CHANGES IN THIS VERSION:

• New feature: Mosio SMS Services

  • REDCap has the capability to send SMS text messages for surveys and for Alerts & Notifications by using a third-party web service named Mosio (www.mosio.com). In this way, users can invite a participant to take a survey by sending them an SMS message, in which the data would be collected in REDCap directly from their phone without having to use a webpage. There are two ways REDCap currently works with Mosio: 1) Surveys – Sending survey invitations and also sending questions and getting replies via text message, and 2) Alerts - Sending one-way Alerts & Notifications via text message.

  • The Mosio Two-Way Text Messaging (SMS) Services work exactly the same as the current Twilio functionality, with the exception of the Voice Call features. Mosio can only send and receive SMS messages. If a user wishes to switch a project from using Twilio to using Mosio, the only thing that needs to be done is for them to get a Mosio account and API key, then disable Twilio and enable Mosio in their REDCap project using their API key. That’s all that needs to be done to migrate from Twilio.

  • If you wish to disable the Mosio functionality at the system-level so that users do not see the feature on the Project Setup page, an administrator may do so on the Modules/Services Configuration page in the Control Center (similar to the Twilio settings there).

  • For more information and to get a Mosio account, visit https://www.mosio.com/redcap. Mosio specializes in research communications automation, helping researchers improve engagement, adherence, and data collection in studies. The service is both HIPAA and 21 CFR Part 11 compliant and willing to sign BAAs.

• Change: The Internet Explorer web browser is no longer supported in REDCap.

• Change: The third-party package named Bootstrap that is embedded inside REDCap has been upgraded from Bootstrap 4 to Bootstrap 5. Most external modules should be unaffected by this change since most of the deprecated Bootstrap 4 classes and conventions have been backported into this version to make the transition as seamless as possible.

• Major bug fix: If the Automatic Upgrade (blue button on the Upgrade page), Easy Upgrade, and/or Auto-Fix options are available in your REDCap installation (regardless of whether you have actually used those options or not), it could be possible for someone that is not logged in to REDCap to directly access the upgrade page of an older version sitting on the web server (e.g., https://.../redcap_v11.1.0/upgrade.php) and click the blue Upgrade button for the Automatic Upgrade, which would mistakenly revert the system back to that version. Note: Doing this would not run any other SQL but only the few queries that change the "redcap_version" in the redcap_config database table (and a couple of other minor things). If either the Automatic Upgrade or Easy Upgrade option is available on your system, then it is recommended that you additionally go and remove EVERY ugprade.php file that exists inside all previous REDCap version folders. This is just a one time thing, and is not necessary to do in the future. (Ticket #200338)

• Change: Replaced all hard-coded links to REDCap Community pages to point to the new REDCap Community website hosted on the Vanderbilt REDCap server. Previous links pointed to the old AnswerHub site.

• Change: The project PID was added to the email subject of all "Request to Move Project to Production" emails that are sent to REDCap administrators. (Ticket #76956)

• Bug fix/change: Inline PDF attachments on Description Text fields were mistakenly not being rendered as inline in PDF exports.

  • Last year when the inline PDF feature was added for attachments on Description Text fields, in which in previous REDCap versions only images could be displayed as an inline attachment on the web page and in the exported PDF file, the feature was mistakenly not fully implemented because the PDF attachment was not rendered inline inside the resulting exported PDF file for a form or survey. To fix this, any PDF attachments that are set to be displayed as inline on a Descriptive Text field will now correctly be rendered as inline in the PDF of the form/survey in order to be consistent with how inline images have always been treated in PDFs. 

  • Additionally, the ImageMagick PHP extension is required for this fix to work. It is a common but not universal PHP extension. A new check has been added to the Configuration Check page to detect if this extension has been enabled on the REDCap web server, and if not, the page will provide a link with instructions for installing it, if desired. 

  • NOTE: If administrators wish to disable this setting so that inline PDF attachments are not rendered as inline inside the PDF files, they may disable this functionality at the system level on the Modules/Services Configuration page in the Control Center.

• Bug fix: When the min or max validation range of a date- or number-formatted Text field contains certain Smart Variables, the min/max range check might mistakenly not work on a form or survey due to a JavaScript error. (Ticket #143298)

• Bug fix: When a user deletes all the data in a single event for a record (in the UI or via the API), the resulting logged event seen on the Logging page would mistakenly note that it happened to the first event instead of to the specified event.

• Bug fix: When the Record ID field has the @HIDDEN-PDF action tag, the field would mistakenly not get hidden in the downloaded PDF when clicking the PDF option "This data entry from with saved data (via browser's Save as PDF)" while on a data entry form. (Ticket #111718b)

• Bug fix: While the ability of individual projects to have their own authentication method was removed in REDCap 13.1.2, this setting was mistakenly not removed from the Edit Project Settings page (in which changing its value on that page does nothing to affect anything). (Ticket #200379)

• Bug fix: When copying a MyCap-enabled project, it would mistakenly copy the MyCap tasks into the new project, even when the MyCap copy option is not checked.

• Bug fix: When migrating a project using the MyCap external module to begin using the native MyCap feature, the migration process might mistakenly not process certain MyCap tasks correctly that were not adequately enabled in the MyCap EM.

• Bug fix: The Smart Variables [survey-time-started], [survey-date-started], [survey-time-completed], [survey-date-completed], [survey-duration], [survey-duration-completed] might mistakenly return the value for record "1" in a project (if record "1" exists) when these Smart Variables are used in a calculated field, @CALCTEXT field, or branching logic on the first page of a public survey. These would, however, work correctly if used in a field label, choice label, etc., if used on a non-public survey, or if used on survey page 2 or higher of a public survey.

CHANGES IN THIS VERSION:

• Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in the @CALCTEXT action tag in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the text of the @CALCTEXT action tag.

• Minor security fix: An SQL Injection vulnerability was found on the Database Activity Monitor page, in which a malicious user could potentially exploit it by manipulating an HTTP request on another page while an administrator views the Database Activity Monitor page.

• Change: HTML "style" tags are now allowed in user-defined text, such as field labels, survey instructions, etc.

• Change/improvement: On the Calendar page, the year selection drop-down list now extends to 10 years in the future by default, and if the year is changed via the drop-down, the drop-down's option will extend to 10 years in the future of either the current year or the selected year (whichever is largest). (Ticket #143067)

• Bug fix: Several missing LOINC codes were added to the CDIS mapping features.

• Bug fix: When REDCap is sending a confirmation email to a survey participant after completing a survey, it might mistakenly cause a fatal PHP error on the page. (Ticket #143145)

• Bug fix: When piping a File Upload field with “:link” or “:inline” in the body of outgoing emails (e.g., alerts, ASIs), the piping would mistakenly not be successful under certain circumstances. (Ticket #143158)

• Bug fix: The Stats & Charts page might mistakenly crash in certain situations due to a fatal PHP error when using PHP 8. (Ticket #143019b)

• Bug fix: When using Multi-Language Management, in which an Automated Survey Invitation has been translated, the ASI might mistakenly not be sent in the desired language when there are conflicting things (or none) dictating what the language should be for the ASI. To prevent this issue regarding language ambiguity in ASIs, a new MLM setting had to be added to allow users to define the language source of a given ASI at the survey level (but not at the survey-event level), in which users may choose the “Language preference field” or “User's or survey respondent's active language” as the ASI Language Source on the MLM setup page. (Ticket #143119)

• Bug fix: When using Multi-Language Management, in which an Automated Survey Invitation has been translated, the ASI might mistakenly be sent out in the fallback language in some cases. (Ticket #143119b)

• Bug fix: Any HTML tags used inside the equation of a @CALTEXT field would mistakenly not display correctly in the View Equation popup on data entry forms. (Ticket #143228)

• Bug fix: An issue specific to PHP 8.1+ might cause some features of the Clinical Data Mart to crash with a fatal PHP error.

• Bug fix: When using comments in calculations or logic, if the comment contained a quote or apostrophe, it would mistakenly get included in the check to ensure that there is always an even number of quotes/apostrophes in the calculation/logic. This would sometimes throw an error and prevent users from being able to add or edit the calc/logic. (Ticket #143367)

• Bug fix: Large configurations for Multi-Language Management might mistakenly get truncated in the database when saved. The configuration columns in the MLM database tables were increased to handle this. (Ticket #143355)

• Bug fix: The embedded PDF on the e-Consent certification page of a survey with the e-Consent Framework enabled would mistakenly look squished (have incorrect dimensions) when taking the survey on an iPad. (Ticket #143212)

• Bug fix: In some cases after a participant has completed a survey, if they return to the survey using a private survey link (i.e., not a public survey link) while the survey has "Save & Return Later" disabled, the participant might mistakenly be allowed to modify the existing survey response. (Ticket #143400)

CHANGES IN THIS VERSION:

• Major bug fix: On public surveys where the participant fails to enter a value for a required field on the first page of the survey, in which the survey page has dozens or hundreds of fields, the survey page might mistakenly crash with an HTTP 414 error (URL Too Long) after being submitted, thus preventing the participant from completing the survey. Bug emerged in REDCap 13.1.11 (LTS) and 13.3.0 (Standard). (Ticket #142829)

• Bug fix: The Azure AD (V1) authentication was mistakenly displaying “samAccountName” as an option to use for “AD attribute to use for REDCap username” when instead it should have been using “onPremisesSamAccountName”. (Ticket #134789)

• Bug fix: When re-evaluating an Automated Survey Invitation for a repeating survey that has been set up with a repeating ASI, the re-evaluation process might report that some invitations were scheduled when they were not.

• Bug fix: In some cases, images that were added via the rich text editor to a project dashboard, to custom text on a report, or to survey components (instructions, questions, etc.) would mistakenly not display on the public version of the dashboard, on a public report, or on the survey, respectively, unless the person viewing it was currently logged in as a REDCap user. (Ticket #142302)

• Bug fix: If Automated Survey Invitations have been set up for a survey, in which some invitations have already been scheduled for a record, if the survey instrument gets marked as "Complete" via normal save operations on the data entry form (with the exception of clicking the "Save & Mark Survey as Complete" button), the scheduled invitations would mistakenly get automatically deleted. They should only get deleted if the survey has been completed via the survey page or by a user clicking the "Save & Mark Survey as Complete" button on the data entry form. Bug emerged in REDCap 9.3.7. (Ticket #142989)

• Bug fix: When creating a Table-based authentication user or when adding a user to a project, if the username that was entered contained illegal characters, the error message would fail to note that the @ symbol is allowed in usernames. (Ticket #142999)

• Bug fix: The Stats & Charts page might mistakenly crash in certain situations due to a fatal PHP error when using PHP 8. (Ticket #143019)

• Bug fix: When using Duo two-factor authentication, if the system is set to "Offline", it would mistakenly prevent administrators from successfully logging in via Duo 2FA. (Ticket #143003)

• Bug fix: The admin detection on survey pages might mistakenly fail in certain situations and thus fail to display the “Auto-fill survey” link at the top-right of a survey page whenever an administrator is viewing the survey.

• Bug fix: When piping instance-related Smart Variables into the email text of a survey's Confirmation Email, the resulting piped text might mistakenly not be formed correctly. For example, appending [new-instance] to the [survey-link] Smart Variable, in which survey-link contains custom display text, would output the survey URL instead of the survey link with the custom text. (Ticket #143059)

CHANGES IN THIS VERSION:

• Bug fix: When a record is correctly assigned to a Data Access Group, it might not appear to be assigned to its DAG while viewing the Record Status Dashboard, the Add/Edit Records page, and reports if data values for the record somehow got stored incorrectly in the backend redcap_data table in multiple/mixed cases (e.g., "101a" vs "101A"). Un-assigning and then re-assigning the record back to its original DAG might fix this issue temporarily, but the bug would arise again whenever the project's internal "Record List Cache" was cleared/rebuilt. (Ticket #141329, #142544) NOTE: If the issue still exists after the upgrade, click the “Clear the Record List Cache” button on the Project Setup->Other Functionality page.

• Bug fix: When exporting CSV files in various places throughout REDCap, the process might mistakenly fail for PHP 8 under specific unexpected conditions.

• Bug fix: The cron job used for the Clinical Data Mart or Clinical Data Pull might mistakenly fail due to the user ID being used instead of the username when creating a new instance of the job.

• Bug fix: Over 20 missing LOINC codes were added to the CDIS mapping features.

• Bug fix: The "resources" link in the MyCap informational dialog on the Project Setup page mistakenly pointed to the wrong URL. (Ticket #142514)

• Bug fix: The CSV file upload for importing Automated Survey Invitations (ASIs) in the Online Designer would mistakenly fail with an error if the user's preferred CSV delimiter was not set to "comma" via their user profile. (Ticket #142555)

CHANGES IN THIS VERSION:

• Change/improvement: Added a new internal service check to the Configuration Check page that checks REDCap's ability to make server-side HTTP calls to its own survey end-point. For some server/network configurations, this kind of HTTP call was failing silently and causing some survey pages to timeout sporadically. This check will help administrators become aware of this issue if it exists.

• Bug fix: When performing certain actions in the File Repository, such as uploading files, an error message would mistakenly be displayed afterward saying that there is a DataTables warning. Bug emerged in REDCap 13.3.0 (Standard).

• Bug fix: When using the page "Updating your REDCap Database Tables to support full Unicode", some REDCap installations (depending on their specific database configuration) might experience a few minor SQL errors during the unicode transformation process.

• Bug fix: The "System Statistics" page in the Control Center did not display the label correctly for the count of projects utilizing the Clinical Data Pull feature.

• Bug fix: Data values imported for a patient’s “birth-sex” via FHIR using the Clinical Data Operability Services might mistakenly get converted into an incorrect value (“UNK”) in some specific cases. (Ticket #141976)

• Bug fix: If using the e-Consent Framework with the setting "Allow e-Consent responses to be edited by users?" enabled, users with edit privileges would mistakenly be prevented from modifying the data on the consent form via a data import. (Ticket #140846)

• Bug fix: The Survey Queue page might crash due to a fatal PHP error when using PHP 8. (Ticket #142125)

• Bug fix: When using the @RICHTEXT action tag on a Notes field, changing the text in the editor (i.e., the field's value) might mistakenly not trigger calculations or branching logic accordingly. (Ticket #142127)

• Bug fix: When using the rich text editor to translate a survey's survey instructions on the Multi-Language Management setup page, any images uploaded via the rich text editor would mistakenly not load when viewing the translations on a survey page (that is, unless the person viewing the survey is a REDCap user and is currently logged in to REDCap). (Ticket #141658b)

• Bug fix: If a user that has "read-only" user privileges for a specific instrument is viewing the Data History of a File Upload field on that instrument, the "Delete" link next to each file/revision would mistakenly be displayed in the Data History popup. Users with read-only instrument-level privileges should not be able to delete older revisions of a File Upload field. (Ticket #141709)

• Bug fix: If a repeating instrument has been enabled as a survey, but the survey setting "(Optional) Repeat the survey" has not been enabled on the Survey Settings page, then when viewing the participant list, a placeholder instance might mistakenly not be displayed in the participant list to represent a not-yet-taken instance of the repeating survey. There should always be at least one untaken placeholder instance displayed for each record in the participant list for repeating surveys because this allows users to open a new instance of the survey or email the participant a link to that new survey instance. (Ticket #141545)

• Bug fix: When creating/editing a report, the explanatory dialog for Step 3's "Show data for all events for each record returned" checkbox was outdated and mistakenly did not mention anything about the setting's usage in projects containing repeating instruments/events. (Ticket #141953)

• Bug fix: When the "Text-To-Speech" feature is enabled on a survey, the speaker buttons would mistakenly not appear next to the field labels of fields in a matrix, thus preventing participants from utilizing the feature there. (Ticket #141787)

• Bug fix: In very specific situations where a field is a required field and is embedded in another field, in which the container field is hidden by an @HIDDEN action tag while the field embedded inside it also has an @HIDDEN action tag, the user would mistakenly get prompted by the Required Field dialog for a hidden embedded field if the container and/or embedded fields have @HIDDEN-SURVEY while on a data entry form *or* if they have @HIDDEN-FORM while on a survey page. (Ticket #142212)

• Bug fix: If a whole record has been locked or if a data entry form has been locked for a given record, any survey participant who happened to have opened their survey prior to the record/instrument being locked would mistakenly still be able to submit and save their survey response, and as a result, possibly overwrite any existing data on the locked record/form. (Ticket #139555)

• Bug fix: When downloading a data dictionary or an instrument zip file, any Dynamic Query (SQL) fields that contain "\\n" in their SQL query would mistakenly have the text "\\n" replaced with "|" in the resulting downloaded file. (Ticket #141734)

CHANGES IN THIS VERSION:

• New feature: Administrators will now see an “Auto-Fill Form” or “Auto-Fill Survey” button at the top right of forms and surveys, respectively. Clicking the button will auto-fill all visible fields on the entire instrument. This is to help with testing or troubleshooting data collection.

• New feature: Embedding file attachments in text & emails

  • Users may now attach one or more files into the text of a survey invitation, an alert, or a field label on a form/survey, among other things, by clicking the file attachment (paperclip) icon in the rich text editor and then by uploading a file from their local device.

  • This feature is available for every rich text editor *with the exception* of non-project pages (e.g., the Email Users page) and also any field with the @RICHTEXT action tag.

  • If administrators wish to disable the ability to embed attachments in text via the rich text editor, they may disable this functionality at the system level on the Modules/Services Configuration page in the Control Center. Note: This setting operates independently from the other setting “File Repository: Users are able to share files via public links” (found on the File Upload Settings page in the Control Center); thus, even if public file sharing has been disabled globally, users can still upload file attachments via the rich text editor so long as its associated setting has been enabled globally.

  • Note: All files uploaded via the rich text editor will be represented in the text of the editor as a public file-sharing link, which allows the file to be downloaded in any context (e.g., on surveys, on authenticated REDCap pages, and in public areas like emails and public dashboards). This means that if anyone has possession of this link, they will be able to download the file (at least, until the file has been deleted). All files uploaded via the rich text editor will be automatically stored in a special “Miscellaneous File Attachments” folder in the File Repository where they can be accessed and/or deleted, if necessary. If any such file is deleted from the “Miscellaneous File Attachments” folder in the File Repository, the associated download link for the file will cease to be active and thus will become a dead link wherever it has been used.

• Improvement: A new "preformatted code block" button was added to the toolbar of all rich text editors.

• New feature: New one-way messaging system for Clinical Data Interoperability Services (CDIS) that is designed to provide secure communication to users who are utilizing asynchronous CDIS processes, such as background data pulling via a cron job. This new system has been developed to address the need for a secure means of communication outside of REDCap Messenger, particularly for messages that contain protected health information (PHI). Emails were not a viable option for these types of messages, as they do not provide the necessary level of security to protect PHI from unauthorized access. The system utilizes encryption techniques to ensure the confidentiality and integrity of all messages exchanged.

• Bug fix: When using comment lines inside the Field Annotation for a @CALCTEXT field, Data Quality rule H would mistakenly not perform the calculation successfully. (Ticket #141558)

• Various updates and fixes for the External Module Framework.

• Bug fix: Fixed PHP 8 related error when an administrator tries to hide the blue Easy Upgrade box in the Control Center. (Ticket #141539)

• Bug fix: When using "now" as the min/max for a date field or using "today" as the min/max for a datetime field, the validation range check would mistakenly not detect an out-of-range value. (Ticket #141646)

• Bug fix: When using the rich text editor to translate a label on the Multi-Language Management setup page, the image icon was mistakenly missing from the editor's toolbar interface, thus preventing users from uploading alternative images into the translated text.

• Bug fix: When using the rich text editor to translate a label on the Multi-Language Management setup page, any images uploaded via the rich text editor would mistakenly not load when viewing the translations on a survey page (that is, unless the person viewing the survey is a REDCap user and is currently logged in to REDCap). (Ticket #141658)

• Bug fix: When a survey participant enters data on a public survey, in which some required fields are left blank, it is possible for the participant to re-submit the page in the browser (via the browser Back/Reload button) and thus cause duplicate records to be created. This can especially happen for certain browsers, such as Mobile Safari on iOS devices, when minimizing the browser and then re-opening the browser later. (Ticket #141012)

CHANGES IN THIS VERSION:

• Improvement: Comment lines can be added to calculations and logic to serve as annotations to explain various parts of the logic/calc. Thanks to Günther Rezniczek for helping add this new feature.

• Improvement: When setting up the Survey Queue or an individual Automated Survey Invitation, the survey drop-down for the “When the following survey is completed” setting in the dialog now has a built-in search feature to easily find a specific survey in a long list. Additionally, if the survey title does not match the instrument title, the drop-down list will also display the user-facing form name for the survey, which should help users find the right survey quicker in certain cases.

• Bug fix: In some cases, images that were added via the rich text editor to a project dashboard would mistakenly not display on the public version of the dashboard unless the person viewing it was currently logged in as a REDCap user.

• Updates for the External Module Framework, including: 1) Added arguments allowing $module->getProjectsWithModuleEnabled() to return projects in analysis/cleanup status and with completed dates, and 2) Miscellaneous scan script updates and unit test updates.

• Bug fix: When creating a project using the MyCap project template included in REDCap, in some cases the resulting project might result in errors when a participant loads the project on their MyCap mobile app.

• Bug fix: A fatal PHP error might occur for PHP 8 on a project using the Clinical Data Pull feature, in which a user clicks the "Delete data for THIS FORM only" button at the bottom of a data entry form. (Ticket #141230)

• Bug fix: When using Clinical Data Pull and launching the CDP REDCap page embedded inside of Epic Hyperspace (this does not affect other EHRs but only Epic), the embedded page would not function correctly due to incompatibilities with Internet Explorer, which is the embedded browser utilized by Hyperspace. This bug emerged in the previous REDCap version.

• Bug fix: When exporting a project’s data to SAS, in which the project is using Missing Data Codes and also the exported data set contains Text or Notes fields, the resulting SAS syntax file might mistakenly be missing an underscore at the end of the variable name for the “format” attribute for the Text and Notes fields. (Ticket #103142)

• Bug fix: The replacement function utf8_encode_rc() for PHP's utf8_encode() might prevent certain users from logging in successfully, in which this ultimately is caused by certain unknown web server configurations. (Ticket #140393)

• Bug fix: When using the Randomization page while a project is in production status, a REDCap administrator is unintentionally able to erase the randomization model of the project, which should only be allowed while in development status (even for admins). The "Erase randomization model" button will now stay disabled for everyone when a project is in production. (Ticket #141286)

• Bug fix: If a required field's field label contains a lot of HTML, in which the field value is left empty when submitting a survey page or data entry form, the "Some fields are required" dialog that is displayed would mistakenly not look correctly on some occasions due to the HTML in the label. To prevent this issue and to make the field label more readable, the required field dialog will now strip all HTML from the field label when displaying it. (Ticket #141262)

• Bug fix: Bug fix: When MyCap is enabled in a project, on some rare occasions when migrating a project using the MyCap external module, the process might fail due to an SQL error. (Ticket #138168b)

• Bug fix: Importing data for a patient’s race via Clinical Data Interoperability Services (CDIS) might mistakenly fail in cases where the patient has more than one race listed in the EHR.

• Bug fix: When a user is viewing the field drop-down for the Data Search feature on the Add/Edit Records page in a project that has more than 20K records, the note text in the first option of the field drop-down would mistakenly be truncated, thus preventing the user from being able to read it. (Ticket #141317)

• Bug fix: When uploading a CSV file of user privileges on the User Rights page, the "lock_records" privilege would mistakenly return an error if its value is set to "2", which is a valid value. (Ticket #141141)

• Bug fix: When changing an existing alert from sending "immediately" and "every time" to sending not immediately (e.g., "Send on next X at time Y") without explicitly clicking the "Just once" radio option in Step 2B after doing so, these changes made to Step 2 would mistakenly not get saved when saving the alert. (Ticket #140491)

CHANGES IN THIS VERSION:

• Improvement: When using the built-in MyCap feature, users can now explicitly define the title of the project as seen by participants in the MyCap Mobile App. A new button has been added near the top of the “MyCap App Design” to allow users to set the project title that is displayed in the app. If not defined, it will default to using the user-facing title of the REDCap project, which was how it behaved in previous versions of REDCap.

• Major bug fix: In certain situations where survey invitations get scheduled for a repeating Automated Survey Invitation, in which the record's data is later modified, the repeating invitations that were scheduled might mistakenly get unscheduled. (Ticket #140851)

• Major bug fix: If a user is creating a new record on a data entry form, in which record auto-numbering is enabled in the project and the form is submitted by the user with a required field that has no value, if the project's internal Record List Cache (a secondary list of records in the database for improving performance) had not been built yet or was recently cleared (which is done automatically by REDCap internally), the user submitting the form might trigger the Record List Cache building process, which might inadvertently create multiple identical records instead of just creating the one record.

• Bug fix: If a checkbox field has a large amount of choices, thus causing the checkbox options to become a scrollable box, the overall height of the scrollable box would mistakenly be too short on surveys that have the "Enhanced radio buttons and checkboxes" feature enabled. Since the enhanced radios/checkboxes are much larger than regular radios/checkboxes, the scrollable area has been made twice as tall in these cases in order to provide a less confusing user experience to survey participants.

• Bug fix: The Multi-Language Management page in the Control Center might incorrectly denote a translated language as being 100% complete when it is only 99.9% complete. (Ticket #140724)

• Bug fix: Various issues related to checkbox fields with many options, such as displaying a horizontally-aligned checkbox field as too wide in Firefox. Also, the new feature added in the previous version that would cause a long list of checkbox options to become scrollable has now been completely removed since so many users complained about it being problematic for them. (Ticket #140759)

• Bug fix: When piping a Notes field that has the @RICHTEXT action tag, the HTML formatting in the field's value might mistakenly not render correctly on the page, especially if the value contains HTML tables. (Ticket #140910)

• Bug fix: When a datetime field is using "now" as the min or max validation range, and the user clicks the "Now" button next to the field after having been on the page for more than one minute, the "out of range" popup would mistakenly display.

• Bug fix: When using Multi-Language Management, if some slider fields do not have their slider label values translated, it could cause some parts of the survey page or data entry form not to display all its translated text successfully. (Ticket #140871)

• Bug fix: Some LH-aligned radio buttons might mistakenly cause the page to be too wide if a radio choice label is very long. Unfortunately, the only way to fix this issue fully is to revert a change in the previous version that improved the text wrapping of the choice labels of horizontally-aligned checkbox fields.

• Bug fix: If a survey participant clicks the "Save & Return Later" button on a survey, which has no survey title (i.e., it was left blank), the email sent to the participant might be slightly confusing because it displays only two double quotes where the survey title should be. It now displays slightly different text if the survey title has not been defined.

• Bug fix: If a project title contains some UTF-8 encoded characters, the project title would mistakenly display as garbled when viewing it on the My Projects page on a mobile device. (Ticket #140814)

• Bug fix: If a repeating Automated Survey Invitation has reminders enabled, the Survey Invitation Log might mistakenly display a bell icon and number (representing a reminder) next to a recurring invitation that is not actually a reminder.

• Bug fix: When using the Randomization page and downloading an example allocation table in Step 2, for certain randomization models, the CSV file produced may become too large to be processed, which might throw an error, and/or it might take an abnormally large amount of time to output the CSV file. To prevent these situations, the example allocation tables now will only output a maximum of 50,000 rows regardless of the randomization model set up in the project. (Ticket #140909)

CHANGES IN THIS VERSION:

• Bug fix: If a Project Template has Form Display Logic, new projects created from that Project Template would mistakenly not have the Form Display Logic settings copied over. (Ticket #140489)

• Bug fix: If REDCap is using an external file storage method (e.g., AWS S3, Azure Blob Storage) for storing all files in the system, the Project Revision History's version comparison feature would mistakenly fail, and it would result in a fatal PHP error when using PHP 8. (Ticket #140551)

• Bug fix: If a participant email address contains one or more capital letters and is added manually to the Participant List multiple times, the Participant List would mistakenly fail to display a number and parentheses immediately before the email address on each row (e.g., "1) rob@aaa.com") to help differentiate the multiple instances of the same email address. (Ticket #140466)

• Bug fix: When using Duo two-factor authentication, some important debugging information would mistakenly not get output to the page when an error occurred, in which it prevented admins from effectively troubleshooting certain network-based configuration issues that could cause Duo not to work dependably for users.

• Bug fix: If a checkbox field has a large amount of choices, it could cause the field to mistakenly take up a disproportionate amount of the survey page or data entry form, thus resulting in a bad user experience. In this case now, the whole list of checkbox options will instead become scrollable so that the checkbox field does not become too unwieldy while still allowing the user to see all the choices.

