidden. Using this together with @LANGUAGE-CURRENT-FORM/SURVEY on the source field for @LANGUAGE-FORCE may be used to 'lock in' a user to their selected language.
      4. @LANGUAGE-FORCE-FORM - Same as @LANGUAGE-FORCE, but the effect is limited to data entry forms (i.e. this does not affect surveys).
      5. @LANGUAGE-FORCE-SURVEY - Same as @LANGUAGE-FORCE, but the effect is limited to surveys (i.e. this does not affect data entry forms).
      6. @LANGUAGE-SET - When used on a Drop-down or Radio Button field only, this action tag will allow the field's value to control the currently shown language (in the same way as switching the language via the buttons at the top of the page). Tip: When used in a survey, this field could be prepopulated (and thus auto-selected) by embedding a participant's language ID in the survey URL itself (for details, see the FAQ's "How to pre-fill survey questions" section).
    • Thanks to Günther Rezniczek for all his work to help us build the new Multi-Language Management feature.
  • New feature: Form Display Logic
    • Form Display Logic is an advanced feature that provides a way to use conditional logic to disable specific data entry forms that are displayed on the Record Status Dashboard, Record Home Page, or the form list on the left-hand menu. You might think of it as 'form-level branching logic'. Form Display Logic can be very useful if you wish to prevent users from entering data on a specific form or event until certain conditions have been met. The forms will still be displayed on the page, but they will be disabled in order to prevent users from accessing them. Below you may define as many conditions as you want. A form may be selected in multiple conditions, but if so, please note that the form will be enabled if at least one of the conditions is met. The Form Display Logic does not impact data imports but only operates in the data entry user interface to enable/disable forms. Additionally, Form Display Logic is not utilized by the Survey Queue at all but can affect the behavior of the Survey Auto-Continue feature if the checkbox for it is enabled in the setup dialog. The Form Display Logic setup can be found by clicking the “Form Display Logic” button at the top of the instrument list in the Online Designer.
    • This feature serves as the official integration of the Form Render Skip Logic external module created by Philip Chase and his team. Thanks to them for their work on this module. Note: When upgrading REDCap to v12.0.0 or higher, if the Form Render Skip Logic is installed and is being used by any projects, all the configuration settings for the module will automatically be translated into the new Form Display Logic settings format, after which the external module will be disabled for each project and also for the entire system (since it will no longer be needed). This all happens automatically during the upgrade.
  • New feature: Design Checker for the Clinical Data Mart (CDM) - The “Data Mart Design Checker” is a new tool available in the Data Mart fetch page that will report any issue related to the design of the current Data Mart project. Based on the most recent Data Mart XML template available in REDCap, the tool will check, list, and fix any of these issues: missing forms, variables, revisions, or section headers, the lack/presence of repeatability in a form, variables included in the wrong form, etc. An administrator or a user with Project Setup/Design privileges can use the tool to review and automatically fix all reported issues. This tool will mainly be utilized when users have modified the structure of an existing Data Mart project or if new forms and data types have been added to the Data Mart feature itself since the users initially created their Data Mart project.
  • Improvement: Errors displayed in the Survey Invitation Log when sending SMS or Voice Calls via Twilio will now display the full error message returned by Twilio's API to provide the user with more information regarding why the SMS/Voice Call failed to send successfully.
  • Major bug fix: When a field is embedded on a multi-page survey, in which the embedded field's parent field is used in branching logic on a later page, the embedded field's value might mistakenly get erased when a later survey page is submitted if the embedded field is set as a Required field. (Ticket #117620)
  • Bug fix: The cron job that sends email notifications for REDCap Messenger might mistakenly send multiple emails repeatedly to users. (Ticket #97084b)
  • Bug fix: The x-axis of a [scatter-plot] Smart Chart would mistakenly not display in the correct sorted fashion. (Ticket #117202b)
  • Bug fix: Clicking the "Today" or "Now" button for a date or datetime field, respectively, would mistakenly add the green highlighted background to the field if that field is embedded. Embedded fields should never get highlighted as green like regular fields do. (Ticket #105242)
  • Bug fix: When using the "Copy multiple fields" feature in the Online Designer, on some occasions the process might mistakenly fail for some fields selected and would display them on the page as fields with empty variable names. (Ticket #117339)
  • Change: The text for the "Example code" link at the bottom of the API Playground was modified for clarity. (Ticket #117797)
  • Bug fix: When using specific PHP versions, the Clinical Data Pull (CDP) service might mistakenly throw a fatal PHP error when attempting to fetch data from the EHR. (Ticket #117953)
  • Change: When drafted changes are auto-approved in a production project, the "Changes Were Made Automatically" dialog now provides extra text reminding the user that if any new instruments were just added, by default no users in the project have access to any newly created instruments. Thus they might need to grant users access to the new instruments.
  • Bug fix: When creating a new project or copying an existing one, the users that are initially granted access to the project would mistakenly not get logged as having been added to the project on the project logging page, thus making it very difficult for an auditor to determine exactly when and by whom the initial users had been given access.
  • Bug fix: A fatal PHP error would occur that prevented an administrator from creating a Data Mart project on behalf of a user. (Ticket #117929)
  • Bug fix: When using the Data Resolution Workflow in a project, the Resolve Issues page would mistakenly display data queries for fields that exist on instruments to which the user does not have data viewing privileges. (Ticket #118026)
  • Bug fix: If a value is piped into a Descriptive Text field which is itself embedded in another field, then in some specific instances the Descriptive Text field's label would mistakenly not get embedded but only the piped value would get embedded. (Ticket #117925)

Version 11.4.4 (released on 2021-11-12)

 

  • Improvement: New parameter "repeat_instance" was added to the API method "Export PDF file of Data Collection Instruments" to allow users to export a PDF of an instrument for a specific repeating instance of a repeating instrument/event. (Ticket #117182)
  • Change/improvement: When a survey participant partially completes a survey that has the Save & Return Later feature enabled, and an email is then sent to the participant to remind them to finish their survey later, instead of sending that email from the system-level "Email Address of REDCap Administrator" (as in previous versions), the "From" email address of the "Survey partially completed" email will be set to the sender's address from the most recent survey invitation received by the participant. This will create more consistency and will reduce confusion for participants when attempting to reply back to the email, as has been a problem in the past.
  • Bug fix: For certain server configurations, the REDCap cron job might mistakenly crash due to a floating point precision issue when creating a timestamp. This occurrence is fairly rare. (Ticket #117186)
  • Bug fix: The x-axis of a [scatter-plot] Smart Chart would mistakenly not display in the correct sorted fashion. (Ticket #117202)
  • Bug fix: If a user has many conversations (e.g., hundreds or more) listed in their REDCap Messenger window, every page of REDCap would load slowly for them, even if Messenger is closed when the page loads.
  • Bug fix: If the setting "Allow survey respondents to view aggregate survey results?" has been disabled at the system level in the Control Center, then a user entering a URL into the "Redirect to a URL" option on the Survey Settings page in a project would cause an unrelated error message to mistakenly appear and would prevent the user from adding/modifying the "Redirect to a URL" option. (Ticket #117399)
  • Bug fix: If a calculation, branching logic, or conditional logic contains exponents in which the base number's value is negative, it might mistakenly not return any value at all - e.g., ([number1])^(1/3) where the value of "number1" is "-8". (Ticket #117456)
  • Bug fix: In calculations or branching logic, the special function isinteger() would mistakenly only return True if the value came from an integer- or number-validated Textbox field. (Ticket #117447)
  • Bug fix: When saving some custom text for the settings "Custom text to display at top of Project Home page in project" or "Custom text to display at top of all Data Entry pages in project" on the "Edit A Project's Settings" page in the Control Center, it would mistakenly display a lot of extra line breaks on the project page where the custom text would be rendered. (Ticket #117403)
  • Bug fix: Upgraded the JavaScript libraries Backbone.js and Underscore to their latest versions since they were both outdated. (Ticket #117462)
  • Bug fix: When using Azure AD authentication, the logout process in REDCap would mistakenly not take the user to the Azure AD logout page, thus not actually logging out the user fully. (Ticket #117166)
  • Bug fix: When initializing a project in the REDCap Mobile App in which the project contains an SQL field, if the query for the SQL returns only one column (rather than two columns), the drop-down would mistakenly not display correctly on the data entry form in the REDCap Mobile App. (Ticket #107409b)
  • Change: The explanation text for the "Re-evaluate Automated Invitations" process was modified to improve clarity with regard to how the re-evaluation process works. (Ticket #116807)
  • Bug fix: When performing the Import Records API method with the data format set as "csv" in which the data being imported was obtained from a data export via the user interface (not via the API) in CSV Raw format, the API would return a field validation error message or might save the imported value with an extra space prepended to it if the original value that was exported for that field began with a specific CSV Injection character, such as -, @, +, or =. The data import API process now removes the extra space character at the beginning of the value when this specific scenario is detected in order to preserve the original value of the field. (Ticket #117546)
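
The round trip described in the last entry above, as an added example (not REDCap's own code): an export that prepends a space to values starting with a CSV Injection character, and an import that removes that space again. The function names, the strict integer check and the sample rows are assumptions made for illustration, and the trigger set is limited to the four characters the entry names.

```python
import csv
import io

# Characters the changelog entry names as CSV Injection triggers ("such as").
# Assumption: this example treats exactly these four as the trigger set.
FORMULA_TRIGGERS = ("-", "@", "+", "=")

# Constructed sample data (not taken from any real project).
SAMPLE_ROWS = [
    ["record_id", "temp_change", "note"],
    ["1", "-8", "=SUM(A1:A2)"],
    ["2", "12", "+1 555 0100"],
]


def neutralize_for_export(value: str) -> str:
    """Export side: prepend one space so a spreadsheet treats the cell as text."""
    if value.startswith(FORMULA_TRIGGERS):
        return " " + value
    return value


def restore_on_import(value: str) -> str:
    """Import side: drop exactly one leading space when a trigger follows it."""
    if len(value) >= 2 and value[0] == " " and value[1] in FORMULA_TRIGGERS:
        return value[1:]
    return value


def is_valid_integer(value: str) -> bool:
    """Strict integer validation: any surrounding whitespace is rejected."""
    body = value[1:] if value.startswith("-") else value
    return body.isascii() and body.isdigit()


def export_csv(rows):
    """Write rows to CSV text, neutralizing every cell on the way out."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for row in rows:
        writer.writerow([neutralize_for_export(cell) for cell in row])
    return buf.getvalue()


def import_csv(text, restore=True):
    """Read CSV text back; with restore=False the pre-fix behaviour is shown."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        rows.append([restore_on_import(c) if restore else c for c in row])
    return rows


if __name__ == "__main__":
    exported = export_csv(SAMPLE_ROWS)
    before_fix = import_csv(exported, restore=False)
    after_fix = import_csv(exported)
    # Without the fix the integer field arrives as " -8" and fails validation.
    print(repr(before_fix[1][1]), is_valid_integer(before_fix[1][1]))
    print(repr(after_fix[1][1]), is_valid_integer(after_fix[1][1]))
    # Limitation: a value that really began with a space followed by a trigger
    # is indistinguishable from a neutralized one and loses that space.
    print(repr(restore_on_import(neutralize_for_export(" =x"))))
```

The last line of the demo shows the one case this heuristic cannot recover: a value whose original text already began with a space followed by a trigger character.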

Version 11.4.3 (released on 2021-11-05)

 

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in various places.
  • Change/improvement: A button to open the Codebook page as a floating popup window was added inside the Logic Editor popup to allow users to easily find and reference fields they want to use in their logic while in the editor.
  • Improvement/change: The underlying business logic of REDCap’s cron job processing methods has been changed so that long-running cron jobs will not block other jobs from running at their scheduled time.
  • Bug fix: Typo in "SFTP/WebDAV-only settings"
  • Bug fix: Fixed issues with regard to users adding a secondary/tertiary email address on their Profile page. (Ticket #116375)
  • Bug fix: When viewing the Survey Queue page when it is displaying repeating surveys for a record, if some instances of the repeating survey are missing or were deleted, it would mistakenly display them in the queue with a “Begin Survey” button next to them. It should instead only display a button to create a new instance after the last current instance for the survey. (Ticket #116534)
  • Bug fix: Some files that were uploaded to a REDCap Messenger conversation might mistakenly not download correctly and might appear corrupt when opened after being downloaded.
  • Bug fix: If a project is in production and collecting data via surveys, and then it is moved to Draft Mode, after which a user downloads an Instrument Zip file in the Online Designer for one of the project's surveys and then re-uploads the same Instrument Zip file, all existing survey responses would get disconnected from the original survey, thus losing all their survey completion timestamps and changing all the survey links for the existing records in the project. Bug emerged in REDCap 11.2.0. (Ticket #116940)
  • Bug fix: PHP compatibility issue with PHP 8 on the Online Designer might cause the page to crash with a fatal error. (Ticket #117020)
  • Bug fix: When creating a new conversation in REDCap Messenger, it would mistakenly fail to open the new conversation in the user interface immediately after being created.
  • Bug fix: When using the Data Resolution Workflow and entering data on a data entry form, the floating button that says "Save and then open data resolution pop-up" would mistakenly be displayed next to every embedded field inside a block of embedded fields when the cursor is placed in the field, even when the embedded field does not have a data query opened for it. The button should only appear next to fields that have an open query. (Ticket #116987)
  • Bug fix: Smart Charts (e.g. bar-chart, pie-chart, donut-chart) that display multiple choice labels that contain multibyte characters, in which the labels are 13 or more characters in length, might have those multibyte characters mistakenly get garbled and thus not appear correctly in the chart. (Ticket #117103)

Version 11.4.2 (released on 2021-10-29)

 

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in various places.
  • Minor security fix: To improve the overall security of the application, the SameSite attribute of all cookies created by REDCap now has a value of “Lax”, whereas in previous versions it was set to “None”.
  • Minor security fix: To prevent a Session Fixation attack, session IDs are now regenerated upon every successful login by a user.
  • New feature: A new Cron History table was added to the bottom of the Cron Jobs page in the Control Center to allow administrators to have more visibility regarding when certain cron jobs are run and for how long, including cron jobs for external modules. The table includes a date field to easily adjust the window of time by date.
  • Improvement: If using Amazon S3 or Azure Blob Storage for the system-level File Storage Method, the same file storage method may also be used for the following system-level settings: 1) 'File Upload' field enhancement: Password verification & automatic external file storage, 2) Record-level Locking Enhancement: PDF confirmation & automatic external file storage, and 3) e-Consent Framework: PDF External Storage Settings (for all projects). These three settings will each utilize a different bucket/container than the system-level file storage method where all other REDCap files are stored (as a means of keeping them separate from the other files). These settings are often utilized for compliance with 21 CFR Part 11 and similar regulations. The addition of the S3/Azure options will be helpful when already running REDCap on AWS/Azure. The bucket/container where the files will be stored for these three options may be set for each near the bottom of the Modules/Services Configuration page in the Control Center.
  • Bug fix: The optional settings for the Protected Email Mode feature would mistakenly not get copied to a new project when using the Copy Project page. Additionally, those settings would also not get added to a Project XML file if the project were exported and then re-created in REDCap via Project XML.
  • Bug fix: When instruments are added from the REDCap Shared Library to a production project in Draft Mode, after the changes have been approved, all users would mistakenly have full "View/Edit" Data Viewing privileges to the new instrument. By default, users should initially have “No Access (Hidden)” privileges to newly added instruments.
  • Change: The email that users receive from an administrator that has just approved their production changes now reminds them that the default Data Viewing Rights for any newly added instruments will be 'No Access (Hidden)'.
  • Bug fix: When an administrator processes and commits a user's draft mode changes for their production project, the "Project Changes were Approved" email confirmation sent back to the user would mistakenly have its From address as the admin's email when it should instead be the general "Email Address of REDCap Administrator". (Ticket #116368)
  • Bug fix: When calling the "Export Records" API method with parameters type=eav and format=csv, the API might mistakenly output survey fields incorrectly if exportSurveyFields=true in the API request. Additionally, it might mistakenly output the "redcap_event_name" and "redcap_repeat_instance" CSV columns in certain cases when those columns are not relevant and should not be output. (Ticket #115862)
  • Bug fix: Fixed a compatibility issue for logged IP addresses in some server environments in which some load balancers/proxies/WAFs would unexpectedly add the port number to the HTTP_X_FORWARDED_FOR header that ultimately gets used as the client's IP address. (Ticket #116486)
  • Bug fix: The Online Designer might mistakenly display a comma after some action tags listed in pink below a given field that has action tags.
  • Bug fix: The page on a survey that is displayed after a participant has clicked the "Save & Return Later" button would display text and contents that mistakenly did not completely conform to the survey theme of the current survey. (Ticket #116613)
  • Bug fix: Using the ":record-name" parameter in the [stats-table] Smart Variable would mistakenly not limit the descriptive stats displayed in the table to the currently viewed record but would instead display the stats for all records in the project. (Ticket #116546)
  • Bug fix: Using the @IF action tag on a field in which @IF is nested more than twice would mistakenly cause it not to get parsed correctly and thus might cause the wrong action tags to be implemented for the field. (Ticket #116535)
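
The X-Forwarded-For entry above (Ticket #116486), as an added example that is not REDCap's own code: normalizing header elements that carry a port before they are logged or compared against a blocklist. It goes one step beyond the entry by also choosing which element to trust; the function names, the `trusted_proxies` parameter and the sample addresses are assumptions for illustration.

```python
import ipaddress
from typing import Optional


def strip_port(token: str) -> Optional[str]:
    """Return the normalized IP in one X-Forwarded-For element, or None."""
    token = token.strip()
    if token.startswith("["):
        # Bracketed IPv6, optionally followed by a port: "[2001:db8::1]:443"
        host, closing, rest = token[1:].partition("]")
        if not closing:
            return None
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
    elif token.count(":") == 1:
        # IPv4 with a port appended by the proxy: "203.0.113.7:51234"
        host, _, port = token.partition(":")
        if not port.isdigit():
            return None
    else:
        # Bare IPv4, or bare IPv6 (several colons, no brackets, no port)
        host = token
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def client_ip(xff: str, remote_addr: str, trusted_proxies: int = 1) -> str:
    """Pick the client address for logging.

    remote_addr is the direct TCP peer. trusted_proxies is how many proxies
    under our control append to the header; the element written by the
    outermost trusted proxy sits that many positions from the right. Anything
    further left was supplied by the client and is ignored.
    """
    if trusted_proxies < 1:
        return remote_addr  # no proxy in front: the header is not trusted
    elements = xff.split(",")
    if len(elements) < trusted_proxies:
        return remote_addr
    candidate = strip_port(elements[-trusted_proxies])
    return candidate if candidate is not None else remote_addr


if __name__ == "__main__":
    # Constructed header values (documentation address ranges).
    for header in (
        "203.0.113.7:51234",
        "[2001:db8::1]:443",
        "198.51.100.9, 203.0.113.7:51234",
        "unknown",
    ):
        print(repr(header), "->", client_ip(header, "10.0.0.5"))
```

Unparsable or missing elements fall back to the direct peer address, so a malformed header never ends up in the log as the client's IP.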

Version 11.4.1 (released on 2021-10-22)

 

  • New feature: Auto-adjudication for Clinical Data Pull (CDP) projects - As an extension of the existing "Instant Adjudication" feature for CDP projects, any projects with Instant Adjudication enabled can optionally enable the Auto-adjudication feature on the CDP Setup page in a project. Once enabled, if any records in the project have data that has already been pulled from the EHR and are awaiting adjudication, they will be adjudicated automatically by a cron job process that checks every 5 minutes. This allows the data to flow into the project automatically and prevents the need for a user to manually adjudicate data or to click the Instant Adjudicate button. Similar to the Instant Adjudication setting, only users with CDP Setup/Mapping privileges can enable the Auto-adjudication setting.
  • New feature: Admins can set or change a user's sponsor on the "View User List By Criteria" tab on the Browse Users page in the Control Center. An administrator can click the "Set or change user’s sponsor" button on the page and then select another user in the system to become their new sponsor. This feature works for any users that currently have a sponsor or that do not have a sponsor.
  • Improvement: “Google Cloud Storage using API Service Account” as new file storage option - To store REDCap’s edoc files via Google Cloud Storage, this option can be selected in the File Upload Settings page in the Control Center. An additional option exists to organize files by REDCap project ID when storing them in Google Cloud. (Thanks to Andy Martin and his team for this contribution.)
  • Improvement: New CDIS setting - Admins now have the option to use the CA bundle from REDCap or the verification provided by the webserver for HTTPS connections.
  • Improvement: New option for Protected Email Mode - Users may now upload a custom logo that they wish to be displayed on the webpage and in emails utilizing the Protected Email Mode. This feature is supplementary to the existing custom text option for Protected Email Mode. This option is located in the Protected Email Mode section of the Additional Customizations popup on the Project Setup page.
  • Minor security fix: When displaying a fatal PHP error to REDCap administrators, the full file path of the PHP file is no longer exposed and output on the page, but instead it only outputs the local path from the REDCap webroot in the PHP error message. This prevents inadvertently exposing some of the file/folder structure of the web server.
  • Bug fix: The "Returning?" popup that appears near the top right of a survey page would display text and contents that mistakenly did not conform to the survey theme of the current survey. (Ticket #115314)
  • Bug fix: Fixed issue with database issue detection script regarding a key for the redcap_user_roles table. (Ticket #115587)
  • Fixed typo in @IF documentation
  • Bug fix: Some explanatory text not displayed for the “Allow normal users to edit their primary email address on their Profile page” setting on the User Settings page.
  • Bug fix: The @IF action tag might not work correctly when the currently viewed record has not been saved/created yet.
  • Bug fix: The @IF action tag might not work correctly when the True or False part of the IF has two single or double quotes. (Ticket #115731)
  • Bug fix: The smart variable [line-chart] might mistakenly display plain text data on the x-axis if a Textbox or Notesbox field is used as the x-axis field. (Ticket #115818)
  • Bug fix: In some very specific cases when using PHP 8, the upgrade module might mistakenly not load due to a fatal PHP error. (Ticket #115680)
  • Change/improvement: The HTML tags "video" and "source" can now be used in user-defined labels throughout REDCap. (Ticket #16057)
  • Bug fix: Returning 'false' from the redcap_email hook method in an external module would mistakenly not prevent emails from being sent.
  • Change: When viewing an individual email on the Email Logging page, it now logs the record name, event_id, and instrument name (when applicable) in the redcap_log_view database table.
  • Bug fix: When a repeating instrument has data entered on multiple repeating instances, and then afterward the instrument is made to no longer be repeatable, the Data History popup would mistakenly display the history for all repeating instances for that field (including the ones that have now been orphaned), rather than for only the first instance. (Ticket #115308b)
  • Bug fix: The jSignature JavaScript library used for "signature" field types was mistakenly reverted to an earlier version of the library that was sometimes not compatible with a stylus. (Ticket #115607)
  • Bug fix: When using the Twilio telephony services in a project and utilizing the "Designate a phone number field" setting, in certain situations it might fail to display the record name of the participant in the Survey Invitation Log. (Ticket #115206)
  • Bug fix: When appending the Smart Variable [current-instance] to a field variable in branching logic or a calculation on an instrument that is not a repeating instrument and not on a repeating event in the current context, it might mistakenly not evaluate the branching logic/calculation correctly on the data entry form or survey page. (Ticket #115585)
  • Bug fix: When viewing a survey via a private/unique survey link (i.e., not via a public survey link), in which the survey is set to "offline" and has field variables piped into its custom offline message, it would mistakenly not pipe the data successfully in the offline message. (Ticket #116092)
  • Bug fix: When exporting a PDF of an instrument containing data, if a drop-down or radio field in the PDF has a choice coded as "0" in which the field's saved value is not currently "0", the resulting PDF might mistakenly show both the "0" choice and the saved choice as being selected. This appears to only occur in certain versions of PHP 7. (Ticket #115505)
  • Bug fix: When the enhanced checkbox option has been enabled on a survey in which a checkbox on the survey utilizes the @NONEOFTHEABOVE action tag, if the checkbox is embedded in another field on the page, the enhanced buttons would mistakenly not behave/display correctly for the checkbox when selecting the "None of the Above" choice or if another option is clicked while the "None of the Above" choice is already selected. Note: This does not affect the data being saved correctly for the checkbox but affects only the displaying of the enhanced buttons; thus it could be confusing for the survey participant. (Ticket #115891)
  • Bug fix: When using the [survey-link] or [survey-url] Smart Variables in a project in which a literal instance number is appended to it (e.g., [survey-link:my_survey][2]), it might mistakenly return the link/URL of the first instance instead of the correct repeating instance.
  • Bug fix: When using a Smart Chart, Smart Table, or Smart Function that has a unique report name appended to it, anytime a REDCap page would display the output of the chart/table/function, it would mistakenly log an individual "Data export" event on the Logging page for every chart/table/function having a unique report name.

Version 11.4.0 (released on 2021-10-11)

 

  • New action tag: @IF - Allows various action tags to be set based on conditional logic provided inside an @IF() function - e.g., @IF(CONDITION, ACTION TAGS if condition is TRUE, ACTION TAGS if condition is FALSE). Simply provide a condition using normal logic syntax (similar to branching logic), and it will implement one set of action tags or another based on whether that condition is true or false. For example, you can have @IF([yes_no] = '1', @HIDDEN, @HIDE-CHOICE='3' @READ-ONLY), in which it will implement @HIDDEN if the 'yes_no' field's value is '1', otherwise, it will implement the two action tags @HIDE-CHOICE='3' and @READ-ONLY. If you wish not to output any action tags for a certain condition, set it with a pair of apostrophes/quotes as a placeholder - e.g., @IF([my_radio]='1', @READONLY, ''). You may have multiple instances of @IF for a single field. You may also have multiple nested instances of @IF() inside each other. Both field variables and Smart Variables may be used inside the @IF condition. The @IF action tag is also evaluated for a given field when downloading the PDF of an instrument/survey, in case there are any PDF-specific action tags used inside of @IF(). Note: The conditional logic will be evaluated only when the survey page or data entry form initially loads; thus the action tag conditions will not be evaluated in real time as data is entered on the page.
  • New feature: Protected Email Mode
    • Users can enable the Protected Email Mode on any project on the Project Setup via the Additional Customization dialog. This setting prevents identifying data (PHI/PII) from being sent in outgoing emails for alerts, survey invitations, and survey confirmation emails.
    • If enabled, either A) all alerts, survey invitations, and survey confirmation emails or B) those whose email body is attempting to pipe data from Identifier fields will be affected, in which it will not send the full email text to the recipient but will instead send a surrogate email containing a link that leads them to a secure REDCap page to view their original email. If someone is accessing an email in the Protected Email Mode for the first time (or for the first time in the past 30 days), it will send a security code to their inbox that will allow the recipient to view any protected emails for up to 30 days on that same device. The Protected Email Mode is similar to Microsoft Outlook's "sensitivity label" feature.
    • When enabled in a project, users may specify custom text/HTML to display at the top of the sent email and of the web page where the original email is viewed. This will allow users to also display logos/images pertaining to their project or institution.
    • This feature can be disabled in all projects via a global setting on the Modules/Services Configuration page in the Control Center.
  • New feature: Email Logging page
    • This is a new project page that contains a search interface to allow users with User Rights privileges to search and view ALL outgoing emails for that project (also includes searching and viewing of SMS messages if using Twilio services).
    • This feature can be disabled in all projects via a global setting on the Modules/Services Configuration page in the Control Center.
    • “Re-send email” feature - When viewing an individual email after performing a search on the page, a “Re-send email” button will be displayed in the dialog to allow users to re-send the email. Note: If the original email contained email attachments, the attachments will not be included in the email that is re-sent.
    • Only users with User Rights privileges in the project may access the page, and additionally they must opt-in and agree to a disclaimer before being able to view the page. The following text will be presented to the user before accessing the page: “Before viewing and accessing this page, you must first agree that you understand the following important information and conditions. This page is only accessible by users having User Rights privileges in this project. The Email Logging feature allows users to search and view *all* outgoing emails related to this project, and this includes being able to view all aspects of any given email (i.e., the recipient(s), sender, subject, message body, attachment names). If you are using anonymous surveys in this project, keep in mind that viewing this page and the emails displayed therein might inadvertently cause anonymous survey responses to be identifiable/de-anonymized. Additionally, if the project is using Data Access Groups, you will be able to view the emails related to all DAGs in this project (and thus possibly any data piped into the body of those emails). If you understand and agree to these conditions, click the button below. Please note the act agreeing to this disclaimer will be documented on the project Logging page.”
  • Improvement: New "Banned IP Addresses" page in the Control Center allows administrators with "Manage User Accounts" privileges to add or remove IP addresses to/from the blocklist of banned IP addresses for the REDCap installation. The IP addresses listed on that page are IPv4 or IPv6 addresses that have been blocked manually using that page or have been banned automatically via the Rate Limiter feature (enabled on the General Configuration page in the Control Center).
  • Improvement: When using the "Reason for Change" feature in a project, a new button is displayed underneath each "reason for change" textbox on the Data Import Tool summary page. Users can simply click the button to copy the text to all other "reason for change" textboxes on the page, thus saving the time of adding text to each one individually. This feature is the integration of Luke Steven’s “Copy Change Reason” external module, which will be automatically disabled at the system-level when upgrading to (or past) REDCap 11.4.0 to prevent any conflicts.
  • Improvement: New data export option - Export blank values for gray instrument status
    • All instrument complete status fields having a gray icon can be exported either as a blank value or as “0”/“Incomplete”. In previous versions, they could only be exported as “0”. By default, they are now exported with a value of “0”, but this option can be changed via a drop-down option in the “Advanced data formatting options” section of the data export dialog.
    • When exporting the Project XML file with both metadata & data, the option to export gray instrument status as a blank value will be preselected by default, whereas in other data export contexts (e.g. My Reports & Exports page), the option to export them as “0” will be preselected by default.
    • The API method “Export Records” has a new optional parameter “exportBlankForGrayFormStatus” that can accept a boolean (true/false) with default value = false, and it functions the same as its equivalent data export option in the user interface.
    • Note: Exporting gray instrument statuses as blank values is recommended if the data will be re-imported into REDCap. For example, when users export a Project XML file for a project and then create a new project with it, all the gray instrument status icons will be preserved in the new project, whereas in previous versions they were all converted into red status icons.
  • Improvement: New option “Allow normal users to edit their primary email address on their Profile page” on the User Settings page in the Control Center. This setting will be enabled by default, but an admin can disable it if they wish to prevent any users from modifying their primary email address for their user account.
  • Improvement: The developer methods REDCap::getSurveyLink() and REDCap::getSurveyQueueLink() now have an optional parameter "project_id" that (when provided) allows one to call the method outside of that target project's context. If project_id is not explicitly provided, then the methods must still be called within their target project's context.
  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text on the Project Setup page.
  • Major bug fix: When a repeating instrument has data entered on multiple repeating instances, and then afterward the instrument is made to no longer be repeatable, then any new data entered on that data entry form for fields that already have data on other instances might mistakenly get stored in the wrong repeating instance (i.e., get orphaned in the "redcap_data" database table) and thus would fail to be seen when reloading the form again. (Ticket #115308)
  • Improvement/change: New LOINC codes were added for CDIS-related functionality.
  • Change: All CDIS-related features and functionality now utilize a centralized set of assets in the code, rather than each feature having only their own private set of assets. This change reduces the entire size of the REDCap code by half, thus saving lots of space on the REDCap web server.
  • Various updates and fixes for the External Module Framework, such as the following: PID parameter safety improvements, Documentation updates, Prevented unnecessary errors from the Portable UTF-8 library's auto-redirection, Increased the setting lock timeout, and Fixed a getSafePath() case with absolute paths.
  • Bug fix: When a user creates a new alert, the "Email From" address is now validated on the server side to ensure it is valid and belongs to a user in the project (or belongs to an administrator, if the current user is an admin that is not a user in the project).
  • Bug fix: The green label "Field is embedded elsewhere on page" mistakenly doesn't show up for SQL fields on the Online Designer (Ticket #114889).
  • Bug fix: For some REDCap installations, the redcap_new_record_cache database table might have an incorrect table collation.
  • Bug fix: When clicking any of the "All..." buttons at the top of the Data Quality page to execute multiple data quality rules, some rules might randomly return an error message by mistake. Bug emerged in REDCap 11.3.4 Standard. (Ticket #102636)
  • Bug fix: For surveys that have a "Size of survey text" setting set to "Large" or "Very Large", any slider fields on the survey page that display their number value to the right might mistakenly display the value textbox as too narrow in certain situations. (Ticket #114920)
  • Bug fix: When using the @CALCDATE action tag with certain values entered for the date/datetime field used in the calculation, it might cause the page to unexpectedly crash with a fatal PHP error when running PHP 8. (Ticket #114831)
  • Bug fix: The API Tokens page in the Control Center would mistakenly not display the "Last Used" timestamp for some users displayed in the tables on the page. Also, some AJAX calls that load the drop-down lists on the page might fail in certain cases. Additionally, the "Manage API tokens by Project" drop-down would mistakenly not display its full list of options when the page initially loads but only fully loads after an option is selected from it. (Ticket #114834)
  • Bug fix: When uploading a CSV file of Automated Survey Invitations in the Online Designer, any datetimes set for the "Send on exact date/time" setting (including reminders) might mistakenly not get saved correctly. (Ticket #115024)
  • Bug fix: Page-view information for plugins and external modules was mistakenly not getting stored in the redcap_log_view table and thus such information was not being displayed on the MySQL Dashboard page in the Control Center.
  • Bug fix: The feature that detects database structure issues might mistakenly create false negatives in specific cases where a database table's collation isn't correct, thus allowing the issue to go unnoticed.
  • Bug fix: The "Manage All Project Tokens" tab on the API page in a project might mistakenly fail to load the table of users.
  • Bug fix: When using [aggregate-X] Smart Functions in branching logic or calculations, an error message might mistakenly display on the page saying that errors exist if any of the [aggregate-X] functions return a blank value. (Ticket #115235)

Version 11.3.4 (released on 2021-09-23)

 

  • Improvement: When executing many data quality rules at once, the rules now finish 3X faster in total. Instead of running only one rule at a time in a serial fashion, REDCap now executes three rules simultaneously when clicking the "All", "All except A&B", and "All custom" buttons at the top of the Data Quality page.
  • Improvement: SQL fields can now be used in the following Smart Charts: bar-chart, pie-chart, and donut-chart. (Ticket #107115)
  • Improvement: SQL fields can now be used as Live Filters in reports. (Ticket #8791)
  • Bug fix: When using a Text Box field with date, time, datetime, or datetime w/ seconds validation as the x-axis field for a [scatter-plot] Smart Chart, the chart would mistakenly not display the data correctly. (Ticket #107721)
  • Change: Added the "Microsoft Authenticator" mobile app as a two-factor authentication method that is equivalent to using the "Google Authenticator" mobile app.
  • Change: When viewing a report while using a mobile device, it will no longer enable the floating table headers or floating first column automatically for the report table. This was changed because the floating headers/column made it difficult to view parts of a report while on a mobile device with a small screen.
  • Bug fix: Slider fields that have HTML inside the slider labels might mistakenly not display correctly in a downloaded PDF of an instrument.
  • Bug fix: When using the @DOWNLOAD-COUNT action tag on fields displayed on a report, if the download trigger field exists on that same report, then attempting to download the file would cause a JavaScript error on the page.
  • Bug fix: If a field is used as a Live Filter in a report, in which some values for that field contain spaces or other characters that might get URL-encoded, it would mistakenly cause the Live Filter not to return any values in the report.
  • Bug fix: The real-time logic validator in the Logic Editor popup might mistakenly fail and would return a false positive saying that the logic is invalid if the logic contains certain Smart Variables, such as [record-name].
  • Bug fix: When using the API Playground and selecting certain drop-downs, such as the Forms drop-down list, they might mistakenly result in an error from the API. This only affects the API Playground and does not affect the API in general. (Ticket #114563)
  • Bug fix: When a user has been assigned to multiple Data Access Groups via the DAG Switcher, the User Rights page would mistakenly not correctly display the number of DAGs to which they are assigned if the user's username contained a capital letter when they were added to the project. (Ticket #114550)

Version 11.3.3 (released on 2021-09-17)

 

  • New API method “Rename record” and new developer method REDCap::renameRecord() allows users/developers to rename a record in a project. For multi-arm longitudinal projects where a record might exist on multiple arms, the $arm number can be specified to rename the record only on the specified arm, otherwise by default it will rename the record in all arms in which it exists.
  • Change: Renamed the "My Profile" page to "Profile".
  • Change/improvement: Added “ICD-10 Australian Modification” to the list of parsed coding systems in the Condition resource for Clinical Data Interoperability Services (both CDP and Data Mart).
  • Bug fix: Clicking the download link for a File Upload field that is utilized in another field's @DOWNLOAD-COUNT action tag would mistakenly not trigger calculations or branching logic on the page.
  • Bug fix: When performing cross-form/cross-event calculations (via data entry forms and surveys) or auto-calculations (via data import) - including both calc fields and @CALCTEXT fields - in a longitudinal project, in some cases the calculated value would mistakenly be saved in events that currently have no data. Calculated fields should only operate and save a value in events that already contain data. (Ticket #113972)
  • Bug fix: When using the eConsent Framework for one or more surveys in a project, the PDF Survey Archive tab in the File Repository might mistakenly not display the "Download All" button unless at least two records exist in the project. Additionally, the drop-down filter to view "only eConsent files" would mistakenly display zero records after being selected if fewer than three records exist in the project. (Ticket #114091)
  • Bug fix: When using the Double Data Entry module, instead of seeing the correct colored form status icons, a user that is DDE person 1 or 2 would mistakenly see all gray status icons for instruments on the Record Status Dashboard and on the left-hand menu while viewing a record. (Ticket #114068)
  • Bug fix: Conditional logic used for a survey in the Survey Queue might mistakenly not evaluate correctly in specific cases, such as when using certain Smart Variables (e.g., [record-dag-name]). (Ticket #114181)
  • Bug fix: When using the [survey-link] or [survey-url] Smart Variables in a longitudinal project in which a literal instance number is appended to it (e.g., [event_1_arm_1][survey-link:my_survey][2]), it would mistakenly always return the link/URL of the first instance instead of the correct repeating instance.
  • Bug fix: When piping a datetime- or time-validated Text Box field on the same page as where the field itself is located while using the ":ampm" piping parameter, it might mistakenly pipe the value as-is instead of converting it to the AM/PM format. Additionally, it might mistakenly pipe the literal text "undefined:NaNam" if the field's value is set as blank/null in real time while on the page. (Ticket #114247)
  • Bug fix: The Custom Application Links page in the Control Center might crash due to a PHP compatibility error when using PHP 8.0. This might also occur when downloading the User-DAG Assignments CSV file on the User Rights page. (Ticket #114292)
  • Bug fix: Downloading the User-DAG Assignments CSV file on the User Rights page might produce an incorrectly structured CSV file. (Ticket #114292)

Version 11.3.2 (released on 2021-09-10)

 

  • Improvement: The Project Revision History page now displays icons next to each production revision and snapshots, and after being clicked, will display options to compare that revision/snapshot with any other revision/snapshot in the project. (This feature represents the integration of the "Data Dictionary Revisions" external module created by Ashley Lee at BC Children's Hospital Research Institute).
  • Improvement: When using the eConsent Framework in a project, the "PDF Survey Archive" tab on the File Repository page now displays a "Download all" button that will download all PDF files displayed on the page in a single zip file. Additionally, there is a record filter drop-down list and a "file type" drop-down list, which distinguishes between general "PDF Auto-Archiver" PDFs and "eConsent Framework" PDFs. Note: If a user is in a Data Access Group, they will only be able to download and filter on records in their DAG.
  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in various places.
  • Bug fix: Fix for PHP 8 compatibility issue when entering data on a repeating instrument in specific cases. (Ticket #113507)
  • Bug fix: When creating a new instrument via the Online Designer, the "Close" button in the success dialog would mistakenly say "Close2" instead. (Ticket #113587)
  • Bug fix: The discrepancy result for Data Quality rules A and B would mistakenly display fields that exist on instruments for which the current user does not have Data Viewing Rights. (Ticket #113589)
  • Bug fix: If a checkbox field contains an invalid/stale value (i.e., not a currently existing choice) in the database backend, and then a Missing Data Code is saved for the field via a data entry form, both the invalid/stale value and the missing data code value will stay stored in the backend, and the data entry view mistakenly will not show that a missing data code has been saved for the field. (Ticket #113763)

Version 11.3.1 (released on 2021-09-03)

 

  • New feature: “DAG Switcher” API method - When using the DAG Switcher functionality in a project, this method allows users to move themselves in and out of a Data Access Group at will using the API just as they would do the same thing in the user interface (assuming they have been assigned to multiple DAGs on the DAG Switcher page).
  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL for the project Logging page.
  • Change: All cookies created on the client side (JavaScript) will now have the same "SameSite" and "Secure" attributes as cookies created on the server side (PHP). This helps improve general security.
  • Bug fix: When using the Clinical Data Interoperability Services, specifically the CDP Field Mapping page, some translated mappable fields might not display correctly on the page and would mistakenly be garbled.
  • Bug fix: If the user clicks the "Piping" or "Smart Variables" help buttons inside the “Add new alert” dialog on the Alerts & Notifications page, and then the user hits their ESC key on their keyboard, it would mistakenly close the “Add new alert” dialog (i.e., the dialog on the bottom) rather than the dialog on the top. (Ticket #112745)
  • Bug fix: When using the "Save a PDF of completed survey response to a File Upload field" feature, the resulting PDF that gets saved to the File Upload field would mistakenly hide (not display) any fields in the PDF containing the @HIDDEN or @HIDDEN-SURVEY action tag. In that particular PDF export, only fields with @HIDDEN-PDF should be hidden (not displayed) in the PDF. (Ticket #113197)
  • Bug fix: For projects with Data Access Groups, users that are not currently assigned to a DAG would mistakenly not see the DAG filter drop-down displayed on the Logging page. That drop-down should normally be displayed for users not assigned to a DAG. (Ticket #113188)
  • Bug fix: When using Duo as a Two Factor Authentication option, it would mistakenly initiate the Duo 2FA process before the user even selects the Duo option from the list of choices to use when logging in. (Ticket #113193)
  • Bug fix: When deleting an instance of a repeating event on the Record Status Dashboard, it might still cause that empty event instance to be displayed in reports and data exports. (Ticket #17859b)
  • Bug fix: Due to a fatal PHP error when using certain versions of PHP, attempting to upload a signature on a survey or data entry form would mistakenly fail. (Ticket #113234)
  • Change: Any multi-select drop-downs that are enhanced using the Select2 JavaScript library (e.g., the "Email To" field when creating/editing an alert) now display a down arrow on their right edge to better indicate that they are a clickable drop-down list.
  • Bug fix: Real-time piping (i.e., performed via JavaScript after the page has already loaded) might mistakenly truncate the piped text in certain cases where a "<" character is used in the piped field's value. (Ticket #113237)
  • Change: The REDCap Install page now returns a notice to anyone who accesses it that the page is no longer functional or available if it detects that REDCap has already been fully installed.
  • Bug fix: If the File Version History feature was disabled at the system level but was still enabled for an individual project (according to the value of that setting in the redcap_projects database table), the feature might mistakenly function in some capacity in the user interface within the project but might cause issues for other features on the page. If this feature is disabled at the system level, it should by default also be disabled in all projects. (Ticket #113131)
  • Change: In all outgoing emails, the "font-size" attribute for the "body" tag is no longer explicitly defined in the HTML of the email. This should have little (if any) effect on the appearance of emails sent from REDCap.
  • Bug fix: On the Alerts & Notifications page, some alert settings might mistakenly not get saved when changed on an existing alert. (Ticket #113363)
  • Bug fix: When editing a user's privileges on the User Rights page, the expiration date text box might mistakenly not display the full date because the text box is too narrow. (Ticket #113357)
  • Bug fix: When the Table-based authentication setting "Force users to change their password after a specified number of days" has been enabled while also using Two Factor Authentication, it might mistakenly display the "Password will expire soon" popup warning on top of the 2-step login, in which clicking the "Change my password" button might cause issues with the 2-step login process for the user. It now still displays the popup dialog, but it functions now more as an information-only warning to let users know that they need to change their password as soon as they finish the login process. (Ticket #113393)
  • Bug fix: When deleting a file for a Signature field or File Upload field on a data entry form or survey page, it was mistakenly deleting the file in the backend database when the user clicked the "Remove file" link when it should instead only be deleting the file after they click "Remove file" *and also* then save the page via a Save button. This fix makes it consistent with how files are saved when uploaded, in which the add/delete action is finalized only when the Save button is clicked on the page. (Ticket #113058)
  • Bug fix: The email test on the Configuration Check page might mistakenly fail and display a false negative for certain email server configurations despite the fact that emails are able to be sent successfully out of REDCap in all other places in the application.
  • Bug fix: When the "URL shortening service" setting is disabled on the Modules/Services Configuration page in the Control Center, it would still mistakenly display the option to create a custom/short URL for public reports and public project dashboards. It should not be displayed as an option in those places when disabled at the system level. (Ticket #112895)
  • Bug fix: When viewing the draft mode changes for a production project, any field with branching logic that is being modified might mistakenly get truncated or display incorrectly on the page if the branching logic contains "<>". (Ticket #113237b)
  • Bug fix: When navigating in a project on a mobile device, in which the user has been assigned to multiple Data Access Groups via the DAG Switcher, the blue toolbar at the top of the page for switching DAGs would mistakenly not be visible. (Ticket #113459)
  • Bug fix: In a longitudinal project, Data Quality rules A and B might mistakenly not return a discrepancy when a field is missing a value in which the field's branching logic contains a Smart Variable and also does not have a unique event name or X-event-name prepended to all the field variables used in the rule logic. (Ticket #111474)
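
The 11.3.1 change above that gives client-side (JavaScript) cookies the same "SameSite" and "Secure" attributes as server-side cookies can be checked with a small helper. This is an added example, not REDCap source code; the policy values, the cookie name `ui_pref` and all function names are assumptions, since the change log does not state which attribute values REDCap uses.

```javascript
// Added illustration, not REDCap code. Constructed policy standing in for the
// attributes the server (PHP) applies to its own cookies (assumed values).
const SERVER_POLICY = { sameSite: 'Lax', secure: true, path: '/' };

const SAMESITE_VALUES = ['Strict', 'Lax', 'None'];

// Build the string assigned to document.cookie so that a client-created
// cookie carries the same SameSite and Secure attributes as the server's.
function buildClientCookie(name, value, policy = SERVER_POLICY) {
  // Cookie names are RFC 6265 tokens: no spaces, separators or control chars.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  if (!SAMESITE_VALUES.includes(policy.sameSite)) {
    throw new Error(`invalid SameSite value: ${policy.sameSite}`);
  }
  // Browsers reject SameSite=None cookies that are not also Secure.
  if (policy.sameSite === 'None' && !policy.secure) {
    throw new Error('SameSite=None requires Secure');
  }
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    `Path=${policy.path}`,
    `SameSite=${policy.sameSite}`,
  ];
  // A Secure cookie is only accepted when the page itself is served over HTTPS.
  if (policy.secure) parts.push('Secure');
  return parts.join('; ');
}

// Extract the name and the two attributes of interest from a cookie string.
function parseCookieAttributes(cookieString) {
  const [pair, ...attrs] = cookieString.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const found = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    sameSite: null,
    secure: false,
  };
  for (const attr of attrs) {
    const [key, val] = attr.split('=');
    // Attribute names and SameSite values are case-insensitive.
    if (key.toLowerCase() === 'samesite') found.sameSite = (val || '').toLowerCase();
    if (key.toLowerCase() === 'secure') found.secure = true;
  }
  return found;
}

// Audit a cookie string written by client code against the server policy and
// return a list of deviations (empty list means the attributes match).
function auditClientCookie(cookieString, policy = SERVER_POLICY) {
  const found = parseCookieAttributes(cookieString);
  const issues = [];
  if (found.sameSite === null) {
    issues.push('SameSite missing');
  } else if (found.sameSite !== policy.sameSite.toLowerCase()) {
    issues.push(`SameSite is ${found.sameSite}, server uses ${policy.sameSite}`);
  }
  if (policy.secure && !found.secure) issues.push('Secure missing');
  return issues;
}

// Constructed samples: a cookie set without the attributes, and one built
// with the helper.
const legacyCookie = 'ui_pref=collapsed; path=/';
const alignedCookie = buildClientCookie('ui_pref', 'collapsed');
console.log(auditClientCookie(legacyCookie));
console.log(auditClientCookie(alignedCookie));
```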

Version 11.3.0 (released on 2021-08-27)

 

  • New action tag: @RICHTEXT - Adds the rich text editor toolbar to a Notes field to allow users/participants to control the appearance (via styling and formatting) of the text they are entering into the field.
  • New API methods
    • Delete User - Remove a specified user from a project.
    • Export User Roles - Returns a list of user roles, including their role name, unique role name, and privileges, from a project.
    • Import User Roles - Allows one to create new roles (specifying their role name and privileges) or edit the role name and privileges of existing roles.
    • Delete User Role - Deletes a specified user role from a project.
    • Export User-Role Assignment - Returns a list of project users and the user role to which each is assigned.
    • Import User-Role Assignment - Allows one to assign, reassign, or unassign one or more users to/from a user role in a project.
  • New features: New drop-down options on the User Rights page to allow users to perform the tasks listed below using a CSV file in the user interface.
    • Upload users and their privileges
    • Download users and their privileges
    • Upload user roles and their privileges
    • Download user roles and their privileges
    • Upload user role assignments
    • Download user role assignments
  • New developer method: REDCap::deleteRecord() - Plugin/hook/module developers may utilize this new method to delete entire records from a project or to delete the data from a specified instrument, event, or repeating instrument/event for specific records.
  • Improvement: More options/parameters for the API Delete Record method - Users can now specify instrument, event, and/or repeat_instance to delete the data from a specified instrument, event, or repeating instrument/event for the records specified in the API request. In previous versions, the only option was to delete the entire record.
  • Change/improvement: When an administrator is reviewing a user's submitted production changes for Draft Mode on the "Project Modification Module" page and then clicks the "Compose confirmation email" button in the blue "Administrator Actions" box, the email template displayed in the dialog now contains clearer wording to help users better understand how to respond. This helps make the production change process faster and more efficient.
  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in REDCap Messenger.
  • Change: If new instruments are created in a project while in production status, all users and user roles will no longer automatically get full "View & Edit" rights to that instrument for their Data Viewing Rights but instead will receive "No Access (Hidden)" rights by default for new instruments. When in development status, the instrument-level rights still defaults to "View & Edit" for new instruments. This change helps improve security when a project is in production to ensure that users do not accidentally gain access to data that they should not see if new instruments are still being added to the project. (Ticket #54096)
  • Change/improvement: When viewing the Record Status Dashboard in which one or more repeating instrument tables are displayed at the bottom of the page, if any of the tables were collapsed on a previous visit of the page, the page will load much faster, especially for records containing hundreds or more repeating instances.
  • Bug fix: Some email addresses that are entered into the value of a Text or Notes field might mistakenly not get converted into a clickable "mailto" link when viewed on a report.
  • Bug fix: When exporting and importing a Project XML file, the Survey Queue setting "Keep the Survey Queue hidden from participants?" (if enabled) would mistakenly not get enabled in the new project created from the XML file.
  • Bug fix: When calling the Export Records API method and providing the "fields" parameter, in which the parameter's value only contains the variable names of one or more Descriptive fields in the project, it would mistakenly return data for all fields instead.
  • Bug fix: When using the DDP Custom feature, required parameters (i.e., user, project_id, redcap_url) were mistakenly not being sent to the custom metadata web service.
  • Bug fix: Fields with the @DEFAULT action tag might mistakenly not get prefilled with the default value on the page if any fields on that same instrument contain saved data and have the @CALCDATE or @CALCTEXT action tag. (Ticket #110331)
  • Bug fix: If the "Save & Return Later" feature is enabled for a survey in a project that also has the "Survey Login" feature enabled, if a participant clicked the "Save & Return Later" button on a public survey, it would mistakenly display information about a Return Code, which is actually not needed and is confusing because it is inaccurate.
  • Bug fix: If a user is requesting that an administrator generate an API token for them, it would mistakenly not log the admin's action of generating the token. Technically, the action was being logged but was just not available on the Logging page in the project for which it was requested.
  • Bug fix: When using multiple action tags together on a single field, in which the action tags have values inside single quotes or double quotes (e.g., @NONEOFTHEABOVE='1,2,3' @HIDECHOICE='4'), the action tags might mistakenly not get parsed correctly, thus causing them not to function correctly in some cases. (Ticket #113018)
  • Bug fix: When the project-level setting "Prevent branching logic from hiding fields that have values" is enabled, it might cause an error popup to appear on survey pages when a field with a value is trying to be hidden by branching logic. (Ticket #113054)

Version 11.2.6 (released on 2021-08-20)

 

  • Improvement: On the External Modules page in a project, users with appropriate privileges may now import and export the configuration settings for any module that is enabled in the project. This feature functions as a convenience by allowing users to easily migrate the configuration settings of one or more modules to another project that has the same module(s) enabled.
  • Improvement: If a user is not assigned to a Data Access Group in a project, the user will now see a new "[No assignment]" option in the "Displaying Data Access Group" drop-down list on the Record Status Dashboard, in which selecting that option will display only records that have not been assigned to any DAG.
  • Change/improvement: "Previous instrument" and "Next instrument" buttons were added at the top right of the Online Designer field-view page to allow easier navigation between instruments. (Ticket #101057)
  • Minor security improvement: Removed the usage of the PHP function "mt_rand" in the source code, and replaced it with the more cryptographically secure PHP function "random_int".
  • Bug fix: When copying a project, it mistakenly does not copy the Data Entry Trigger URL into the new project. (Ticket #112269)
  • Bug fix: When a project has the setting "Delete a record's logging activity when deleting the record?" enabled on the Edit A Project's Settings page, it would mistakenly not display the checkbox option to allow users to additionally delete a record's logging when deleting the record itself via the Record Home Page. (Ticket #112239)
  • Bug fix: When downloading a CSV export of various things in REDCap (e.g., Notification Log export, Data Access Groups export), it might fail to add a BOM (Byte Order Mark) to the CSV file if the file contained UTF-8 characters. The Byte Order Mark is required to open UTF-8 encoded CSV files correctly in certain spreadsheet applications, such as Microsoft Excel. (Ticket #112239)
  • Bug fix: If all the discrepancies of any Data Quality rule have been excluded, it would mistakenly not display the "view" link next to the rule (even though it returns "0" results) after the rule had finished running. It is necessary to still display the "view" link so that users can click it in order to view the exclusions inside the dialog. (Ticket #112294)
  • Bug fix: When clicking "Cancel" inside the Logic Editor dialog, it might mistakenly revert the value of the text box being modified to the value of another text box that was previously edited via the Logic Editor while on that same page. (Ticket #101200b)
  • Bug fix: When exporting and then importing an instrument via the Instrument Zip file in the Online Designer, in which the instrument is enabled as a survey, it might fail to import the instrument in the zip file successfully. (Ticket #112346)
  • Bug fix: Any generated zip files would mistakenly fail upon creation and thus return an empty zip file when using Google Cloud Storage as the File Storage Method (as defined on the File Upload Settings page in the Control Center).
  • Bug fix: The developer method REDCap::getSurveyQueueLink() would mistakenly always return NULL.
  • Bug fix: Multiple blank rows in the table displayed on the survey queue page might mistakenly take up too much room on the page. (Ticket #110914)
  • Bug fix: When a survey is set to "Auto-continue to next survey" in the Survey Termination Options on the Survey Settings page while the other survey setting "Prevent survey responses from being saved if the survey ends via Stop Action?" is set to "Do NOT save the survey response...", the survey would mistakenly continue to the next survey if the participant triggered the survey to end via a Stop Action.
  • Bug fix: When viewing the data entry form for a survey-enabled instrument, if the Compose Survey Invitation dialog is opened on the page, then closed, and then opened again without refreshing the page, the rich text editor in the dialog would mistakenly not be initiated anymore. (Ticket #96574)
  • Bug fix: Custom Application Links (which are to be displayed on the left-hand project menu) were mistakenly only visible to users with User Rights privileges in the project. (Bug #112651)

Version 11.2.5 (released on 2021-08-13)

 

  • Improvement/change: Any HTML used in the value of a Text field or Notes field will no longer be escaped on a report (i.e., displayed as-is) but instead the HTML will be interpreted on the report to allow for the styling of text on the page. This means that while previous versions would have displayed the text value "<b>Word</b>" literally as "<b>Word</b>" (without quotes) on a report, it now instead displays "Word" as bolded text on a report. Note: This does not affect data exports or any pages other than reports.
  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into user-defined text. (Ticket #112003)
  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by uploading a malicious file to a File Upload field on a survey page or data entry form, and then tricking someone into executing the file by providing them with the URL of a specific end-point in the application to navigate to.
  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the user-defined URL of a Project Bookmark. (Ticket #112021)
  • Bug fix: When clicking the "Re-evaluate Alerts" button on the Alerts & Notifications page in a longitudinal project in which an alert is set to be triggered when an instrument status is complete and when the specified conditional logic is true, it would cause alerts to get triggered on events where the logic is true but where the instrument status is not complete. (Ticket #111866)
  • Bug fix: If a malicious user knows how to manipulate some AJAX requests for REDCap Messenger, they might be able to post messages to Messenger threads to which they do not belong, including the ability to post to the General Notifications channel while not being an administrator.
  • Bug fix: Fixed typo in email-related error message. (Ticket #112126)
  • Bug fix: Fix for PHP 8 error message when viewing contributors of a survey response. (Ticket #112144)
  • Bug fix: Logic (including branching logic, conditional logic, and calculations) might not get parsed correctly and thus might return an incorrect result if Smart Variables are used in the logic and also while an element in the logic has a blank value that appears on the left side of an equals sign - e.g., [user-dag-name] = 'vanderbilt' (assuming [user-dag-name] is blank). (Ticket #112010)
  • Bug fix: When survey participants attempt to download a file belonging to a File Upload field while on a survey page, it might mistakenly display the error message "NOTICE: This file is no longer available for download". Bug emerged in the previous version of REDCap.
  • Bug fix: If a calculated field is utilizing a date and datetime value that are used together in the same datediff() function, if the date value happens to be today's date, it might return an incorrect value (typically a value of "0"). (Ticket #112183)
  • Bug fix: When a project is not using "Default Encoding" for "Character encoding for exported files" on the Edit Project's Settings page, calling the API Export PDF method might mistakenly return a corrupt, unopenable PDF file. (Ticket #112035)
  • Bug fix: The Text-To-Speech functionality on survey pages did not work on mobile devices, iOS, or in the Safari web browser in previous versions. It should now work successfully for all platforms and browsers. (Ticket #111739)
  • Bug fix: The Smart Variable [bar-chart] might mistakenly mislabel the groupings in a bar chart that uses color grouping using a multiple choice field if there are no records that have a value for a specific choice for the multiple choice field. For example, if a grouping field has choices "One", "Two", and "Three", in which no records in the project have "Two" selected, then the resulting bar chart might mislabel all the "Three"s as "Two".

Version 11.2.4 (released on 2021-08-06)

 

  • Bug fix: When downloading a Descriptive field attachment while on a survey page, it might mistakenly return an error message and prevent the participant from downloading the file.
  • Bug fix: When downloading a file for a File Upload field or an attachment for a Descriptive field, in which that file is being counted via the @DOWNLOAD-COUNT action tag on another field, the download count would not get successfully incremented for the @DOWNLOAD-COUNT field when the file is downloaded on a survey page (as opposed to on a report or data entry form).
  • Bug fix: When downloading a file for a File Upload field or an attachment for a Descriptive field, in which that file is being counted via the @DOWNLOAD-COUNT action tag on another field, it might mistakenly attempt to save the incremented value to a non-existent record (as seen in the logging) when the file is downloaded on a public survey that has not been saved yet (i.e., the record does not yet exist).

Version 11.2.3 (released on 2021-08-06)

 

  • New action tag: @DOWNLOAD-COUNT - The @DOWNLOAD-COUNT action tag provides a way to automatically count the number of downloads for a File Upload field or a Descriptive field attachment. It can be used on a Text field or Notes field so that its value will be incremented by '1' whenever someone downloads the file for either a File Upload field or a Descriptive field attachment. The variable name of the File Upload field or Descriptive field whose downloads are to be counted should be provided inside the @DOWNLOAD-COUNT() function. For example, the Text field 'my_download_count' might have its action tag defined as @DOWNLOAD-COUNT(my_upload_field), in which 'my_upload_field' is the variable of a File Upload field. Whenever the file is downloaded on a data entry form, survey page, or report, the value of the field with this action tag will be incremented by '1'. If that field has no value or has a non-integer value, its value will be set to '1'. NOTE: The download count field must be in the same context as the File Upload field or a Descriptive field. This means that in a longitudinal project the two fields must be on the same event, and in a repeating instrument context, they must be on the same repeating instrument.
  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into a field's value on a data entry form or survey page.
  • Change/improvement: The Configuration Check page now checks to ensure that the "Email Address of REDCap Administrator" on the General Configuration page has a valid email entered. Without an email entered there, some features might not work correctly.
  • Change: Updated setup instructions zip file for Clinical Data Interoperability Services by including a new CDIS Manual (PDF) in the zip file.
  • Bug fix: When a PDF of a survey response is sent in a confirmation email after completing a survey, saved via the survey setting “Save a PDF of completed survey response to a File Upload field”, or saved via the e-Consent Framework in the File Repository, it would mistakenly not store the survey version of the PDF (containing the survey title and instructions) but instead would store the data entry form version of the PDF.
  • Bug fix: When editing the value of the Secondary Unique Field in a longitudinal or repeating instance context, it might mistakenly log the change extra times unnecessarily. (Ticket #110740)
  • Bug fix: Making a call to the Import Records API method when importing zero records might cause an Out of Memory error. (Ticket #110761)
  • Bug fix: When using Internet Explorer 11, clicking on a slider field or matrix of fields might mistakenly cause the screen to scroll to the top of the page. (Ticket #111202)
  • Bug fix: When using Internet Explorer 11, trying to expand/collapse a project folder on the My Projects page would fail to work due to a JavaScript issue. (Ticket #111553)
  • Bug fix: The REDCap cron job named "AlertsNotificationsSender" might unexpectedly crash for PHP 8 in certain circumstances. (Ticket #110702)
  • Bug fix: Since Twilio limits SMS messages to 1600 characters, to prevent errors from being returned from a failed request to Twilio for very long text messages, REDCap now automatically breaks an SMS into multiple parts if it exceeds the 1600 character limit. (Ticket #110440)
  • Bug fix: When making API data imports without any data being imported (i.e., blank or missing value for the "data" API parameter), it might behave erratically and cause a PHP error. It now correctly returns the error message "No data was provided". (Ticket #110761)
  • Bug fix: After copying a user role, a text box would mistakenly appear on the User Rights page below the instruction text.
  • Bug fix: When exporting a PDF of an instrument with the character encoding set as Japanese (SJIS), for certain server configurations or PHP versions it might crash with a fatal PHP error. (Ticket #111593)
  • Bug fix: When editing a user role in a project that contains Data Access Groups, it would mistakenly display the "Assign To DAG" drop-down list in the dialog, which should not be displayed when editing roles.
  • Bug fix: When a project contains repeating events in which a report has filter logic to filter out specific repeating instances (e.g., [current-instance] <> "" and [current-instance] = [first-instance]), the report might mistakenly display no results or incorrect results when there is actually data to display. This does not affect repeating instruments but only repeating events. (Ticket #110896)
  • Change: Added clarifying text regarding the behavior of non-active Automated Survey Invitations in the ASI dialog in the Online Designer. (Ticket #111182)
  • Bug fix: In a project using Twilio telephony services, any Automated Survey Invitations or manually-scheduled invitations that utilize the "Use participant's preference" option for the Invitation Type might mistakenly append the survey link to the message of the survey invitation, even when that is not desired. It now no longer appends the survey link automatically but instead sends the invitation using only the literal text defined by the user. (Ticket #111484)
  • Bug fix: When a user's account expires after the account expiration time has passed, the email sent to the user to notify them of this might be slightly incorrect and might mention user sponsors even if the user does not have a sponsor. The user sponsor related language was removed in that case.
  • Bug fix: The offline survey message that is defined on the Survey Settings page would mistakenly not perform any piping when being displayed on an inactive survey. (Ticket #111707)
  • Bug fix: Fields with the @HIDDEN-PDF action tag would mistakenly be displayed in the PDF download of the instrument when using the PDF download option "Send to printer: select 'Save as PDF' for Printer/Destination". (Ticket #111718)
  • Bug fix: If a calculated field in a longitudinal project has a cross-event calculation that contains an [X-event-name] Smart Variable, the calculation might mistakenly not get triggered when entering data on a form, survey, or via a data import.
  • Bug fix: When using Twilio SMS or Voice Call services on a survey that has only one field that is a Descriptive field, it would mistakenly ask the Form Status complete question at the end of the survey. (Ticket #111799)
  • Bug fix: When calling the surveyLink API method in which a space exists (not necessarily intentionally) at the beginning or end of the "record" parameter passed in the API request, it might cause the space(s) to mistakenly get stored in some parts of the database where the record name is stored, thus causing the Survey Login feature not to work for that particular record anymore. (Ticket #111002)

Version 11.2.2 (released on 2021-07-16)

 

  • Improvement: New piping parameter “:ampm” - When piping a time, datetime, or datetime w/ seconds Text field, appending “:ampm” to the variable name (e.g., [visit_time:ampm]) will display the time in am/pm format (e.g., 4:45pm, 10:35am) instead of military time.
  • Improvement: Ability for admins to configure the required password length and password complexity for user accounts when using Table-based authentication. These settings will default to requiring a 9-character password that must contain lowercase letters, uppercase letters, and numbers (but does not require any special characters). The following new controls have been added to the “Additional Table-based Authentication Settings” section of the Security & Authentication page in the Control Center.
    • Password Minimum Length - any length between 6 and 99 characters
    • Password Complexity options
      1. Requires both letters and numbers
      2. Requires lowercase and uppercase letters and numbers
      3. Requires lowercase and uppercase letters with either numbers or special characters
      4. Requires lowercase and uppercase letters, numbers, and special characters
  • Bug fix: When making a report "public" and when viewing the report via its public link afterward, the check that ensures Identifier fields do not exist in the report would sometimes mistakenly fail to detect Identifier fields in the report.
  • Bug fix: After making a report "public", if the report was made to be no longer public, it would mistakenly still display the report when viewing it via the public link. Instead it should display only an error message on that page (until the report has been made public again).
  • Bug fix: If a public report contains the record ID field while the Custom Record Label or Secondary Unique Field is enabled in the project, REDCap would fail to prevent the report from being shown via the public link if any of the fields used in the Custom Record Label or Secondary Unique Field are Identifier fields. (Ticket #110288)
  • Bug fix: The "Download metadata & data (XML)" button on the Other Functionality page would fail to work correctly due to a JavaScript error.
  • Bug fix: When exporting a PDF of an instrument with data, any slider fields that have a custom range defined (i.e., anything other than 0-100) would mistakenly not be displayed correctly in the PDF and might appear as if the slider has a different value. (Ticket #110391)
  • Bug fix: When a user is assigned to a Data Access Group while using record auto-numbering in a project, if the user attempts to schedule a record via the Scheduling page, it would mistakenly not generate the new record name correctly (i.e., with the DAG ID number appended to the end) when creating the new record.
  • Bug fix: Download links for File Upload fields on surveys might mistakenly still be active and might allow participants to download the file if they still have the download link (e.g., clicking on the link [my_file:link] piped inside an email). The download link is correctly no longer active if the survey or project is inactive, but it would mistakenly be active if the survey response has been completed while the survey in general is still active. This has been changed so that it will now return an error message if someone follows the download link after the survey response has been completed and is no longer active (i.e., no one can return to the survey response to modify it). (Ticket #110442)
  • Bug fix: When creating a user role in a project that contains Data Access Groups, it would mistakenly display the "Assign To DAG" drop-down list in the dialog, which should not be displayed when creating roles.
  • Bug fix: When assigning a user to a user role on the User Rights page while not also assigning them to a Data Access Group at the same time in the popup, it would fail to email the user even if the "Notify user via email?" checkbox is checked in the popup. (Ticket #110339)
  • Bug fix: Any HTML tags used in field labels and elsewhere in a project might mistakenly get stripped out when a project is exported as a Project XML file. (Ticket #110503)
  • Bug fix: Time-validated text fields would mistakenly not be formatted correctly in the "informat" and "format" statements in the resulting SAS syntax file when exporting data to SAS. This appears to occur only when Missing Data Codes are being utilized in the project. (Ticket #110278)
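
The three public-report fixes above amount to one check made on every request to the public link. A sketch of that check as an added example (not REDCap's code; the array shapes, function names and field names are hypothetical):

```php
<?php
// Added example, not REDCap source code. The array shapes, function names
// and field names below are hypothetical.

/** Variable names referenced as [variable] in a label such as "[last_name], [first_name]". */
function fieldsReferencedInLabel(string $label): array
{
    preg_match_all('/\[([a-z][a-z0-9_]*)(?::[^\]]*)?\]/', $label, $m);
    return array_values(array_unique($m[1]));
}

/**
 * Decide at view time whether a report may be shown via its public link.
 * Returns the reasons to refuse; an empty list means the report may be shown.
 */
function publicReportBlockers(array $report, array $project): array
{
    $reasons = [];

    // Re-check the flag on every request, so a report that was made
    // non-public stops rendering immediately.
    if (empty($report['is_public'])) {
        $reasons[] = 'report is not currently public';
    }

    $identifiers = array_keys(array_filter(
        $project['fields'],
        function ($field) { return !empty($field['identifier']); }
    ));

    // Direct exposure: Identifier fields listed in the report itself.
    foreach (array_intersect($report['fields'], $identifiers) as $name) {
        $reasons[] = "identifier field in report: $name";
    }

    // Indirect exposure from the bug fix: with the record ID field in the
    // report, fields used by the Custom Record Label or the Secondary
    // Unique Field must be checked as well.
    if (in_array($project['record_id_field'], $report['fields'], true)) {
        $indirect = fieldsReferencedInLabel($project['custom_record_label'] ?? '');
        if (!empty($project['secondary_unique_field'])) {
            $indirect[] = $project['secondary_unique_field'];
        }
        foreach (array_intersect(array_unique($indirect), $identifiers) as $name) {
            $reasons[] = "identifier field shown with record ID: $name";
        }
    }

    return $reasons;
}

// Constructed sample project and reports.
$project = [
    'record_id_field'        => 'record_id',
    'custom_record_label'    => '[last_name], [first_name]',
    'secondary_unique_field' => 'mrn',
    'fields' => [
        'record_id'  => ['identifier' => false],
        'last_name'  => ['identifier' => true],
        'first_name' => ['identifier' => true],
        'mrn'        => ['identifier' => true],
        'age'        => ['identifier' => false],
        'visit_date' => ['identifier' => false],
    ],
];
$reports = [
    'aggregate only'     => ['is_public' => true,  'fields' => ['age', 'visit_date']],
    'includes record ID' => ['is_public' => true,  'fields' => ['record_id', 'age']],
    'no longer public'   => ['is_public' => false, 'fields' => ['age']],
];

foreach ($reports as $name => $report) {
    $blockers = publicReportBlockers($report, $project);
    printf("%-20s %s\n", $name, $blockers ? 'REFUSE: ' . implode('; ', $blockers) : 'serve');
}
```

Running the check when the public link is requested, rather than only when the report is published, also covers later changes to Identifier flags or to the Custom Record Label.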

Version 11.2.1 (released on 2021-07-09)

 

  • Major bug fix: If using the AWS S3 file storage option, a fatal PHP error would occur when uploading or downloading documents, including on the Configuration Check page. (Ticket #110210)

Version 11.2.0 (released on 2021-07-09)

 

  • New feature: Ability to make reports accessible at a public link
    • Summary: When editing a report, users can now set a report as “public” and can obtain a public link to the report if they have User Rights privileges in the project. When a report is public, this means that all data in the report will be fully accessible (with no authentication required) to anyone with the public link to the report.
    • In order to make a report public, all the following must be true:
      • The user must have User Rights privileges in the project or be a REDCap administrator.
      • The report cannot have any Identifier fields in it.
      • The user is required to view the report during their current REDCap session.
      • The user must agree to and check off the following statements: 1) I understand that making this report "public" means that all data in the report will be fully accessible to anyone with the public link to the report, and 2) I understand that I am responsible if any private, sensitive, or identifying data in the report is exposed to persons who should not have access to such data.
    • The behavior of how reports are made public can be controlled at the system level near the bottom of the User Settings page in the Control Center using the setting “Allow reports to be made 'public'?”. Admins may completely disallow reports from being made public (although admins will still have the ability to do so). If it is enabled, they may choose to allow users to make reports public on their own or enable the To-Do List approval process, by which an admin will need to approve a user's request to make a given report public (similar to the system-level approval process for Project Dashboards being made public).
    • Once a report has been made public, its configuration cannot be modified while it is public (users cannot add new fields, modify filter logic, etc.). In order to modify a public report, the user will need to make it no longer public, then make their changes, and then make it public again.
  • New Smart Variables
    • [event-id] - (longitudinal only) The event id number of the current event.
    • [survey-access-code:instrument] - The Survey Access Code of the specified survey for a given record/event/instance. The format must be [survey-access-code] or [survey-access-code:instrument], in which 'instrument' is the unique form name of the desired instrument. This can be used simply as [survey-access-code] inside the content of a survey invitation, in which 'instrument' is assumed to be the current survey instrument.
    • [survey-return-code:instrument] - The Survey Return Code of the specified survey for a given record/event/instance in order to allow a participant to return to a completed or partially completed survey response when using the 'Save & Return Later' survey feature. The format must be [survey-return-code] or [survey-return-code:instrument], in which 'instrument' is the unique form name of the desired instrument. This can be used simply as [survey-return-code] inside the content of a survey invitation, in which 'instrument' is assumed to be the current survey instrument.
    • [user-role-id] - The Role ID of the user role to which the current user is assigned (blank if not assigned to any user role). This value is auto-generated for each user role. NOTE: This value is not just unique for all roles within the project but is also unique across all REDCap projects. Thus, if the project and its user roles are copied, the Role IDs of the user roles in the resulting copy will be different from the ones in the original project.
    • [user-role-name] - The unique role name of the user role to which the current user is assigned (blank if not assigned to any user role). This value is auto-generated for each user role. NOTE: This value is only unique for roles within the project. Thus, if the project and its roles are copied, the new project will retain the same unique role names, which allows you to utilize the unique role names in conditional logic, calculations, branching logic, etc. that will not break when the project is copied.
    • [user-role-label] - The name/label of the user role to which the current user is assigned (blank if not assigned to any user role). This value is defined by the user that creates the user role.
  • New Action Tag: @MAXCHOICE-SURVEY-COMPLETE - Similar to @MAXCHOICE but only counts choices on completed survey responses (does not count data entered as data entry only or on partial responses). Causes one or more specified choices to be disabled (i.e., displayed but not usable) for a checkbox, radio button, or drop-down field after a specified number of records have been saved with that choice for completed survey responses only.
  • New feature: Tableau Data Export - Extract all records into Tableau via the REDCap API.
    • This feature enables Tableau (v10.0+) users to connect Tableau to a REDCap project using an API token. Project data can be exported on demand and be available for use within Tableau to produce summaries and visualizations. The Other Export Option page in any given project has instructions to export project data into Tableau.
    • NOTICE: It is required for a user to have an API token generated for the project in order to use this feature.
  • New feature: MailGun Email API Integration
    • As an alternative for sending outgoing emails from REDCap (rather than using the standard settings in PHP.INI to send them natively from the web server), you may use MailGun, which is a third-party paid service that can send emails on behalf of REDCap.
    • The option can be configured on the General Configuration page in the Control Center. You merely have to provide the API key and domain name for your MailGun account, and it will begin using the MailGun Web API to send *all* emails going out of REDCap.
  • New feature: Project-level setting “Prevent branching logic from hiding fields that have values”
    • This setting can be enabled by any project user with Project Setup/Design privileges in the Additional Customizations popup on the Project Setup page.
    • This setting affects both data entry forms and surveys. If it is not enabled (default), then whenever a field is to be hidden by branching logic on a data entry form, it will always ask the user if they wish to hide the field and erase its value, whereas on survey pages it will automatically erase the value of the field being hidden without displaying the confirmation prompt, which has always been the default behavior for surveys. If this setting is enabled, the branching logic behavior will change so that fields with values will not cause the 'Erase the Value of the Field?' confirmation prompt to ask the user if they wish to keep the value or hide the field, and instead fields with values will not be hidden by branching logic and will stay visible. Thus they will be exempt from branching logic. This will prevent data from being erased as it normally does if fields are hidden by branching logic.
    • When a field should be hidden by branching logic but is not hidden because it has a value, an icon will be displayed on the field to indicate this to the user.
    • This project-level setting is included in the API Export Project Info method as “bypass_branching_erase_field_prompt”. The REDCap Mobile App will soon have this same functionality, but it will only work if the REDCap server is on REDCap 11.2.0 or higher.
    • The name of Data Quality rule F has been slightly changed when this setting is enabled from “Hidden fields that contain values” to “Fields that contain values that should be hidden”.
  • Improvements for report display and/or data exports - When creating/editing a report, the “Additional report options” section in Step 2 now contains the new options below:
    • For projects that have repeating instruments and/or repeating events, the repeating fields that are automatically added (e.g., redcap_repeat_instrument and redcap_repeat_instance) can now be excluded from the report and data export. These fields are displayed by default in reports/exports.
    • Users may choose to display the field label, variable name, or both (default) in the header of a report. Note: This is only used when viewing reports and thus is not applicable for exports since there already exist options for choosing raw vs label format in data exports.
    • Users may choose to display the field label, raw data value, or both (default) for multiple choice fields in the data displayed in a report. Note: This is only used when viewing reports and thus is not applicable for exports since there already exist options for choosing raw vs label format in data exports.
  • Improvement: If the value of a Text field or Notes field contains a URL or email address, the URL or email address will be converted into a clickable link or a mailto link, respectively, when viewing the data in a report.
  • Improvement: More detailed logging descriptions on the Logging page for report-related logged events, such as mentioning the report name and report ID.
  • Improvement: When users download an Instrument ZIP file for a given instrument in the Online Designer, the zip file now includes all survey settings for the instrument if the instrument has been enabled as a survey, including various files (e.g., survey logo, confirmation email attachment). The downloaded Instrument ZIP can then be uploaded into any project to transfer both the fields and all the survey settings.
  • Improvement: In the Online Designer, the "Custom text to display at top of survey queue" now utilizes the rich text editor to make it easier to style the custom text.
  • Change: PHP 7.2.5 is now the new minimum PHP version that is required for running REDCap. Note: All versions of PHP 8 are currently supported.
  • Major bug fix: Fields embedded inside radio button and checkbox choices would fail to appear on data entry forms and survey pages. (Ticket #109836)
  • Bug fix: When uploading a CSV file of events on the Define My Events page for a longitudinal project that has the Scheduling module enabled, it would mistakenly not add the events in the order in which they appear in the CSV file. (Ticket #108552)
  • Bug fix: When clicking a table header on the My Projects page, the projects inside any collapsed Project Folders would disappear on the page until the page was reloaded. (Ticket #107547)
  • Bug fix: When clicking on a collapsed Project Folder on the My Projects page, it might mistakenly open multiple Project Folders. (Ticket #108579)
  • Bug fix: HTML styling on radio button and checkbox choices would mistakenly get removed on a survey page or data entry form.
  • Bug fix: Using the Smart Variable [aggregate-count] for checkboxes would mistakenly not return any value. It now returns the number of total checkboxes that have at least one checkbox option checked for the field, which is consistent with how [stats-table] behaves for checkboxes.
  • Bug fix: Referencing the record ID field in the Smart Variable [stats-table] would not return any values for that row in the table.
  • Bug fix: The cron job that sends email notifications for REDCap Messenger might mistakenly send multiple emails repeatedly to users. (Ticket #97084)
  • Bug fix: When importing alerts via a CSV file on the Alerts & Notifications page, the “Ensure logic is still true” setting would mistakenly not get set correctly during the upload if it was already disabled/unchecked for an existing alert and then was being enabled/checked in the CSV upload.
  • Bug fix: Depending on a user's number format preference as defined on their My Profile page, certain Smart Functions (e.g., [aggregate-sum:field]) might fail to work successfully in calculations and branching logic. (Ticket #109994)
  • Bug fix: The survey setting "Save a PDF of completed survey response to a File Upload field" would mistakenly display Signature fields in the drop-down list when it should exclude those. (Ticket #110071)
  • Bug fix: The [bar-chart] Smart Variable would fail to display any data in the chart when used with a checkbox field. (Ticket #109370)
  • Change: Added a dark gray line above the Custom Application Links section (if used) on the project left-hand menu to help differentiate the Custom Application Links from REDCap's built-in application page links.
  • Bug fix: When the Secondary Unique Field is enabled in a project in which a data import is being performed with values for that field, it would mistakenly allow duplicate values to be imported for the Secondary Unique Field if the same value exists multiple times within the data file being imported. (Ticket #109791)

Version 11.1.4 (released on 2021-06-30)

 

  • Bug fix: If a field’s value is being piped on the same data entry form or survey page where the field itself is located, if that field is being hidden by branching logic, in which the user clicks “Okay” to the “Erase value” prompt to hide the field and erase its value, the piped value seen on the page would mistakenly not get changed/reset during this process but would instead retain the previous value of the field. (Ticket #108756)
  • Bug fix: When viewing Report A or B, the built-in Live Filter for the Record ID field would display a list of all records in the project, which might crash the user's browser if tens of thousands or more records exist. To prevent this, it now only displays the first ten thousand record names in the Live Filter drop-down, similar to how the Data Quality page behaves.
  • Bug fix: A fatal PHP error might occur on some pages related to CDP or Data Mart for certain versions of PHP. (Ticket #108971)
  • Various fixes and improvements for the External Module Framework
  • Bug fix: If the headers of a matrix of fields are displayed as floating/sticky on a data entry form or survey page, the floating headers would mistakenly disappear (at least until the user scrolls the page again) whenever branching logic gets triggered or if the "Reset" link for radio buttons is clicked. (Ticket #109434)
  • Bug fix: The video link for Smart Charts/Functions/Tables in the Smart Variables dialog mistakenly pointed to the Project Dashboard video.
  • Bug fix: When exporting data to a stats package (e.g., SAS) in which some multiple choice fields contain "<" in a choice label, the resulting syntax file might be mangled, truncated, and/or incorrect. Also, that choice label with "<" may not display correctly on the Data Dictionary Codebook page. (Ticket #109571)
  • Bug fix: When importing data in standard XML format via the API, some fields that have a blank value in the XML file might cause the data import to fail. (Ticket #109293)
  • Bug fix: When using the Scheduling module for a project that has record auto-numbering disabled, it is possible that a record could mistakenly be created twice if one user creates the record via data entry at the same time that another user creates the record via the Scheduling module. (Ticket #109287)

Version 11.1.3 (released on 2021-06-18)

 

  • Improvement: Reports A and B now have built-in Live Filters: 1) the record ID field, 2) a list of all events (if the project is longitudinal), and 3) a list of all Data Access Groups (if the project contains DAGs and the current user is not assigned to a DAG).
  • Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL of a specific endpoint.
  • New videos: Added two new videos for Project Dashboards and Smart Charts/Functions/Tables on the Training Video page, Project Dashboards page, and Smart Variable popup documentation.
  • Change: Small change to add clarity to the text of Step 1A when creating/editing an alert on the Alerts & Notifications page.
  • Bug fix: A PHP error would mistakenly occur in the redcap_connect.php file if the binlog_format setting for MySQL/MariaDB has been enabled on the General Configuration page in the Control Center. (Ticket #108667)
  • Bug fix: When exporting data to SAS in which the export contains some Ontology Text fields that have a dash in the raw value for some records in the export, it would prevent the data from being successfully loaded into SAS. Now when creating SAS formats for character variables in the resulting SAS syntax file, the values will be wrapped in single quotes for greater compatibility (unless all the values/options are numerical for the field).
  • Bug fix: Calendar events that had no time set (i.e., only had the date set) but were scheduled or attached to a record would mistakenly not be ordered by record name when displaying the events of a given day on the Calendar page. (Ticket #108688)
  • Bug fix: If a "bar-chart" Smart Chart utilizes multiple fields and also references a report via its unique report name, if the order of the fields defined in the Smart Chart is different than the order of the fields as they appear in the report, the bar chart would mistakenly not display correctly. (Ticket #108709)
  • Bug fix: When a project is in draft mode, the Online Designer would mistakenly allow users to modify the variable name of matrix fields that exist live in production (i.e., not just in draft mode), which should not be allowed because it could inadvertently cause fields to be deleted via renaming. (Ticket #108705)
  • Bug fix: Smart Charts and Smart Tables would mistakenly display HTML tags inside the chart/table if any HTML tags exist in the choice labels or field labels for the fields being utilized in the chart/table.
  • Bug fix: Smart Charts with long field labels or long choice labels might cause text to overlap on itself or might show only the label ending and not the beginning, which is due to a limitation in the ChartJS library used to generate the charts. Such labels are now truncated to fit better in the chart by using an ellipsis in the middle of the label for optimal display.
  • Bug fix: When using the background fetch method for fetching EHR data via the Clinical Data Mart service, it no longer sends the user an email when the process has finished but instead sends a message via REDCap Messenger. This has been changed because it could be possible that any error messages sent inside the email might contain Medical Record Numbers. So sending the notification via Messenger is more secure.
  • Bug fix: When a REDCap server uses the HTTP_X_FORWARDED_FOR header for a user's IP address, in which the IP actually contains multiple IPs delimited with commas (often because a load balancer is being utilized), it now instead just uses the first IP address in the list rather than the whole value, which was causing a blank IP address to be recorded in REDCap's logging for users in this particular case.
  • Bug fix: In very specific cases where data has been imported into an instrument (but not for the form status complete field) and no user has entered data for that instrument via the data entry form or survey page yet, the form status icon might mistakenly display as a gray color instead of as red on the Record Home page or Record Status Dashboard. (Ticket #108183)
  • Bug fix: If using "LDAP" or "LDAP & Table-based" authentication, any user containing an apostrophe in their LDAP username would cause JavaScript issues to occur for an administrator on the Browse Users page when performing certain actions, such as changing their 2FA code expire time, suspending/unsuspending the user, or deleting the user account from the system. (Ticket #79647d)
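
The HTTP_X_FORWARDED_FOR fix above, sketched in PHP as an added example (not REDCap's code; the function name and the trusted-proxy list are assumptions). It keeps the first entry of the comma-delimited header only when the connecting peer is a known proxy, and validates it before it reaches the log:

```php
<?php
// Added example, not REDCap source code. clientIpForLogging() and the
// trusted-proxy list are assumptions made for illustration.

/**
 * Pick the address to record in the audit log.
 *
 * @param array $server         Request metadata shaped like $_SERVER
 * @param array $trustedProxies Addresses of load balancers you operate
 */
function clientIpForLogging(array $server, array $trustedProxies): string
{
    $peer      = $server['REMOTE_ADDR'] ?? '';
    $forwarded = $server['HTTP_X_FORWARDED_FOR'] ?? '';

    // X-Forwarded-For is supplied by the client unless a proxy you control
    // set it, so ignore it when the TCP peer is not one of your proxies.
    if ($forwarded === '' || !in_array($peer, $trustedProxies, true)) {
        return $peer;
    }

    // "client, proxy1, proxy2": keep only the first entry of the list.
    $first = trim(explode(',', $forwarded)[0]);

    // Validate before logging so a crafted header cannot put markup or a
    // blank value into the log; fall back to the peer address instead.
    return filter_var($first, FILTER_VALIDATE_IP) !== false ? $first : $peer;
}

// Constructed sample requests (documentation and private-range addresses).
$trustedProxies = ['10.0.0.5'];
$samples = [
    'behind load balancer' => [
        'REMOTE_ADDR'          => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.9, 10.0.0.5',
    ],
    'IPv6 client' => [
        'REMOTE_ADDR'          => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '2001:db8::17, 10.0.0.5',
    ],
    'direct client sets header' => [
        'REMOTE_ADDR'          => '198.51.100.23',
        'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
    ],
    'malformed first entry' => [
        'REMOTE_ADDR'          => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>, 203.0.113.7',
    ],
    'no header' => [
        'REMOTE_ADDR' => '198.51.100.23',
    ],
];

foreach ($samples as $label => $server) {
    printf("%-28s => %s\n", $label, clientIpForLogging($server, $trustedProxies));
}
```

If the load balancer appends to an existing header rather than replacing it, the first entry is still whatever the client sent, so treat the logged value as informational rather than as an access-control input.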

Version 11.1.2 (released on 2021-06-11)

 

  • Improvement: New alternative PDF print option in the "Download PDF" drop-down at the top of data entry forms, in which there is a new PDF export choice: "This data entry form with saved data (send to printer: select "Save as PDF" for Printer/Destination)". This will produce a much improved browser-based print option to print/save the webpage as a PDF that serves as a suitable alternative to the existing server-side PDF rendering options, which can sometimes be very limited and inaccurate (e.g., when representing field embedding). Note: This “Print to PDF” does correctly hide fields that have the @HIDDEN-PDF action tag.
  • Change: Due to concerns about sending identifying information from REDCap in outgoing emails, Survey Notification emails will no longer include the Participant Identifier in the email body (if a Participant Identifier was entered in the Participant List for a given participant).
  • Bug fix: Smart Charts, Tables, and Functions that have a unique report name or "user-dag-name" as a parameter were mistakenly not using the impersonated user's username and DAG when an administrator uses the "View project as user" tool, thus mistakenly utilizing all data in the project for the Smart Chart/Table/Function instead of just the data from that user's DAG. (Ticket #108017)
  • Bug fix: Some FHIR metadata fields were mistakenly not being displayed on the Clinical Data Pull (CDP) mapping page if using FHIR v2 (DSTU2).
  • Bug fix: When a user or admin is clicking the "Yes, move to production status" button in the Move To Production dialog in a development project, it would mistakenly not disable the button after being clicked, which might cause confusing pop-up messages to appear if the button was clicked again before it finished processing. (Ticket #108321)
  • Bug fix: When using the Data Resolution Workflow and assigning a user to a data query, the Messenger notification would mistakenly fail if the user chose to notify the other user of their assignment via Messenger. Thus they would not be notified. (Ticket #108335)
  • Change: When setting the 2-step login controls for a given project on the "Edit a Project's Settings" page, it now displays a popup warning if an admin attempts to set both settings to "Yes" (because they are not compatible). (Ticket #108326)
  • Bug fix: When importing or deleting a file via the API Import File or Delete File methods, it would mistakenly allow users to import files even when the entire record is locked or when the record/event/instrument/instance is locked for that file upload field. (Ticket #108399)
  • Bug fix: When an alert has an email address set for the setting "Email to send email-failure errors", in certain situations (such as when running the "Re-evaluate Alerts" process) it would mistakenly send the email failure notification for *all* alerts in the project instead of just the ones that have an email address defined for the "Email to send email-failure errors" setting. This could result in some users receiving many more emails than expected when an alert fails to send successfully. (Ticket #85030)
  • Bug fix: Fields that are embedded inside other embedded fields might not fully have their data piped in the field's label when viewed in a downloaded PDF of an instrument but might still display some field variables inside braces/curly brackets. (Ticket #108310)
  • Bug fix: In certain cases where a backslash (\) is used in a data value that gets piped (e.g., text that contains "p\0.0233"), it might cause the data to get piped recursively many times and mistakenly output a mangled mess of text. (Ticket #108451)
  • Bug fix: When selecting the Export Records method in the API Playground, if one or more values were selected for the Fields, Forms, or Records parameter, and then they were deselected to have no selections for them, the API request would return an error after clicking the Execute Request button on the page. (Ticket #108526)
  • Bug fix: When clicking the "Delete data for THIS FORM only" button at the bottom of a data entry form, if the record currently exists in multiple arms and the form data being deleted is the only data in the current arm for the record, it would mistakenly delete the record from the arm in addition to removing the form data (although the record would still exist in other arms). This would not cause any data loss, technically, but the user would have to recreate the record in that arm again.

Version 11.1.1 (released on 2021-06-04)

 

  • Improvement: The Easy Upgrade process should now take much less time to complete due to the implementation of a faster unzipping method used when extracting the source code files on the server from the REDCap upgrade zip file that was downloaded. (Note: This faster Easy Upgrade process may not be seen in this upgrade but in the upgrade after this one.)
  • Security Improvement for the External Module Framework
    • Cross-site Request Forgery (CSRF) protection is now available for module pages/endpoints in framework version 8. If a module has a "framework-version" value of “8” or higher in the module’s config.json file, then a valid redcap_csrf_token parameter will now be required on all POST requests (unless manually set as exempt), but will be automatically added behind the scenes in many cases.
    • NOTE: If a module is on a framework version lower than 8 (or if the framework-version is not defined in config.json), then that module does not have CSRF protection. So every module currently available in the REDCap Repo or otherwise will have to be updated in order to gain this CSRF protection feature. Thus, action is required by the module creator to add this security protection.
    • Many module pages where the REDCap page headers are included will not require any changes because the redcap_csrf_token parameter will automatically be added to static forms and jQuery post() method calls. In this case, updating "framework-version" to “8” in config.json is all that is required for adding CSRF protection.
    • The redcap_csrf_token POST parameter will need to be added to dynamically generated forms, jQuery ajax() calls, non-jQuery javascript requests, and POST requests on pages where the REDCap headers are not included. In those cases, the $module->getCSRFToken() method should be used to set the value of the redcap_csrf_token POST parameter. All POST requests made by module code should be tested before releasing a module update for this framework version.
    • For the very small number of pages where CSRF tokens should not be required (like custom APIs), pages can be omitted from CSRF checking by adding them to config.json as follows (similar fashion to no-auth-pages). See the Configuration Example module for an example. Do NOT abuse this feature by using it in cases where you should be using CSRF tokens: { "no-csrf-pages": [ "some-page" ] }
  • Bug fix: When importing a file via the File Import API method in which the file exceeds the maximum allowed file size, it would return an error message that mistakenly referenced the max upload size of the server instead of the max upload size that is manually set for File Upload fields for the project, which might be a different value than the server maximum.
  • Bug fix: If an error popup for a calculation or branching logic appears immediately when a survey page or data entry form initially loads (due to syntax errors in the branching/calculation), the stock language in the error message itself would mistakenly say "undefined" instead of actual text. However, this would not occur if the error message was displayed later on after the page had already loaded.
  • Bug fix: Certain example plugins that are included in an initial installation of REDCap would mistakenly display PHP errors if they are accessed without a "pid" parameter in their URL. (Ticket #107782)
  • Bug fix: Fixed an error that prevented data from being saved in DDP Custom projects.
  • Bug fix: When using the "Select instruments/events" option for a custom record status dashboard, it would mistakenly not limit the dashboard to those instruments/events. (Ticket #107785)
  • Bug fix: The "Preview Message by Record" feature on the Alerts & Notifications page would mistakenly not work when selecting a record from the drop-down list.
  • Bug fix: The horizontal line on which users/participants write their signature was mistakenly not displaying in the "add signature" dialog on forms/surveys.
  • Bug fix: The "Export Records" and “Export Reports” API methods would mistakenly use the system-level default CSV delimiter (set on the User Settings page) when performing an API CSV export in "flat" format instead of correctly outputting a comma as the default CSV delimiter whenever the "csvDelimiter" parameter has not been defined in the API request. (Ticket #108082)
  • Bug fix: When copying a project or creating a new project using a project template, it would mistakenly not copy over the project-level settings below (Ticket #108151):
    • Delete a record's logging activity when deleting the record?
    • Auto-delete all Data Export Files in the File Repository that were created more than X days ago?
    • Exempt the project from 2-step login?
    • Always force 2-step login in this project for EVERY login session?
    • Double Data Entry module
    • Date Shifting De-Identification Option: Date Shift Range
    • Enable/disable the Shared Library for this project?
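
Added example (not REDCap or External Module Framework code) for the CSRF item in the 11.1.1 notes above: an audit that reads each module's config.json and reports which modules lack CSRF protection (framework-version below 8 or undefined) and which pages a protected module exempts through no-csrf-pages. The one-directory-per-module layout and the sample module names are constructed assumptions.

```python
import json
import tempfile
from pathlib import Path

# Per the 11.1.1 note: CSRF checks apply from framework version 8 upward.
CSRF_MIN_FRAMEWORK_VERSION = 8


def parse_framework_version(raw):
    """Return the declared framework version as an int, or None if unusable."""
    if isinstance(raw, bool):          # JSON true/false is not a version
        return None
    if isinstance(raw, int):
        return raw
    if isinstance(raw, str) and raw.strip().isdigit():
        return int(raw.strip())        # tolerate "8" written as a string
    return None                        # missing, float, null, etc.


def audit_module(config_path):
    """Classify one module directory by what its config.json declares."""
    result = {"module": config_path.parent.name, "version": None,
              "csrf_protected": False, "exempt_pages": [], "error": None}
    try:
        config = json.loads(config_path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:   # JSONDecodeError is a ValueError
        result["error"] = f"unreadable config.json: {exc}"
        return result
    if not isinstance(config, dict):
        result["error"] = "config.json is not a JSON object"
        return result

    version = parse_framework_version(config.get("framework-version"))
    result["version"] = version
    result["csrf_protected"] = (version is not None
                                and version >= CSRF_MIN_FRAMEWORK_VERSION)
    exempt = config.get("no-csrf-pages", [])
    if result["csrf_protected"] and isinstance(exempt, list):
        # Only meaningful on protected modules: these pages skip the check.
        result["exempt_pages"] = [str(page) for page in exempt]
    return result


def audit_modules(modules_dir):
    """Audit every <modules_dir>/<module>/config.json, sorted by directory."""
    configs = sorted(Path(modules_dir).glob("*/config.json"))
    return [audit_module(path) for path in configs]


def needs_action(results):
    """Module directories that lack CSRF protection or could not be read."""
    return [r["module"] for r in results
            if r["error"] or not r["csrf_protected"]]


def build_sample_tree(root):
    """Write constructed sample modules (not real REDCap modules) under root."""
    samples = {
        "legacy_module_v1.0.0": '{"name": "Legacy", "framework-version": 5}',
        "undeclared_module_v1.0.0": '{"name": "Undeclared"}',
        "protected_module_v2.0.0": json.dumps({
            "name": "Protected", "framework-version": 8,
            "no-csrf-pages": ["some-page"]}),
        "string_version_v1.0.0": '{"name": "Str", "framework-version": "9"}',
        "broken_module_v0.1.0": '{"name": "Broken", ',   # truncated JSON
    }
    for directory, body in samples.items():
        module_dir = Path(root) / directory
        module_dir.mkdir(parents=True)
        (module_dir / "config.json").write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        results = audit_modules(tmp)
    for r in results:
        status = ("ERROR " + r["error"] if r["error"]
                  else "protected" if r["csrf_protected"] else "NO CSRF")
        print(f'{r["module"]:28} version={r["version"]!s:5} {status} '
              f'exempt={r["exempt_pages"]}')
    print("needs action:", needs_action(results))
```

Each entry in exempt_pages is a page that accepts POST requests without a redcap_csrf_token, so it is worth confirming that every one is a custom API rather than an ordinary form handler.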

Version 11.1.0 (released on 2021-05-28)

 

  • New feature: More clinical data available via FHIR R4 endpoints for CDIS - The CDIS services Clinical Data Pull and Clinical Data Mart can now utilize version 4 (called “R4”) of the FHIR web services from their local EHR system. The new R4 endpoints include the existing data that could be pulled in earlier versions as well as the following: Adverse Events, Core Characteristics (Observation), Encounters, and Immunizations. Note that "Adverse events" are only available for "research" projects where an IRB number is specified, in which the project’s IRB number corresponds to the “Study ID” value from the EHR interface for a particular study (which is often the same as the study’s IRB number).
  • Improvements: Other FHIR/CDIS additions
    • Clinical Data Mart
      1. A new template is used for new DataMart projects when REDCap is set to use R4, including new forms for Encounters, Immunizations, Core Characteristics, Adverse Events.
      2. New option to fetch data in a background process and receive an email when completed.
      3. MRNs can be searched and fetched individually on the Clinical Data Mart page.
    • Epic institutions using the "legacy" app on the Epic App Orchard will be notified on the CDIS Control Center page with info about how to upgrade to the new R4 enabled version.
    • While on the CDIS Control Center page, changing the FHIR client ID will now automatically remove all existing FHIR access tokens stored in the backend. Note: This will not impact any data but will require each CDIS user to perform a standalone launch again or else launch REDCap via the CDP embedded window in the EHR interface before they can begin to pull data again from the EHR.
    • The FHIR statistics in the Control Center now display CDP instant adjudication.
  • New feature: Fields that are "sql" field type (Dynamic Query - SQL field) now work in the REDCap Mobile App. In previous versions, they were not functional at all in the mobile app. Now when a project is loaded into the mobile app, any "sql" fields will be converted into static drop-down fields in the app. If new choices get dynamically added to the sql field on the server afterward, the project will need to be loaded again in the mobile app to obtain those choices for the sql field. (Ticket #107409)
  • New feature: Import/export alerts via CSV file on Alerts & Notifications page - Users may export and import alerts to the same project or another project using a CSV file. If updating an existing alert, the unique alert ID must be included in the CSV file to identify the alert that the user wishes to modify. If the unique alert ID is left blank in the CSV file being uploaded, it is assumed that the user wishes to create a new alert.
  • New feature: Reorder alerts on Alerts & Notifications page - In the options menu for any given alert, a user can select an alert to be moved to another position on the Alerts & Notifications page. When this is done, it notifies the user that moving the alert will in most cases cause the alert numbers to be renumbered for many existing alerts (since they are numbered based on their order). However, their alert title and unique alert ID will not change during this process.
  • Improvement: If using Twilio for SMS/Voice Call verification for Two Factor Authentication, there is now a new alternative phone number field on the Security & Authentication page for providing a number only to be used for the Voice Call option for 2FA. This is useful if you are in a country where a single phone number cannot be used for both voice calls and SMS. If the new field is left blank, then the existing number will be used for both SMS and voice calls, but if this new field is utilized, its value will be used for the 2FA voice call option while the first number will only be used for the 2FA SMS option. (Ticket #99563)
  • Major bug fix: If a project has randomization enabled and is using strata fields, if one or more strata fields exist on a survey instrument, and the survey containing the strata field(s) is opened after the record has been randomized, the strata fields would mistakenly not be disabled/readonly on the survey page but could be edited, which can cause major issues with a randomized project. It is expected that the strata fields should be disabled/readonly (whether on the data entry form or survey page) after the record has been randomized.
  • Change/improvement: The To-Do List page now contains a “PID” column to display the project ID of the project to which the user request belongs.
  • Change: For certain processes in which administrators perform an action that causes an email to be sent to a user (e.g., creating new Table-based users, rejecting/resetting a user's draft mode changes, and various requests from user sponsors via the Sponsor Dashboard), the email to the user would come from the admin processing the request or performing the work. Whereas many other similar tasks would send an email with the From address as the "Email Address of REDCap Administrator" value instead (which might be different from the current user). To make things more consistent now among these admin-related tasks, in all cases these emails will have their From address be the "Email Address of REDCap Administrator". (Ticket #88651)
  • Change/improvement: If the REDCap database connection needs to use a specific value for the MySQL/MariaDB "binlog_format" setting that is different from the value set in the MySQL configuration file, it can now be set on the General Configuration page to MIXED, STATEMENT, ROW, or "Use system default setting" (default). It is recommended to leave this with the default setting unless you absolutely know you need to change this and are intentional about it. This will provide greater compatibility with MySQL clusters, etc. (Ticket #107202b)
  • Change: Updates and new content for the Help & FAQ page.
  • Bug fix: When copying a project dashboard, the popup dialog might mistakenly display the name of the wrong dashboard.
  • Bug fix: When accessing an invalid link for a public project dashboard, it would mistakenly not display any error message.
  • Bug fix: When creating a custom link for a public project dashboard, it might mistakenly show a success message even when the custom link returns an error because it has already been taken.
  • Bug fix: When a project has a very large number of arms, it may prevent the Record Status Dashboard from displaying data properly, and might also prevent the background "record list cache" process from completing successfully. (Ticket #107502)
  • Bug fix: In server environments with PHP error reporting enabled, it would display a deprecation notice regarding the constructor of the PEAR Log class. (Ticket #55557b)
  • Bug fix: When unlocking an instrument using the Unlock button at the bottom of a form, any fields with the @READONLY or @READONLY-FORM action tag would mistakenly become editable. (Ticket #107549)
  • Bug fix: The <caption> HTML tag was mistakenly not allowed in field labels, survey instructions, and all places that display user-defined text on a webpage. (Ticket #107664)

Version 11.0.5 (released on 2021-05-24)

 

  • Major bug fix: Reverted the following change from REDCap 11.0.4 (Standard) because it caused major parts of REDCap not to work anymore for some server configurations: "REDCap now sets "SESSION binlog_format=MIXED" for every connection in MySQL to provide greater compatibility with MySQL clusters (Ticket #107202)". (Ticket #107335)
  • Bug fix: When a project is in Analysis/Cleanup mode, and a user wishes to set the project data to be read-only/locked, the popup dialog for doing this mistakenly has the wrong text for the dialog buttons.
  • Bug fix: Most of the stock language used for displaying errors for calculations and branching logic was mistakenly not abstracted and therefore was not translatable into a non-English language for a project. (Ticket #106976)
  • Bug fix: When using a Project XML file to create a project, it would mistakenly display an error that the record ID field could not be found in the XML file, which is not true. Bug emerged in REDCap 11.0.4.

Version 11.0.4 (released on 2021-05-21)

 

  • Change: If the setting "Allow normal users to add or modify events and arms on the Define My Events page for longitudinal projects while in production status?" on the User Settings page is set to "Yes", then in any longitudinal projects that are in production status, normal users will no longer be able to modify the name of an existing arm or event. Since renaming an event or arm can have drastic downstream consequences, such as if the unique event/arm name is used in any calculations, branching logic, report filters, or other conditional logic throughout the project, users are now prevented from renaming events and arms in this case as an extra safety net. If a user attempts to rename an event or arm, it will now display an informational message letting them know that they should contact an administrator to complete that task for them.
  • Bug fix: When using the Survey Queue in a longitudinal project, there are some scenarios where the queue might mistakenly not process the conditional logic correctly for a survey in the queue, thus causing it to return an empty queue or omit some surveys from being displayed in the queue. (Ticket #106801)
  • Bug fix: PHP 8 compatibility error when viewing some custom record status dashboards. (Ticket #107055)
  • Bug fix: When using the Data Resolution Workflow in which a normal user is attempting to delete a file attachment that has been uploaded to an opened data query, it would mistakenly display an error message every time. Instead it should display a message letting them know that only administrators are allowed to delete files attached to data queries. (Ticket #106984)
  • Bug fix: PHP 8 compatibility error when using Two Factor Authentication. (Ticket #103721)
  • Change: REDCap now sets "SESSION binlog_format=MIXED" for every connection in MySQL to provide greater compatibility with MySQL clusters. (Ticket #107202)
  • Bug fix: PHP 8 compatibility error when using the DAG Switcher. (Ticket #107209)
  • Bug fix: PHP 8 compatibility error that occurs in some specific cases when viewing the Record Status Dashboard. (Ticket #107225)
  • Bug fix: When a project contains repeating events in which a report has filter logic to filter out specific repeating instances (e.g., [current-instance] <> "" and [current-instance] = [first-instance]), the report might mistakenly display no results or incorrect results when there is actually data to display. This does not affect repeating instruments but only repeating events.
  • Bug fix: When a radio button field that is part of a matrix is embedded on a data entry form or survey page, the radio button's "reset" link would mistakenly not get embedded along with its associated field. Thus there would be no way to reset a matrix radio field that is embedded. Now the "reset" link appropriately gets moved to be immediately below its associated embedded radio field.
  • Bug fix: To prevent Microsoft Outlook Safe Links from submitting surveys and junk data on its own, REDCap survey pages now block all POST requests that originate via the IP address range 52.147.217.*, in which it immediately returns an error message. This is in addition to a recent fix that protected surveys from Safe Links coming from another IP range (40.94.*.*).
  • Bug fix: When REDCap is sending a large amount of email notifications from REDCap Messenger, such as when there is a General Notification or System Notification, if the cron job process for sending the emails takes too long, it may mistakenly get run several times, resulting in users receiving the same email notification several times. (Ticket #107208)
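
Added example (not REDCap code) for the Outlook Safe Links item in the 11.0.4 notes above: a log triage script that finds survey POST requests originating from the two ranges the notes name, which helps locate junk responses recorded before the block was in place. The Combined Log Format, the "/surveys/" path segment and all sample log lines are constructed assumptions.

```python
import ipaddress
import re

# The two ranges named in the release notes, written as CIDR networks.
SAFE_LINKS_RANGES = [
    ipaddress.ip_network("52.147.217.0/24"),   # 52.147.217.*
    ipaddress.ip_network("40.94.0.0/16"),      # 40.94.*.*
]

# Assumption: survey requests contain this path segment.
SURVEY_PATH_MARKER = "/surveys/"

# Assumption: the web server writes Combined Log Format lines.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def in_safe_links_range(client):
    """True if the client address falls inside either named range."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:                      # hostname or garbage in the field
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped             # ::ffff:a.b.c.d on dual-stack hosts
    return any(addr in net for net in SAFE_LINKS_RANGES)


def find_scanner_survey_posts(lines):
    """Return one record per survey POST that came from the named ranges."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOG_LINE.match(line)
        if match is None:
            continue                        # not a parseable access-log line
        if match["method"] != "POST":
            continue                        # only POSTs submit survey data
        if SURVEY_PATH_MARKER not in match["path"]:
            continue
        if in_safe_links_range(match["client"]):
            hits.append({
                "line": number,
                "client": match["client"],
                "time": match["time"],
                "path": match["path"],
                "status": int(match["status"]),
            })
    return hits


# Constructed sample log lines; the hashes and timestamps are made up.
SAMPLE_LOG = [
    '52.147.217.10 - - [20/May/2021:10:00:01 +0000] "POST /surveys/?s=CONSTRUCTED000001 HTTP/1.1" 200 5120',
    '40.94.31.7 - - [20/May/2021:10:00:05 +0000] "GET /surveys/?s=CONSTRUCTED000002 HTTP/1.1" 200 8841',
    '40.94.31.7 - - [20/May/2021:10:00:06 +0000] "POST /surveys/?s=CONSTRUCTED000002 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [20/May/2021:10:02:11 +0000] "POST /surveys/?s=CONSTRUCTED000002 HTTP/1.1" 200 5120',
    '52.147.218.10 - - [20/May/2021:10:03:00 +0000] "POST /surveys/?s=CONSTRUCTED000003 HTTP/1.1" 200 5120',
    '::ffff:52.147.217.44 - - [20/May/2021:10:04:30 +0000] "POST /redcap/surveys/?s=CONSTRUCTED000004 HTTP/1.1" 200 5120',
    '40.94.200.1 - - [20/May/2021:10:05:00 +0000] "POST /redcap/index.php HTTP/1.1" 200 312',
    'not a log line',
]

if __name__ == "__main__":
    for hit in find_scanner_survey_posts(SAMPLE_LOG):
        print(f'line {hit["line"]}: {hit["client"]} {hit["time"]} '
              f'{hit["path"]} -> {hit["status"]}')
```

If REDCap sits behind a proxy or load balancer, the client field holds the proxy address, so run this over logs that record the forwarded client IP.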

Version 11.0.3 (released on 2021-05-14)

 

  • Major bug fix: When using an Adaptive or Auto-Scoring instrument downloaded from the REDCap Shared Library, in which that survey was set to use "Enhanced radios and checkboxes" via the Survey Settings page, the survey would not function and would not allow participants to submit their responses unless the survey was reverted to no longer using "Enhanced radios and checkboxes".
  • Bug fix: The Survey Link Lookup page in the Control Center would fail when using a new survey link that has a 16 character length hash. (Ticket #106907)
  • Bug fix: When a survey participant is taking a specific Adaptive or Auto-Scoring instrument (such as "NIH TB Hearing Handicap Age 65+") downloaded from the REDCap Shared Library that contains an initial descriptive text field (i.e., it has no choices to choose from), the survey would not function and would not allow participants to submit their responses. Note: This only affects 3 or 4 total Adaptive or Auto-Scoring instruments in the entire REDCap Shared Library.
  • Bug fix: If a report contains filter logic containing around 900 or more field variables, the report might mistakenly return 0 results instead of the appropriate results. REDCap cannot parse more than 900 or so field variables in logic due to a limitation in PHP. If more than 900 field variables are used in a report's filter logic and it causes PHP to crash, REDCap will provide a helpful error message in this case to inform the user that there is either a syntax error in the filter logic or that it is too long and needs to be shortened. (Ticket #106834)

Version 11.0.2 (released on 2021-05-14)

 

  • Change/improvement: A new database configuration check was added to the Configuration Check page that looks at the value of the optimizer_switch's "rowid_filter" setting to make sure that it is set to OFF in the MySQL configuration file. Having that setting turned on can cause certain issues when running REDCap. (Ticket #103092)
  • Change/improvement: Added four new redcap_log_event database tables for new projects to improve server performance when REDCap is querying logging data for a project. Note: This will not improve performance when querying the logging records of existing projects but only applies to projects created after upgrading to v11.0.2 or higher.
  • Change: The alphanumeric hash that exists in all survey links has been increased in length from 10 to 16. Any new survey links created will have a 16 character length hash.
  • Bug fix: If a data export takes a long time and the user is away from the computer so long that the auto-logout dialog displays on the page, the auto-logout dialog would mistakenly be displayed underneath the "Exporting data" popup, thus preventing the user from seeing it and preventing the auto-logout process from occurring. (Ticket #106545)
  • Bug fix: When not using record auto-numbering in a project while viewing the Add/Edit Records page or Record Status Dashboard, if a record name is hand-entered in a different case than in which it was saved (e.g. "abc" vs "ABC"), it might cause issues on the Record Home page, such as not displaying Custom Labels for Repeating Instruments. (Ticket #106559)
  • Bug fix: When viewing a custom Record Status Dashboard in a project that has Double Data Entry enabled, the custom dashboard's "sort by" setting (if utilized) would mistakenly not sort the dashboard's records correctly for any user that has the DDE #1 or #2 designation. (Ticket #105030)
  • Bug fix: When REDCap is reporting its general stats to the consortium, it would mistakenly fail to send them in some cases where the URL ended up being more than 2000 characters long.
  • Bug fix: A survey theme's background color might mistakenly not get applied to a radio/checkbox matrix on the survey page, thus displaying part of the matrix in the wrong color. Bug emerged in the previous version. (Ticket #106712)
  • Bug fix: If the system-level setting for setting Project Dashboards as "public" is set to "Yes, but an administrator must approve the request", that feature would not work correctly and would mistakenly allow normal users to set their dashboards as public without the approval process. (Ticket #106813)
  • Bug fix: If the system-level setting for setting Project Dashboards as "public" is set to "Yes, but an administrator must approve the request", if a normal user clicks the "Copy" button to copy a dashboard that has been set as public, it would mistakenly set the newly created dashboard as public also. In this situation, it should set it not to be public, and a user would need to edit the newly created dashboard and click the "Set as public" setting to put in a new request for an admin to approve this new dashboard to be public. (Ticket #106813b)
  • Bug fix: Clicking the "Enable color-blind accessibility" on public Project Dashboards would fail to work. (Ticket #106901)
  • Bug fix: The chart legend was mistakenly not being displayed for the Smart Charts scatter-plot, line-chart, and bar-chart when using a grouping field for them. (Ticket #106543)
  • Bug fix: The setting "Designate an email field for communications (including survey invitations and alerts)" on the Project Setup page would mistakenly be disabled and not usable unless the project has the setting "use surveys in this project?" enabled, which is not correct since the designated email setting can be used for more than just surveys.

Version 11.0.1 (released on 2021-05-07)

 

  • Improvement: The Smart Charts [pie-chart] and [donut-chart] now display the percentage value on top of each colored slice in the chart.
  • Improvement: On the Calendar page when viewing the "View/Edit Calendar Event" popup for a calendar event that is attached to a record, the popup now displays a "View Record Home Page" link next to the record name to allow the user to easily navigate to the record.
  • Major bug fix: Alerts & Notifications that are set to be sent via SMS or Voice Call would mistakenly not get sent whenever the alert is triggered. Bug emerged in REDCap 10.6.18 LTS and 11.0.0 Standard. (Ticket #106260)
  • Bug fix: When viewing the public URL of a project dashboard, the dashboard's project_id would mistakenly not get passed to the redcap_every_page_before_render hook.
  • Bug fix: The wrong language is mistakenly used in the Smart Variable documentation for the ":no-export-link" Smart Table parameter. (Ticket #106023)
  • Bug fix: When using the wizard on the Project Dashboard creation page, it might mistakenly insert the unique report name for the wrong report into Step 4 when selecting an option in the report drop-down in Step 3. (Ticket #106013)
  • Bug fix: Smart Charts that are "bar-chart" type with the ":bar-vertical" parameter would mistakenly have the field label displayed on the Y-axis when instead it should be located on the X-axis for vertical display. (Ticket #106017)
  • Bug fix: On surveys that have Enhanced Radio & Checkboxes enabled, in which radio fields are embedded inside checkbox labels or checkboxes are embedded inside radio labels (or other variations of these), some of the options might mistakenly not be selected after clicking on them. (Ticket #105880)
  • Bug fix: When using the ":inline" piping parameter on a File Upload field that has a PDF file uploaded to it, the PDF would fail to successfully embed on the page and would mistakenly display a bunch of HTML in its place. (Ticket #105462)
  • Bug fix: The External Service Check for the NML Field Bank service was mistakenly missing on the Configuration Check page. (Ticket #106086)
  • Bug fix: When using the Designated Phone Field with the Twilio telephony services for surveys, the participant's record ID might mistakenly not be displayed on the Survey Invitation Log in certain cases. (Ticket #49955)
  • Bug fix: When creating a new Table-based authentication user on the "Create single user" page in the Control Center, it is possible to create a user without entering a value for their username. That should not be allowed. (Ticket #106103)
  • Bug fix: Smart Charts that are "bar-chart" type and use a second field for grouping might mistakenly display the wrong counts in the chart if there exist any blank values for the grouping field, or it might mismatch the counts for the wrong grouping category in certain scenarios. (Ticket #106017)
  • Bug fix: When using the "Move to Production status" public survey for "Custom Surveys for Project Status Transitions" when users are not allowed to move projects to production on their own but must request an administrator do so on their behalf, if the user failed to select the radio button asking "Keep existing data or delete?" in the dialog pop-up and then they completed the public survey afterward, the "Working..." progress message would appear and never go away, thus preventing the request from being submitted correctly. (Ticket #106173)
  • Bug fix: When the datediff cron job is running for Alerts & Notifications that contain datediff+today/now in their conditional logic, the cron job might mistakenly take a long time to complete (or might time out) because the record list cache has not been created yet for the projects for which the cron job is processing. To prevent the cron job from taking too long and possibly timing out, it will attempt to build the record list cache in real time for each project it is processing. This may mean that initial attempts of the cron job may still take a long time, but later instances of the cron should be much faster.
  • Bug fix: When the datediff cron job is running for Automated Survey Invitations that contain datediff+today/now in their conditional logic, the cron job might mistakenly take a long time to complete (or might time out) because the record list cache has not been created yet for the projects for which the cron job is processing. To prevent the cron job from taking too long and possibly timing out, it will attempt to build the record list cache in real time for each project it is processing. This may mean that initial attempts of the cron job may still take a long time, but later instances of the cron should be much faster.
  • Change: The REDCap cron job now automatically resets a project's record list cache if the project has had some activity in the past week and if its cache is more than 5 days old. In previous versions, it would only reset the cache if the project had some activity in the past week when its cache was more than 3 days old. This was changed because the cache is more stable in recent versions and doesn't require being reset quite as often.
  • Bug fix: When using the survey setting "Time Limit for Survey Completion" in which a user clicks the clock icon for a participant in the Participant List in order to modify their Link Expiration time, clicking the "Expire it now" button in the dialog would mistakenly fail to do anything because of a JavaScript error. (Ticket #106167)
  • Bug fix: When a text field is embedded inside a checkbox field, clicking inside the text box mistakenly causes its parent checkbox to become unchecked. (Ticket #105001b)
  • Bug fix: When launching the Clinical Data Pull embedded window inside an EHR user interface, it might mistakenly say that the current web browser is not compatible.
  • Bug fix: In some cases, upgrading to REDCap 11.0.0 mistakenly did not load the new project template that illustrates Project Dashboards, etc. If that project template is missing, it will automatically be added when upgrading to 11.0.1. (Ticket #105976)
  • Bug fix: If a field is using the @CALCDATE action tag that references a field variable as the second parameter, if that second parameter field has a blank value, the @CALCDATE calculation might return an incorrect value when instead it should be returning a blank value. This only occurs on the server-side (PHP) processing of @CALCDATE when a form/survey is being saved, and does not occur with the client-side (JavaScript) version of the function. This means that while the value looks blank when viewing a data entry form or survey page, the incorrect value would be seen on reports, data exports, or wherever the @CALCDATE field is being piped. (Ticket #106243)
  • Bug fix: If using a survey-level designated email field, in certain cases the Participant Email displayed in the Survey Invitation Log might mistakenly be blank or might display the project-level designated email field instead. Bug emerged in REDCap 10.6.18 LTS and 11.0.0 Standard.
  • Bug fix: When a survey invitation is sent to a participant via a Twilio SMS message, viewing the message afterward in the Survey Invitation Log would mistakenly display extra text (e.g., "-- To begin the survey, visit...") appended to the message that did not actually get sent to the participant in the SMS message. Additionally, when viewing an SMS message in the Survey Invitation Log, it would mistakenly display any URLs in the message as clickable links instead of correctly displaying them as non-clickable URLs, which is more accurate to how they are seen by the recipient. (Ticket #104997)
  • Bug fix: When a project has been set up with Automated Survey Invitations and is using the Designated Email Field, the Public Survey Link page might mistakenly display the red box saying "WARNING: The designated email field does not exist on the first survey", which might not be true if a survey has been orphaned (created in the past but then later removed) in which the survey had one or more ASI's set up for it.
  • Bug fix: Dots/periods have been allowed in checkbox codings since REDCap 9.9.0, but the data dictionary import process would still mistakenly display an error message saying that this is not allowed, which is not correct. (Ticket #106375)
  • Bug fix: When a project is using Twilio for sending survey invitations, and an Automated Survey Invitation is set to "use participant's preference" for the invitation type/delivery method, then any participant whose delivery preference is "email" would mistakenly receive the expected email body text but with extra text appended to it (e.g. "Please take this survey. You may open the survey..."). In many cases, this means that the email body is duplicated in the email, which is not desirable. (Ticket #102953)
  • Bug fix: When editing a field in the Online Designer and using different background colors or text colors in tables added via the rich text editor, a survey theme's color might mistakenly override a table row's or table cell's background/text color when viewing the field on a survey page. (Ticket #106340)
  • Change/improvement: The green highlight background color will no longer appear when a user/participant puts focus on or clicks on a field that is embedded inside another field on a data entry form or survey. From now on, it will only highlight the field with green for non-embedded fields. This should improve the user experience when many fields are embedded in the same table row on the page in which the green highlight would highlight all of them (sometimes making the entire page green), which is often not desirable.
  • Bug fix: For certain projects, unique report names were mistakenly not being generated for some or all reports in the project. (Ticket #106366)

Version 11.0.0 (released on 2021-04-30)

 

  • New feature: Project Dashboards
    • INTRO: Project Dashboards are pages with dynamic content that can be added to a project. They can utilize special Smart Variables called Smart Functions, Smart Tables, and Smart Charts (described below) that can perform aggregate mathematical functions, display tables of descriptive statistics, and render various types of charts, respectively. User access privileges are customizable for each dashboard, and anyone with Project Design privileges can create and edit them. A Wizard is provided on the Project Dashboard creation page to help users easily construct the syntax for Smart Functions, Smart Tables, or Smart Charts, and a basic list of helpful examples is also included. Example dashboard: https://redcap.link/dash1
    • Setting project dashboards as “public”
      1. If enabled at the system-level (described in detail below), any project dashboard can be enabled as “public”, which means it can be accessed at a unique URL that does not require any authentication. Making a dashboard public is useful if you wish for people to view it without having to be REDCap users or log into REDCap. Public dashboards are simply standalone pages that can be viewed by anyone with a link to them.
      2. Users can opt to create a custom/short url (via the https://redcap.link service) for any project dashboard that is enabled as “public”.
      3. System-level setting to allow/disallow public dashboards (on the User Settings page in the Control Center) - By default, normal users will be able to set any project dashboard as public. If you do not want users to do this or even know about this feature, you can completely disable it on the User Settings page. Alternatively, it can be set to “Allow public dashboards with admin approval only”. If set to allow public dashboards after approval by an admin, the admin will receive the request from the user via the To-Do List page (and via email, if the email notification setting is enabled on the To-Do List page), and after the admin approves the request, the user will receive an email regarding the response to their request.
    • Setting to control data privacy on public dashboards and other public pages
      1. The User Settings page in the Control Center has a setting to define the “Minimum number of data points required to display data for any Smart Charts, Smart Tables, and Smart Functions on a *public* project dashboard, survey queue, or survey page”. By default, it is set to a value of “11”. While only aggregate data is displayed in Smart Charts, Smart Tables, and Smart Functions, if any of these utilize very few data values, it might pose a threat to an individual’s data privacy if these are being displayed on *public* dashboards and other public pages (i.e., where authentication is not used).
      2. If someone is viewing a public page that has Smart Charts, Smart Tables, and Smart Functions that utilize data that does not meet the minimum data point requirement, then instead of displaying the chart/table/number on the page, it will display a notice saying “[INSUFFICIENT AMOUNT OF DATA FOR DISPLAY]” with a pop-up note with details about the minimum data requirements.
      3. Project-level override: While this behavior is controlled by a system-level setting, the system-level setting can be modified by an administrator via a project-level override for any given project on the “Edit A Project’s Settings” page.
      4. Note: This setting does not get used when viewing project dashboards inside a project (i.e., at a non-public URL).
    • PDF export: Each project dashboard can be exported as a one-page PDF file.
    • Dashboard cache: To prevent server performance degradation, each project dashboard will have its content cached (stored temporarily) automatically for up to 10 minutes at a time rather than generating its content in real time every time the dashboard is loaded. It will note at the top right corner of the dashboard page when the dashboard content was last cached. If a user is viewing the dashboard inside a project (i.e., not via a public dashboard link), they have the option at the top right to “Refresh” the dashboard at will, which will refresh/generate its content in real time. Note: The refresh option will only be displayed on the page when the dashboard content is at least 30 seconds old.
  • New feature: Smart Functions
    • Smart Functions are aggregate mathematical functions that are utilized as Smart Variables. The following Smart Functions exist: [aggregate-min], [aggregate-max], [aggregate-mean], [aggregate-median], [aggregate-sum], [aggregate-count], [aggregate-stdev], and [aggregate-unique]. These represent the mathematical functions minimum, maximum, mean/average, median, sum, count, standard deviation, and unique count, respectively. Each must have at least one field attached to it that follows a colon - e.g., [aggregate-mean:age]. Multiple fields may be used in each one, which will perform the function over all the data values of all the fields. By default, the functions will utilize all data values for all records in the project. To limit the data values being utilized to a subset of the total project data, see the Smart Variable documentation on how to apply filters, such as attached unique report names, DAGs, and other parameters.
    • Note: When using [aggregate-count:record_id], in which “record_id” in this example represents whatever the variable of the Record ID field is, it performs a special count that does not literally count the number of data values but instead returns a count of the total number of records in the project. This is a quick way to display the total record count of the project.
    • Smart Functions can be used anywhere in a project where piping is allowed, and can even be used inside calculations, branching logic, and other conditional logic (report filters, alert conditions, etc.).
  • New feature: Smart Tables
    • Smart Tables are tables displaying aggregate descriptive statistics in which the results of any or all of the following stats functions can be displayed for one or more fields: minimum, maximum, mean/average, median, sum, count, standard deviation, count of missing values, and count of unique values.
    • Smart Tables are represented with the Smart Variable [stats-table], which accepts as a parameter the variable names (comma delimited) of all the fields to be displayed as separate rows in the table. There is no limit to the number of fields that can be used. For example, [stats-table:field1,field2,field3].
    • By default, all available columns will be displayed in the table and are as follows: Count, Missing, Unique, Min, Max, Mean, Median, StDev, Sum. To display only a subset of the columns, you may provide any of the following designations (comma-separated) that represent a specific column in the table: count, missing, unique, min, max, mean, median, stdev, sum. For example, [stats-table:field1,field2,field3:mean,max].
    • By default, each stats table will have an "Export table (CSV)" link displayed immediately below it to allow users to download the table as a CSV file. But if users wish to hide the export link, they can simply attach “:no-export-link” to the Smart Variable, which will cause the link not to be displayed. For example, [stats-table:field1,field2,field3:no-export-link].
    • Smart Tables can be used anywhere in a project where piping is allowed.
  • New feature: Smart Charts
    • Smart Charts are various aggregate plots and charts utilized as different Smart Variables. The following plots are available for use: bar charts, pie charts, donut charts, scatter plots, and line charts. These are all represented by the following Smart Variables, respectively: [bar-chart], [pie-chart], [donut-chart], [scatter-plot], and [line-chart]. These Smart Variables accept one or more field names and also other optional parameters, as described below for each.
    • Bar charts - Displays a bar chart for a single multiple choice field. It can optionally perform color grouping if a second field (multiple choice only) is provided. The fields must be comma-separated. For example, [bar-chart:field,grouping-field:parameters]. Bar charts have optional parameters that can be applied to alter their appearance. By appending the parameter “:bar-stacked” when two fields are used, the bars in the chart will appear stacked on top of each other rather than side by side. By default, bar charts are displayed with their bars going horizontally, but by appending the parameter “:bar-vertical”, the orientation will be changed to display vertically instead.
    • Pie charts - Displays a pie chart for a single multiple choice field. For example, [pie-chart:field:parameters].
    • Donut charts - Displays a donut chart for a single multiple choice field. Note: A donut chart is essentially the same as a pie chart but with the center removed. For example, [donut-chart:field:parameters].
    • Scatter plots - Displays a scatter plot of one number/date/datetime field for the x-axis and a second field (number field only) for the y-axis. (If a second field is not provided, a random value will be assigned for the y-axis.) It can optionally perform color grouping if a third field (multiple choice only) is provided. All fields must be comma-separated. For example, [scatter-plot:x-axis-field,y-axis-field,grouping-field:parameters].
    • Line charts - Displays a line chart of one number/date/datetime field for the x-axis and a second field (number field only) for the y-axis. It can optionally perform color grouping if a third field (multiple choice only) is provided. All fields must be comma-separated. Note: A line chart is essentially the same as a scatter plot except with dots connected with a line. For example, [line-chart:x-axis-field,y-axis-field,grouping-field:parameters].
    • Color blindness accessibility: Pie charts and donut charts have the ability for the user to enable color blindness accessibility, via a gray link displayed immediately below each chart, in which it overlays different patterns onto the colored pieces of the chart to make each color more distinct for many types of color blindness. This option to enable color blindness accessibility is stored in a secure cookie on the user’s device and will be used to remember this choice anytime a pie/donut chart is displayed on any page for any REDCap project for that REDCap server.
    • The colors displayed in each chart/plot are preset and are not modifiable.
    • Smart Charts can be used anywhere in a project where piping is allowed *except* for inside the body of outgoing emails.
  • Optional parameters for Smart Functions, Smart Tables, and Smart Charts
    • There exist various optional parameters that can be used with Smart Functions, Smart Tables, and Smart Charts to either filter the data used in them (e.g., via a unique report name) or to change their appearance (e.g., bar-vertical). See the descriptions for each below, which are all documented in the Smart Variables documentation.
    • :R-XXXXXXXXXX Unique Report Name - For Aggregate Functions, Charts, and Tables, filter the data being used by appending a Unique Report Name. Next to each report on the 'My Reports & Exports' page is its unique report name, which has 'R-' followed by alphanumeric characters. By default, all Aggregate Functions, Charts, and Tables will use the values of all records in the project, but if a unique report name is appended to any of them, only data from that specific report will be used. Using a report as a surrogate to filter data is a very useful technique of performing complex filtering logic for Aggregate Functions, Charts, and Tables.
    • :record-name "record-name" - For Aggregate Functions, Charts, and Tables, filter the data being used to the *current record* by using the literal value 'record-name'. Note: This parameter will only work in a context where a single record is being viewed/accessed, such as on a survey page, data entry form, etc. This parameter can be used with any of the other parameters except unique report names.
    • :event-name "event-name" - For Aggregate Functions, Charts, and Tables, filter the data being used to the *current event* (longitudinal projects only) by using the literal value 'event-name'. Note: This parameter will only work in a context where a single record/event is being viewed/accessed, such as on a survey page, data entry form, etc. This parameter can be used with any of the other parameters except unique report names.
    • :unique-event-names Unique Event Names - For Aggregate Functions, Charts, and Tables, filter the data being used to specific events (longitudinal projects only) by providing an event's unique event name (found on the Define My Events page). You may use one or more unique event names (comma-separated). Note: This parameter can be used with any of the other parameters except unique report names.
    • :user-dag-name "user-dag-name" - For Aggregate Functions, Charts, and Tables, filter the data being used to the records assigned to the *current user's Data Access Group* by using the literal value 'user-dag-name'. Note: This parameter will only work in a context where an authenticated user belongs to a project and has been assigned to a DAG in the project (this excludes survey pages and public project dashboards). This parameter can be used with any of the other parameters except unique report names.
    • :unique-dag-names Unique DAG Names - For Aggregate Functions, Charts, and Tables, filter the data being used to the records assigned to specific Data Access Groups by providing a DAG's unique group name (found on the Data Access Groups page). You may use one or more unique DAG names (comma-separated). Note: This parameter can be used with any of the other parameters except unique report names.
    • :bar-vertical "bar-vertical" - Display a bar chart with the bars going vertically instead of horizontally (the default) by using the literal value 'bar-vertical'. Note: This parameter can be used with any of the other parameters.
    • :bar-stacked "bar-stacked" - Only for bar charts using two fields, display the bar chart with the bars stacked on top of one another for each choice. The default view displays the bars of each field side by side to show the color grouping. To enable this, use the literal value 'bar-stacked'. Note: This parameter can be used with any of the other parameters.
    • :no-export-link "no-export-link" - Only for Smart Tables, hide the "Export table (CSV)" link that is displayed immediately below each stats table by default. To enable this, use the literal value 'no-export-link'. Note: This parameter can be used with any of the other parameters.
  • NOTE: Using Smart Functions/Tables/Charts elsewhere in a project - While project dashboards are an excellent place to use Smart Functions, Smart Tables, and Smart Charts, it is important to know that Smart Functions/Tables/Charts can actually be used *almost anywhere* in a project, such as on data entry forms, on survey pages, and in report instructions (to name a few). You can use Smart Functions/Tables/Charts anywhere that piping can be used. Click the green "Smart Variables" button on the Project Setup page to learn more about them. Note: The only place that Smart Charts cannot be used is inside the body of outgoing emails.
  • NOTE: Smart Functions/Tables/Charts do not yet work in the REDCap Mobile App; however, it is planned that they eventually will (to a certain degree).
  • NOTE regarding permissions for Smart Functions/Tables/Charts:
    • DAG permissions (i.e., filtering out records not assigned to the current user’s DAG) are NOT applied by default to Smart Charts/Tables/Functions but are only applied when the Smart Chart/Table/Function utilizes a unique report name as a parameter (thus mimicking the natural DAG-filtering behavior of reports themselves) OR when the Smart Chart/Table/Function utilizes the “user-dag-name” parameter. This means that if a user is assigned to a DAG and views a project dashboard with the Smart Chart [scatter-plot:weight], for example, the plot will display data for ALL records in the project and not just the user’s DAG. To limit the plot to just data in the user’s DAG, it could be changed to [scatter-plot:weight:user-dag-name] in this case.
    • Smart Charts/Tables/Functions that utilize a unique report name as a parameter for data filtering purposes will still function and display normally even if the user does not have explicit access to view that specific report referenced as a parameter.
  • New feature: CSV Delimiter as a user-level preference - The My Profile page now has a new user preference to allow a user to set their own preferred CSV delimiter (e.g., comma, semi-colon) that will be used as the delimiter character in all CSV file downloads throughout REDCap, such as data dictionary import/export, event import/export, user rights import/export, etc. This setting is not used by data imports and exports because those already have a way to specify the CSV delimiter manually. The system-level default value for this user preference can be set on the User Settings page in the Control Center, in which all new users created afterward will have their user-level preference set with this system-level default value. To modify all existing users’ preference after upgrading (if your users would not want a comma delimiter), it will require running an “update” query in the database, such as this: UPDATE redcap_user_information SET `csv_delimiter` = ';' ;
  • Improvement: Report “description” text now utilizes the rich text editor. Additionally, users may perform piping into a report’s description, such as project-level Smart Variables, including Smart Charts, Smart Functions, and Smart Tables.
  • Improvement: New option for Project Templates called “copy records”, which will copy any existing records in the template to the new project created from the template. This option can be enabled for any new or existing Project Templates.
  • Improvement: A new Project Template was added to illustrate new features in 11.0+. The new template is named “Project Dashboards, Smart Functions, Smart Tables, & Smart Charts”.
  • Change/improvement: The Logic Editor popup is now utilized when editing the "Action Tags/Field Annotation" text box in the Online Designer. (Ticket #103007)
  • Bug fix: When exporting data via the Export Records API method as type=eav, it would mistakenly fail to include the value of the redcap_event_name field (and would export it as blank/null) if the project is longitudinal and the exported data format is XML or JSON. Bug emerged in REDCap 10.6.16 (LTS) and 10.9.3 (Standard). (Ticket #105673)
  • Bug fix: When attempting to use the Easy Upgrade on an AWS Quick Start deployment of REDCap, the upgrade process may fail due to "\r" characters in the upgrade shell script. (Ticket #103939)
  • Bug fix: When creating a project via a Super API Token, the API call would fail due to a fatal PHP error, thus preventing the project from being created. Bug emerged in REDCap 10.6.16 (LTS) and 10.9.3 (Standard).
  • Bug fix: When importing data (via Data Import Tool, API, or REDCap::saveData), all records would mistakenly have spaces trimmed off the beginning and end of every value being imported. This would prevent the data from being imported as-is. It now no longer trims whitespace off of the beginning and end of data values during data imports.
  • Bug fix: On certain occasions, an alert that is triggered may mistakenly send an email to the "Email to send email-failure errors" recipient multiple times (instead of just once) or may send it to that recipient when it is not supposed to.
  • Bug fix: A field using the @CALCTEXT action tag would mistakenly return a blank value whenever it should be returning a value of 0. (Ticket #105128)
  • Bug fix: When using the concat() function in a @CALCTEXT field, the calculation might mistakenly fail if certain characters such as "+" are utilized inside the concat() function. (Ticket #105445)
  • Bug fix: When a text box field is embedded inside a checkbox field on a survey that is using Enhanced Checkbox/Radio Fields, the checkbox would be unable to be selected. (Ticket #97954)
  • Bug fix: When a checkbox field is embedded inside a checkbox field, it would mistakenly check the first sub-checkbox whenever checking the parent checkbox. (Ticket #97954)
  • Bug fix: When a radio field is embedded inside a checkbox field, several things would function incorrectly when clicking on the labels of the radio fields or their "reset" link. (Ticket #105001)
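
Added example (not part of the REDCap change log and not REDCap code) for the 11.0.0 note above on DAG permissions for Smart Functions/Tables/Charts: a Python check that parses the Smart Variables in a dashboard's text and reports which are scoped by a unique report name or user-dag-name and which draw on all records. The sample text, the report name R-EXAMPLE0001 and the function names are constructed for illustration; it also flags a report name combined with a parameter the notes say cannot be used with one.

```python
import re

# Smart Function/Table/Chart names listed in the 11.0.0 notes.
SMART_NAMES = [
    "aggregate-min", "aggregate-max", "aggregate-mean", "aggregate-median",
    "aggregate-sum", "aggregate-count", "aggregate-stdev", "aggregate-unique",
    "stats-table", "bar-chart", "pie-chart", "donut-chart",
    "scatter-plot", "line-chart",
]
SMART_RE = re.compile(r"\[(" + "|".join(SMART_NAMES) + r"):([^\[\]]+)\]")
# The notes only say "'R-' followed by alphanumeric characters".
REPORT_RE = re.compile(r"R-[A-Za-z0-9]+")
# Literal parameters the notes say cannot be combined with a report name.
# Unique event/DAG names share that rule but cannot be told apart by syntax,
# so this check does not cover them.
NOT_WITH_REPORT = {"record-name", "event-name", "user-dag-name"}

# Constructed dashboard body; R-EXAMPLE0001 is a placeholder report name.
SAMPLE_DASHBOARD = """
Total enrolled: [aggregate-count:record_id]
Mean age at your site: [aggregate-mean:age:user-dag-name]
[scatter-plot:weight]
[bar-chart:sex,arm:R-EXAMPLE0001:bar-stacked]
[stats-table:age,weight:mean,max:no-export-link]
[pie-chart:race:R-EXAMPLE0001:user-dag-name]
"""


def parse_smart_variables(text):
    """Return one dict per Smart Function/Table/Chart found in text."""
    found = []
    for m in SMART_RE.finditer(text):
        segments = m.group(2).split(":")
        # First segment: comma-separated field names.
        fields = [f.strip() for f in segments[0].split(",") if f.strip()]
        # Remaining segments: parameters, each possibly comma-separated.
        params = [p.strip() for seg in segments[1:]
                  for p in seg.split(",") if p.strip()]
        found.append({"raw": m.group(0), "name": m.group(1),
                      "fields": fields, "params": params})
    return found


def classify(var):
    """Classify one parsed Smart Variable by how its data is scoped.

    'dag-scoped'  - unique report name or user-dag-name present, the two
                    cases where the notes say DAG permissions are applied.
    'all-records' - neither present: every viewer sees data aggregated
                    over all records, whatever DAG they are assigned to.
    'conflict'    - report name combined with a parameter documented as
                    not usable together with unique report names.
    """
    params = var["params"]
    has_report = any(REPORT_RE.fullmatch(p) for p in params)
    if has_report and NOT_WITH_REPORT.intersection(params):
        return "conflict"
    if has_report or "user-dag-name" in params:
        return "dag-scoped"
    return "all-records"


def audit(text):
    """Return (raw Smart Variable, classification) pairs in document order."""
    return [(v["raw"], classify(v)) for v in parse_smart_variables(text)]


if __name__ == "__main__":
    for raw, status in audit(SAMPLE_DASHBOARD):
        print(f"{status:12} {raw}")
```

Entries reported as all-records are the ones to review before a dashboard is shared with DAG-restricted users or made public.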