• Bug fix: Checkbox fields that are horizontally-aligned might mistakenly have a choice’s checkbox and its label appear on two different lines due to text wrapping. Instead, an individual choice’s checkbox and label now no longer wrap to the next line but instead stay together on the same line. (Note: This fix does not apply when viewing a form/survey on a mobile device.)

• Bug fix: In very specific situations where a field is a required field and is embedded in another field, in which the container field is hidden by an @HIDDEN action tag while the field embedded inside it does not have an @HIDDEN action tag but does have a @DEFAULT action tag, the default value added to the embedded field via the @DEFAULT action tag would mistakenly not get saved when saving the page.

• Bug fix: Various fixes related to issues with using Duo two-factor authentication, including issues caused by the use of a proxy with the REDCap web server. (Ticket #140186, #137099)

• Bug fix: Clicking the "View Equation" link for a @CALCTEXT field on a data entry form or survey page while the project is in production status but not in draft mode would mistakenly display an error message instead of displaying the calculation. (Ticket #140645)

• Bug fix: When downloading a CSV file of either users or user roles on the User Rights page, the form-level viewing rights and form-level export rights in the CSV file might mistakenly contain instruments that have been deleted from the project. (Ticket #140668)

• Bug fix: If PDF files had been stored in the File Repository's "PDF Survey Archive" folder, after which the Auto-Archiver and/or e-Consent Framework had been disabled for all surveys in the project, the "PDF Survey Archive" folder would mistakenly no longer be visible in the File Repository, thus preventing users from accessing previously-saved files. That folder will now be displayed if the Auto-Archiver and/or e-Consent Framework is enabled or if any files already exist in the folder. (Ticket #140435)

CHANGES IN THIS VERSION:

• Bug fix: In certain situations in which REDCap or an External Module executes a specific parameterized query to the database, the query might mistakenly fail due to an "illegal mix of collations".

• Bug fix: Unless using the latest version of the REDCap Mobile App, a @CALCTEXT field might mistakenly not function correctly in the Mobile App if its calculation contains multiple nested IF() statements.

• Bug fix: When a participant is viewing their survey queue, if they click the "Get link to my survey queue" button and then click "Send" to email the survey queue link to themselves, the Email Logging page would mistakenly not associate the email with a record in a project when searching for emails on that page. This can make it very difficult to find this email via the Email Logging page. In the future, this action will associate the email with a specific record on the Email Logging page.

• Bug fix: A SQL query might mistakenly not get formatted correctly and thus might fail when CDIS is sending a notification to a user via REDCap Messenger regarding the completion of an asynchronous CDIS task.

• Bug fix: The "How do I format the equation?" link in the "Edit Field" dialog in the Online Designer would mistakenly open the wrong question on the "Help & FAQ" page.

• Bug fix: If a user assigned to a Data Access Group views a report that has DAG filtering imposed via "Step 3: Additional Filters" in the report settings, in which the user's DAG is not one of the selected DAGs of the Additional Filters, the report might mistakenly display some records from the user's DAG when instead it should not return any records in the report. A similar behavior might also occur for a user that is not assigned to a DAG when viewing the same report, but instead occurring when using the DAG Live Filter to select a DAG that is not one of the selected DAGs of the Additional Filters. (Ticket #140302)

CHANGES IN THIS VERSION:

• Major bug fix: If using AAF authentication or any of the "X & Table-based" authentication methods (excluding "LDAP & Table-based"), the login process might not function correctly and might appear as if the authentication has mistakenly reverted to only "Table-based" authentication. Bug emerged in REDCap 13.2.0 (Standard). (Ticket #140065)

• Bug fix: Certain Font Awesome icons might mistakenly not display correctly on survey pages.

CHANGES IN THIS VERSION:

• New feature: “Azure AD & Table-based” authentication method - The “Security & Authentication” page contains a section of custom settings for using the Azure AD authentication method in REDCap. All the existing Azure AD settings apply to this new authentication method, with the addition of a new custom button text for the “Azure AD” button on the login page.

• Important change: New option displayed on the Configuration Check page to update the REDCap database tables to support full Unicode. REDCap installations that were initially installed using a version prior to REDCap 8.5.0 will have an older, legacy type of database collation/encoding and charset (character set). If your REDCap installation is affected, it is *highly* recommended that you follow the steps detailed on the page that is linked on the Configuration Check page in order to update your database. Please note that this is NOT an urgent issue, but it is something we recommend you address sooner rather than later since your current database collation and charset (UTF8 or UTFMB3) have been deprecated in the latest versions of MySQL/MariaDB and thus will eventually be removed altogether in future versions of MySQL/MariaDB. The full process of updating your database tables may take many minutes or possibly hours to run all the pertinent SQL to convert both the table structure and table data. Please follow the instructions on that page carefully, and make sure you perform a database backup before starting the process. (Thanks to Tony Jin for his help with this effort.)

• Important change: Dropped support for PHP 7.2. Only PHP 7.3.0 and higher are now supported in REDCap.

• Bug fix: The user privilege for "Alert & Notifications" was mistakenly not getting copied for project users when using the "Copy Project" feature while electing to copy the current users into the new project. (Ticket #140023)

• Bug fix: The Cron Jobs page in the Control Center might crash with a fatal PHP error for certain versions of PHP if the "exec" function is disabled in PHP as a "dangerous" function on the REDCap web server. (Ticket #140034)

CHANGES IN THIS VERSION:

• Improvement: The "Help & FAQ" page has been updated with new content (thanks to the FAQ Committee).

• Bug fix: When the system-level setting "Allow reports to be made 'public'?" has been set to "No", administrators are still allowed to make reports public, which is expected; however, when anyone attempts to view the report using the public link, it displays an error saying that it cannot be displayed. Anyone with the public link should be able to view the report. (Ticket #132901b)

• Bug fix: When testing a calculation using the "Test calculation with a record" drop-down for a calculated field in the "Edit Field" popup on the Online Designer, there are certain situations where the process might mistakenly crash with a fatal PHP error when using PHP 8. (Ticket #139955)

• Bug fix: If the value of a Text or Notes field contains an email address that is immediately followed by a line break/carriage return, the email address would mistakenly not get converted into a "mailto" link properly when displayed on a report. (Ticket #139960)

• Bug fix: The user privilege for "Alert & Notifications" was mistakenly not getting copied for project users when using the "Copy Project" feature while electing to copy the current users into the new project. (Ticket #140023)

• Bug fix: Text describing that piping can now be used in the URL of a Data Entry Trigger and the URL of an external video for a Descriptive Text field was mistakenly not added in the previous version. It has now been added in order to inform users that piping can be used in these places now

CHANGES IN THIS VERSION:

• Major bug fix: An error would occur when enabling External Modules on PHP 7, thus preventing modules from being successfully enabled. Bug emerged in REDCap 13.1.2 (Standard).

CHANGES IN THIS VERSION:

• Improvement: Users may now pipe Smart Variables or field variables into the Data Entry Trigger URL.

• Improvement: Users may now pipe Smart Variables or field variables into the External Video URL for Descriptive Text fields.

• Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered on the User Rights page where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way inside a CSV file when importing user privileges or user roles on that page.

• Change: PHP 8.2 is now supported in REDCap. Note: The release notes of REDCap 13.1.0 (Standard) mistakenly noted that PHP 8.2 was supported in REDCap 13.1.0, which was only partially true because PHP 8.2 was not yet supported by the External Module Framework, which is a part of REDCap.

• Change: REDCap no longer supports individual projects having their own authentication method that is different from the system-level authentication method. Going forward, every project will automatically assume the same authentication method of the system as defined on the "Security & Authentication" page in the Control Center. (Note: The "auth_meth" column name in the "redcap_projects" database table has not been removed in order to be backward compatible with any custom scripts that might be specifically querying that column in an SQL query.)

• Improvement: When setting up an alert, Step 2's sub-section “When to send the alert?” now contains the new drop-down choice "the day (beginning at midnight) that the alert was triggered" in the sub-option “Send the alert X days Y hours Z minutes before/after [drop-down]”. This new choice in the drop-down allows users to schedule the notification based on the day the alert was triggered and provides greater control and precision with regard to when exactly the notification will be sent. For example, if this new drop-down option is selected along with setting it to “send the alert 1 day 8 hours after…”, this will cause the notification to be scheduled to be sent at exactly 8:00am the next morning. In previous versions, it was not possible to get this level of precision for the notification send-time based upon the alert trigger-time unless you used a date field’s value as a reference. (Note: This new option is very similar to the one added for Automated Survey Invitations in REDCap 12.5.0.)

• Improvement: When exporting the project logging via CSV file or via API, the record name is now included as a separate column/attribute "record" in the resulting output if the logged event is record-centric (and if not, the record value will be left blank). (Ticket #132246)

• Improvement: The on/off switches on the Multi-Language Management setup page now have green/red coloring to more clearly denote their on/off state. (Ticket #139703)

• Various changes and improvements for the External Module Framework:

  • PHP 8.2 is now supported.

  • Added the methods $module->disableModule(), $module->isSuperUser(), and $module->escape().

  • Added the allow-project-overrides and project-name setting options.

  • New feature to hide external modules from non-admins in the list of enabled modules in a project.

  • Made the scan script warn when system hooks are used.

  • Miscellaneous scan script improvements.

  • Fixed a bug where escaped HTML displays in field list values.

• Change/improvement: The Database Activity Monitor page now specifies if a specific request is an instance of the REDCap cron job.

• Change/improvement: When a user creates, edits, copies, or deletes a report, the logged event of this specific action now contains the list of all fields in the report. This improves the granularity of the audit trail for reports. (Ticket #139193)

• Bug fix: In very specific cases when a report is set to only display the record ID field, in which the report has filter logic that contains fields on a repeating instrument/event, the resulting report might mistakenly include grayed out columns that correspond to the fields (or to the form status fields of the fields' instrument) that are used in the filter logic. (Ticket #139584)

• Bug fix: Users with instrument-level locking privileges could inadvertently bypass locking controls and modify data on a locked data entry form if they have another browser tab open of that same data entry form before it was locked, and then saved that form within 30 seconds of locking the form in the other tab. (Ticket #139555)

• Bug fix: If Two-Factor Authentication is enabled in REDCap, and a user is using Clinical Data Pull, in which they are viewing a REDCap window specifically inside Epic Hyperspace, a JavaScript error might be displayed on the page. Bug was introduced in REDCap 12.5.7. (Ticket #139775)

• Bug fix: If a project is created using a Project XML file, in which the XML file contains public reports, the unique public report link/hash of any public reports in the original project would mistakenly get duplicated and attributed to the newly created project. This would not cause any noticeable problems for the user because the public report link would always point to the original project and not to the new project created.

• Bug fix: When using the Clinical Data Mart, a patient’s Medical Record Number (MRN) might get stored as an empty string in the FHIR logs table, thus causing the Data Mart to crash.

• Bug fix: REDCap might fail with a fatal PHP error on various pages when using PHP 8 under very specific conditions. (Ticket #139416)

• Bug fix: If a user shared a public link to a file in the File Repository, that public link would still be functional and active even after an administrator has disabled the "File Repository: Users are able to share files via public links" setting in the Control Center. (Ticket #139899)

• Bug fix: The @IF action tag would mistakenly not function correctly for fields in PDF exports. For example, @IF([field]="", @HIDDEN-PDF, "") would not function correctly to show/hide the field in the resulting PDF export.

CHANGES IN THIS VERSION:

• Improvement: Descriptive Text fields can now have inline PDF attachments that display as an embedded PDF on the page (rather than just displaying a download link).

• Change: HTML tags are no longer stripped out of Project Dashboard titles as displayed in the "My Project Dashboards" list on the left-hand menu or on the Project Dashboards page. Additionally, the title of Project Dashboards are no longer limited to 150 characters.

• Bug fix: The "Data Collection Strategies for Repeating Surveys" informational dialog would mistakenly not open.

• Bug fix: A fatal PHP error would occur when using DDP Custom in a project for PHP 8. (Ticket #138771b)

• Bug fix: When using MyCap in a project and with a Custom Participant Label that utilizes the piping of fields (rather than selecting a single field from the field drop-down list), the Custom Participant Label would mistakenly not be displayed on the MyCap Participant List page.

• Bug fix: If a user is adding an external video URL to a Descriptive Text field, in which they mistakenly paste some Embed HTML or an invalid URL into the field's video URL attribute, if REDCap doesn't recognize it as a Vimeo or YouTube link, REDCap might mistakenly try to output the text directly onto the page as-is without verifying that it is a valid URL. (Ticket #139291)

• Bug fix: When using the date/time picker widget to select a value for a date or datetime field on a survey page or data entry form, and then later on the same page the user uses the time picker on a "Time (HH:MM)" or "Time (HH:MM:SS)" validated field, after selecting the value for the Time field, the page would mistakenly scroll back to the last date/time field on that page where the date/time picker was used, which could be very confusing and disorienting to the user. (Ticket #139201)

• Bug fix: The Standalone Launch process for Clinical Data Interoperability Services might mistakenly fail for some server configurations due to a duplicate slash (“/”) in the link to the page.

• Bug fix: When a user performs a data export containing fields from an instrument for which they have "De-identified" data export rights, and the user selects the de-id option to "Shift all dates" (rather than "Remove all date and datetime fields") in the export dialog, the date fields would not be date shifted but would mistakenly be completed removed from the resulting exported data set. Bug emerged in REDCap 12.2.0. (Ticket #139392)

• Bug fix: When a user creates a new project, either as an empty project or using a Project XML file, the project creator's user rights would mistakenly be missing the "Alerts & Notifications" privilege.

• Bug fix: When using Clinical Data Pull, in which a user is accessing an embedded REDCap page inside of Epic Hyperspace, some parts of the page might mistakenly not work due to JavaScript errors.

• Bug fix: A field with the @CALCTEXT action tag, in which the calculation contains text strings with line breaks, might mistakenly cause calculation errors to appear on the page and prevent the @CALCTEXT from working.

• Bug fix: Some calculations or branching logic might mistakenly fail to work and would display an error if they are substantially long. Bug emerged in the previous version. (Ticket #127140)

• Bug fix: Surveys that are set to use Comic Sans as the font for the survey text would mistakenly not display correctly when viewing the survey on iOS devices. (Ticket #95086)

• Bug fix: In very specific situations where a field is a required field and is embedded in another field, in which both fields have branching logic, if the container field is hidden by branching logic while the field embedded inside it has branching logic that evaluates to True (meaning that the embedded field would otherwise be visible if the container field itself were visible), REDCap would mistakenly display an error saying that the embedded field is required and thus needs a value, which is incorrect since the embedded field is not even visible on the page. (Ticket #139582)

• Bug fix: When piping a field value for a field on a repeating instrument/event, in which the piped value originates from another repeating instance (e.g., [field][previous-instance]), the current instance's value might mistakenly be piped instead of the value from the desired instance. (Ticket #139581)

• Bug fix: When an image is embedded (via the rich text editor) in an email for a survey invitation or alert, in which the Protected Email Mode is enabled in the project, the page where the recipient would view their email in REDCap might mistakenly not display the embedded image on the page but would show a broken image placeholder. (Ticket #139648)

• Bug fix: If a user uploaded a Project XML file for a Clinical Data Mart project, it would mistakenly enable the Data Mart feature in the newly created project even when the CDM feature is disabled at the system level. This would cause some errors to occur in the project. (Ticket #139577)

CHANGES IN THIS VERSION:

• New feature: Redesign of the File Repository

  • Overview: The File Repository page has been redesigned to make it easier to store, organize, and share the files in your projects.Users now have the ability to create folders and sub-folders to help organize their files more effectively. If using Data Access Groups or user roles, users may optionally limit access to a new folder so that it is DAG-restricted and/or role-restricted. Uploading multiple files is much faster with a new drag-n-drop feature that allows for uploading dozens of files at a time. Sharing files is better too, in which users may obtain a public link to conveniently share a file with someone. New API methods also exist that allow users to upload, download, and delete files programmatically using the API. Additionally, the File Repository has a new built-in Recycle Bin folder that makes it easy to restore files that have been deleted. Users can upload as many files as they wish. There is no limit. Additionally, there is no limit to how many folders and sub-folders that can be created (or how deep that they can be nested within other folders).

  • Sharing: Files can be shared via Send-It or using a public link. If you do not want users to be able to share files using the public link functionality, this may be disabled on the File Upload Settings page in the Control Center. Once disabled, users will only be able to share files using Send-It.

  • File storage limit: Admins may optionally set a file storage limit that applies to all projects so that users cannot upload too many files in an abusive fashion. The value can be set in MB on the File Upload Settings page in the Control Center. There is also a project-level override for the file storage limit on the Edit Project Settings page for any given project. Note: Files in the starred folders (e.g. Data Export Files, e-Consent PDFs, Recycle Bin) do not count toward the overall file space usage of the project.

  • Recycle Bin: Files that are deleted from the File Repository will be put in the Recycle Bin folder where they will be kept for up to 30 days before being permanently deleted. Any file in the Recycle Bin can be restored back to its original location (so long as doing so does not surpass the project’s file storage limit, if enabled). Administrators can “force delete” any file in the Recycle Bin, which deletes it immediately and permanently.

  • New API methods for the File Repository: 1) Create a New Folder in the File Repository, 2) Export a List of Files/Folders from the File Repository, 3) Export a File from the File Repository, 4) Import a File into the File Repository, and 5) Delete a File from the File Repository.

• Security improvement: Restricted file types for uploaded files - At the bottom of the “Security & Authentication” page in the Control Center, administrators may now provide a list of all disallowed file types/extensions (e.g., exe) in order to prevent users from uploading files of these types into REDCap (often for security purposes). When set, this setting will be applied to all places throughout REDCap where users are allowed to upload files.

• Improvement: The “Alerts & Notifications” page now has its own separate user privilege. Previously, only users with “Project Design and Setup” privileges could access the Alerts & Notifications page. Now, users must explicitly be given “Alerts & Notifications” privileges in order to access the Alerts & Notifications page. Note: During the upgrade to REDCap 13.1.0 or higher, any users with "Project Design and Setup" rights will automatically be given "Alerts & Notifications" rights in order to keep continuity with their current access to the Alerts & Notifications page.

• Improvement: For OpenID Connect authentication, the Response Mode (response_mode) authorization parameter can now be explicitly set in the OIDC authentication settings on the "Security & Authentication" page in the Control Center. This will allow admins to choose between "query (default)" and "form_post" for the response_mode OIDC setting.

• New method for plugins/hooks/modules: REDCap::getFile - Returns an array containing the file contents, original file name, and mime-type of a file stored in the REDCap system by providing the file's doc_id number (the primary key from the redcap_edocs_metadata database table).

• New method for plugins/hooks/modules: REDCap::addFileToField - Attaches a file to a File Upload field for a specified record when provided with the doc_id of an existing file from the REDCap system.

• Improvement: New setting added to the User Settings page in the Control Center: "Notify the REDCap admin via email when a new account is created (excluding Table-based user accounts)?" When enabled, this setting can be used to notify admins whenever new users enter the system. Table-based users are not included because their accounts are created by an administrator. (Ticket #133382)

• Improvement: New setting added to the User Settings page in the Control Center: "Send a "welcome" email to new users when they create a REDCap account (excluding Table-based user accounts) - i.e., when they log in the first time using an external authentication method?". The "welcome" email will consist of the following stock text: "You have successfully created an account in REDCap at https://your-redcap-server.edu/. Your REDCap username is "USERNAME". Please note that REDCap does not manage your password. If you have difficulty logging in, you should contact your local IT department. Welcome to REDCap!".

• Improvement: When importing User Role assignments via CSV file uploads on the User Rights page or via the API, if the project contains Data Access Groups, users can now be assigned to a DAG during the User Role assignment import process by providing an extra parameter named "data_access_group" with a valid unique DAG name. This will allow users to be added to the project, assigned to a role, and assigned to a DAG all at the same time. Additionally, when exporting User Role assignments via CSV file or via the API, the "data_access_group" attribute will be exported for each user if the project contains DAGs (to be consistent with the Import User-Role Assignment format). (Ticket #119192)

• Change: PHP 8.2 is now supported in REDCap.

• Change/improvement: When importing User Role assignments via CSV file uploads on the User Rights page or via the API, users can now be assigned to a role if they do not currently have access to the project. In previous versions, only existing project users could not be assigned to a role via CSV file or via API. (Ticket #119192)

• Major bug fix: A malicious user could potentially delete a file uploaded into a project to which they do not have access by manipulating an HTTP request on the Alerts & Notifications page in another project. (Ticket #138873)

• Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered on the Project Modifications page (where an admin would view a user's Draft Mode changes) where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way in a field's Field Label, Choice Labels, or Field Notes. (Ticket #139108)

• Change/improvement: When setting the designated email field on the Project Setup page or when setting the survey-level designated email field on the Survey Settings page, if the selected field is utilized in more than one event and/or is utilized on a repeating instrument or repeating event, a warning message will be displayed in a yellow box immediately below the email field drop-down to inform the user that any update to the field on any event or repeating instance will change the value of the field in ALL events and repeating instances. This should help provide more transparency to users who might get confused by the fact that the field's value gets updated in all places if the designated email field is located in more than one context in the project. (Ticket #131999)

• Bug fix: When both randomization and MyCap are enabled on a project, users would be unable to enable any instrument as a MyCap task in the Online Designer (excluding active tasks that were imported).

• Bug fix: A fatal PHP error would occur when using DDP Custom in a project for PHP 8. (Ticket #138771)

• Bug fix: A fatal PHP error would occur when certain Data Quality rules when using PHP 8. (Ticket #131294b)

• Bug fix: The REDCap Mobile App page mistakenly noted that the mobile app does not support Field Embedding, which is no longer true. That warning message has been removed.

• Bug fix: If one or more fields in a project utilize the @IF action tag, the REDCap Mobile App page would mistakenly fail to display a warning at the top of page to explain that the @IF action tag is not supported by the mobile app and thus fields with @IF might not function in the mobile app the same as they do on survey pages and data entry forms.

• Bug fix: A couple REDCap pages that are served as AJAX requests via JavaScript mistakenly had their "Content-Type" header set as "text/html" when instead it should have been "application/json", which was causing these requests not to be loaded successfully in the REDCap user interface in certain server/network environments.

• Bug fix: If a user on a data entry form clicks the PDF download option called "This survey with saved data (via browser's Save as PDF)", if some fields on the page have been modified but not yet saved, REDCap will display a confirmation to the user to ensure that they understand that the resulting PDF will not contain only saved data values but instead may contain both saved and yet-to-be-saved values. (Ticket #138777)

• Bug fix: Language ID and display names on the MLM "Usage" page in the Control Center could mistakenly be mismatched in some cases. (Ticket #138808)

• Bug fix: The MLM “Usage” page in the Control Center would mistakenly fail to render HTML special characters in project titles. (Ticket #138887)

• Bug fix: If an external module calls a randomization-related method in a project that does not have randomization enabled, it might throw a fatal PHP error for PHP 8. (Ticket #138756)

• Bug fix: Multi-line text used inside single quotes or double quotes in the @CALCTEXT action tag might mistakenly have some words mistakenly replaced in the resulting text if they look like JavaScript or PHP operators (e.g., "or", "and"). (Ticket #138785)

• Bug fix: When using certain text or HTML inside the text of the @CALCTEXT action tag, the output value of the field might mistakenly be missing some spaces if text elements in the @CALCTEXT contained leading or trailing spaces. Additionally, text used in @CALCTEXT that contains HTML or single/double quotes might mistakenly get mangled and not display correctly on the page for the @CALCTEXT field. (Ticket #138396)

• Bug fix: When using the Survey Auto-Continue feature, in which a participant clicks a survey link of an already-completed survey and is redirected 20+ times through a bunch of subsequent already-completed completed surveys, some browsers might mistakenly display a “too many redirects” error to the participant instead of properly redirecting them to the next unfinished survey. (Ticket #138914)

• Bug fix: A malicious user could potentially view a deleted message in REDCap Messenger by manipulating the parameters and/or query string of an HTTP request performed by Messenger. Only administrators should be allowed to view deleted messages in the Messenger interface. (Ticket #138873)

• Bug fix: A malicious user could potentially delete or edit a REDCap Messenger message, even when the user did not create the message and is not an administrator, by manipulating the parameters and/or query string of an HTTP request performed by Messenger. (Ticket #138859)

• Change: Added full support for parameterized queries in REDCap’s db_query() function.

• Change/improvement: Added a new option $project_id parameter for the developer method REDCap::getSurveyReturnCode().

• Bug fix: When using the AAF authentication method, the PHP method User::updateUsernameForAaf() mistakenly would not update all the database tables that contain a "user" or "username" column. Four tables were missing from the list. Thus, some database tables would not get updated when the method is called. (Ticket #138396)

• Bug fix: When creating a new project via a Project XML file, if the project is longitudinal and utilizes the Survey Queue and/or Automated Survey Invitations, the Survey Queue and ASI settings might mistakenly not get added from the XML file when the project is created. (Ticket #139035)

CHANGES IN THIS VERSION:

• Improvement: MLM Usage Page - A new “Usage” tab will be displayed on the Multi-Language Management page in the Control Center that will display a list of all projects using MLM and in what ways they are utilizing MLM, such as the number of languages in the project (and how many are active) and whether the following MLM options apply to the given project: Deactivated by user, Enabled by admin, Deactivated by admin, and Debug mode turned on.

• Major bug fix: Several PHP 8 related issues for MyCap would sometimes prevent data from syncing correctly back to the REDCap server from the MyCap mobile app.

• Major bug fix: When using certain external authentication methods, survey pages might sometimes mistakenly time out if the project's internal Record List Cache (a secondary list of records in the database for improving performance) had not been built yet, which is done automatically by REDCap internally. This would cause an internal API call to fail when it is made inline while loading survey pages, thus causing the survey page not to load. This was supposedly fixed in version 12.4.13 LTS and 12.5.6 Standard Release, but mistakenly was not. (Ticket #104761b)

• Change/improvement: The path to the web server's PHP error log file is now listed at the bottom of the main Control Center page. This information will be useful to help admins locate their web server's error log, which can sometimes be difficult to find.

• Bug fix: The calendar feed might mistakenly provide incorrect times of calendar events for certain geographical regions that do not observe Daylight Saving Time. (Ticket #130176)

• Bug fix: When using the Clinical Data Pull, temporal fields were mistakenly not displayed in the CDP mapping table because REDCap metadata was incorrectly removed from the settings payload.

• Bug fix: When using Clinical Data Pull, when launching from the EHR context, the button "Show record in project" would mistakenly not work if the record name was non-numeric.

• Bug fix: Typo on OpenID Connect's login screen. (Ticket #138381)

• Bug fix: When exporting a project as a Project XML file, the export process might mistakenly fail with a fatal PHP error for PHP 8. (Ticket #138389)

• Bug fix: When creating a new project where a user selects a project template but then chooses to upload a Project XML file, REDCap might get confused about which option was selected and behave unexpectedly, such as creating the project without granting access to the initial user. (Ticket #138361)

• Bug fix: When a calculated field uses the datediff() function, in which the first parameter is literally "today" while the second parameter is a datetime field, the calculation might mistakenly return a blank value. (Ticket #138033)

• Bug fix: In some specific circumstances, the Data Import Tool might mistakenly crash due to a fatal PHP error for PHP 8. (Ticket #138527)

• Change: The “Break the Glass” feature for Epic in CDIS has been updated to automatically refresh any expired BTG token. Previously, BTG tokens were short-lived and did not refresh, thus causing some issues with users.

• Bug fix: Dozens of REDCap pages that are served as AJAX requests via JavaScript mistakenly had their "Content-Type" header set as "text/html" when instead it should have been "application/json", which was causing these requests not to be loaded successfully in the REDCap user interface in certain server/network environments.

• Change: Added an MLM-related note at the top of the survey page where participants enter their survey access code. The note mentions that the language choices seen on that particular page might not necessarily be available on the survey that they are able to enter after entering their access code.

CHANGES IN THIS VERSION:

• Improvement: When setting up repeating Automated Survey Invitations, users can now set the repeating interval value as a number with a decimal (in previous versions, the value could only be an integer). This will allow users to approximate the interval of a monthly repeating ASI as 30.44 days since it is currently not possible for repeating ASIs to be scheduled on exactly the same day and time each month. To help users, a note has been added in the repeating survey section of the ASI setup dialog to inform them how to approximate a month as 30.44 days. (Ticket #136957)

• Major bug fix: Regarding Multi-Language Management, if the system-level setting "Require admin activation of multi-language support in projects" is disabled, the "Multi-Language Management" left-hand menu link would mistakenly not be visible to normal users unless one or more MLM languages had already been created in the project. Bug emerged in REDCap 13.0.0.

• Improvements for CDIS

  • Expiration indicator for the “Break the Glass” feature: The new Break the Glass workflow uses tokens that expire in an hour from their creation. The interface will now show if a token is expired.

  • Delete button for the “Break the Glass” feature: Users can remove entries from the list of Break the Glass protected patients using a button.

• Improvement: A link to the Codebook page was added inside the Add/Edit Field dialog on the Online Designer. This will allow the user to open the Codebook in a new tab without having to close the dialog to do so. (Ticket #138300)

• Bug fix: When using repeating Automated Survey Invitations, a record's Record Home Page might mistakenly say that there are upcoming scheduled invitations that will be sent in the next 7 days despite the fact that they are actually scheduled to be sent more than 7 days later. This only involves repeating ASIs that have been scheduled.

• Bug fix: When entering a value for the "Domain allowlist for user email addresses'' setting on the User Settings page in the Control Center, it would mistakenly not allow top-level domains to be entered if they contain more than 4 characters (e.g., vanderbilt.health). It now appropriately allows top-level domains up to the maximum 63 characters. (Ticket #104291)

• Bug fix: Using the “Break the Glass” feature in CDIS might mistakenly fail if the user has no access token.

• Bug fix: The “Mapping Helper” feature in CDIS might mistakenly not appear or be usable in Data Mart projects.

• Bug fix: When using the “Mapping Helper” feature or CDP Mapper for CDIS, some things might not load correctly because of some HTML needing to be escaped first in the resulting JSON.

• Bug fix: If the RemoveTempAndDeletedFiles cron job happens to be running at the same time as the Easy Upgrade process is extracting a new REDCap version, on certain server configurations the cron job might mistakenly delete some of the REDCap files being deployed in the new version, thus leaving the new REDCap version directory missing some critical files. (Ticket #137910)

• Bug fix: Bar charts and pie charts might mistakenly be displayed on Public Dashboards despite having an insufficient amount of data to display (based on the setting "Minimum number of data points required to display Smart Charts, Smart Tables, or Smart Functions on a *public* Project Dashboard..."). (Ticket #137411)

• Bug fix: When performing field embedding on a survey page or data entry form, the page might crash due to a fatal PHP error if the project has a very large amount of fields.

• Change: Slight tweak in the SQL queries used on the project Logging page to make the page load faster for older projects. (Ticket #138200)

• Bug fix: When MyCap is enabled in a project, clicking the [?] link to the right of the green Publish button at the top of the Online Designer would mistakenly display an empty dialog when viewing/editing the fields in an instrument (but it looks correct when viewing the instrument list in the Online Designer). (Ticket #138146)

• Bug fix: When MyCap is enabled in a project, on some rare occasions when migrating a project using the MyCap external module, the process might fail due to an SQL error. (Ticket #138168)

• Bug fix: When viewing the MyCap Participant List, in which a baseline date is being used, the baseline date value seen in the table for each participant would mistakenly be displayed in the wrong date format or would appear mangled. (Ticket #138166)

• Bug fix: When renaming an instrument in the Online Designer and then immediately creating a new instrument right after the renamed instrument, the new instrument might mistakenly get relocated to the first-instrument position after being created, and the record ID field might mistakenly get relocated to another position. Bug emerged in REDCap 13.0.0.

• Bug fix: For a repeating Automated Survey Invitation that has conditional logic and has the "Ensure logic is still true" checkbox checked, if a record has invitations scheduled for the repeating ASI, and the ASI's conditional logic no longer evaluates as True for the record, the repeating invites will stop sending (as expected), but the repeating invites would mistakenly still be displayed on the Survey Invitation Log. This would give the false impression to the user that those invitations will be sent when, in fact, they will not. (Ticket #134780)

CHANGES IN THIS VERSION:

• New feature: Integration of the MyCap External Module

  • Introduction: MyCap is a participant-facing mobile application (on iOS and Android) used for data collection and the automated administration of active tasks (activities performed by participants using mobile device sensors under semi-controlled conditions). All data collected in the MyCap app is automatically sent back to the REDCap server as soon as internet connection is available (i.e., it can also be used for offline participant data collection). MyCap is a no-code solution for research teams conducting longitudinally-designed projects or projects with frequent participant contact. MyCap also facilitates participant engagement and retention by providing quick access to project staff and two-way communications (e.g., messaging and announcements) within the app. MyCap is available on any iOS device (iOS v11.0+) and any Android device (Android v8.0+). For more information about MyCap, check out the MyCap website, publication, resources, and a list of MyCap use cases.

  • System-level settings: The MyCap feature will be enabled globally by default after upgrading or installing REDCap, but it can be disabled (so that no users see the option in their projects) on the Modules/Services Configuration page in the Control Center. That page also contains a setting where, assuming MyCap is enabled globally, an admin can set it so that 1) users can enable MyCap in their projects on their own, or 2) users will need to click a button in their project to send a request requiring admin approval to enable MyCap in the project.

  • Project-level settings: The ability to enable or request to enable MyCap in a project will be in the Main Project Settings section at the top of the Project Setup page. There is an informational dialog there that can be opened that contains helpful links to many resources, including the MyCap website, the MyCap Help document (a detailed 16-page instruction manual on setup and usage), and three videos.

  • Project Utilization: Utilizing MyCap in a project consists of two main parts: 1) design, and 2) managing participants. The design portion is where users can enable instruments as MyCap tasks, import active tasks, and design the look and feel of the MyCap app (as the participant sees it). These things pertaining to design are performed in the Online Designer and thus require “Project Design and Setup” rights. The participant portion requires a new user right “Manage MyCap Participants” that appears on the User Rights page after MyCap has been enabled in a project. Having this privilege, a user will have access to the “MyCap Participant Management” page on the left-hand menu. This page will allow users to view, invite, and message their MyCap participants. In many ways, it is very similar to the “Survey Distribution Tools” page when using surveys.

  • External Module Migration: If users have been using the MyCap external module, there is an upgrade path to import all the MyCap EM settings into the built-in MyCap feature. In projects with the MyCap EM enabled, users will see a “Migrate to REDCap” button on the left-hand menu, which opens a dialog with plenty of information about the new built-in MyCap feature. As the dialog will note, users themselves cannot perform the migration, but a REDCap admin must do so for them. The migration is fast and only requires a couple button clicks, after which it will disable the MyCap EM in the project. Note: Currently, the MyCap EM is planned to be supported only until June 2023, so it is recommended that users using the EM attempt to fully migrate well before that time.

  • Smart Variables and Action Tags: Several new Smart Variables and Action Tags can be used with MyCap, some of which are a required, integral part of how users invite participants and also how MyCap imports data into a project. See the documentation for Smart Variables containing the prefix “mycap-” and Action Tags containing the prefix “@MC-”.

  • Stats: System-level MyCap statistics can be seen on the System Statistics page in the Control Center.

• Improvement:New Multi-Language Management option to require admin activation of multi-language support in projects

  • Administrators may now change the behavior of the Multi-Language Management feature so that project users cannot view or use MLM in a project until a REDCap administrator has first enabled it explicitly in that project.

  • This behavior can be changed on the Settings tab on the Multi-Language Management page in the Control Center where it says “Require admin activation of multi-language support in projects”. Note: Enabling that system-level setting will not affect any projects where multi-language support is already enabled (either because it had previously been enabled explicitly by an admin or there is at least one language already set up).

  • Additionally, the following new admin-only options have been added to the Settings tab on the MLM setup page in each project, in which these options only appear to admins and only when the system-level setting has been set where only admins may enable MLM:

    1. “Enable multi-language support for this project” - Allows users with Project Setup and Design rights to see the MLM menu link and to use the MLM setup page.

    2. “Disable and hide multi-language support for this project” - Turning on this option will hide the MLM menu link and prevent access to Multi-Language Management for users even when there are languages defined. This overrides the Enable option above.

• Improvement for the External Modules Framework: New "Developer Tools" section & "Module Security Scanning" link on the Control Center -> External Modules -> Manage page.

• Change/improvement: New and improved workflow and user interface for the “Break the Glass” feature when using Clinical Data Interoperability Services (CDIS) with Epic.

• Change: As a convenience, when deleting a conversation in REDCap Messenger, the user is no longer prompted to enter the word "delete".

• Change/improvement: A new check was added to the Configuration Check page to detect if the Zlib PHP extension has been installed on the REDCap web server. (Ticket #137725)

• Change/improvement: The path to the web server's PHP.INI configuration file is now listed at the bottom of the main Control Center page (below the date of the last REDCap upgrade). This information will be useful to help admins locate their web server's config file, which can sometimes be difficult to find.

• Change/improvement: On the Alerts & Notifications page, users are now able to copy deactivated alerts. In previous versions, alerts could not be copied until they were first reactivated.

• Bug fix: Certain versions of MariaDB do not output the "COLLATE" portion of a database table's column definition in the results of a "SHOW CREATE TABLE" query, thus causing false positives to display in the Control Center that say that the "database structure is incorrect". (Ticket #137551, #137575, #137321)

• Bug fix: For some web server configurations, the server's session "garbage collection" might mistakenly not run or might not run very often, thus causing the redcap_sessions database table to become overly bloated. The garbage collection process is now run manually via a cron job to ensure this task gets performed regardless of server configuration. (Ticket #137675)

• Bug fix: When more than ten completed surveys are displayed in a participant's Survey Queue, the "all surveys completed" row might appear in the wrong place in the table. (Ticket #137550)

• Bug fix: An error message would be seen by a REDCap admin attempting to approve an External Module Activation Request for a user. (Ticket #137672)

• Bug fix: For some users, the My Projects page might be unusually slow to load due to a change in REDCap 12.5.17 (Standard) that removed the usage of AJAX requests on the page. To fix this performance issue, the change from 12.5.17 has been reverted back to the old behavior.

• Bug fix: When a user not assigned to a Data Access Group filters the results on the Logging page by DAG, the page might crash with an error if no users are currently assigned to that DAG in the project. (Ticket #137764)

• Bug fix: When viewing the REDCap Mobile App's "App Data Dumps" page, in which a data dump file could not be found on the server for unknown reasons, it would mistakenly throw a fatal PHP error on the page for PHP 8. (Ticket #137777)

• Bug fix: When using REDCap::saveData() in a plugin, hook, or external module, in which the "dataLogging" parameter is passed to the method as FALSE, the record list cache (i.e., the back-end secondary list of records) would mistakenly fail to get updated during this process. This means that if new records are being created via REDCap::saveData() with dataLogging=FALSE, those records would appear not to have been created until an admin clicked the "Clear the Record List Cache" button, after which the records would finally appear in the project, such as on the Record Status Dashboard, reports, and the Add/Edit Records page. (Ticket #137836)

CHANGES IN THIS VERSION:

• Change/improvement: If the monthly User Access Dashboard reminder emails are enabled, which are used to remind project users to keep their role-based access rights up to date, the emails will now be sent only during business hours. This is intended to help increase their visibility and thus improve response rates to these reminders.

• Change/improvement: The "My Projects" page (and also the "Browse Projects" page in the Control Center) no longer loads the projects' count of records and fields via AJAX after the page has loaded but instead now loads the counts more efficiently in real time while rendering the page, which requires less HTTP requests.

• Bug fix: When attempting to upgrade an external module from the main Control Center Notifications page, the process would mistakenly fail due to a JavaScript error. However, this process does successfully complete if performed on the External Modules Module Manager page in the Control Center. (Ticket #137243)

• Bug fix: The Duo Universal Prompt utilized in the Duo two-factor authentication in REDCap might mistakenly not work for certain username conventions. REDCap now uses an updated algorithm to match the "simple" username normalization in Duo, in which "DOMAIN\username", "username@example.com", and "username" are treated as the same user. It will also consider aliases when matching the username. Bug emerged in REDCap 12.5.5 Standard. (Ticket #137039)

• Bug fix: When using Multi-Language Management, the section header above a matrix of fields would mistakenly not display the translated text. (Ticket #137255)

• Bug fix: When using CDIS/FHIR services to extract medications from the EHR, the values for the RxNorm code and RxNorm label were mistakenly switched.

• Bug fix: Longitudinal projects might fail to load on the "Setting up Project" screen in the REDCap Mobile App. Bug emerged in REDCap 12.5.15 (Standard). (Ticket #137314)

• Bug fix: CDIS related cron jobs were mistakenly running for projects in Analysis/Cleanup mode or marked as Completed.

• Bug fix: When certain Smart Variables (specifically form-url, form-link, survey-date-completed, survey-time-completed, survey-date-started, survey-time-started, survey-duration, and survey-duration-completed) have [first-event-name] or [last-event-name] appended to them, an incorrect value might be returned from the Smart Variable.

• Bug fix: When performing randomization on a record while on the first instrument, in which the user locks the instrument immediately after randomization has occurred, the record would get mistakenly duplicated after clicking the Save button on the page. (Ticket #137260)

• Bug fix: The BioPortal API token stored in the redcap_config database table was mistakenly not encrypted at rest as other third-party tokens/keys are. (Ticket #137403)

• Bug fix: When using Multi-Language Management, the language drop-down list was mistakenly being displayed on data entry forms even when only one language has been defined on the MLM setup page. It should only display the language choice list if there is another language to choose.

• Bug fix: If a field is used in cross-form or cross-event branching logic, in which the value of the field contains double quotes, the branching logic may not function correctly on the page. (Ticket #136926)

• Bug fix: A fatal PHP error might be thrown in some specific cases where the method Records::deleteEventInstanceByProject() is called in certain contexts. (Ticket #137376)

• Bug fix: If a project is using record auto-numbering, and the highest-numbered record gets renamed so that it is no longer the highest-numbered record, after which a participant completes a public survey in the project, the new record created by the participant would mistakenly skip the appropriate record number and be assigned to one number higher than expected. (Ticket #125567)

CHANGES IN THIS VERSION:

• Bug fix: If the text in a Text field or Notes field contains an email address, it should display the email address as a clickable mailto link when viewing the data on a report. However, it would only do that if the field value contained only an email address and no other text. (Ticket #136735)

• Change: Improved compatibility of Clinical Data Pull with Epic Hyperspace, which uses Internet Explorer.

• Bug fix: When an Automated Survey Invitation has been set up in a longitudinal project, in which the ASI's conditional logic includes datediff()+today/now and has the "Ensure logic is still true" checkbox checked while additionally one or more of the variables in the logic are missing a prepended unique event name, the DateDiff+Today/Now cron job might mistakenly schedule a survey invitation that should not be scheduled, even though REDCap will ultimately unschedule the invitation right before trying to send it. This bug was supposedly fixed in REDCap 12.4.7 LTS and 12.5.0 Standard, but mistakenly it was not. (Ticket #136960)

• Bug fix: The Multi-Language Management settings "Export or import general settings" were mistakenly being displayed on the MLM Control Center page when they should only be displayed in a project. (Ticket #136968)

CHANGES IN THIS VERSION:

• Minor security fix: An SQL Injection vulnerability was found in the Copy Field action on the Online Designer, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page.

• Minor security fix: An SQL Injection vulnerability was found in the "Import from Field Bank" action on the Online Designer, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page.

• Major bug fix: When a user clicks the "Generate API Token" button on the API page in a project, it would mistakenly return a vague/unhelpful error message saying that the token could not be created (or it would simply reload the page with no warning in some cases). This would happen if the user has API Import and/or API Export privileges but does not have Mobile App privileges. The only user permission that should be required to request an API token on this page are API Import or API Export privileges. Bug emerged in REDCap 12.4.20 LTS and 12.5.13 Standard Release.

• Major bug fix: When renaming or deleting an instrument via the Online Designer while in development status, the instrument-level data viewing rights and instrument-level data export rights would mistakenly not always get updated to reflect the new instrument name for all the users and roles in the project. Note: While this fix will prevent the issue going forward, users will need to manually update a user's/role's permissions to fix any already affected users/roles. (Ticket #136038)

• Major bug fix: When a field is embedded on a multi-page survey, in which the embedded field's container field is hidden by branching logic on a different page on which the container field is itself located, the embedded field's value might mistakenly get erased when the later survey page is submitted if the embedded field is a Required field.

• Change/improvement: If the URL for a request on the To-Do List page contains an outdated REDCap version number (i.e., the request was made prior to the latest REDCap upgrade), the URL will now be auto-updated in the To-Do List to replace the old REDCap version number in the URL with the current REDCap version number. This will prevent 404 "Not Found" errors when processing To-Do List items in the case where the previous REDCap version directories have been removed from the web server after the latest REDCap upgrade.

• Change/improvement: The "Export Events" API method now also returns the "event_id" for each event. (Ticket #135602)

• Change: If a user cancels their own request to an admin that requests to move a project to production or to delete a project, the request no longer gets permanently deleted but gets marked as archived instead. This effectively has the same effect but preserves any comments or info associated with the original request, whereas deleting the whole request causes the comments/info to be permanently erased, which might not be ideal. (Ticket #136506)

• Bug fix: When using Multi-Language Management, the Survey Login page text might mistakenly not get translated. (Ticket #136358)

• Bug fix: When using Multi-Language Management, the choices for multiple choice fields would mistakenly not get imported when performing a CSV file import on the MLM setup page. (Ticket #136415)

• Bug fix: When the authentication method is set to "OpenID Connect" or "OpenID Connect & Table-based", admins may define which OIDC attribute will serve as the REDCap user's username. However, the "preferred_username" attribute was mistakenly missing from the "Attribute to use for REDCap username" drop-down on the Security & Authentication page. (Ticket #132200)

• Bug fix: If a user clicks the "Re-send Email" button for an email displayed on the Email Logging page in a project that has the "Protected Email Mode" feature enabled, that re-sent email would mistakenly not be sent using the Protected Email Mode but would be sent to the recipient as-is. (Ticket #120500)

• Bug fix: The Duo Universal Prompt utilized in the Duo two-factor authentication in REDCap might mistakenly not work and would throw an error if the REDCap username is not all lower case. (Ticket #133020b)

• Bug fix: If a text field on a data entry form or survey page is a required field and already has a saved value, if the field's value is manually removed (via backspacing) on the page and then the field is hidden by branching logic, upon saving the page, the "Some fields are required!" prompt might mistakenly get displayed for the field, which should not occur due to the fact that the field is hidden on the page. (Ticket #136520)

• Bug fix: When using Multi-Language Management, the text in the title of the “Invalid values entered” popup on data entry forms and survey pages would mistakenly not be available for translation on the MLM setup page. (Ticket #136541)

CHANGES IN THIS VERSION:

• Major bug fix: When attempting to upgrade to REDCap 12.5.13 (Standard), the REDCap upgrade page would mistakenly redirect the user back to the REDCap home page, thus preventing them from actually completing the upgrade process. (Ticket #136337)

• Major bug fix: When performing a data import (via API, Mobile App, Data Import Tool, or REDCap::saveData) that contains not-yet-created records, in which the import process will trigger Automated Survey Invitations immediately after creating the new records, the ASI invitations might mistakenly not get scheduled/sent. In this case, the ASIs would only get triggered when someone modified a record after the import or ran the "Re-evaluate Auto Invitations" process.

• Bug fix: When exporting a Project XML file and creating a new project using it, if the project is not longitudinal but was longitudinal at some point in the past, in which the first event (while longitudinal) was named something other than "Event 1" on Arm 1, then any Automated Survey Invitation settings from the XML file might mistakenly fail to import correct into the newly created project. (Ticket #136254b)

CHANGES IN THIS VERSION:

• Change: The Configuration Check page now provides a suggestion for modifying any REDCap database tables that do not have the InnoDB attribute ROW_FORMAT set to DYNAMIC. For the greatest compatibility with future REDCap upgrades, all database tables are recommended to have Dynamic row format. If any do not, the Configuration Check page will output the necessary SQL queries for fixing these tables. Note: This is not a requirement but a suggestion to prevent possible issues with future upgrades.

• Major bug fix: If a user is currently logged into REDCap and then opens and completes a survey in another browser tab, their non-survey user session would mistakenly get destroyed, thus causing the user to need to log in again when reverting back to the original tab after completing the survey.

• Bug fixes and improvements to CDIS/FHIR launch workflows (EHR and Standalone launch)

  • Fixed compatibility with Cerner system where auto-login was not working when launching from EHR.

  • Fixed compatibility with certain external REDCap authentication systems.

  • Workflow diagram and better logs added in case of error to help identify issues.

• Bug fix: Reports that have filter logic might mistakenly display some records as being in multiple arms despite the fact that they only exist in a single arm (or exit in less arms than depicted in the report). If this occurs, the report will show the record with default values in the other arm. (Ticket #135620)

• Bug fix: When exporting user roles via the API, the "unique_role_name" attribute of some roles might mistakenly be blank if the role had been recently created but not yet viewed in the user interface on the User Rights page. (Ticket #125602)

• Bug fix: When upgrading REDCap to v12.1.0 or higher, some queries in the upgrade SQL script might mistakenly fail when specifically using MySQL 8 as the database. (Ticket #131519b)

• Bug fix: When performing a fresh install of REDCap, the install page might output a 500 server error and might provide confusing error messages when valid database credentials have not been successfully added to the database.php file yet. (Ticket #128344)

• Bug fix: The Duo Universal Prompt utilized in the Duo two-factor authentication in REDCap might mistakenly be preventing some users from successfully logging in to REDCap in certain situations. (Ticket #134514)

• Bug fix: When a user/participant accesses a page utilizing Multi-Language Management for the first time, the auto language selection (via browser settings) might mistakenly not work correctly in certain cases, thus only displaying the correct language for some of the things on the page that were translated on the MLM setup page. (Ticket #135984)

• Bug fix: When performing a data dictionary export in a project that is using "Japanese (Shift JIS)" for the "character encoding for exported files", the process might fail with a fatal PHP error for PHP 8.0+. (Ticket #136046)

• Bug fix: Utilizing a forward slash "/" anywhere inside the @IF action tag would mistakenly cause the action tag not to function. (Ticket #135803)

• Bug fix: The EHR Launch process for Clinical Data Pull might mistakenly result in a JavaScript error, specifically when using Epic, when a user attempts to add a patient to a project inside the REDCap embedded window in Hyperspace.

• Bug fix: CDIS-related issue with FHIR version DSTU2 where date filters were mistakenly not applied to Observations data.

• Bug fix: On the Other Functionality page when exporting the Project XML file ("metadata & data"), it would mistakenly always include all available project attributes in the resulting XML file despite the fact that some or all of the checkbox options for those project attributes were left unchecked on the page. This does not affect the "metadata only" XML file but only the "metadata & data" XML file.

• Bug fix: Important documentation was missing from the Special Functions dialog and FAQ regarding the usage of date/datetime fields with MDY and DMY date formatting when used in text string functions in branching logic and calculations.

• Bug fix: Fields in a project might randomly get out of order, which can be caused by a user on the Online Designer reordering the instruments in conjunction with some other action, such as copying an instrument immediately before the reordering and/or viewing an instrument immediately after the reordering. (Ticket #109041)

• Bug fix: When using Multi-Language Management, the Automated Survey Invitation tab on the MLM setup page might mistakenly display as blank and prevent any translation of ASIs in certain cases, such as when some ASIs have been orphaned in the backend database and are not associated with a valid event in the project. (Ticket #136254)

• Bug fix: The "Conditional logic for Survey Auto-Continue" would mistakenly not get copied into a new project's survey(s) when using the Copy Project feature on the Other Functionality page. (Ticket #136281)

• Bug fix: When REDCap is using WebDAV for file storage, in which the WebDAV connection settings have not yet been defined, a fatal PHP error may occur on certain pages when using PHP 8. (Ticket #136289)

• Bug fix: When a user clicks the "Request API Token" button on the REDCap Mobile App page in a project, it would mistakenly return a vague/unhelpful error message saying that the token could not be created (or it would simply reload the page with no warning in some cases). This would happen if the user did not have API Import or API Export privileges. The only user permission that should be required to request an API token specifically for the Mobile App is "Mobile App" user privileges. Bug emerged in REDCap 12.4.13 LTS and 12.5.6 Standard Release. (Ticket #135788)

CHANGES IN THIS VERSION:

• Bug fix: The Record Status Dashboard might load unnecessary slowly for projects that are not using Form Display Logic and have 1000+ records.

• Bug fix: On some rare occasions in longitudinal projects, a report with filter logic might mistakenly not display its report headers on the page. Bug emerged in the previous version.

• Updates and fixes for the External Module Framework, including a fix that prevents out of memory errors if a record is not specified for the getChoiceLabel() method.

• Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code "656" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it.

• Bug fix: Some pages might mistakenly not function correctly due to a JavaScript error when using Internet Explorer. For example, this can cause branching logic and calculations to fail to function on survey pages and data entry forms when using IE.

• Bug fix: When performing a Data Search specifically on a project's record ID field on the "Add/Edit Records" page in a longitudinal project, some record names might mistakenly not be returned from the search, especially if no data has been saved in the first event for some of the records. (Ticket #135313)

• Bug fix: The "Phone (North America)" field validation might not correctly recognize some valid 10-digit North American phone numbers, especially if the fourth digit is a "3". (Ticket #135444)

• Bug fix: When using the Text-to-Speech survey feature, any fields initially hidden by branching logic on the survey would mistakenly not have the speaker icon displayed for it to allow participants to hear the question text audibly. (Ticket #135010)

• Bug fix: If a project is using Missing Data Codes and is also using the Secondary Unique Field, setting a missing data code for the Secondary Unique Field on a survey or data entry form might mistakenly result in the "Duplicate Value" error dialog. The uniqueness check should instead be ignoring any missing data codes for the Secondary Unique Field. (Ticket #132779)

• Bug fix: If a user is exporting data in EAV format for the Export Records API Method, and some of the data being exported exists on a repeating instrument or a repeating event, the record ID field might mistakenly get exported multiple times as identical rows, despite the fact that the first instrument is not a repeating instrument and does not exist on a repeating event. (Ticket #135154)

CHANGES IN THIS VERSION:

• Bug fix: The "Add Participants" dialog on the Participant List page would mistakenly be missing some text that displays the name of the currently selected arm (only for longitudinal projects that have multiple arms). (Ticket #134086)

• Various fixes and updates for the External Module Framework, including:

  • The enable-email-hook-in-system-contexts flag must now be set to true in config.json for the redcap_email hook to run in system contexts (when a project ID is not specified).

  • External Module Framework unit tests have been refactored to significantly improve performance.

• Bug fix: When new records are being created via a data import that will trigger the scheduling of an Automated Survey Invitation that contains the Smart Variable [survey-queue-url] or [survey-queue-link] in the ASI email body, the Smart Variable would mistakenly be blank in the resulting email that gets scheduled. This does not affect existing records but only those created via data import. (Ticket #101536)

• Bug fix: Appending the Smart Variable [aggregate-count:record_id] with a parameter to filter the results by one or more specific Data Access Groups (using the either unique DAG names or "user-dag-name") would mistakenly have no effect on the result. (Ticket #132676)

• Bug fix: When opening a Calendar event, the popup might crash due to a fatal PHP error in PHP 8.0+. (Ticket #134180)

CHANGES IN THIS VERSION:

• Bug fix: The "Add Participants" dialog on the Participant List page would mistakenly be missing some text that displays the name of the currently selected arm (only for longitudinal projects that have multiple arms). (Ticket #134086)

• Various fixes and updates for the External Module Framework, including:

  • The enable-email-hook-in-system-contexts flag must now be set to true in config.json for the redcap_email hook to run in system contexts (when a project ID is not specified).

  • External Module Framework unit tests have been refactored to significantly improve performance.

• Bug fix: When new records are being created via a data import that will trigger the scheduling of an Automated Survey Invitation that contains the Smart Variable [survey-queue-url] or [survey-queue-link] in the ASI email body, the Smart Variable would mistakenly be blank in the resulting email that gets scheduled. This does not affect existing records but only those created via data import. (Ticket #101536)

• Bug fix: Appending the Smart Variable [aggregate-count:record_id] with a parameter to filter the results by one or more specific Data Access Groups (using the either unique DAG names or "user-dag-name") would mistakenly have no effect on the result. (Ticket #132676)

• Bug fix: When opening a Calendar event, the popup might crash due to a fatal PHP error in PHP 8.0+. (Ticket #134180)

CHANGES IN THIS VERSION:

• Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way for calculated fields on data entry forms and survey pages. (Ticket #132986)

• Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way for certain features of REDCap Messenger.

• Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way for a certain feature on the Project Setup page and Copy Project page.

• Improvement: Various changes and improvements for the External Module Framework, including a new module AJAX request feature (thanks to Günther Rezniczek and Mark McEver). While it has always been possible to make AJAX requests via module code, using this new framework method makes it easier and more secure. Note that for framework version 11+, logging in non-authenticated contexts must be explicitly allowed by setting the “enable-no-auth-logging” flag in “config.json”.

• Bug fix: When renaming records, the record name would mistakenly get double-decoded during the process, which is not necessary and might cause issues depending on the specific characters inside the record's record name. (Ticket #133650)

• Bug fix: Using "now" or "today" as the first parameter in the @CALCDATE action tag might mistakenly not work while viewing a data entry form or survey page if the @CALCDATE field has DMY or YMD date format. (Ticket #133677)

• Bug fix: When using the Randomization feature and randomizing a record in a project that has record auto-numbering enabled, in which the record is being randomized before the record has first been created, right after the record has been randomized, the left-hand menu link to the record's Record Home Page might mistakenly point to a new not-yet-created record instead of the record that was just randomized. (Ticket #133678)

• Bug fix: When using the biomedical ontology searching mechanism on a data entry form or survey, results in certain ontologies might not return the expected "notation" or "cui" attribute (because they do not have those attributes), thus defaulting to the using the label itself for the data value of the field. It should instead attempt to use the "@id" attribute (if available) as a tertiary measure before defaulting to using the label. (Ticket #133550)

• Bug fix: When using "OpenID Connect" or "OpenID Connect & Table-based" authentication and logging in to the server at a specific URL outside the main REDCap Home page, the user would always mistakenly be redirected back to the Home page instead of the original URL. This could cause issues in certain cases, such as when clicking the email address validation link from an email. (Ticket #133729)

• Bug fix: When using WebDAV for file storage in REDCap, very large files might be able to be uploaded into File Upload fields, but attempting to download the same large files might mistakenly result in a fatal PHP error due to memory constraints. (Ticket #133638)

• Bug fix: When viewing the dialog of Upcoming Scheduled Survey Invitations for a record on the Record Home Page, the survey title (if long) might mistakenly be truncated inside the dialog. (Ticket #133813)

• Bug fix: The "Other Export Options" page was mistakenly displaying the Tableau Export dialog contents near the top of the page instead of only displaying it inside the dialog after clicking the blue "View export instructions" button. (Ticket #133813)

• Bug fix: When using Multi-Language Management, in which a survey’s text is translated, the survey might crash with a fatal PHP error in specific scenarios when using PHP 8. (Ticket #133892)

• Bug fix: When using the Data Resolution Workflow and either opening/responding to/closing a data query or verifying/de-verifying a value via the results of a Data Quality rule on the Data Quality page, that specific result's button in the Data Quality dialog might not correctly get updated with the new status icon/number of comments if the project is longitudinal but instead would incorrectly display the icon/comment count for another event's result for the same record. (Ticket #131878)

CHANGES IN THIS VERSION:

• Minor security fix: The third-party JavaScript libraries Handlebars and Moment.js were updated to the latest version because they contained some security vulnerabilities.

• Major bug fix: When using Multi-Language Management on a survey with the e-Consent Framework enabled, the PDF displayed inline on the page to the participant at the end of the survey would mistakenly not be in the participant's chosen language but instead would be in the default language. Note: This does not affect the e-Consent PDF being stored in the File Repository, which is correctly stored in the participant's language.

• Bug fix: Fix for fatal PHP 8 error when viewing the Participant List page in specific circumstances. (Ticket #132555)

• Bug fix: The Email Logging page would mistakenly not return any logged emails if the search filter was set to return emails of type "Alerts & Notifications". This was due to emails not getting stored in the email logging database table with the correct category attribute. Thus, when using the type filter "Alerts & Notifications" going forward, it will only return results of emails sent after upgrading to this version of REDCap. (Ticket #133222)

• Bug fix: When creating a report and adding a date, datetime, or number field as a report filter in Step 3, if the field has a min or max range validation set and the user enters a value for the filter field that was outside of the field's min/max range, it would mistakenly display the out-of-range warning. This out-of-range warning is not necessary when building reports but only when entering data. The out-of-range check has been removed for report filter fields. (Ticket #133203)

• Bug fix: When a user in a Data Access Group is viewing the Logging page or calling the API Export Logging method, if the "Filter by event" filter (or "logtype" parameter in the API) was set to a record-oriented value (e.g., Record created only), certain logged events might mistakenly not be returned if the logged events were not performed by a user that explicitly belongs to the current user's DAG (e.g., a non-DAG user or a survey participant). (Ticket #133203)

• Bug fix: While reordering an event on the Define My Events page of a longitudinal project, the black popup that appears temporarily would mistakenly be located in the wrong place on the page. (Ticket #133296)

• Various updates and fixes for the External Module Framework, including:

  • Logged a stack trace instead of displaying it to avoid exposure of file paths

  • Prevented redcap_module_link_check_display() from running on surveys

  • Miscellaneous documentation updates

  • Miscellaneous Psalm scanning improvements

  • Fixed miscellaneous PHP 8 warnings

• Bug fix: A space was mistakenly missing before the URL in the "Super API Token has been deleted" email sent to the user. (Ticket #133345)

• Bug fix: When adding a new instrument to a project in development status, all users in the project would mistakenly not automatically be given "Full Data Set" data export rights to the new instrument. In certain circumstances when a new instrument is added, users would receive De-Identified export rights mistakenly, and in other situations, they would not appear to have any export rights at all for the new form until they logged in to REDCap and entered the project. This could additionally cause confusion where it might appear that the user's form-level export rights had changed if the user had not accessed the project during the time in which the new instrument was created and then the project was moved to production. (Ticket #133306)

• Bug fix: When using Multi-Language Management, the MLM setup page might mistakenly crash with a fatal PHP error in specific circumstances due to UTF-8 characters being present in some text. (Ticket #133305)

• Bug fix: When creating/editing an alert on the Alerts & Notifications page, the "Show Advanced SendGrid Settings" link inside the alert dialog would mistakenly be displayed when the SendGrid Template option is not selected and also when the SendGrid Template setting is not even enabled in the project or whole REDCap system. Bug emerged in REDCap 12.5.6 (Standard).

• Bug fix: The Duo Universal Prompt utilized in the Duo two-factor authentication in REDCap might mistakenly crash with a fatal PHP error in certain situations. (Ticket #133318)

• Bug fix: Added 11 missing LOINC codes for Clinical Data Interoperability Services (CDIS) mapping.

• Bug fix: Clicking the "Project Owners" button on the Email Users page in the Control Center might mistakenly select some users that should not be selected, especially if the users had been project owners on projects that had been marked as completed or were recently deleted.

• Bug fix: When using Azure AD authentication, specifically V1 of Azure AD, the username or email address for a B2B collaboration user object might contain an "#EXT#" identifier as text inside it in certain cases. This is problematic to have the character "#" in a user's username and email. If this occurs, the text "#EXT#" will be automatically removed. (Ticket #121605c)

• Bug fix: When a user has User Rights privileges in a project and has also been assigned to a Data Access Group, if the user goes to edit their own rights on the User Rights page and clicks "Save", it would mistakenly remove them from their current DAG without warning. (Ticket #133313)

• Bug fix: When using Twilio for sending SMS messages for survey-related activities, in some cases the Survey Invitation Log might not correctly report that the participant had opted out of receiving SMS messages. In these cases, in which the Twilio API returns the specific error message "Attempt to send to unsubscribed recipient", the invitation log now correctly notes that the invitation did not send because the participant opted out. (Ticket #105253)

• Bug fix: When a user clicks the "Delete data for THIS FORM only" button at the bottom of a data entry form, in which the form exists on a repeating event where no other forms have data (i.e., all other form status icons are a gray color), the repeating event would mistakenly still appear in reports when in fact it should no longer appear in reports. (Ticket #131790)

CHANGES IN THIS VERSION:

• Minor security fix: Several Cross-site Scripting (XSS) vulnerabilities were discovered where a malicious user could potentially exploit them on specific pages by inserting HTML tags and JavaScript event attributes or by manipulating parameters in the URL, specifically when editing Project Dashboards, when uploading and viewing inline images files on forms/surveys, and when entering Missing Data Codes of the Project Setup page.

• Change: When performing a data export, the dialog now mentions more REDCap publications that might need to be cited in published manuscripts relating to the current REDCap project. Such publications would include those for MyCap, the REDCap Mobile App, the e-Consent Framework, and CDIS.

• Change: The Configuration Check page now suggests that the MySQL setting "max_allowed_packet" be increased to 128 MB or higher (preferably to 1 GB) if it is currently less than 128 MB. In previous REDCap versions, it only made this recommendation if its value was less than 16 MB, which proved to be too small for certain very large projects to function normally.

• Bug fix: When the system-level setting "Allow reports to be made 'public'?" has been set to "No", administrators would mistakenly not be allowed to make reports public. Regardless of this setting, admins should always be able to make any report public. (Ticket #132901)

• Bug fix: Clicking the "View export instructions" for the Tableau Export option on the "Other Export Options" page might mistakenly fail to open the dialog, thus resulting in a JavaScript error.

• Bug fix: When changing the system-level language on the General Configuration page in the Control Center, the page would mistakenly not change over to the new language immediately after submitting the page but only when the page was refreshed afterward.

• Bug fix: The new Duo Universal Prompt utilized in the Duo two-factor authentication in REDCap might mistakenly not work for certain devices/OSs, such as iPhones and iPads. Bug emerged in REDCap 12.5.5 Standard. (Ticket #133020)

• Bug fix: When using Multi-Language Management, single-instrument PDF downloads would mistakenly not occur in the user's preferred language but would always be rendered in the default language. Bug emerged in REDCap 12.5.2 Standard. (Ticket #133121)

• Bug fix: If a user knows specific paths for the PHPQRCODE third-party library in REDCap, they could call it many times at a specific URL, which might cause the web server's storage to fill up with lots of temporary files. (Ticket #132432)

• Bug fix: When using Form Display Logic in a longitudinal project, in which the logic references one or more fields on an event that currently has no data for a given record, the Form Display Logic would mistakenly fail to work correctly.

• Bug fix: When piping a date or datetime field into the max validation range check for another date/datetime field, if the field being used as the max exists on a different instrument or survey page, it would mistakenly not throw an out-of-range warning if the value was above the maximum. Note: This does not affect the min range check but only the max. (Ticket #124222b)

CHANGES IN THIS VERSION:

• New Feature: SendGrid Template Advanced Settings for Alerts & Notifications

  • Introduction - A new “advanced settings” section was added to the Alerts & Notifications interface when building an alert using the relatively new SendGrid Template alert type that gives users more control over the underlying SendGrid API call being made when REDCap triggers a SendGrid Template alert. Note that all of the advanced settings are optional, and they are all disabled by default. If “SendGrid Template email services for Alerts & Notifications” are enabled for a project on the Project Setup page, then these advanced settings will appear in the alert creation dialog after selecting “SendGrid Template” as the alert type. The new advanced settings are all listed in detail below.

  • SendGrid Unsubscribe Groups - SendGrid can allow recipients of its emails to unsubscribe from all emails being sent from a sendgrid account, or from emails associated with specific unsubscribe groups in a sendgrid account. To take advantage of custom unsubscribe groups, you can create unsubscribe groups in your sendgrid account then associate them with alerts in your REDCap project. When a recipient unsubscribes from an email that has been associated with a specific unsubscribe group, they get added to that unsubscribe group's list and any future emails that are associated with that unsubscribe group will not be delivered to them. An alert can be associated with at most one unsubscribe group. Here is SendGrid's documentation on unsubscribe groups: https://docs.sendgrid.com/ui/sending-email/unsubscribe-groups.

  • SendGrid Categories - SendGrid allows you to associate arbitrary categories to each email you send from your account, effectively giving you the ability to tag each individual email sent with different metadata about the email like the email type. Unlike unsubscribe groups, categories don't have to be made in your sendgrid account before associating them with an alert in REDCap. You can define your categories in REDCap as you create your REDCap alert, and your sendgrid account will automatically detect new categories as emails get sent with them. In your SendGrid account's Category Stats page, you'll be able to see data about your emails by category. You can associate up to 10 unique categories per email, and a category name cannot be longer than 255 characters.

  • SendGrid Mail Settings - Full documentation for the SendGrid bypass settings can be found at https://docs.sendgrid.com/ui/sending-email/index-suppressions#bypass-suppressions.

    1. Bypass List Management - When enabled, your email will be delivered regardless of any other existing suppression management control in your account. For example, if a recipient is in an unsubscribe group or the global unsubscribe group, they will still receive the email if bypass list management is enabled. Bypass List Management can't be combined with any other bypass option.

    2. Bypass Spam Management - Allows you to bypass the spam report list to ensure that the email is delivered to recipients. Some email services allow recipients to mark emails as spam. In some cases, sendgrid will be notified when a recipient marks an email as spam and will maintain a spam report list.

    3. Bypass Bounce Management - Allows you to bypass the bounce list to ensure that the email is delivered to recipients. A bounce occurs when a receiving mail server rejects an incoming email. This can happen if the recipient address is bad, for example. If sendgrid sees too many bounces happening, it will add that recipient to a bounce list and it will stop trying to send mail to that recipient. Enabling this will bypass that bounce list and force sendgrid to retry delivery.

    4. Bypass Global Unsubscribe Management - When enabled, your email will be delivered even if the recipient is on your account's global unsubscribe list.

    5. Sandbox Mode - Sandbox mode lets you check for errors in the SendGrid API call used to send an email without the potential of delivering the email. If you're unsure about your sendgrid configuration, you can run a test by enabling sandbox mode for an alert and triggering it. If your project's logs state that the alert was sent successfully and you don't see any errors, then your configuration is good to go. However, since sandbox mode was enabled for that alert, an email was not actually sent. After you're satisfied with your tests, you can disable sandbox mode and start sending real emails with your alert.

  • SendGrid Tracking Settings

    1. Click Tracking - SendGrid has the ability to detect when a recipient clicks on links in an email. The count of clicks for a given email can be seen in the email activity section of your sendgrid account.

    2. Open Tracking - SendGrid has the ability to detect when a recipient opens an email by embedding a single pixel image in an email. Enabling this setting will make sendgrid include this tracking pixel in your emails. You can view the count of opens for a specific email in the email activity section of your sendgrid account.

    3. Subscription Tracking - If subscription tracking is enabled and configured on your sendgrid account, this setting lets you choose whether or not you want to include the global unsubscribe link associated with the subscription tracking feature in your emails. Note that you can utilize unsubscribe groups without using the more general subscription tracking feature. I believe subscription tracking is disabled by default on a sendgrid account. Here is some documentation from sendgrid about unsubscribe methods: https://support.sendgrid.com/hc/en-us/articles/1260806604209-Unsubscribe-Methods

  • Miscellaneous Additions

    1. Added an External Service Check for https://api.sendgrid.com/v3 in the Control Center's Configuration Check page.

    2. Added a line in the Modules utilized section of the Systems Statistics page to keep track of how many non-practice projects are utilizing sendgrid for Alerts & Notifications.

  • Additional SendGrid API Token Requirements - To fully support SendGrid Advanced Settings, the SendGrid API token used in the project's setup needs the permission for getting an account's unsubscribe groups through the API. This permission is mapped to the asm.groups.read scope. You can add this permission to your existing API token by editing its permissions in your SendGrid account and giving it Read Access to Unsubscribe Groups in the Suppression section.

• Improvement: When utilizing Multi-Language Management in a project, the Field Finder on the Codebook page now supports searching in translated field labels.

• Improvement: The date of the most recent REDCap upgrade for the system is now displayed near the bottom of the main Control Center page. (Ticket #69036)

• Improvement: "Project 5 (COVID-19)" was added as a new classification that is selectable under the NIH CDE Repository catalog for the Field Bank feature in the Online Designer. Project 5 (COVID-19) is a classification of NIH-Endorsed CDEs (Common Data Elements).

• Major bug fix: When exporting a PDF that contains a multiple choice field that has been flagged as an Identifier field, if the user has De-Identified data export rights for the field's instrument, the data for the field would mistakenly not be removed from the resulting PDF. (Ticket #132190)

• Major bug fix: When clicking the “Forgot your password?” link on the login page and then entering the username of a valid REDCap user, the password of the username entered would mistakenly be reset immediately after being entered, which could lock out the user if a malicious user is randomly entering usernames to try and discover a valid username. It now only resets the user’s password after they click the password reset link in the email that they receive. Additionally, in order to prevent malicious users from discovering valid usernames, the password reset page now returns the exact same message in all situations, whether the username entered is a real username or not. In the case when using one of the “X & Table-based” authentication methods, if the user entered is an external user (i.e., not a Table-based user), they will also receive an email that will inform them that they must reset their password using an external resource outside of REDCap (or it will instead display the custom password reset text that has been defined in the Control Center). (Ticket #132595)

• Major bug fix: When using certain external authentication methods, survey pages might sometimes mistakenly time out if the project's internal Record List Cache (a secondary list of records in the database for improving performance) had not been built yet, which is done automatically by REDCap internally. This would cause an internal API call to fail when it is made inline while loading survey pages, thus causing the survey page not to load. (Ticket #104761)

• Bug fix: The Codebook page can become very slow in certain situations when lots of fields exist in the project, especially when utilizing languages for Multi-Language Management. (Ticket #132349)

• Bug fix: When using Multi-Language Management in a project, some translations might get mistakenly overwritten when importing a CSV/JSON translation file due to an issue with case sensitivity with the language ID (e.g., “es” vs “ES”). (Ticket #132443)

• Bug fix: Some of the text inside the dialog displayed to an administrator when a project has been marked as Completed was changed in order to be less confusing about the project's status after the admin has restored it. (Ticket #132499)

• Bug fix: When using Azure AD authentication, users might mistakenly not have their first/last name and email auto-populated into their user profile after initially logging in to REDCap. This bug was supposedly fixed in the previous version but mistakenly was not. (Ticket #130664b)

• Bug fix: When using the Data Resolution Workflow feature and creating data queries based on the results of Data Quality rules, the results of the Data Quality rules might not display the correct number of comments for a given discrepancy unless it belongs to a repeating instrument. (Ticket #131878)

• Bug fix: When a user's date/time format user preference on the Profile page is set specifically to "YYYY-MM-DD and 24-hour time", some timestamps displayed in the REDCap user interface (e.g., Most recent activity on Project Home, Email Logging sent time) would mistakenly display the "seconds" component of the datetime when it should only display hours and minutes. (Ticket #132678)

• Bug fix: When using Azure AD authentication, the username for a B2B collaboration user object might contain an "#EXT#" identifier as text inside it in certain cases. This is problematic to have the character "#" in a user's username. If this occurs, the text "#EXT#" will be automatically removed from the user's username. (Ticket #121605b)

• Bug fix: By manipulating URLs and/or JavaScript variables on a REDCap project page, a user might be able to request an API token for a project in which they do not explicitly have API rights (although they would have to have access to the other project in order to do this). Even if the administrator approved the token request via the To-Do List or via the email request, the user would not be able to obtain the API token that was created for them, nor would they be able to use the token even if they could somehow obtain it. So no real harm or privacy issues could result from this. (Ticket #132778)

• Bug fix: When using Multi-Language Management and importing translations for survey settings via a CSV file, some survey settings would mistakenly fail to import successfully. (Ticket #132828)

• Bug fix: When using Multi-Language Management, the “[Reminder]” text for Automated Survey Invitation reminders was mistakenly not translatable. It can now be translated on the User Interface > Survey > Survey Emails section on the MLM setup page. (Ticket #132868)

CHANGES IN THIS VERSION:

• Improvement: Admins can now provide an alternate URL that will be used for the "Contact REDCap Administrator" links on each project's left-hand menu. If admins are using a ticket system, for example, to collect questions/issues from users, they may enter the URL of the ticket system's page where new tickets can be submitted. The alternate URL can be entered on the General Configuration page of the Control Center. If left blank (its default value), the "Contact REDCap Administrator" links will function as they have in previous versions, in which clicking them will open a pre-formatted email in the user's native email client.

• Improvement: The Duo two-factor authentication process has been upgraded to use the new Duo Universal Prompt. This will provide a better and more reliable user experience for those institutions using Duo for two-factor authentication in REDCap. (Ticket #130859)

• Improvement: Two more fields (general_practitioner and managing_organization) were added to the Patient FHIR resource when using the Clinical Data Mart service for CDIS.

• Major bug fix: When viewing and downloading files under the "Data Export Files" tab of the File Repository, users that do not have Full Data Set data export rights to every field contained within a given export file on that page would mistakenly be able to download the export file(s). REDCap will now check to ensure that the user has Full Data Set access to every field contained within the export file, and if they do not, the user will not be able to download the data export file(s), in which it will instead display the following message on the page: "NOTICE: You are not able to download the export files here because you have either none or partial data export rights to one or more fields contained within the data export file." This bug was introduced in REDCap 12.2.0 with the advent of instrument-level data export rights.

• Bug fix: When a user attempts to submit an instrument to the REDCap Shared Library via the Online Designer, the descriptive text regarding this process mistakenly includes a dead hyperlink to a page that no longer exists. The hyperlink has been replaced with a modal dialog containing the same information. (Ticket #131617)

• Bug fix: PHP compatibility issue in some circumstances might cause the PDF export to fail with a fatal error when using PHP 8. (Ticket #131673)

• Bug fix: When using Multi-Language Management, some HTML and JavaScript might be inserted into the webpage source code too early when viewing the Survey Access Code page. (Ticket #131704)

• Bug fix: The Codebook would mistakenly not display the min/max values of slider fields on the page if the min/max range values were never explicitly set (i.e., as 0 and 100, respectively). (Ticket #131065b)

• Bug fix: When using Multi-Language Management, there might be an issue when attempting to import a system language (from the Control Center) into a project and also with exporting a language. (Ticket #131811)

• Bug fix: A user creating a new project would mistakenly not receive "Full Data Set" data export privileges on all instruments in the new project.

• Bug fix: When using the Survey Setting to provide custom text for the survey’s Submit button, in which a field variable is piped into the Submit button text, it might mistakenly cause the Previous page button not to function on the survey page. (Ticket #131937)

• Change: When deleting a project via the Other Functionality page, it now displays the total number of project records inside the Delete Project dialog to give the user more context prior to deleting the project.

• Bug fix: Viewing a report might cause the page to mistakenly crash with a fatal PHP error in certain situations when running PHP 8. (Ticket #132041)

• Bug fix: If a participant is attempting to take an Adaptive or Auto-Scoring survey (i.e., downloaded from the REDCap Shared Library), in which the survey has the Survey Login feature enabled, after the participant has successfully logged in, the survey would mistakenly not display correctly because the first question and submit button would not be visible on the page, thus making it impossible to complete the survey (unless the participant refreshed the page in their browser, after which it would work correctly).

• Bug fix: When using Multi-Language Management, if a user exports a CSV language file on the MLM setup page, edits it, and then imports it back again, in certain circumstances the uploaded changes might not take effect.

• Bug fix: When using Azure AD authentication, users might mistakenly not have their first/last name and email auto-populated into their user profile after initially logging in to REDCap. (Ticket #130664)

• Change: In the Action Tag documentation, a note was added about how to escape text returned from the @CALCTEXT action tag.

• Bug fix: When using Multi-Language Management, if the survey setting checkbox “Store the translated version of the PDF” is not checked for the “Save a PDF of completed survey response to a File Upload field” setting on the Survey Settings page, the saved PDF of the response would mistakenly be stored in the language that the participant had chosen on the survey page instead of storing the PDF using the default language. (Ticket #131879)

CHANGES IN THIS VERSION:

• Major bug fix: When the Protected Email Mode is enabled in a project, and a recipient clicks the link in their email to view the original email content within REDCap, they would never receive the follow-up email containing the one-time code, thus preventing them from accessing the content of their email. (Ticket #131414)

• Major bug fix: When an Automated Survey Invitation utilizes conditional logic with the "Ensure logic is still true" checkbox checked, and a survey invitation gets scheduled, after which the record's data is modified, thus invalidating the ASI conditional logic, the scheduled invitation would mistakenly fail to get automatically deleted. Bug emerged in REDCap 12.5.0 (Standard). (Ticket #131358)

• Major bug fix: When using Google OAuth2 authentication with the User Allowlist enabled, the User Allowlist would mistakenly not prevent users from logging in who were not on the allowlist. (Ticket #131346)

• Major bug fix: When simultaneous users are viewing the same data entry form for a record that has not yet been created, in which the same tentative record name is displayed at the top of the form for both users, if the second user attempts to lock the form after the first user has already saved the form and created the record, the second user will end up creating a record with another record name (as expected); however, instead of the second record's form getting locked, the first user's record would mistakenly be the one that gets locked. (Ticket #131431)

• Bug fix: Various PHP errors specific to PHP 8 were fixed on the Data Quality page. (Ticket #131294)

• Bug fix: Attempting to copy an instrument in the Online Designer when the instrument contains no fields (excluding the form status complete field) often results in the instrument not actually being copied or causes it to be half-copied (i.e., almost copying it but leaving some parts orphaned in the database backend). To fix this, users will no longer be able to copy an instrument if the instrument has no fields. If a user attempts to copy an instrument with no fields, a dialog will be displayed letting them know that they cannot copy the instrument until at least one field exists in the instrument. (Ticket #131273)

• Bug fix: When using the Multi-Language Management feature, selecting a language as the Fallback language in the MLM setup might prevent the user/participant from switching to the Default language on a form/survey and would instead mistakenly display the Fallback language text on the page.

• Bug fix: A fatal PHP error might occur when using a CDIS service. (Ticket #130928)

• Bug fix: When using biomedical ontology searching for a Text field, certain specific codes for very specific ontologies (e.g., SNOMEDCT) might mistakenly return a slightly incorrect code/value (typically off by a value of "1"). This appears to be extremely rare and seems to be due to a limitation with regard to how JavaScript handles large numbers. (Ticket #131406)

• Bug fix: If survey instructions or survey completion text is indented in specific ways (e.g., when the HTML <p> tag has a padding style added to it), the indention would not appear on the survey page but only on the Survey Settings page. (Ticket #131479)

• Bug fix: When two records are about to be created on a data entry form with the same tentative record name (as is displayed at the top of the form) by two simultaneous users, and the second record being created is created via the randomization process, then the project Logging page would mistakenly list the second record's record name with an incorrect value in the "List of Data Changes" column, although the real record name in the "Action" column would be correct for the record.

• Bug fix: The “json-array” data format that was recently added to REDCap::getData might mistakenly not return the full data expected but might only return partial data when using REDCap::getData with “json-array” data format for large sets of data.

• Bug fix: When using the Data Resolution Workflow feature and creating data queries based on the results of Data Quality rules, the results of the Data Quality rules might not display the correct number of comments for a given discrepancy if it belongs to a repeating instrument or repeating event. (Ticket #130207)

• Bug fix: When upgrading to REDCap 12.1.0 or higher, in certain situations the resulting upgrade SQL script might contain some malformed "drop foreign key" queries in which the foreign key name is mistakenly blank, thus resulting in an SQL error during the upgrade. (Ticket #131519)

• Bug fix: Fixed typo on the Publication Matching page in the Control Center. (Ticket #131581)

• Bug fix: When the text of the survey Submit buttons have been translated (either via a language INI file or via the Multi-Language Management feature), the button text might mistakenly spill out of the button and not display correctly if the button text ends up being wider than 140 pixels. (Ticket #131545)

CHANGES IN THIS VERSION:

• Major bug fix: The "Export Logging" API method would mistakenly allow users to export a project's logging when they do not explicitly have "Logging" privileges in the project. Note: The method would still require API Export privileges to work. The method now requires both API Export privileges and Logging privileges. (Ticket #131089)

• Minor security fix: The jQuery UI library was updated from v1.13.1 to v1.13.2 due to a Cross-site Scripting (XSS) bug.

• Bug fix: When using Multi-Language Management and translating the alternative Stop Action text that appears when a survey ends via Stop Action, the alternative Stop Action text would mistakenly not appear in its translated form when displayed on the survey page. (Ticket #130689)

• Various fixes and updates to the External Module Framework, including:

  • Clarified that the button to delete modules applies only to the selected version, not all versions.

  • Fixed issue with choice labels that have commas in them getting cut off.

  • Expanded log() method docs.

• Bug fix: When using Multi-Language Management, certain items would not be translated when only one language (which differs from what is set as the project language) is used. (Ticket #130688)

• Bug fix: When an Automated Survey Invitations option "Send the invitation X before/after Y" in Step 3 is set to "the same day (beginning at midnight)...", the invitation would mistakenly not get scheduled in longitudinal projects if the survey of the invitation being scheduled exists on a different event from the event where the ASI is being triggered (e.g., if a pre-screening survey on the first event is supposed to trigger an ASI for a follow-up survey on a subsequent event). Note: There is no way for REDCap to automatically schedule any invitations that missed getting scheduled as a result of this bug, so the only way to get the invitation(s) scheduled appropriately is to run the "Re-evaluate ASIs'' option in the Online Designer or instead open each record and click the "Save" button on any data entry form (or wait for the datediff+today cron job to trigger it - this only happens if datediff+today/now is used in the ASI conditional logic). Most importantly, users may need to adjust the send-time of any new invitations that get scheduled that initially missed getting scheduled due to this bug (because their scheduled date might differ from what their scheduled date should have been originally). (Ticket #131024)

• Bug fix: When using the "Save & Return Later" feature on a multi-page survey, in which the survey contains a non-hidden @CALCTEXT field whose value gets populated early in the survey, when a participant returns to the survey later, REDCap would mistakenly advance the participant to the page with the @CALCTEXT field, even if it occurs on a later page than where the participant left off. (Ticket #131056)

• Bug fix: Any embedded images (added via the rich text editor) displayed on a public report or public project dashboard would mistakenly not display successfully on the page. (Ticket #130897)

• Bug fix: Regarding the Text-To-Speech functionality for surveys, the "Arabic (Male)" voice was deprecated in the IBM Watson TTS service that is utilized by REDCap. That voice has now been removed as an option on the Survey Settings page, and any surveys using the "Arabic (Male)" voice will automatically have the Text-To-Speech functionality disabled.

• Bug fix: The Codebook would mistakenly not display the min/max values of slider fields on the page if the "Display number value?" slider setting is not checked/enabled. (Ticket #131065)

• Bug fix: When using one of the "X & Table-based" authentication methods, various processes (e.g., cron job for user auto-suspension due to inactivity) might not work correctly for some users in certain situations, and various user interfaces (e.g., Sponsor Dashboard) might not display all correct options or page elements for some users in certain situations

CHANGES IN THIS VERSION:

• Major bug fix: If survey invitations are scheduled via the Participant List or via the Survey Options on a data entry form (i.e., not using an ASI), in which one or more invitation reminders are scheduled to be sent, the reminders would mistakenly not get automatically removed from the Survey Invitation Log after the survey had been completed. This would cause the reminders to be sent to the participant even after they had completed the survey. Bug emerged in REDCap 12.5.0 (Standard).

• Improvement: Added “json-array” as a new option to the data formats for REDCap::getData and REDCap::saveData. It provides a way around the json data format, for the sake of computer cycles as well as for the sake of being able to pass large data structures. The “json-array” option represents the same flat data structure as decoded JSON data when using the “json” data format for these methods, but it avoids the encode/decode steps.

• Change/improvement: All the language displayed in the CDIS popup dialog “Key differences between Clinical Data Pull (CDP) and Clinical Data Mart (CDM)” has been abstracted and is now translatable.

• Bug fix: When a survey is set to use "Large" or "Very large" survey text size while some SPAN tags are located inside some H1, H2, etc. tags in the survey instructions, survey completion text, or in any other text displayed on the survey page, the text inside the SPAN tags would mistakenly appear as much smaller than they should on the page. (Ticket #130326)

• Bug fix: When using Azure AD authentication, the user principal name for a B2B collaboration user object might contain an "#EXT#" identifier as text inside the user's email address. This is problematic to have the character "#" in a user's email and also (if using their email address as the user's username) to have it in the username. If this occurs, the text "#EXT#" will be automatically removed from the user's email address. (Ticket #121605)

• Various fixes and changes for the External Module Framework, including…

  • Made the "required" flag work for rich text modules settings.

  • Hid the button to enable modules when config.json is missing (preventing a confusing error).

  • Clarified the error when modules do not extend AbstractExternalModule.

• Bug fix: When using the Multi-Language Management feature and translating the titles of surveys in a project, if a survey participant navigates to the survey queue page directly, the survey titles for the surveys listed in the survey queue would be correctly translated; however, when viewing the survey queue immediately after completing a survey, the survey titles would mistakenly not be translated into the participant’s selected display language. (Ticket #130429)

• Bug fix: Outgoing emails would mistakenly get logged in the "redcap_outgoing_email_sms_log" database table even when the emails themselves failed to send successfully. This could cause the table to fill with emails that never actually sent, many of which might have a missing sender or recipient address in the table. (Ticket #130546)

• Bug fix: If data is being imported (via API, Data Import Tool, Mobile App, or REDCap::saveData) for a slider field, an erroneous message might be returned in some situations regarding the slider field's min/max specific range settings.

• Bug fix: If a user has instrument-level locking privileges but only has read-only data viewing privileges for an instrument when viewing the instrument that has been fully or partially completed as a survey response, the "Lock this instrument?" checkbox would mistakenly not be displayed at the bottom of the page, thus preventing the user from locking or unlocking the form. Users with locking privileges should always be able to lock or unlock a form despite whether they have edit privileges or read-only privileges for that instrument. (Ticket #130667)

• Bug fix: A fatal PHP error might occur for longitudinal projects with no instrument-event designations when navigating to the Survey Distribution Tools page when using PHP 8. (Ticket #130743)

• Bug fix: When an administrator attempts to use the Project Revision History link for a given project on the Browse Projects page in the Control Center, it would mistakenly not load and thus would not be usable.

• Bug fix: When modifying Descriptive Text fields in the Online Designer, in which a field contains an inline image attachment, the image might mistakenly not display anymore in certain cases until the page is reloaded. (Ticket #130817)

• Bug fix: When using Multi-Language Management, if a user removed the default text of an item (e.g., sets the text as blank for a field label, survey instructions, etc.) after having translated the item, the MLM setup page would mistakenly no longer display the item anymore, thus making it impossible to edit the existing translated text.

• Bug fix: User input text (e.g., field labels, survey instructions) that is rendered in downloaded PDFs might get mistakenly truncated if the text contains the less-than character "<" immediately followed by certain special characters, such as "+", "-", "".", or "*". (Ticket #130761)

• Bug fix: Embedding an image via the rich text editor into the text value of a field with the @RICHTEXT action tag on a private survey would mistakenly fail with a 404 error. (Ticket #130673)

CHANGES IN THIS VERSION:

• Improvement: When using the Multi-Language Management in a project where the languages created on the MLM setup page have Language IDs that correspond to language ISO codes, if a user or participant has not yet selected their display language via the MLM language-switching choices, REDCap will use their current browser settings to auto-detect and then auto-select their preferred display language. This is meant to be an added convenience to the user/participant. Note: This only occurs if project users have set up their MLM Language IDs as ISO codes.

• Improvement/change: Updated the Font Awesome library from v5.15.4 to v6.1.1.

• Improvement: Stop Actions (for multiple choice fields) and Video Display Format settings (for Descriptive Text fields with videos) are now included in Instrument Zip files when downloading or uploading them for an instrument in the Online Designer. In previous versions, stop actions were not included, and while the video URL was included, the setting that defines if the video is displayed inline or not was not included. (Ticket #124377)

• Bug fix: When a field's action tags are displayed below it in the Online Designer, sometimes an apostrophe might mistakenly get displayed in the action tag name.

• Bug fix: Fixed issue with example HTML not displaying correctly for an item on the "Help & FAQ" page.

• Bug fix: When using the Multi-Language Management setup page, translation changes might mistakenly not get saved successfully (although they might appear to be saved) if the current user is an administrator that has “Access to all projects and data” system privileges but has not been explicitly given Project Design privileges within the project. (Ticket #130248)

• Various fixes and changes to the External Module Framework, including…

  • Improved the error message when firewalls prevent module downloads.

  • Allow deleting old versions of enabled modules.

  • Fixed a bug preventing modules containing symlinks from being deleted.

• Bug fix: A fatal PHP error might occur when accessing the Data Quality page with PHP 8.0+. (Ticket #130364)

CHANGES IN THIS VERSION:

• New feature: Repeating Automated Survey Invitations (ASIs)

  • Users can now set ASIs to send multiple times on a recurring basis for any repeating survey in a project. If the survey is a repeating instrument or if it exists on a repeating event, then users will see a new section "How many times to send it" in the ASI setup popup in the Online Designer. There users may set the ASI to send survey invitations repeatedly at a regular interval, in which it can repeat forever or a set number of times. This new repeating ASI feature works similarly to how recurring alerts have always worked for Alerts & Notifications.

  • Note: If an instrument is not a repeating survey, then this new section will not appear for that survey in the ASI setup dialog.

  • When an ASI is set up to recur for a repeating survey, the [survey-link] Smart Variable in the invitation text will always point to a different repeating instance of the survey for each time the invitation is sent. For example, if the ASI is set to recur daily, then the first day’s invitation will have a link pointing to instance #1 of the survey, the next day’s invitation will point to instance #2, then the next to #3, and so on.

• New Smart Variable: [new-instance]

  • This new Smart Variable [new-instance] can be appended to [survey-link], [survey-url], [form-link], and [form-url] to create a URL that points to a new, not-yet-created repeating instance for the current record. In this way, [new-instance] functions essentially as [last-instance]+1. This new Smart Variable works for repeating instruments and also for instruments on repeating events.

  • [new-instance] can also be used as stand-alone, in which it will return an integer. But it will only work when used within the context of a repeating instrument or repeating event, in which it will essentially return [last-instance]+1 for the current repeating context.

  • [new-instance] will auto-append “&new” to the end of the form link or survey link (when used with [form-link/url] or [survey-link/url]) and thus will cause the user/participant to be redirected to the next repeating instance if the current repeating instance (i.e., the instance number in the URL) already exists for the record. Thus, using [form-link] or [survey-link] appended with [new-instance] will ensure that you always end up on a new, not-yet-created instance. And if two participants arrive at the same repeating survey instance with both using the exact same link created by [survey-link][new-instance], then the second participant to submit the survey page will not override the first participant’s response. Instead, it will add the second participant’s response as another repeating instance that does not exist yet.

  • TIP: One of the main intended usages of [new-instance] is to utilize it as [survey-link:instrument][new-instance] inside the text of a recurring alert to allow users/participants to enter data easily into a repeating survey. In this way, it works very similarly to a repeating ASI. However, repeating ASIs do not need their survey link appended with [new-instance] because it is already implied from the ASI setup.

• New feature: Embedding images in text & emails

  • Users may now embed one or more inline images into the text of a survey invitation, an alert, or a field label on a form/survey, among other things, by clicking the image icon in the rich text editor and then by uploading an image from their local device. Anywhere that the rich text editor is used, users may embed an image into its text (with one exception: the @RICHTEXT action tag on public surveys).

  • If you wish to disable the ability to embed images in text via the rich text editor, you may disable this functionality at the system level on the Modules/Services Configuration page in the Control Center.

• New method for plugins/hooks/modules: REDCap::storeFile - Stores a file in REDCap when provided with the full path of a file on the local REDCap web server. Returns the doc_id from the redcap_edocs_metadata database table for the stored file. The file will be automatically stored using the defined file storage method in the system (e.g., WebDAV, S3, local). Note: The original file on the server will *not* be deleted by this process.

• New method for plugins/hooks/modules: REDCap::copyFile - Creates a new file in REDCap by copying a file already stored in the system when provided with the doc_id of the original file from the redcap_edocs_metadata database table in the REDCap system. Returns the doc_id for the newly created file. The new file will be automatically stored using the defined file storage method in the system (e.g., WebDAV, S3, local). Note: The original file whose doc_id is provided as a parameter will *not* be deleted by this process.

• New method for plugins/hooks/modules: REDCap::addFileToRepository - Adds a file to a project's File Repository when provided with the doc_id of an existing file from the REDCap system. Warning: This method should not be used for files already stored for File Upload fields or as various attachments in the system because deleting the file from the File Repository will delete it in all places where the file is utilized. Ideally, this method is meant to be paired with the method REDCap::storeFile(). If you wish to add a file to the File Repository that is already being utilized elsewhere in REDCap (e.g., as an attachment or uploaded to a File Upload field), it is recommended that you first call REDCap::copyFile() to copy the original file, and then call REDCap::addFileToRepository() afterward.

• Improvement: When setting up an ASI, the sub-section “When to send invitations AFTER conditions are met” now contains the new drop-down choice "the same day (beginning at midnight) that the automated invitation was triggered" in the sub-option “Send the invitation X days Y hours Z minutes before/after [drop-down]”. This new choice in the drop-down allows users to schedule the invitation based on the day the ASI was triggered and provides greater control and precision with regard to when exactly the invitation will be sent. For example, if this new drop-down option is selected along with setting it to “send the invitation 1 day 8 hours after…”, this will cause the invitation to be scheduled to be sent at exactly 8:00am the next morning. In previous versions, it was not possible to get this level of precision for the invitation send-time based upon ASI trigger-time unless you used a date field’s value as a reference.

• Change/improvement: When setting up an Automated Survey Invitation, the setting to make the ASI “Active” or “Not Active” has been moved to the top right of the ASI setup dialog.

• Various fixes and changes for the External Module Framework, including…

  • Prevented return value warnings on external module hooks that shouldn't return values.

  • Added tags to improve Psalm scanning.

• Bug fix: The REDCap Cron Job might mistakenly output some SQL queries when running the QueueRecordsDatediffCheckerCrons job.

• Bug fix: When an Automated Survey Invitation has been set up in a longitudinal project, in which the ASI's conditional logic includes datediff()+today/now and has the "Ensure logic is still true" checkbox checked while additionally one or more of the variables in the logic are missing a prepended unique event name, the DateDiff+Today/Now cron job might mistakenly schedule a survey invitation that should not be scheduled, even though REDCap will ultimately unschedule the invitation right before trying to send it. (Ticket #129893)

• Bug fix: When a Vimeo video link is provided for the embedded video URL for a Descriptive Text field, the video would mistakenly not to be playable on the page if the URL contained extra alphanumeric characters that appear after the first set of numbers and slash in the video URL (e.g., https://vimeo.com/637116791/709509f375). (Ticket #118309)

• Bug fix: Missing Data Codes could mistakenly not be saved to a File Upload field during a data import (e.g., API, Data Import Tool, REDCap::saveData) despite the fact that Missing Data Codes could be saved for File Upload fields via the web interface. (Ticket #82602)

• Bug fix: If an administrator has "Manage user accounts" privileges but does not have "Access to all projects and data..." privileges, the Browse Users page might malfunction when they attempt to perform certain actions, such as suspending users, where it would mistakenly send an email to the user themselves as if they had made a request from the Sponsor Dashboard page (which they didn't). (Ticket #129830)

• Bug fix: Fixed typo in Double Data Entry error message. (Ticket #130093)

• Bug fix: If a project is using randomization with strata fields, in which the strata fields exist on the first instrument, and then a participant loads the first instrument as a survey via the public survey link, if the strata fields appear on the first page of the survey, the strata fields will mistakenly be rendered as disabled/read-only on the public survey page if the highest-numbered record in the project has already been randomized. (Ticket #130107)

CHANGES IN THIS VERSION:

• Improvement: The Multi-Language Management setup page now has an option to “Export or import general settings”. This includes which languages are set as active, default, or fallback, which fields and survey settings are excluded, as well as the settings on the Alerts tabs and Settings tab. Note: The export/import option will appear when at least one language has been created in the project. This option is available as a JSON file only for import/export.

• Bug fix: When using the calendar feed with Outlook for calendar events containing both day and time components (as opposed to those without a time component), it might mistakenly display an error in Outlook relating to a "floating DTSTART" issue and would prevent the calendar feed from syncing properly. (Ticket #128842)

• Bug fix: The popup about anonymous surveys on the Participant List page would mistakenly display some text meant to be seen only if the project is set up to use anonymous surveys. (Ticket #129540)

• Bug fix: The calendar feed URL displayed on the Calendar page would mistakenly not display the URL of the impersonated user when an administrator uses the "View Project as User" feature but instead would display the calendar feed URL of the admin impersonating the user. (Ticket #129488)

• Bug fix: The calendar feed generated from the [calendar-link] or [calendar-url] Smart Variable would mistakenly display the Data Access Group name (if the record is assigned to a DAG) in the title of the record's calendar event in the feed. The DAG name should never appear in the participant-facing calendar event feed. (Ticket #129475)

• Bug fix: When an admin is using the Email Users page, some emails to users might mistakenly not be sent successfully due to some information being truncated (and thus corrupted) when being added to the backend database. (Ticket #129254)

• Bug fix: When using Send-It to send a file from the File Repository or a file associated with a File Upload field on a record, although the email being sent would get captured in the backend email log, the email details would mistakenly not get captured in the project-level Email Logging page. (Ticket #129554)

• Bug fix: In some specific cases when using Clinical Data Mart, normal users are not allowed to fetch data more than once.

• Bug fix: When a record's Survey Queue contains more than five completed surveys, in which case it will hide all the completed surveys in the queue to conserve space on the page, the queue would mistakenly display the text "X surveys completed!" where X is mistakenly the total number of surveys in the queue and not the total number of completed surveys in the queue. (Ticket #128732)

• Bug fix: On the System Statistics page, the stats for the number of data values pulled for both the Clinical Data Mart and Clinical Data Pull were not being calculated correctly and might have been previously reporting much lower numbers by mistake.

CHANGES IN THIS VERSION:

• Bug fix: If the Custom Record Label is enabled in a project, and the current user is exporting a PDF of an instrument containing data, the fields in the Custom Record Label might all be replaced with the text [**DATA REMOVED**] at the top right of each PDF page if the user has De-Identified data export rights for just some of the fields. It would mistakenly either display the data for all the Custom Record Label fields or instead remove all of them, but not necessarily remove just some of them based on their form-level export rights. (Ticket #129822)

• Bug fix: Using the Action Tag @NOW on a Text field with "Time (HH:MM:SS)" field validation would mistakenly return a full datetime value when the page loads rather than just the time in HH:MM:SS format. (Ticket #129882)

• Bug fix: If a project is using randomization with strata fields, in which the randomization field and/or strata fields exist on a survey that has "Save & Return Later" enabled, if a participant completes part of the survey for a record that has already been randomized, then returns later to the survey but forgets their return code, then clicks the "Start Over" button on the survey, the randomization field and/or strata fields on the survey would mistakenly have their values erased. All the other field values on the survey should be erased, but the randomization field and strata field data should never get erased for records that are already randomized. (Ticket #129892)

CHANGES IN THIS VERSION:

• Major bug fix: If a user attempts to delete a recurring alert on the Notification Log, the dialog would not close and would fail silently due to a PHP error.

• Major bug fix: A change in the code for the Multi-Language Management setup page in the previous REDCap version might mistakenly cause certain tabs on the page not to get updated when saved.

• Improvement: To improve page-loading performance of the Data Access Groups page, the DAG Switcher table at the bottom of the page will no longer be displayed when the page is initially loaded if the number of project users X the number of DAGs is greater than 5000. If the threshold is reached, then a big button saying "Display the DAG Switcher" will be displayed, and after clicking it, it will then display the DAG Switcher table. This will improve overall load time of the page in extreme cases. (Ticket #128578)

• Change/improvement: The red "Action Tags" button was added inside the Logic Editor dialog to make it easier to reference the Action Tags documentation while the Logic Editor is open. (Ticket #120079)

• Change/improvement: Below the instructional paragraph on the Participant List page, new text has been added that lists the "Survey Response Status" as being either "Anonymous*" or "Not Anonymous" along with a clickable help link that opens a dialog that discusses in-depth why/how survey responses in the project are being collected in an anonymous or non-anonymous fashion based on the project's current configuration settings. This text was added to provide more transparency and awareness to users who might not realize that they are collecting survey data in an anonymous or non-anonymous fashion, which could ultimately have implications on processes in their project later on.

• Bug fix: UTF-8 encoded names would mistakenly not display correctly on the newly improved Email Users page in the Control Center. (Ticket #129209)

• Bug fix: If a hook, plugin, or external module is calling the REDCap::saveData() method, in which parameters are passed to the method all in a single array (i.e., $params=[...]; REDCap::saveData($params)), the "dataAccessGroup" parameter's value would mistakenly be ignored if included in the parameter array. (Ticket #129203)

• Bug fix: The data entry form page or Online Designer might mistakenly crash with a fatal PHP error in certain situations when using PHP 8.0+. (Ticket #129297)

• Bug fix: Documentation of the datediff() function was mistakenly inferring that the "returnSignedValue" function parameter could be provided in all caps (e.g., TRUE). However, its value must always be lower case (e.g., true). The documentation has been changed to reflect this to reduce confusion. (Ticket #129332)

• Bug fix: When using Twilio to send invitations via Automated Survey Invitations that utilize the "Participant's Preference" as the invitation type, if the ASI belongs to a survey that is a repeating instrument, it is possible that the participant's preferred invitation type might get stored incorrectly in the backend database, thus potentially causing some invitations to be sent to the participant using the wrong invitation type (e.g., sent via Email instead of via SMS). (Ticket #128878)

• Bug fix: The API method "Export Logging" would mistakenly not return the extra text for the "Reason for Data Changes(s)" if the setting "Require a 'reason' when making changes to existing records" is enabled in the project.

• Bug fix: The calendar feed or downloadable ICS file from the Calendar page might mistakenly not include calendar events that are not associated with any records if the current user belongs to a Data Access Group. All non-record calendar events should be exportable and viewable in the calendar feed so long as the user still has "Calendar" user privileges. (Ticket #129359)

• Bug fix: If using one of the "X & Table-based" authentication methods, excluding "LDAP & Table" and "AAF & Table", the User Allowlist (if enabled) would mistakenly prevent Table-based users from accessing the system.

• Bug fix: The "Survey Link Lookup" link would mistakenly still be displayed on the Control Center left-hand menu even if all survey functionality was disabled globally in the system via the "Enable the use of surveys in projects?" setting on the Modules/Services Configuration page.

• Bug fix: If the custom survey width setting is set to a percentage width of the page and is set to less than 100%, it would cause less ideal user experiences when taking the survey on a mobile device. For mobile devices (i.e., narrow screens), the custom width setting is no longer applied but will instead display the survey at full screen width. (Ticket #129429)

CHANGES IN THIS VERSION:

• Improvement: New “Multi-Language Management” video (9 minutes) added to the MLM setup page and the Training Videos page.

• Improvement: New and improved user interface for the Email Users page in the Control Center.

• Improvement: A new option ("View & Edit / De-Identified") has been added to the system-level setting "Default instrument-level user access set for all project users' Data Viewing Rights and Data Export Rights whenever a new instrument is created while in production status" on the User Settings page in the Control Center. This new option will allow users to automatically have View & Edit viewing rights to all new instruments created while in production but will provide limits on their data export privileges for those new instruments.

• Improvements for CDIS:

  • Added RxNorm code and display fields in Clinical Data Mart (R4 and DSTU2).

  • Updated the Clinical Data Mart templates to accommodate the new data.

• Change/improvement: When using "OpenID Connect & Table-based" authentication, if the OIDC authentication process fails with an error that is returned to REDCap in the URL query string, the error description will now be displayed on the page for the user to see, whereas previously the error message might not be displayed on the page in certain situations. Additionally, if a Table-based user fails to successfully log in, as a convenience the login form will now automatically be displayed again without the user having to click the "Local REDCap Login" button. (Ticket #129023)

• Bug fix: Piping would not work successfully in real-time for Dynamic SQL fields on a survey or data entry form when the displayed language is changed on the page via Multi-Language Management. (Ticket #128562)

• Bug fix: The "Add Users (Table-based Only)" page in the Control Center would mistakenly not allow Administrators to create Table-based user accounts if using "OpenID Connect & Table-based" authentication.

• Bug fix: The "Reset Password" button would mistakenly not display on the Profile page for Table-based users if using "OpenID Connect & Table-based" authentication.

• Bug fix: Added 2 missing LOINC codes for the "social history" observation category in CDIS.

• Bug fix: When changing a project's authentication method to "OpenID Connect" or "OpenID Connect & Table-based" on the "Edit A Project's Settings" page in the Control Center, it would appear not to save the new authentication setting, but it would. But if the page was reloaded and saved again, it might revert the authentication setting to another value. (Ticket #128576)

• Bug fix: The up/down sorting arrows that appear in the headers of many tables displayed throughout REDCap might mistakenly display a smaller duplicate pair of arrows that are unnecessary. (Ticket #128758)

• Bug fix: Slider fields would mistakenly not be active and functional when viewed in the Online Designer. (Ticket #128916)

• Bug fix: Project-level external module settings would mistakenly not get deleted from the "redcap_external_module_settings" database table after a project has been permanently deleted. (Ticket #128909)

• Bug fix: The Record Home Page in a longitudinal project would mistakenly display the column for an event when the current user has no access to any instruments that are designated for that event. It should instead hide the column on the page rather than displaying it as empty. (Ticket #127708b)

• Bug fix: All rich text editors would mistakenly strip out any Font Awesome icons that were added to the source code HTML of the rich text editor.

• Bug fix: When using Multi-Language Management, a piped label might fail to display its translated language when on a PROMIS instrument (adaptive, auto-scoring, or battery) that was downloaded from the REDCap Shared Library.

• Bug fix: The Moment.js library was updated since it was out of date.

• Bug fix: The Multi-Language Management setup page might mistakenly not load due to a JavaScript error in some very specific situations.

• Bug fix: When using "OpenID Connect & Table-based" authentication in which a user clicks the "Forgot your password?" link on the login page, and then they enter a username that is not a real username when attempting to reset their password, REDCap would mistakenly not display the error message "You entered an invalid user name or password!" on the page after the login failed. (Ticket #129022)

• Bug fix: When a user is attempting to reset their password via the "Forgot your password?" link on the REDCap login page, and the system is using one of the "X & Table-based" authentication methods, if they enter a valid username on that page in which the user is not a Table-based user but is a user from the external authentication system (e.g., LDAP, OIDC), REDCap would mistakenly fail to display the custom Password Recovery text or the stock text "The password cannot be reset due to one of the following reasons: 1) It is not a valid REDCap username, or 2) The password for this user is not able to be reset in REDCap because it can only be reset using an outside authentication resource at your institution." Bug introduced in REDCap 12.3.1.

• Bug fix: When deleting the data of an entire instrument or of an entire event that includes survey responses, the survey start time (stored in the backend database) would mistakenly not get deleted along with the data, thus causing the Smart Variables [survey-date-started] and [survey-time-started] to return the start date/time of the original response(s), which not longer exist. (Ticket #129076)

• Bug fix: Prepending [previous-event-name] or [next-event-name] to the Smart Variables [survey-time-X] and [survey-date-X] might mistakenly not return a value (e.g., [previous-event-name][survey-time-completed:followup_survey]). (Ticket #128662)

CHANGES IN THIS VERSION:

• Improvement: New two-factor authentication option - If using an "X & Table-based" authentication method, you can make non-Table-based users be exempt from 2FA. This can be set on the Security & Authentication page, in which a new setting "Enforce two-factor authentication ONLY for Table-based users?", which defaults to "No", can be enabled so that only Table-based users will have to go through the 2-step login process if the system is using an "X & Table-based" authentication method. This will be useful if 2FA is already implemented on the other non-Table authentication process - e.g., OpenID Connect, thus preventing the non-Table users from having to perform 2FA twice (once outside REDCap and then once inside REDCap). (Ticket #128474)

• Change/improvement: The "sub" attribute was added to the "Attribute to use for REDCap username" drop-down in the OpenID Connect authentication settings in the Control Center to provide greater compatibility with OIDC providers. (Ticket #128417)

• Change/improvement: When a user logs in to REDCap the first time via OpenID Connect authentication, it now automatically adds their first name, last name, and email address to their REDCap user account. (Ticket #128417b)

• Bug fix: The datediff() function might not work as expected when using different data types in the parameters (e.g., date and datetime together) for PHP-based implementations of the logic evaluation process, such as the Survey Queue, ASI conditional logic, Data Quality rule logic, etc. (Ticket #128299)

• Bug fix: If a survey that is a repeating instrument is displayed in the survey queue, if over 8 instances of the survey have been completed and the survey is to allow participants to return via Save & Return Later in order to modify completed responses, it would mistakenly display all 8+ survey instances as visible in the survey queue when instead it should display them as being collapsed on the page. (Ticket #128362)

• Bug fix: If a Descriptive Text field has an inline image attachment, in which the image's file extension does not match its true mime type (i.e., someone has renamed its file extension to something incorrect prior to uploading the image), it would mistakenly cause the PDF export to run a long time and eventually time out when attempting to export a PDF of the instrument. (Ticket #128336)

• Various updates and fixes for the External Module Framework

• Bug fix: If using the [survey-link] Smart Variable with Custom Text and with an instance Smart Variable appended to the end (e.g., [survey-link:medications:Take this survey][last-instance]), the custom text would not display correctly but would include the unique instrument name at the beginning of the custom text by mistake.

• Bug fix: The "OpenID Connect" authentication would mistakenly not work successfully if using a proxy server. (Ticket #127244)

• Bug fix: The "Add Users (Table-based Only)" link would mistakenly not be displayed on the Control Center left-hand menu if using "OpenID Connect & Table-based" authentication, thus preventing admins from being able to create Table-based user accounts. (Ticket #128472)

• Bug fix: When granting a user access to a project via the User Rights page, the new user's data export rights in the popup would mistakenly default to "Full Data Set" for all instruments when instead they should default to "De-Identified" if in development status and to "No Access" if in production status. (Ticket #128504)

• Bug fix: The ":ampm" piping parameter would mistakenly not work for datetime fields that have DMY date format. (Ticket #128507)

• Bug fix: Data Quality rule D "Field validation errors (out of range)" would mistakenly not process the min and max values for the out-of-range check correctly if a field's min/max was set as "today", "now", or as a piped variable (e.g., [other_date]).

• New feature: Calendar Sync

  • Users may sync their REDCap project calendar or perform a one-time import of their project calendar events to external calendar applications such as Google Calendar, Outlook, Office 365, Zoho, Apple Calendar, or any application that supports iCal or ICS files. They may choose one of the two options below to sync or import their project calendar events to an external calendar application.

    1. Live calendar feed: Add calendar from URL/Internet - A unique web address will be displayed in a dialog on the Calendar page, in which the URL represents a real-time live feed of the REDCap project calendar. Users may copy the URL to paste it as the calendar URL in their calendar application using the option "Add calendar from URL/Internet". This will subscribe their external application to the REDCap project calendar. Privacy Note: This calendar feed URL on the Calendar page is unique to the user in the project. So if the user gets expired, removed from the project, or deleted from the system, their unique calendar feed will go blank and will not output anything anymore (for privacy purposes).

    2. One-time import: Download ICS file - Download and open the calendar ICS file below to import REDCap calendar events manually into the calendar application on your computer, or upload the file to a web-based calendar service. Notice: This is not a live feed but a one-time import. Thus, any new events added to the REDCap calendar in the future will not be automatically added to the external calendar application.

  • Disabling: The Calendar Sync feature can be disabled at the system level on the Modules/Services Configuration page in the Control Center.

  • Feed-syncing Notice: Different calendar applications have different refresh rates. So if new events are added to the calendar in REDCap, they may not immediately appear in the external application that is consuming the feed but will appear after the next refresh interval, which might be some time later that day or the next day (depending on the calendar application). Additionally, the calendar feed represents a one-way feed. This means that while changes made to the calendar in REDCap will automatically show up in the external calendar application, users will not be able to modify them in the external calendar application because they will be read-only.

  • Privacy Note: When viewing events from the Calendar page’s feed or downloadable ICS file, any data from Identifier fields will be automatically removed from the feed/file (e.g., if identifier fields are included in the Custom Record Label or Secondary Unique Field, or if the record name is an identifier), in which their data will be replaced with the text “**DATA REMOVED**”.

  • New calendar-specific Smart Variables

    1. [calendar-url] - The web address (URL) of the calendar feed or downloadable ICS calendar file belonging to the current record.

    2. [calendar-link:Custom Text] - The HTML web link that, when clicked, will navigate to the calendar feed or downloadable ICS calendar file belonging to the current record. 'Custom Text' is an optional parameter whereby you can specify the visible link text, and if it is not provided, it defaults to simply displaying the URL as the link text.

• New feature: SendGrid Dynamic Templates for Alerts & Notifications

  • SendGrid Dynamic Templates give users significantly more control over the style and design of emails when compared to the standard email alert type. Enabling this feature on the Project Setup page will give users another alert type to choose from on the Alerts & Notifications page called “SendGrid Template”. Thus, similar to Twilio, this feature is a project-level feature that users may enable on individual projects (or users can have administrators enable it for them).

  • DISABLING: The SendGrid Dynamic Templates feature can be disabled at the system level on the Modules/Services Configuration page in the Control Center. There are also other additional features on that page that determine who can enable the SendGrid services in a given project.

  • SETUP & CONFIGURATION: This integration requires that you have an account setup on sendgrid.com. After creating a SendGrid account, you'll need to configure senders for the account, create the dynamic templates you wish to use for REDCap alerts, and generate an API Key with appropriate permissions for REDCap to use. When configuring senders on your SendGrid account, you may specify individual senders, authenticate an entire domain so that any email address associated with that domain may be a sender, or both. Please refer to SendGrid's documentation on how to set up Domain Authentication and how to add individual Verified Senders. To create a dynamic template in your SendGrid account, login to your SendGrid account and use the sidebar to navigate to Email API→Dynamic Templates. Here you can create a dynamic template, give it a name, and associate an email design with it. Please reference SendGrid's documentation on Dynamic Templates and Handlebars to learn more about creating templates in your SendGrid account. Lastly, to create an API Key for REDCap, login to your SendGrid account and use the sidebar to navigate to Settings→API Keys. Here you can create a new API Key and specify its permissions. It is recommended that you create a Restricted Access API Key and only give the API Key the permissions REDCap needs to function. REDCap will need Full Access to Mail Send, Read Access to Sender Authentication, and Read Access to Template Engine. Once you have your API Key, you may use it to configure SendGrid Template email services for alerts & notifications through the REDCap Project Setup page.

  • ALERTS & NOTIFICATIONS: The SendGrid Template alert type will allow you to specify a sender email address that's in your SendGrid account's list of Verified Senders or an email address that matches an Authenticated Domain associated with your SendGrid account. You'll also have an interface to choose which of your SendGrid account's dynamic templates you'd like to use for the alert as well as an interface to specify key/value pairs that will be used to populate your template with REDCap data. Lastly, choosing recipients for SendGrid alerts works the same way as choosing recipients for email alerts.

  • COST: As REDCap makes API calls to SendGrid's Email API using your account's API Key, your SendGrid account will keep track of REDCap's usage and your SendGrid account will be charged accordingly. This is not done by REDCap but is done internally by SendGrid as you use its services. In this way, no monetary transactions are made by REDCap, and thus it is your responsibility to maintain the funds in your SendGrid account in order to ensure that the service continues to work for your REDCap project. If your SendGrid account runs out of funds, the SendGrid services in REDCap will cease to function. You may reference SendGrid's pricing page to get their latest pricing.

  • Thanks to Remi Frazier and Kaizen Towfiq at University of California San Francisco for their code contributions, which made this new feature possible.

• New feature: “OpenID Connect & Table-based” authentication

  • Admins may enable this new authentication method on the Security & Authentication page. It functions exactly like “OpenID Connect” authentication, and has the added bonus of providing some users with the ability to log in via REDCap’s local Table-based authentication (if they will not log in via OIDC).

  • Additionally, admins may optionally define the display name of the OpenID Connect system (e.g., Google, NIH), which gets displayed in a button on the login page that says “Log in using [X] or [Local REDCap Login]”. If a value is not provided for this setting, it will simply output "OpenID Connect" as the button text. Clicking that button will take the user to the OIDC login page.

• Improvement: When the authentication method is set to "OpenID Connect" or "OpenID Connect & Table-based", you may define which OIDC attribute will serve as the REDCap user's username. Simply set the setting "Attribute to use for REDCap username" on the Security & Authentication page. It will default to "username" when installing/upgrading REDCap, but also provides the other options "nickname" and "email". Note: If the selected attribute does not have a value for the current user, it will revert to using the user's associated email address to serve as their username.

• Improvement: New v2 endpoint for Azure AD authentication

  • The “Additional OAuth2 Azure AD Authentication Settings” section on the Security & Authentication page now contains a new “Endpoint Version” setting, which can be set as “V1” (default) or “V2” to allow REDCap to utilize different versions of the Azure AD authentication. Previously, only V1 could be utilized in REDCap. Now V2 can also be used.

  • Thanks to Paul Ryan (University of Hawaiʻi at Mānoa) and Eric Wagner (The Ohio State University) for their code contributions, which made this new feature possible.

• Improvement: REDCap now implements a new version of the two “datediff” cron jobs that run frequently each day and are utilized for Alerts & Notifications and Automated Survey Invitations. Instead of having a single cron job for each that runs a very long time every 4 hours, the two cron jobs will now run more often in a batched mode to spread out the same amount of work in smaller batches over time. This allows the processes to be done more efficiently (and sometimes faster in many cases) without the risk of the cron jobs timing out, which has been a concern with them in the past.

• Improvements: The following are enhancements for the Multi-Language Management system setup page in the Control Center:

  • Additional column "Initial" - this governs the language that is initially shown on the translatable non-project pages (essentially, this is only the generic Survey Access page) when no browser cookie is set yet.

  • Designates the "Default" column to identify the language that matches that from the active Language.ini file

  • Adds popups with explanations to the various columns.

• Improvement: When viewing a suspended user's account on the Browse Users page in the Control Center, it now displays the text "Suspended" in red next to the user's name and username to help admins more easily identify if the user is suspended or not.

• Change/improvement: When defining the footer links on the Footer Settings page in the Control Center, if the administrator fails to enter the link values correctly by forgetting to add a label for each URL, the resulting link displayed in the project footer would not be clickable. In this case, it now displays the URL as the label and will be clickable.

• Bug fix: When viewing an email using the Protected Email Mode feature, the page would mistakenly crash with a fatal PHP error if the Multi-Language Management feature is enabled in the project.

• Bug fix: The Instant Adjudication process for the Clinical Data Pull feature would mistakenly not pull a value from the EHR system when there exists a perfect timestamp match for a data value whose field has been mapped using the Near, Earliest, or Latest preselection strategies.

• Bug fix: The install page would mistakenly crash with a fatal PHP error if using PHP 8 when the database credentials in database.php are either not correct or they cannot successfully connect to the database.

• Bug fix: When using the same field two or three times (i.e., from different arms) as a Survey Login field, clicking the "Show value" checkbox in the Survey Login dialog would mistakenly cause the field to duplicate itself inside the dialog.

• Bug fix: If duplicate instances of the same cron job somehow exist in the redcap_crons database table, which should not happen, REDCap will now detect this issue automatically and remove the duplicate jobs from the table.

• Bug fix: If the Smart Variables [form-link] and [form-url] have a literal instance number appended to them (e.g., [form-link:meds][3]), they would mistakenly not get parsed correctly and would always produce a link/URL that points to the first repeating instance. (Ticket #127042)

• Bug fix: When using Multi-Language Management, @CALCTEXT and @CALCDATE fields would fail to have their values piped immediately on the page after a language switch. Additionally, when only a single language (out of multiple languages) was active on a survey, the language switch might actually fail to work.

• Bug fix: If a participant clicks the “Start Over” button on a partially completed survey that happens to be a repeating instrument or on a repeating event, the Logging page would mistakenly not explicitly state the repeating instance number to which the survey response belonged, thus making it appear as if it references instance #1 always. (Ticket #128018)

• Bug fix: When uploading a data dictionary that has calculations or branching logic that contain Smart Variables with a comma inside them (e.g., [aggregate-sum:age,age2], it would recommend stripping out the comma during the upload process, which would not be desirable.

• Bug fix: When using CDIS services (CDP or CPM), the FHIR services might mistakenly not function successfully if the EHR endpoint contains custom port numbers in their URL (e.g., https://example.com:8888/FHIR/DSTU2/).

• Bug fix: If a Project Bookmark is set to only be displayed for users in specific Data Access Groups, the bookmark would mistakenly fail to display for aa REDCap administrator that is using the "View Project As User" feature to impersonate a user assigned to one of those DAGs. However, the bookmark would display correctly for the DAG-assigned users themselves. (Ticket #128093)

• Bug fix: The Survey Settings feature "Save a PDF of completed survey response to a File Upload field" would mistakenly fail to function if enabled for an Adaptive or Auto-Scoring survey that has been imported from the REDCap Shared Library. (Ticket #128156)

• Bug fix: When certain field labels or section headers utilize the rich text editor on a survey that is set to display as very wide (e.g., 100% page width), the label text would mistakenly not extend to the full width of the survey table but would instead begin wrapping to the next line when the line reached a width of 850 pixels. (Ticket #128090)

• Bug fix: In the API Playground, the Export Metadata API method would mistakenly display the Form Complete Status fields in the field drop-down list on the page. It should not display those fields in the drop-down because those fields are never included in the data dictionary, thus they would never return anything from this API method. (Ticket #127974)

• Bug fix: Fixed rare issue where the fast refreshing of the main Control Center page would mistakenly display an issue where "redcap_ztemp_X" database tables exist and need to be deleted. (Ticket #128055)

• Change: If a suspended Table-based user attempts to reset their password on the login page, it would send them the email for resetting their password, which is not useful since they can't actually log in to the system. It now tells them that an admin needs to first unsuspend them. (Ticket #128232)

CHANGES IN THIS VERSION:

• Improvement: If using Two-Factor Authentication, users can be allowed to use their 6-digit 2FA one-time PIN for e-signing processes in place of their password (e.g. performing an e-signature on data entry forms or when utilizing the 'File Upload' field enhancement feature when uploading a file on a data entry form - often used for 21 CFR Part 11 compliance for FDA trials). Normally, e-signing requires a username and password, but when this system-level setting is enabled while also having REDCap’s Two-Factor Authentication enabled, users can alternatively provide their username and 2FA one-time PIN to perform the e-signing. A user can obtain their one-time PIN from their Google Authenticator or Microsoft Authenticator app, or else there will be an option available to send the user the PIN via email and/or SMS whenever they need to enter it. Note: This setting is disabled by default but can be enabled in the “Two-Factor Authentication” section on the Security & Authentication page.

• Change/improvement: Hyperlinks created in the rich text editor will now default to being opened in a new tab/window rather than defaulting to being opened in the current tab/window. This default value can be changed by the user when saving/inserting the link. (Ticket #124813)

• Change/improvement: The rich text editor might be finicky when dealing with non-Latin characters, such as converting them to HTML character codes when enabling and then disabling the rich text editor in the Edit Field popup in the Online Designer.

• Bug fix: Fix for an issue in the External Modules Framework that was mistakenly converting all HTML entities in some text and causing JavaScript errors when utilizing a specific EM method that might be used by an EM. (Ticket #126891)

• Bug fix: Field labels containing HTML character codes (e.g., &auml;) would mistakenly not be displayed correctly on the X or Y axis of a [line-chart] or [scatter-plot] Smart Chart. (Ticket #127516)

• Bug fix: On the "Modules/Services Configuration" page in the Control Center, the setting to globally disable the "Stats & Charts" page in every project was mistakenly still referring to the page by its old name "Graphical Data View & Stats", which was confusing for admins. (Ticket #127597)

• Various changes and fixes to the External Module Framework, including the following: Modified the module setting export & import features to use names rather than IDs for the arm-list, event-list, user-role-list, and dag-list setting types

• Bug fix: CDIS-related fixes

  • Several missing LOINC codes were added to the CDP and CDM mapping.

  • The field “Address (district/county)” in CDM was mistakenly missing as a field in CDM projects.

  • The deceasedBoolean value in CDM was mistakenly not being saved if False.

• Bug fix: If the value of the "report_id" parameter that is passed to the Export Reports API method does not belong to the current project whose API token is being used, if the user who owns the API token has access to the project to which the report_id belongs, the API would mistakenly not return an error but would instead return a list of record names from the other project. Note: No other data from the other project would be returned other than the record names.

• Bug fix: When running PHP 8.0+, the Stats & Charts page might fail with a fatal PHP error if number/integer fields somehow contain non-numeric values. (Ticket #122604b)

• Bug fix: When Multi-Language Management is disabled in a project, the process of a user's production draft mode changes being approved would inadvertently cause an MLM snapshot to be saved. (Ticket #127650)

• Bug fix: If the system-level setting "Enable the Graphical Data View & Stats" has been disabled and then a user is granted access to a project, the user might mistakenly be able to access parts of the "Data Reports, Exports and Stats" page, even when they do not have any data export or reports privileges. (Ticket #127597)

• Bug fix: The Record Home Page in a longitudinal project would mistakenly display the column for an event that has no instruments designated for it. It should instead hide the column on the page rather than displaying it as empty. (Ticket #127708)

• Bug fix: When branching logic contains certain Smart Variables, especially [aggregate-X] Smart Variables, it would throw a branching logic error on the survey page or data entry form. (Ticket #127741)

• Bug fix: When a user calls the API method "Export PDF file of instruments" in a longitudinal project, in which the "event" parameter is either blank or is not provided in the API request, it would return a PDF that mistakenly only contains the first event's data, when instead it should return a PDF with data for all events. (Ticket #127820)

• Minor security fix: An SQL Injection vulnerability was found when submitting the Create Project page, in which a malicious user could potentially exploit it by manipulating an HTTP request on that page.

• Improvement: New field validation type: "Phone (UK)". This validation type supports phone numbers from the United Kingdom (e.g., +44 7911 123456, +447911123456). Note: This validation type will be disabled by default after installing or upgrading, but it can be easily enabled on the Field Validation Types page in the Control Center. Thanks to the Field Validation Committee for donating this.

• Change: When deleting unsent/scheduled survey invitations on the Survey Invitation Log, the checkbox "Permanently cancel these invitations?" that appears in the delete invitation dialog now defaults to being unchecked. In previous versions, the checkbox was checked by default, which could sometimes lead to disastrous consequences if the user did not read all the text carefully before deleting the invitation. (Ticket #127156)

• Bug fix: When using [aggregate-X] Smart Functions in branching logic or calculations, in which the value being returned from the function will be blank/null, it would mistakenly cause the popup error message to display on the survey page or data entry form saying that calculation errors or branching logic errors exist. (Ticket #115235b)

• Bug fix: If an embedded date or datetime field has a @READONLY action tag, the field's Today/Now button and its clickable datepicker icon would mistakenly remain active and allow users/participants to modify the field's value.

• Bug fix: If a field being piped into an outgoing email has the @RICHTEXT action tag, the resulting email body would mistakenly not look correct, such as containing too many line breaks or malformed tables. (Ticket #127174)

• Bug fix: Some REDCap installations somehow missed the upgrade script from REDCap 9.7 that enabled the "redcap.link" URL shortener. It will now be enabled if not.

• Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code "332" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it.

• Bug fix: The Publication Matching feature in the Control Center might mistakenly fail with a fatal PHP error when using PHP 8. (Ticket #127359)

• Bug fix: If a drop-down or radio button field on a survey has the @DEFAULT action tag, when the page initially loads, it would mistakenly scroll all the way down to the field with the @DEFAULT action tag (thus skipping the fields above it) if the participant was taking the survey on a mobile device. (Ticket #127406)

• Bug fix: Fixed an issue pertaining to changes made to Multi-Language Management translations while projects are in draft mode, especially affecting Automated Survey Invitation translations, in which the submitted changes would mistakenly not save successfully.

• Bug fix: If the conditional logic for an Automated Survey Invitation in a longitudinal project was mistakenly missing prepended event names for any field variables in the logic, the ASI might mistakenly not get triggered appropriately. (Ticket #127385)

CHANGES IN THIS VERSION:

• Improvement: New system-level option to disable the E-signature feature so that its checkbox option is not displayed at the bottom of data entry forms (immediately above the Submit buttons). You might wish to disable this feature if you are not using Table-based, LDAP, or LDAP+Table-based authentication since the e-signature feature will not function for certain external authentication methods (e.g., Shibboleth, OAuth2) due to its requirement for the user to re-authenticate. This feature is enabled by default but can be disabled on the "Modules/Services Configuration" page in the Control Center.

• Improvement: In many places that display a drop-down list of records (e.g., Logging page, Email Logging, Field Comment Log, Data Quality page, ad hoc calendar event popup, Alerts & Notifications Log, Survey Notification Log), it will display a normal drop-down list if the project contains 5000 records or less, and if the project contains more than 5000 records, it will instead automatically revert to displaying an auto-suggest textbox to allow the user to manually enter the record name (rather than attempting to display an extremely long drop-down). This should make these pages load much faster and also make them easier to use in projects containing many records.

• Improvement/change: Password recovery questions have been removed as a feature for Table-based authentication. Password recovery questions will no longer be utilized as a part of the process whereby Table-based users reset their password. They are an unnecessary part of that process, they only cause issues and confusion for users, and they do not add much security-wise.

• Change/improvement: If an [aggregate-X] Smart Function is used inside a calculation or in branching logic, the function is no longer subject to the minimum data point threshold when viewing a survey page. In previous versions, under certain situations this could lead to a calculation/branching logic error on the survey page when too few data points had been entered. Note: If the Smart Function is being utilized for piping on a survey page, it is still subject to the minimum data point threshold though (i.e., different behavior for piping vs branching/calc). (Ticket #113901)

• Change/improvement: A value of "0" can now be used for the setting "Minimum number of data points required to display Smart Charts..." on the system-level "User Settings" page and on the project-level "Edit a Project's Settings" page. Previous versions would not allow "0" but would allow "1" as the smallest possible value. (Ticket #113901)

• Bug fix: The HTML tag "code" was mistakenly not included in the ALLOWED_TAGS list of HTML tags that are allowed to be used in user input (e.g., field labels, survey instructions).

• Bug fix: When using the survey setting “Redirect to a URL” together with Multi-Language Management, the resulting URL would not be correct or would be malformed, thus preventing the redirection from working successfully. (Ticket #126791)

• Bug fix: When uploading and then downloading a file for a File Upload field on the first page of a public survey, in which a record named record "1" already exists in the project prior to loading this survey, an erroneous message would be displayed along with some JavaScript errors on the page. (Ticket #125758)

• Bug fix: When copying a project via the Copy Project page, many of the new survey features (e.g., custom width, font resize icons) added in REDCap 12.3.0 would mistakenly not get copied into the new project. (Ticket #126824)

• Bug fix: The new survey-level settings added in REDCap 12.3.0 for defining custom text for the survey Submit buttons were mistakenly not incorporated into Multi-Language Management, thus the custom button text was not able to be translated in MLM.

• Bug fix: When using the export->import process for Multi-Language Management via a JSON/CSV file, there might be issues with successfully importing Alerts and Automated Survey Invitations in the file.

• Bug fix: If a drop-down field has the "auto-complete" setting enabled, in which the drop-down contains more than 200 choices, then when viewing drop-down on a survey page or data entry form, clicking the drop-down's down-arrow would mistakenly not open the full list of choices for the drop-down. (Ticket #125257)

• Change: Added a "Contact REDCap administrator" link near the top of the project left-hand menu to provide a secondary place for users to easily contact their local administrator since the blue "Contact REDCap administrator" button at the bottom of the menu is often not visible on many pages if the menu is very long. Both the existing blue button and this new link function exactly the same. Note: The blue button was not removed but has been kept as a secondary way for users to contact their admin.

• Bug fix: Calculated fields containing form status fields (i.e. form+"_complete") mistakenly do not fire when on a survey page. (Ticket #127009)

• Bug fix: When importing data for a field that has the @FORCE-MINMAX action tag and also has a minimum or maximum range check value as "now", "today", or a piped variable name, out-of-range values in the data import file would mistakenly not be flagged as errors during the import process and would be saved. (Ticket #126862)

• Bug fix: When a user requests that their project be moved to production, after the administrator approves their request, the user would mistakenly not receive a confirmation email of this approval if the "Enable email notifications for administrators" checkbox is left unchecked on the "To-Do List" page in the Control Center. (Ticket #127040)

• Change: The context under which the redcap_module_configure_button_display() external module hook has changed from the module list pages to an AJAX request. Any modules implementing this hook should test it to make sure it still behaves as desired.

CHANGES IN THIS VERSION:

• New feature:Integration of the “MySQL Simple Admin” External Module

  • The integrated version of this EM works exactly the same way, and additionally, has the bonus feature of being able to export the query results to a CSV file. Also, the page has been renamed to “Database Query Tool”.

  • Note: The upgrade process contains a migration script that will auto-migrate all existing custom queries saved in the EM, after which it will disable the EM for the system.

• New feature: OpenID Connect authentication method - The “Security & Authentication” page contains a section of new custom settings for using this new OpenID Connect authentication method in REDCap.

• New feature:Integration of many features from the “Survey UI Tweaks” External Module

  • Thanks to Andy Martin and his team at Stanford for their creation and support of the EM. Several (but not all) of the features in the Survey UI Tweaks EM have been integrated as-is. Some features from the EM have actually existed in REDCap for a while. As such, the Survey UI Tweaks EM will not be disabled for any projects or even at the system level when upgrading to this version.

  • Improvement: If custom question numbering is used on a survey page in which no questions have a custom question number defined, the extra space on the left of the questions will be removed to give the questions more room for display on the page.

  • Improvement: On the Survey Settings page, the setting “For Required fields, display the red 'must provide value' text on the survey page?” now has a new option: "Display only the red asterisk". This provides an additional option rather than having to choose between the binary options to hide or not hide the text.

  • Improvement: When taking a survey while on a mobile device, the survey page will auto-scroll whenever selecting a value for a drop-down or radio button field to help the participant scroll down the page more easily.

  • Improvement: New survey setting allows users to set a custom width of the survey displayed on the page between 50% and 100%. The default value for the setting is “Fixed width (default)”.

  • Improvement: New survey setting allows users to display or hide the font resize icons at the top of the survey page. By default, it is set to display the font resize options.

  • Improvement: New survey setting allows users to show or hide the Submit buttons displayed at the bottom of every survey page (including the 'Next Page' and 'Previous Page' buttons).

  • Improvement: New survey setting allows users to provide alternative text for the 'Submit', 'Next Page', and 'Previous Page' buttons displayed at the bottom of every survey page.

• Major bug fix: A field's question text on a survey page might mistakenly not get recognized by certain screen reading software. Bug emerged in REDCap 12.2.2 Standard and REDCap 12.0.14 LTS. (Ticket #122843)

• Change: Renamed the “MySQL Dashboard” to "Database Activity Monitor" on the Control Center left-hand menu.

• Change: The textbox for date, time, and datetime fields are no longer displayed with full width on data entry forms or survey pages where the whole page is disabled (e.g., when locked, when initially viewing a survey response) but instead are now displayed at their typical width.

• Bug fix: The Record Status Dashboard page might crash with a fatal PHP error in specific cases when using PHP 8.0 or 8.1. (Ticket #126395)

• Bug fix: When a checkbox is set as an Identifier field and is referenced in the body of an alert, which is set to remove all identifiers from the alert body when sent, it might throw a fatal PHP error in PHP 8.0+.

• Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area code "346" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it. (Ticket #126590)

• Bug fix: When using Twilio telephony services for surveys, U.S. phone numbers having the area codes "220", "223", "458" would mistakenly not work for SMS or voice calls unless the number has a "1" prepended to it. (Ticket #126741)

• Bug fix: Clicking certain hyperlinks on a survey page might mistakenly add the green highlighted background to the field if the link exists inside a field that is a container for embedded fields. (Ticket #105242b)

• Bug fix: If a line-chart or scatter-plot Smart Variable contains a third field used for categorization, the plot might mistakenly not display but would appear blank if some choices for the categorization field are not all presented in the plot's data.

• Bug fix: When importing data in JSON format (including via the REDCap::saveData method), if a single record is represented in the imported data as multiple items/rows (i.e., when importing longitudinal events or repeating instances), if one of the rows for a record contained a leading or trailing space in the record name while other items/rows for that same record did not, the spaces would mistakenly not get trimmed off of the record name but instead would cause the record to end up in a split state in the project, in which it would appear ultimately as separate records. (Ticket #126035)

CHANGES IN THIS VERSION:

• Improvement: The “Email Users” page in the Control Center now sends emails using a cron-job based queueing process. This means that emails are no longer sent in real time on the page, and thus there is no longer a need for the admin sending the email to stay on the page while all the emails are sent. This makes the process much faster and easier for admins using this page.

• Improvement: When using S3 for file storage, you may now specify a custom S3 endpoint URL on the "File Upload Settings" page in the S3 section. This helps support the use of alternative S3 destinations. (Ticket #62790)

• Bug fix: If using the Multi-Language Management feature, changing the language on the page would mistakenly not alter the URL of embedded video in a descriptive text field if a translated/alternative version of the video URL was provided for a language in the project. (Ticket #125502)

• Bug fix: When the Survey Queue is enabled in a project, a fatal PHP error might occur in some specific cases when using PHP 8.0 or 8.1 while exporting the Project XML file or while performing other Survey Queue related activities. (Ticket #126079)

• Bug fix: When one or more suspended users have access to a project that contains Data Access Groups, the User Rights page might mistakenly still display a placeholder for a suspended user's DAG assignment in the user/role table even if the users' usernames are hidden on the User Rights page. Bug emerged in REDCap 12.2.9. (Ticket #126081)

• Bug fix: When a project’s language is set to be different from the system language, the popup dialogs in a project that display documentation for piping, field embedding, and special functions would mistakenly always be shown in the system language. (Ticket #126117)

• Bug fix: Using the action tag @READONLY (including @READONLY-SURVEY and @READONLY-FORM) on a Notes field that also has the action tag @RICHTEXT would mistakenly cause the Notes field not to be disabled/readonly but would still be editable. Going forward, any of the @READONLY action tags will negate @RICHTEXT on a field. (Ticket #126097)

• Bug fix: If a user assigned to a Data Access Group attempts to view a data entry form for a record not assigned to their DAG (e.g., by manipulating the URL in order to navigate to the record), it would mistakenly not display the "Record X belongs to another Data Access Group" error message and would display mostly a blank page due to a JavaScript error.

• Bug fix: When using the Mailgun service for sending outgoing emails while utilizing the “Universal FROM Email Address” setting, the Reply-To header would mistakenly fail to be set correctly for all outgoing emails. (Ticket #126173)

• Bug fix: If a user had downloaded an Adaptive or Auto-Scoring instrument from the REDCap Shared Library, they would mistakenly be allowed to translate the instrument via the Multi-Language Management setup page. Since Adaptive or Auto-Scoring instruments are validated, they should not be able to be translated because such would cause them to no longer be validated. So all Adaptive or Auto-Scoring instruments will be disabled on the MLM setup page, thus preventing users from translating them.

• Bug fix: If a user has downloaded an instrument from the REDCap Shared Library, whether it was a curated instrument or not, it now displays a warning when attempting to translate the instrument on the Multi-Language Management setup page that the user should first check to see if the instrument is validated. And if so, they should not translate the instrument because such might cause it to no longer be validated.

• Bug fix: When using Multi-Language Management, the survey termination option "Redirect to a URL" would mistakenly not use the translated URL. (Ticket #126255)

• Bug fix: When creating a project via Project XML import, the process might crash with a fatal PHP error if using PHP 8.0 or 8.1. (Ticket #126268)

• Bug fix: Fields with a @READONLY or @READONLY-X action tag would mistakenly not be disabled on the page if the fields were embedded. (Ticket #126276)

• Bug fix: The @IF action tag will mistakenly not evaluate correctly on a survey page or data entry form if the record does not yet exist (e.g., when viewing the first page of a public survey).

• Bug fix: The @IF action tag might mistakenly not get parsed correctly in certain instances when using Multi-Language Management.

• Bug fix: When using Multi-Language Management, the UI text displayed below a field when using the @CHARLIMIT or @WORDLIMIT action tags would mistakenly not be translatable on the MLM setup page.

• Bug fix: On the Survey Settings page, if the option "Send Confirmation Email" is enabled along with the option "Include PDF of completed survey as attachment" while using Multi-Language Management, the PDF of the survey response attached to the confirmation email would mistakenly always be in the default language when instead it should be in the language in which the respondent took the survey. (Ticket #126341)

• Bug fix: When a user assigned to a Data Access Group is performing a data import for a project with Record Auto-Numbering enabled, in which the import setting "Yes, rename all records" has been set for the data import, the import process will mistakenly time out and never fully complete. (Ticket #126160)

CHANGES IN THIS VERSION:

• Change/improvement: A link to the "Language File Creator/Updater" page was added to the Control Center's left-hand menu in the Administrator Resources section.

• Change/improvement: When printing a report, the "Number of results returned" and "Total number of records queried" counts are now included in the printout of the page.

• Bug fix: The "RTL" dialog on the Multi-Language Management page in the Control Center would mistakenly be empty instead of having the appropriate text.

• Bug fix: A PHP fatal error would be thrown when attempting to edit a field in the Online Designer if using PHP 7.2. (Ticket #118919)

• Bug fix: When using newer versions of MySQL or MariaDB, the Easy Upgrade or Automatic Upgrade features might mistakenly fail in certain instances if the REDCap MySQL user does not have "REFERENCES" privileges for the MySQL database. (Ticket #119033)

• Bug fix: When pulling EHR data from the Conditions R4 endpoint for Clinical Data Pull or Clinical Data Mart, the condition’s date value might mistakenly fail to get imported into the REDCap project.

• Changes and various bug fixes for the External Module Framework, including the following: Included cron start & end times in the cron log, Improved unit testing & psalm scanning (of the framework itself), and Improved performance of the "Logs" page.

• Bug fix: The variable name displayed for fields on the Codebook page would mistakenly display a square bracket after the branching logic instead of before it. (Ticket #119302)

• Bug fix: If a user is in a Data Access Group, the Participant List would display an incorrect count of how many visible participants are in the Participant List, and it might show some pages of the Participant List as being empty. (Ticket #119056)

• Bug fix: If records are named a specific way in a project (e.g., ABC-1, ABC-2), they might appear out of order when displayed in certain contexts, such as if the record list spans multiple pages on the Record Status Dashboard. (Ticket #119189)

• Bug fix: If a calculated field is using a datediff() function with a datetime field and with "today" as the first two parameters, it would mistakenly throw an error on the page that a calculation error exists. (Ticket #119049)

• Bug fix: When sending an SMS via Twilio, in which the Twilio API returns the error message "violates a blacklist rule", the survey invitation log would mistakenly not flag this error correctly with reason_not_sent = 'PARTICIPANT OPTED OUT' but instead would revert to the default reason_not_sent of 'ERROR SENDING SMS'.

• Bug fix: If HTML tags are used inside the Custom Labels for Repeating Instruments, whenever the dialog is reopened to edit the Custom Labels for Repeating Instruments, the HTML tags will have been automatically removed. It should not remove the HTML tags that have been already saved. (Ticket #119244)

• Bug fix: When clicking the "export" link to download the results after running Data Quality rule A or B, it would be impossible to determine which field had the missing value for a given row/record if more than one field had a missing value for the whole set of results exported. To remedy this issue, the export file no longer lists each variable name as a separate column (like other DQ rules) but instead has a new "field" column that will list the variable name of the field with the missing value in each row. (Ticket #119276)

• Bug fix: When upgrading to REDCap 12.0.0 or higher and when the Form Render Skip Logic external module is being utilized for one or more projects, the upgrade script to auto-migrate all the FRSL settings into the new Form Display Logic feature might be slightly incorrect for some FRSL configurations (only affecting longitudinal projects). If the FRSL checkbox setting "Restrict this rule to specific events" is not checked but one or more events have been selected (which is not expected), the resulting behavior from the Form Display Logic would cause the form to be disabled for the selected event, whereas the FRSL module beforehand would disable the form on every event. The auto-migration script now has been changed to match the behavior of the FRSL module for this particular misconfiguration of the FRSL module. (Ticket #118353)

• Change: For new REDCap installations, the global setting "Minimum number of data points required to display Smart Charts, Smart Tables, or Smart Functions" has been changed from "11" to "5" since the previous default value was regarded as too conservative by many. For existing installations, this value can easily be changed on the User Settings page in the Control Center and additionally can be overridden for any project via the Edit A Project's Settings page.

• Bug fix: When displaying Smart Charts on a public Project Dashboard, in which the chart is grouped via a secondary field, in some specific cases where data is missing for the first field in the chart but not for the grouping field, the chart might mistakenly get displayed (instead of displaying the message "[INSUFFICIENT AMOUNT OF DATA FOR DISPLAY]") even when it does not meet the minimum data point criteria. (Ticket #119348)

• Bug fix: Custom Data Quality rules whose logic utilizes fields from repeating instruments might mistakenly return results that are duplicates or not relevant, such as displaying the base/non-repeating instance when all the fields in the logic exist on a repeating instrument. (Ticket #72996)

CHANGES IN THIS VERSION:

• Major bug fix: When the "Enable support for Survey Auto-Continue" option is checked in the Form Display Logic setup dialog, the feature might mistakenly fail to evaluate the logic correctly during the Survey Auto-Continue process. Thus, it could cause some surveys to get skipped unintentionally.

• Improvement/change: When using Multi-Language Management on a survey, the current language name is now displayed next to the globe icon at the top right of the survey page so that participants more intuitively understand what the current language is and to click it to change the language.

• Improvement/change: The Online Designer now denotes whether a field on the instrument contains embedded fields inside its label, choices, notes, etc. by displaying a blue box saying "Contains embedded fields", similar to the green "Field is embedded elsewhere on page" boxes for embedded fields themselves. This will provide users with visual cues to know when and where field embedding is occurring.

• Improvement: The Design Checker feature for Clinical Data Mart now has improved descriptions of changes that will be made, including the severity of the design issue.

• Bug fix: When using vertical sliders on forms/surveys, the “Change the slider above to set a response” text would have a translucent background that might mistakenly cover part of the text field displaying the number value. (Ticket #118330)

• Bug fix: When using the Sponsor Dashboard or Browse Users->View User List By Criteria pages and clicking the "Time of latest password reset" link on the page, the resulting error message might be confusing if the user selects users in the table in which none of those select users log in via Table-based authentication (assuming the system authentication is LDAP+Table or Shibboleth+Table). More text has been added to the error message to inform the user that at least one Table-based authentication user must be selected in order to perform this action. (Ticket #118200)

• Bug fix: If an admin has "Modify System Configuration Pages" admin rights but does not have "Access to all projects and data with maximum user privileges" admin rights, then if the system was taken offline, the admin would mistakenly not be able to restore the system back to online status. (Ticket #118540)

• Bug fix: The “Save your changes?” prompt that is displayed when attempting to leave a Data Entry Form via closing the current window/tab might mistakenly cause a JavaScript error rather than displaying the prompt.

• Bug fix: When using Missing Data Codes for an embedded field with the ":icons" parameter set (e.g., {field1:icons}), the list of Missing Data Codes would fail to display after clicking the "M" icon for the embedded field. (Ticket #118636)

• Bug fix: When using Missing Data Codes for an embedded field with the ":icons" parameter set (e.g., {field1:icons}), in which the field is a Radio Button field, if the user clicks the "reset" link to reset the value of the field, it would mistakenly throw a JavaScript error. It would still correctly remove the value of the field and reset it, but it would appear to the user as if it did not.

• Bug fix: The Smart Variables [survey-time-completed] and [survey-date-completed] might not get evaluated correct when used in Survey Queue conditional logic. (Ticket #118452)

• Bug fix: When attempting to save a custom Record Status Dashboard in a non-longitudinal project, in which one or more instruments are selected for the "Select instruments" option, it would fail to save the selected instruments, thus resulting in displaying all instruments on the custom dashboard instead of only the selected ones.

• Change: To the right of the REDCap/PHP/MySQL versions listed at the top of the main Control Center page, a "copy" icon was added to allow administrators to easily copy those that version information text so that they may paste them elsewhere, such as when posting a question or bug report on REDCap Community.

• Bug fix: When a multi-arm longitudinal project does not have "arm 1" defined but has higher-numbered arms defined, it can cause certain things not to work correctly, such as branching logic, calculations, or action tags.

• Change: In the "Add Field"/"Edit Field" dialog in the Online Designer, it is no longer possible to tab into the Action Tags text box. This was changed because users found it a bit jarring for the Logic Editor dialog to automatically display as they are tabbing through the fields inside the "Add Field"/"Edit Field" dialog.

• Change: Light gray square brackets are now displayed around the variable name for each field on the Data Dictionary Codebook to aid users when searching for a specific field on the page (because it may sometimes be hard to find a field on the page if it is used in lots of branching logic or calculations).

• Bug fix: When attempting to do a fresh install of REDCap on PHP 8.0, the install page might mistakenly crash with a blank white page.

• Bug fix: When a public survey is completed and the "Save & Return Later" feature is not enabled for the survey, references to the survey link via the Smart Variable [survey-link] might mistakenly allow participants to return to the completed survey when instead it should prevent them and thus display the "Thank you for your interest, but you have already completed this survey" message. This could cause further confusion if a participant attempted to download a file for a File Upload field on that survey, in which it would prevent them from downloading it (via an error message); however, this might be confusing since the participant could access the survey page (via this bug) but not the downloadable file on the survey. (Ticket #118314)

CHANGES IN THIS VERSION:

• Change: The Control Center now recommends using PHP 7.4, 8.0, or 8.1, which are the only currently supported versions of PHP (by the PHP Team).

• Bug fix: The "Add/Edit Records" page would display a green button with the incorrect text "Add new record for the arm selected above" for projects that do not have multiple arms. The button instead should say "Add new record".

• Bug fix: When upgrading from a version prior to REDCap 11.4.1, the upgrade SQL script might mistakenly fail when dropping an index on the `redcap_user_roles` table.

• Bug fix: When copying a project where Twilio is enabled, the various Twilio configuration settings would mistakenly not get copied. Note: The Twilio feature will still be disabled in the newly created project. (Ticket #118265)

• Bug fix: When using a Project Bookmark as an "Advanced Link", the API call that should return the various parameters (e.g., username, project_id) would mistakenly default to "xml" as the return format when instead it should default to "csv" if the "format" API parameter is not provided in the API request.

CHANGES IN THIS VERSION:

• Major bug fix: When using Twilio SMS or Voice Call functionality on a survey, field labels or section headers might mistakenly not get included in the SMS message or Voice Call message unless one or more languages have been defined and are active on the Multi-Language Management page.

• Bug fix: When using Twilio SMS or Voice Call functionality on a survey, the choices for some multiple choice fields would mistakenly not appear in the correct translated language when one or more languages have been defined and are active on the Multi-Language Management page.

• Bug fix: When using Twilio SMS or Voice Call functionality on a survey, the survey instructions and completion text might mistakenly not appear in the correct translated language when one or more languages have been defined and are active on the Multi-Language Management page.

• Bug fix: Some rare adaptive PROMIS instruments that contain checkbox or textbox field types (e.g., PROMIS Sexual Function v2 Brief Profile (Female)) would crash in certain instances and prevent the participant from completing the survey whenever a participant attempts to answer a checkbox or textbox field on the survey page.

CHANGES IN THIS VERSION:

• New feature: Multi-Language Management

  • Summary: Users can create and configure multiple display languages for their projects for surveys, data entry forms, alerts, survey invitations, etc. Users can design data collection instruments and have them be displayed in any language that they have defined and translated so that their survey participants or data entry persons can view the text in their preferred language. This eliminates the need to create multiple instruments or projects to handle multiple languages. NOTE: The MLM feature will not auto-translate text, but provides tools so that users may easily translate them themselves.

  • Usage: When entering data on a data entry form or survey, users and participants will be able to choose their language from a drop-down list or buttons on the page to easily switch to their preferred language for the text displayed on the page. This feature allows users to translate all text related to the data entry process, both for surveys and for data entry forms. Even various survey settings and email text can be translated. For users on data entry forms, if a language is selected, that selection is stored in the user’s user account settings internally (in the REDCap backend database), whereas a survey participant’s selected language will be stored in a cookie in their web browser as a way to remember their language preference if they return in the future (and also to maintain their selected language from page to page). The language can be pre-selected for a participant, if desired, using the “Language preference field” setting on the MLM page in the project or via the @LANGUAGE-FORCE action tags (seen below).

  • User Rights: Users must have Project Design/Setup privileges in a project in order to see the link to the Multi-Language Management page on the left-hand menu.

  • System-level Configuration: The MLM feature can be completely disabled at the system level, if desired, via the MLM page in the Control Center (on the Settings tab). On this page in the Control Center, admins can optionally seed any User Interface (i.e., stock language) translations for the entire REDCap installation, in which users could import any activated User Interface translations into their project. This will only import the User Interface elements (since those are universal to each project), but it can be a big time saver to prevent the user from having to translate those common elements in their project. These can be imported via the Create New Language process in a project (or via the Edit Language setting also).

  • Note: The MLM feature works seamlessly with SMS messages sent via Twilio. Additionally, the MLM feature works with the e-Consent Framework, in which the archived PDF of the participant’s consent form will be stored in the File Repository in the same language in which the participant took the survey.

  • Note: When a project is in production, the MLM page and all translations can only be modified when the project is in Draft Mode. So if the user desires to make edits or additions to their translations, they must first enable Draft Mode via the Online Designer, and then return to the MLM page to make translation changes while in Draft Mode. When the drafted changes are approved, their translation changes made while in Draft Mode will automatically be approved together with them.

  • New Action Tags for Multi-Language Management

    1. @LANGUAGE-CURRENT-FORM - Allows you to capture the currently used language in projects where multilingual data is enabled on data entry forms. The @LANGUAGE-CURRENT-FORM action tag can be used on fields of type 'Text Box' (no validation), and 'Drop-down List', or 'Radio Buttons' (these need to have choices whose codes correspond to the IDs of the defined languages - e.g., 'en'). This action tag is only active on data entry forms and will always, when possible, set the field's value to the currently active language.

    2. @LANGUAGE-CURRENT-SURVEY - Same as @LANUGAGE-CURRENT-FORM, but works only on survey pages. For multi-page surveys, @LANGUAGE-CURRENT-SURVEY needs to be used on a field of each page where capture of the language is relevant (e.g. for performing branching).

    3. @LANGUAGE-FORCE - When used on a field, the data entry form or survey on which the field is located will be rendered in the specified language (which must have been set up using the Multi-Language Management feature). The format must follow the pattern @LANGUAGE-FORCE="???", in which the ID of the desired language should be inside single or double quotes - e.g., @LANGUAGE-FORCE="de". Piping is supported - e.g., @LANGUAGE-FORCE="[field_name]". When the language is forced successfully (i.e., it exists and is active), the language selector is hidden. Using this together with @LANGUAGE-CURRENT-FORM/SURVEY on the source field for @LANGUAGE-FORCE may be used to 'lock in' a user to their selected language.

    4. @LANGUAGE-FORCE-FORM - Same as @LANGUAGE-FORCE, but the effect is limited to data entry forms (i.e. this does not affect surveys).

    5. @LANGUAGE-FORCE-SURVEY - Same as @LANGUAGE-FORCE, but the effect is limited to surveys (i.e. this does not affect data entry forms).

    6. @LANGUAGE-SET - When used on a Drop-down or Radio Button field only, this action tag will allow the field's value to control the currently shown language (in the same way as switching the language via the buttons at the top of the page). Tip: When used in a survey, this field could be prepopulated (and thus auto-selected) by embedding a participant's language ID in the survey URL itself (for details, see the FAQ's "How to pre-fill survey questions" section).

  • Thanks to Günther Rezniczek for all his work to help us build the new Multi-Language Management feature.

• New feature: Form Display Logic

  • Form Display Logic is an advanced feature that provides a way to use conditional logic to disable specific data entry forms that are displayed on the Record Status Dashboard, Record Home Page, or the form list on the left-hand menu. You might think of it as 'form-level branching logic'. Form Display Logic can be very useful if you wish to prevent users from entering data on a specific form or event until certain conditions have been met. The forms will still be displayed on the page, but they will be disabled in order to prevent users from accessing them. Below you may define as many conditions as you want. A form may be selected in multiple conditions, but if so, please note that the form will be enabled if at least one of the conditions is met. The Form Display Logic does not impact data imports but only operates in the data entry user interface to enable/disable forms. Additionally, Form Display Logic is not utilized by the Survey Queue at all but can affect the behavior of the Survey Auto-Continue feature if the checkbox for it is enabled in the setup dialog. The Form Display Logic setup can be found by clicking the “Form Display Logic” button at the top of the instrument list in the Online Designer.

  • This feature serves as the official integration of the Form Render Skip Logic external module created by Philip Chase and his team. Thanks to them for their work on this module. Note: When upgrading REDCap to v12.0.0 or higher, if the Form Render Skip Logic is installed and is being used by any projects, all the configuration settings for the module will automatically be translated into the new Form Display Logic settings format, after which the external module will be disabled for each project and also for the entire system (since it will no longer be needed). This all happens automatically during the upgrade.

• New feature: Design Checker for the Clinical Data Mart (CDM) - The “Data Mart Design Checker” is a new tool available in the Data Mart fetch page that will report any issue related to the design of the current Data Mart project. Based on the most recent Data Mart XML template available in REDCap, the tool will check, list, and fix any of these issues: missing forms, variables, revisions, or section headers, the lack/presence of repeatability in a form, variables included in the wrong form, etc. An administrator or a user with Project Setup/Design privileges can use the tool to review and automatically fix all reported issues. This tool will mainly be utilized when users have modified the structure of an existing Data Mart project or if new forms and data types have been added to the Data Mart feature itself since the users initially created their Data Mart project.

• Improvement: Errors displayed in the Survey Invitation Log when sending SMS or Voice Calls via Twilio will now display the full error message returned by Twilio's API to provide the user with more information regarding why the SMS/Voice Call failed to send successfully.

• Major bug fix: When a field is embedded on a multi-page survey, in which the embedded field's parent field is used in branching logic on a later page, the embedded field's value might mistakenly get erased when a later survey page is submitted if the embedded field is set as a Required field. (Ticket #117620)

• Bug fix: The cron job that sends email notifications for REDCap Messenger might mistakenly send multiple emails repeatedly to users. (Ticket #97084b)

• Bug fix: The x-axis of a [scatter-plot] Smart Chart would mistakenly not display in the correct sorted fashion. (Ticket #117202b)

• Bug fix: Clicking the "Today" or "Now" button for a date or datetime field, respectively, would mistakenly add the green highlighted background to the field if that field is embedded. Embedded fields should never get highlighted as green like regular fields do. (Ticket #105242)

• Bug fix: When using the "Copy multiple fields" feature in the Online Designer, on some occasions the process might mistakenly fail for some fields selected and would display them on the page as fields with empty variable names. (Ticket #117339)

• Change: The text for the "Example code" link at the bottom of the API Playground was modified for clarity. (Ticket #117797)

• Bug fix: When using specific PHP versions, the Clinical Data Pull (CDP) service might mistakenly throw a fatal PHP error when attempting to fetch data from the EHR. (Ticket #117953)

• Change: When drafted changes are auto-approved in a production project, the "Changes Were Made Automatically" dialog now provides extra text reminding the user that if any new instruments were just added, by default no users in the project have access to any newly created instruments. Thus they might need to grant users access to the new instruments.

• Bug fix: When creating a new project or copying an existing one, the users that are initially granted access to the project would mistakenly not get logged as having been added to the project on the project logging page, thus making it very difficult for an auditor to determine exactly when and by whom the initial users had been given access.

• Bug fix: A fatal PHP error would occur that prevented an administrator from creating a Data Mart project on behalf of a user. (Ticket #117929)

• Bug fix: When using the Data Resolution Workflow in a project, the Resolve Issues page would mistakenly display data queries for fields that exist on instruments to which the user does not have data viewing privileges. (Ticket #118026)

• Bug fix: If a value is piped into a Descriptive Text field which is itself embedded in another field, then in some specific instances the Descriptive Text field's label would mistakenly not get embedded but only the piped value would get embedded. (Ticket #117925)

CHANGES IN THIS VERSION:

• Improvement: New parameter "repeat_instance" was added to the API method "Export PDF file of Data Collection Instruments" to allow users to export a PDF of an instrument for a specific repeating instance of a repeating instrument/event. (Ticket #117182)

• Change/improvement: When a survey participant partially completes a survey that has the Save & Return Later feature enabled, and an email is then sent to the participant to remind them to finish their survey later, instead of sending that email from the system-level "Email Address of REDCap Administrator" (as in previous versions), the "From" email address of the "Survey partially completed" email will be set to the sender's address from the most recent survey invitation received by the participant. This will create more consistency and will reduce confusion for participants when attempting to reply back to the email, as has been a problem in the past.

• Bug fix: For certain server configurations, the REDCap cron job might mistakenly crash due to a floating point precision issue when creating a timestamp. This occurrence is fairly rare. (Ticket #117186)

• Bug fix: The x-axis of a [scatter-plot] Smart Chart would mistakenly not display in the correct sorted fashion. (Ticket #117202)

• Bug fix: If a user has many conversations (e.g., hundreds or more) listed in their REDCap Messenger window, every page of REDCap would load slowly for them, even if Messenger is closed when the page loads.

• Bug fix: If the setting "Allow survey respondents to view aggregate survey results?" has been disabled at the system level in the Control Center, then a user entering a URL into the "Redirect to a URL" option on the Survey Settings page in a project would cause an unrelated error message to mistakenly appear and would prevent the user from adding/modifying the "Redirect to a URL" option. (Ticket #117399)

• Bug fix: If a calculation, branching logic, or conditional logic contains exponents in which the base number's value is negative, it might mistakenly not return any value at all - e.g., ([number1])^(1/3) where the value of "number1" is "-8". (Ticket #117456)

• Bug fix: In calculations or branching logic, the special function isinteger() would mistakenly only return True if the value came from an integer- or number-validated Textbox field. (Ticket #117447)

• Bug fix: When saving some custom text for the settings "Custom text to display at top of Project Home page in project" or "Custom text to display at top of all Data Entry pages in project" on the "Edit A Project's Settings" page in the Control Center, it would mistakenly display a lot of extra line breaks on the project page where the custom text would be rendered. (Ticket #117403)

• Bug fix: Upgraded the JavaScript libraries Backbone.js and Underscore to their latest version since they were both outdated. (Ticket #117462)

• Bug fix: When using Azure AD authentication, the logout process in REDCap would mistakenly not take the user to the Azure AD logout page, thus not actually logging out the user fully. (Ticket #117166)

• Bug fix: When initializing a project in the REDCap Mobile App in which the project contains an SQL field, if the query for the SQL returns only one column (rather than two columns), the drop-down would mistakenly not display correctly on the data entry form in the REDCap Mobile App. (Ticket #107409b)

• Change: The explanation text for the "Re-evaluate Automated Invitations" process was modified to improve clarity with regard to how the re-evaluation process works. (Ticket #116807)

• Bug fix: When performing the Import Records API method with the data format set as "csv" in which the data being imported was obtained from a data export via the user interface (not via the API) in CSV Raw format, the API would return a field validation error message or might save the imported value with an extra space prepended to it if the original value that was exported for that field began with a specific CSV Injection character, such as -, @, +, or =. The data import API process now removes the extra space character at the beginning of the value when this specific scenario is detected in order to preserve the original value of the field. (Ticket #117546)

CHANGES IN THIS VERSION:

• Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in various places.

• Change/improvement: A button to open the Codebook page as a floating popup window was added inside the Logic Editor popup to allow users to easily find and reference fields they want to use in their logic while in the editor.

• Improvement/change: The underlying business logic of REDCap’s cron job processing methods have been changed so that long-running cron jobs will not block other jobs from running at their scheduled time.

• Bug fix: Typo in "SFTP/WebDAV-only settings"

• Bug fix: Fixed issues with regard to users adding a secondary/tertiary email address on their Profile page. (Ticket #116375)

• Bug fix: When viewing the Survey Queue page when it is displaying repeating surveys for a record, if some instances of the repeating survey are missing or were deleted, it would mistakenly display them in the queue with a “Begin Survey” button next to them. It should instead only display a button to create a new instance after the last current instance for the survey. (Ticket #116534)

• Bug fix: Some files that were uploaded to a REDCap Messenger conversation might mistakenly not download correctly and might appear corrupt when opened after being downloaded.

• Bug fix: If a project is in production and collecting data via surveys, and then it is moved to Draft Mode, after which a user downloads an Instrument Zip file in the Online Designer for one of the project's survey and then re-uploads the same Instrument Zip file, all existing survey responses would get disconnected from the original survey, thus losing all their survey completion timestamps and changing all the survey links for the existing records in the project. Bug emerged in REDCap 11.2.0. (Ticket #116940)

• Bug fix: PHP compatibility issue with PHP 8 on the Online Designer might cause the page to crash with a fatal error. (Ticket #117020)

• Bug fix: When creating a new conversation in REDCap Messenger, it would mistakenly fail to open the new conversation in the user interface immediately after being created.

• Bug fix: When using the Data Resolution Workflow and entering data on a data entry form, the floating button that says "Save and then open data resolution pop-up" would mistakenly be displayed next to every embedded field inside a block of embedded fields when the cursor is placed in the field, even when the embedded field does not have a data query opened for it. The button should only appear next to fields that have an open query. (Ticket #116987)

• Bug fix: Smart Charts (e.g. bar-chart, pie-chart, donut-chart) that display multiple choice labels that contain multibyte characters, in which the labels are 13 or more characters in length, might have those multibyte characters mistakenly get garbled and thus not appear correctly in the chart. (Ticket #117103)

CHANGES IN THIS VERSION:

• Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in various places.

• Minor security fix: To improve the overall security of the application, the SameSite attribute of all cookies created by REDCap now has a value of “Lax”, whereas in previous versions it was set to “None”.

• Minor security fix: To prevent a Session Fixation attack, session IDs are now regenerated upon every successful login by a user.

• New feature: A new Cron History table was added to the bottom of the Cron Jobs page in the Control Center to allow administrators to have more visibility regarding when certain cron jobs are run and for how long, including cron jobs for external modules. The table includes a date field to easily adjust the window of time by date.

• Improvement: If using Amazon S3 or Azure Blob Storage for the system-level File Storage Method, the same file storage method may also be used for the following system-level settings: 1) 'File Upload' field enhancement: Password verification & automatic external file storage, 2) Record-level Locking Enhancement: PDF confirmation & automatic external file storage, and 3) e-Consent Framework: PDF External Storage Settings (for all projects). These three settings will each utilize a different bucket/container than the system-level file storage method where all other REDCap files are stored (as a means of keeping them separate from the other files). These settings are often utilized for compliance with 21 CFR Part 11 and similar regulations. The addition of the S3/Azure options will be helpful when already running REDCap on AWS/Azure. The bucket/container where the files will be stored for these three options may be set for each near the bottom of the Modules/Services Configuration page in the Control Center.

• Bug fix: The optional settings for the Protected Email Mode feature would mistakenly not get copied to a new project when using the Copy Project page. Additionally, those settings would also not get added to a Project XML file if the project were exported and then re-created in REDCap via Project XML.

• Bug fix: When instruments are added from the REDCap Shared Library to a production project in Draft Mode, after the changes have been approved, all users would mistakenly have full "View/Edit" Data Viewing privileges to the new instrument. By default, users should initially have “No Access (Hidden)” privileges to newly added instruments.

• Change: The email that users receive from an administrator that has just approved their production changes now reminds them that the default Data Viewing Rights for any newly added instruments will be 'No Access (Hidden)'.

• Bug fix: When an administrator processes and commits a user's draft mode changes for their production project, the "Project Changes were Approved" email confirmation sent back to the user would mistakenly have its From address as the admin's email when it should instead be the general "Email Address of REDCap Administrator". (Ticket #116368)

• Bug fix: When calling the "Export Records" API method with parameters type=eav and format=csv, the API might mistakenly output survey fields incorrectly if exportSurveyFields=true in the API request. Additionally, it might mistakenly output the "redcap_event_name" and "redcap_repeat_instance" CSV columns in certain cases when those columns are not relevant and should not be output. (Ticket #115862)

• Bug fix: Fixed a compatibility issue for logged IP addresses in some server environments in which some load balancers/proxies/WAFs would unexpectedly add the port number to the HTTP_X_FORWARDED_FOR header that ultimately gets used as the client's IP address. (Ticket #116486)

• Bug fix: The Online Designer might mistakenly display a comma after some action tags listed in pink below a given field that has action tags.

• Bug fix: The page on a survey that is displayed after a participant has clicked the "Save & Return Later" button would display text and contents that mistakenly did not completely conform to the survey theme of the current survey. (Ticket #116613)

• Bug fix: Using the ":record-name" parameter in the [stats-table] Smart Variable would mistakenly not limit the descriptive stats displayed in the table to the currently viewed record but would instead display the stats for all records in the project. (Ticket #116546)

• Bug fix: Using the @IF action tag on a field in which @IF is nested more than twice would mistakenly cause it not to get parsed correctly and thus might cause the wrong action tags to be implemented for the field. (Ticket #116535)

CHANGES IN THIS VERSION:

• New feature: Auto-adjudication for Clinical Data Pull (CDP) projects - As an extension of the existing "Instant Adjudication" feature for CDP projects, any projects with Instant Adjudication enabled can optionally enable the Auto-adjudication feature on the CDP Setup page in a project. Once enabled, if any records in the project have data that has already been pulled from the EHR and are awaiting adjudication, they will be adjudicated automatically by a cron job process that checks every 5 minutes. This allows the data to follow into the project automatically and prevents the need for a user to manually adjudicate data or to click the Instant Adjudicate button. Similar to the Instant Adjudication setting, only users with CDP Setup/Mapping privileges can enable the Auto-adjudication setting.

• New feature: Admins can set or change a user's sponsor on the "View User List By Criteria" tab on the Browser Users page in the Control Center. An administrator can click the "Set or change user’s sponsor" button on the page and then select another user in the system to become their new sponsor. This feature works for any users that currently have a sponsor or that do not have a sponsor.

• Improvement: “Google Cloud Storage using API Service Account” as new file storage option - To store REDCap’s edoc files via Google Cloud Storage, this option can be selected in the File Upload Settings page in the Control Center. An additional option exists to organize files by REDCap project ID when storing them in Google Cloud. (Thanks to Andy Martin and his team for this contribution.)

• Improvement: New CDIS setting - Admins now have the option to use the CA bundle from REDCap or the verification provided by the webserver for HTTPS connections.

• Improvement: New option for Protected Email Mode - Users may now upload a custom logo that they wish to be displayed on the webpage and in emails utilizing the Protected Email Mode. This feature is supplementary to the existing custom text option for Protected Email Mode. This option is located in the Protected Email Mode section of the Additional Customizations popup on the Project Setup page.

• Minor security fix: When displaying a fatal PHP error to REDCap administrators, the full file path of the PHP file is no longer exposed and output on the page, but instead it only outputs the local path from the REDCap webroot in the PHP error message. This prevents inadvertently exposing some of the file/folder structure of the web server.

• Bug fix: The "Returning?" popup that appears near the top right of a survey page would display text and contents that mistakenly did not conform to the survey theme of the current survey. (Ticket #115314)

• Bug fix: Fixed issue with database issue detection script regarding a key for the redcap_user_roles table. (Ticket #115587)

• Fixed typo in @IF documentation

• Bug fix: Some explanatory text not displayed for the “Allow normal users to edit their primary email address on their Profile page” setting on the User Settings page.

• Bug fix: The @IF action tag might not work correctly when the currently viewed record has not been saved/created yet.

• Bug fix: The @IF action tag might not work correctly when the True or False part of the IF has two single or double quotes. (Ticket #115731)

• Bug fix: The smart variable [line-chart] might mistakenly display plain text data on the x-axis if a Textbox or Notesbox field is used as the x-axis field. (Ticket #115818)

• Bug fix: In some very specific cases when using PHP 8, the upgrade module might mistakenly not load due to a fatal PHP error. (Ticket #115680)

• Change/improvement: The HTML tags "video" and "source" can now be used in user-defined labels throughout REDCap. (Ticket #16057)

• Bug fix: Returning 'false' from the redcap_email hook method in an external module would mistakenly not prevent emails from being sent.

• Change: When viewing an individual email on the Email Logging page, it now logs the record name, event_id, and instrument name (when applicable) in the redcap_log_view database table.

• Bug fix: When a repeating instrument has data entered on multiple repeating instances, and then afterward the instrument is made to no longer be repeatable, the Data History popup would mistakenly display the history for all repeating instances for that field (including the ones that have now been orphaned), rather than for only the first instance. (Ticket #115308b)

• Bug fix: The jSignature JavaScript library used for "signature" field types was mistakenly reverted to an earlier version of the library that was sometimes not compatible with a stylus. (Ticket #115607)

• Bug fix: When using the Twilio telephony services in a project and utilizing the "Designate a phone number field" setting, in certain situations it might fail to display the record name of the participant in the Survey Invitation Log. (Ticket #115206)

• Bug fix: When appending the Smart Variable [current-instance] to a field variable in branching logic or a calculation on an instrument that is not a repeating instrument and not on a repeating event in the current context, it might mistakenly not evaluate the branching logic/calculation correctly on the data entry form or survey page. (Ticket #115585)

• Bug fix: When viewing a survey via a private/unique survey link (i.e., not via a public survey link), in which the survey is set to "offline" and has field variables piped into its custom offline message, it would mistakenly not pipe the data successfully in the offline message. (Ticket #116092)

• Bug fix: When exporting a PDF of an instrument containing data, if a drop-down or radio field in the PDF has a choice coded as "0" in which the field's saved value is not currently "0", the resulting PDF might mistakenly show both the "0" choice and the saved choice as being selected. This appears to only occur in certain versions of PHP 7. (Ticket #115505)

• Bug fix: When the enhanced checkbox option has been enabled on a survey in which a checkbox on the survey utilizes the @NONEOFTHEABOVE action tag, if the checkbox is embedded in another field on the page, the enhanced buttons would mistakenly not behave/display correctly for the checkbox when selecting the "None of the Above" choice or if another option is clicked while the "None of the Above" choice is already selected. Note: This does not affect the data being saved correctly for the checkbox but affects only the displaying of the enhanced buttons; thus it could be confusing for the survey participant. (Ticket #115891)

• Bug fix: When using the [survey-link] or [survey-url] Smart Variables in a project in which a literal instance number is appended to it (e.g., [survey-link:my_survey][2]), it might mistakenly return the link/URL of the first instance instead of the correct repeating instance.

• Bug fix: When using a Smart Chart, Smart Table, or Smart Function that has a unique report name appended to it, anytime a REDCap page would display the output of the chart/table/function, it would mistakenly log an individual "Data export" event on the Logging page for every chart/table/function having a unique report name.

CHANGES IN THIS VERSION:

• New action tag: @IF - Allows various action tags to be set based on conditional logic provided inside an @IF() function - e.g., @IF(CONDITION, ACTION TAGS if condition is TRUE, ACTION TAGS if condition is FALSE). Simply provide a condition using normal logic syntax (similar to branching logic), and it will implement one set of action tags or another based on whether that condition is true or false. For example, you can have @IF([yes_no] = '1', @HIDDEN, @HIDE-CHOICE='3' @READ-ONLY), in which it will implement @HIDDEN if the 'yes_no' field's value is '1', otherwise, it will implement the two action tags @HIDE-CHOICE='3' and @READ-ONLY. If you wish not to output any action tags for a certain condition, set it with a pair of apostrophes/quotes as a placeholder - e.g., @IF([my_radio]='1', @READONLY, ''). You may have multiple instances of @IF for a single field. You may also have multiple nested instances of @IF() inside each other. Both field variables and Smart Variables may be used inside the @IF condition. The @IF action tag is also evaluated for a given field when downloading the PDF of an instrument/survey, in case there are any PDF-specific action tags used inside of @IF(). Note: The conditional logic will be evaluated only when the survey page or data entry form initially loads; thus the action tag conditions will not be evaluated in real time as data is entered on the page.

• New feature: Protected Email Mode

  • Users can enable the Protected Email Mode on any project on the Project Setup via the Additional Customization dialog. This setting prevents identifying data (PHI/PII) from being sent in outgoing emails for alerts, survey invitations, and survey confirmation emails.

  • If enabled, either A) all alerts, survey invitations, and survey confirmation emails or B) those whose email body is attempting to pipe data from Identifier fields will be affected, in which it will not send the full email text to the recipient but will instead send a surrogate email containing a link that leads them to a secure REDCap page to view their original email. If someone is accessing an email in the Protected Email Mode for the first time (or for the first time in the past 30 days), it will send a security code to their inbox that will allow the recipient to view any protected emails for up to 30 days on that same device. The Protected Email Mode is similar to Microsoft Outlook's "sensitivity label" feature.

  • When enabled in a project, user’s may specify custom text/HTML to display at top of the sent email and web page where the original email is viewed. This will allow users to also display logos/images pertaining to their project or institution.

  • This feature can be disabled in all projects via a global setting on the Modules/Services Configuration page in the Control Center.

• New feature: Email Logging page

  • This is a new project page that contains a search interface to allow users with User Rights privileges to search and view ALL outgoing emails for that project (also includes searching and viewing of SMS messages if using Twilio services).

  • This feature can be disabled in all projects via a global setting on the Modules/Services Configuration page in the Control Center.

  • “Re-send email” feature - When viewing an individual email after performing a search on the page, a “Re-send email” button will be displayed in the dialog to allow users to re-send the email. Note: If the original email contained email attachments, the attachments will not be included in the email that is re-sent.

  • Only users with User Rights privileges in the project may access the page, and additionally they must opt-in and agree to a disclaimer before being able to view the page. The following text will be presented to the user before accessing the page: “Before viewing and accessing this page, you must first agree that you understand the following important information and conditions. This page is only accessible by users having User Rights privileges in this project. The Email Logging feature allows users to search and view *all* outgoing emails related to this project, and this includes being able to view all aspects of any given email (i.e., the recipient(s), sender, subject, message body, attachment names). If you are using anonymous surveys in this project, keep in mind that viewing this page and the emails displayed therein might inadvertently cause anonymous survey responses to be identifiable/de-anonymized. Additionally, if the project is using Data Access Groups, you will be able to view the emails related to all DAGs in this project (and thus possibly any data piped into the body of those emails). If you understand and agree to these conditions, click the button below. Please note the act agreeing to this disclaimer will be documented on the project Logging page.”

• Improvement: New "Banned IP Addresses'' page in the Control Center allows administrators with "Manage User Accounts'' privileges to add or remove IP addresses to/from the blocklist of banned IP addresses for the REDCap installation. The IP addresses listed on that page are IPv4 or IPv6 addresses that have been blocked manually using that page or have been banned automatically via the Rate Limiter feature (enabled on the General Configuration page in the Control Center).

• Improvement: When using the ''Reason for Change'' feature in a project, a new button is displayed underneath each "reason for change" textbox on the Data Import Tool summary page. Users can simply click the button to copy the text to all other "reason for change" textboxes on the page, thus saving lots of time of having to add text to each individually. This feature is the integration of Luke Steven’s “Copy Change Reason” external module, which will be automatically disabled at the system-level when upgrading to (or past) REDCap 11.4.0 to prevent any conflicts.

• Improve: New data export option - Export blank values for gray instrument status

  • All instrument complete status fields having a gray icon can be exported either as a blank value or as "0"/”Incomplete”. In previous versions, they could only be exported as “0”. By default, they are now exported with a value of “0”, but this option can be changed via a drop-down option in the “Advanced data formatting options” section of the data export dialog.

  • When exporting the Project XML file with both metadata & data, the option to export gray instrument status as a blank value will be preselected by default, whereas in other data export contexts (e.g. My Reports & Exports page), the option to export them as “0” will be preselected by default.

  • The API method “Export Records” has a new optional parameter “exportBlankForGrayFormStatus” that can accept a boolean (true/false) with default value = false, and it functions the same as its equivalent data export option in the user interface.

  • Note: Exporting gray instrument statuses as blank values is recommended if the data will be re-imported into REDCap. For example, when users export a Project XML file for a project and then create a new project with it, all the gray instrument status icons will be preserved in the new project, whereas in previous versions they were all converted into red status icons.

• Improvement: New option “Allow normal users to edit their primary email address on their Profile page” on the User Settings page in the Control Center. This setting will be enabled by default, but an admin can disable it if they wish to prevent any users from modifying their primary email address for their user account.

• Improvement: The developer methods REDCap::getSurveyLink() and REDCap::getSurveyQueueLink() now have an optional parameter "project_id" that (when provided) allows one to call the method outside of that target project's context. If project_id is not explicitly provided, then the methods must still be called within their target project's context.

• Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text on the Project Setup page.

• Major bug fix: When a repeating instrument has data entered on multiple repeating instances, and then afterward the instrument is made to no longer be repeatable, then any new data entered on that data entry form for fields that already have data on other instance might mistakenly get stored in the wrong repeating instance (i.e., get orphaned in the "redcap_data" database table) and thus would fail to be seen when reloading the form again. (Ticket #115308)

• Improvement/change: New LOINC codes were added for CDIS-related functionality.

• Change: All CDIS-related features and functionality now utilize a centralized set of assets in the code, rather than each feature having only their own private set of assets. This change reduces the entire size of the REDCap code by half, thus saving lots of space on the REDCap web server.

• Various updates and fixes for the External Module Framework, such as the following: PID parameter safety improvements, Documentation updates, Prevented unnecessary errors from the Portable UTF-8 library's auto-redirection, Increased the setting lock timeout, and Fixed a getSafePath() case with absolute paths.

• Bug fix: When a user creates a new alert, the "Email From" address is now validated on the server side to ensure it is valid and belongs to a user in the project (or belongs to an administrator, if the current user is an admin that is not a user in the project).

• Bug fix: The green label "Field is embedded elsewhere on page" mistakenly doesn't show up for SQL fields on the Online Designer (Ticket #114889).

• Bug fix: For some REDCap installations, the redcap_new_record_cache database table might have an incorrect table collation.

• Bug fix: When clicking any of the "All..." buttons at the top of the Data Quality page to execute multiple data quality rules, some rules might randomly return an error message by mistake. Bug emerged in REDCap 11.3.4 Standard. (Ticket #102636)

• Bug fix: For surveys that have a "Size of survey text" setting set to "Large" or "Very Large", any slider fields on the survey page that display their number value to the right might mistakenly display the value textbox as too narrow in certain situations. (Ticket #114920)

• Bug fix: When using the @CALCDATE action tag with certain values entered for the date/datetime field used in the calculation, it might cause the page to unexpectedly crash with a fatal PHP error when running PHP 8. (Ticket #114831)

• Bug fix: The API Tokens page in the Control Center would mistakenly not display the "Last Used" timestamp for some users displayed in the tables on the page. Also, some AJAX calls that load the drop-down lists on the page might fail in certain cases. Additionally, the "Manage API tokens by Project" drop-down would mistakenly not display its full list of options when the page initially loads but only fully loads after an option is selected from it. (Ticket #114834)

• Bug fix: When uploading a CSV file of Automated Survey Invitations in the Online Designer, any datetimes set for the "Send on exact date/time" setting (including reminders) might mistakenly not get saved correctly. (Ticket #115024)

• Bug fix: Page-view information for plugins and external modules were mistakenly not getting stored in the redcap_log_view table and thus such information was not being displayed on the MySQL Dashboard page in the Control Center.

• Bug fix: The feature that detects database structure issues might mistakenly create false negatives in specific cases where a database table's collation isn't correct, thus allowing the issue to go unnoticed.

• Bug fix: The "Manage All Project Tokens" tab on the API page in a project might mistakenly fail to load the table of users.

• Bug fix: When using [aggregate-X] Smart Functions in branching logic or calculations, an error message might mistakenly display on the page saying that errors exist if any of the [aggregate-X] functions return a blank value. (Ticket #115235)

CHANGES IN THIS VERSION:

• Improvement: When executing many data quality rules at once, the total time to finish all the rules occurs 3X faster. Instead of running only one rule at a time in a serial fashion, REDCap now executes three rules simultaneously when clicking the "All", "All except A&B", and "All custom" buttons at the top of the Data Quality page.

• Improvement: SQL fields can now be used in the following Smart Charts: bar-chart, pie-chart, and donut-chart. (Ticket #107115)

• Improvement: SQL fields can now be used as Live Filters in reports. (Ticket #8791)

• Bug fix: When using a Text Box field with date, time, datetime, or datetime w/ seconds validation as the x-axis field for a [scatter-plot] Smart Chart, the chart would mistakenly not display the data correctly. (Ticket #107721)

• Change: Added the "Microsoft Authenticator" mobile app as a two-factor authentication method that is equivalent to using the "Google Authenticator" mobile app.

• Change: When viewing a report while using a mobile device, it will no longer enable the floating table headers or floating first column automatically for the report table. This was changed because the floating headers/column made it difficult to view parts of a report while on a mobile device with a small screen.

• Bug fix: Slider fields that have HTML inside the slider labels might mistakenly not display correctly in a downloaded PDF of an instrument.

• Bug fix: When using the @DOWNLOAD-COUNT action tag on fields displayed on a report, if the download trigger field exists on that same report, then attempting to download the file would cause a JavaScript error on the page.

• Bug fix: If a field is used as a Live Filter in a report, in which some values for that field contain spaces or other characters that might get URL-encoded, it would mistakenly cause the Live Filter not to return any values in the report.

• Bug fix: The real-time logic validator in the Logic Editor popup might mistakenly fail and would return a false positive saying that the logic is invalid if the logic contains certain Smart Variables, such as [record-name].

• Bug fix: When using the API Playground and selecting certain drop-downs, such as the Forms drop-down list, they might mistakenly result in an error from the API. This only affects the API Playground and does not affect the API in general. (Ticket #114563)

• Bug fix: When a user has been assigned to multiple Data Access Groups via the DAG Switcher, the User Rights page would mistakenly not correctly display how many DAGs to which they are assigned if the user's username contained a capital letter when they were added to the project. (Ticket #114550)

CHANGES IN THIS VERSION:

• New API method “Rename record” and new developer method REDCap::renameRecord() allows users/developers to rename a record in a project. For multi-arm longitudinal projects where a record might exist on multiple arms, the $arm number can be specified to rename the record only on the specified arm, otherwise by default it will rename the record in all arms in which it exists.

• Change: Renamed the "My Profile" page to "Profile".

• Change/improvement: Added “ICD-10 Australian Modification” to the list of parsed coding systems in the Condition resource for Clinical Data Interoperability Services (both CDP and Data Mart).

• Bug fix: Clicking the download link for a File Upload field that is utilized in another field's @DOWNLOAD-COUNT action tag would mistakenly not trigger calculations or branching logic on the page.

• Bug fix: When performing cross-form/cross-event calculations (via data entry forms and surveys) or auto-calculations (via data import) - including both calc fields and @CALCTEXT fields - in a longitudinal project, in some cases the calculated value would mistakenly be saved in events that currently have no data. Calculated fields should only operate and save a value in events that already contain data. (Ticket #113972)

• Bug fix: When using the eConsent Framework for one or more surveys in a project, the PDF Survey Archive tab in the File Repository might mistakenly not display the "Download All" button unless at least two records exist in the project. Additionally, the drop-down filter to view "only eConsent files" would mistakenly display zero records after being selected if fewer than three records exist in the project. (Ticket #114091)

• Bug fix: When using the Double Data Entry module, instead of seeing the correct colored form status icons, a user that is DDE person 1 or 2 would mistakenly see all gray status icons for instruments on the Record Status Dashboard and on the left-hand menu while viewing a record. (Ticket #114068)

• Bug fix: Conditional logic used for a survey in the Survey Queue might mistakenly not evaluate correctly in specific cases, such as when using certain Smart Variables (e.g., [record-dag-name]). (Ticket #114181)

• Bug fix: When using the [survey-link] or [survey-url] Smart Variables in a longitudinal project in which a literal instance number is appended to it (e.g., [event_1_arm_1][survey-link:my_survey][2]), it would mistakenly always return the link/URL of the first instance instead of the correct repeating instance.

• Bug fix: When piping a datetime- or time-validated Text Box field on the same page as where the field itself is located while using the ":ampm" piping parameter, it might mistakenly pipe the value as-is instead of converting it to the AM/PM format. Additionally, it might mistakenly pipe the literal text "undefined:NaNam" if the field's value is set as blank/null in real time while on the page. (Ticket #114247)

• Bug fix: The Custom Application Links page in the Control Center might crash due to a PHP compatibility error when using PHP 8.0. This might also occur when downloading the User-DAG Assignments CSV file on the User Rights page. (Ticket #114292)

• Bug fix: Downloading the User-DAG Assignments CSV file on the User Rights page might produce an incorrectly structured CSV file. (Ticket #114292)

CHANGES IN THIS VERSION:

• Improvement: The Project Revision History page now displays icons next to each production revision and snapshots, and after being clicked, will display options to compare that revision/snapshot with any other revision/snapshot in the project. (This feature represents the integration of the "Data Dictionary Revisions" external module created by Ashley Lee at BC Children's Hospital Research Institute).

• Improvement: When using the eConsent Framework in a project, the "PDF Survey Archive" tab on the File Repository page now displays a "Download all" button that will download all PDF files displayed on the page in a single zip file. Additionally, there is a record filter drop-down list and a "file type" drop-down list, which distinguishes between general "PDF Auto-Archiver" PDFs and "eConsent Framework" PDFs. Note: If a user is in a Data Access Group, they will only be able to download and filter on records in their DAG.

• Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in various places.

• Bug fix: Fix for PHP 8 compatibility issue when entering data on a repeating instrument in specific cases. (Ticket #113507)

• Bug fix: When creating a new instrument via the Online Designer, the "Close" button in the success dialog would mistakenly say "Close2" instead. (Ticket #113587)

• Bug fix: The discrepancy result for Data Quality rules A and B would mistakenly display fields that exist on instruments for which the current does not have Data Viewing Rights. (Ticket #113589)

• Bug fix: If a checkbox field contains an invalid/stale value (i.e., not a currently existing choice) in the database backend, and then a Missing Data Code is saved for the field via a data entry form, both the invalid/stale value and the missing data code value will stay stored in the backend, and the data entry view mistakenly will not show that a missing data code has been saved for the field. (Ticket #113763)

CHANGES IN THIS VERSION:

• New feature: “DAG Switcher” API method - When using the DAG Switcher functionality in a project, this method allows users to move themselves in and out of a Data Access Group at will using the API just as they would do the same thing in the user interface (assuming they have been assigned to multiple DAGs on the DAG Switcher page).

• Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL for the project Logging page.

• Change: All cookies created on the client side (JavaScript) will now have the same "SameSite" and "Secure" attributes as cookies created on the server side (PHP). This helps improve general security.

• Bug fix: When using the Clinical Data Interoperability Services, specifically the CDP Field Mapping page, some translated mappable fields might not display correctly on the page and would mistakenly be garbled.

• Bug fix: If the user clicks the "Piping" or "Smart Variables" help buttons inside the “Add new alert” dialog on the Alerts & Notifications page, and then the user hits their ESC key on their keyboard, it would mistakenly close the “Add new alert” dialog (i.e., the dialog on the bottom) rather than the dialog on the top. (Ticket #112745)

• Bug fix: When using the "Save a PDF of completed survey response to a File Upload field" feature, the resulting PDF that gets saved to the File Upload field would mistakenly hide (not display) any fields in the PDF containing the @HIDDEN or @HIDDEN-SURVEY action tag. In that particular PDF export, only fields with @HIDDEN-PDF should be hidden (not displayed) in the PDF. (Ticket #113197)

• Bug fix: For projects with Data Access Groups, users that are not currently assigned to a DAG would mistakenly not see the DAG filter drop-down displayed on the Logging page. That drop-down should normally be displayed for users not assigned to a DAG. (Ticket #113188)

• Bug fix: When using Duo as a Two Factor Authentication option, it would mistakenly initiate the Duo 2FA process before the user even selects the Duo option from the list of choices to use when logging in. (Ticket #113193)

• Bug fix: When deleting an instance of a repeating event on the Record Status Dashboard, it might still cause that empty event instance to be displayed in reports and data exports. (Ticket #17859b)

• Bug fix: Due to a fatal PHP error when using certain versions of PHP, attempting to upload a signature on a survey or data entry form would mistakenly fail. (Ticket #113234)

• Change: Any multi-select drop-downs that are enhanced using the Select2 JavaScript library (e.g., the "Email To" field when creating/editing an alert) now display a down arrow on their right edge to better indicate that they are a clickable drop-down list.

• Bug fix: Real-time piping (i.e., performed via JavaScript after the page has already loaded) might mistakenly truncate the piped text in certain cases where a "<" character is used in the piped field's value. (Ticket #113237)

• Change: The REDCap Install page now returns a notice to anyone who accesses it that the page is no longer functional or available if it detects that REDCap has already been fully installed.

• Bug fix: If the File Version History feature was disabled at the system level but was still enabled for an individual project (according to the value of that setting in the redcap_projects database table), the feature might mistakenly function in some capacity in the user interface within the project but might cause issues for other features on the page. If this feature is disabled at the system level, it should by default also be disabled in all projects. (Ticket #113131)

• Change: In all outgoing emails, the "font-size" attribute for the "body" tag is no longer explicitly defined in the HTML of the email. This should have little (if any) effect on the appearance of emails sent from REDCap.

• Bug fix: On the Alerts & Notifications page, some alert settings might mistakenly not get saved when changed on an existing alert. (Ticket #113363)

• Bug fix: When editing a user's privileges on the User Rights page, the expiration date text box might mistakenly not display the full date because the text box is too narrow. (Ticket #113357)

• Bug fix: When the Table-based authentication setting "Force users to change their password after a specified number of days" has been enabled while also using Two Factor Authentication, it might mistakenly display the "Password will expire soon" popup warning on top of the 2-step login, in which clicking the "Change my password" button might cause issues with the 2-step login process for the user. It now still displays the popup dialog, but it functions now more as an information-only warning to let users know that they need to change their password as soon as they finish the login process. (Ticket #113393)

• Bug fix: When deleting a file for a Signature field or File Upload field on a data entry form or survey page, it was mistakenly deleting the file in the backend database when the user clicked the "Remove file" link when it should instead only be deleting the file after they click "Remove file" *and also* then save the page via a Save button. This fix makes it consistent with how files are saved when uploaded, in which the add/delete action is finalized only when the Save button is clicked on the page. (Ticket #113058)

• Bug fix: The email test on the Configuration Check page might mistakenly fail and display a false negative for certain email server configurations despite the fact that emails are able to be sent successfully out of REDCap in all other places in the application.

• Bug fix: When the "URL shortening service" setting is disabled on the Modules/Services Configuration page in the Control Center, it would still mistakenly display the option to create a custom/short URL for public reports and public project dashboards. It should not be displayed as an option in those places when disabled at the system level. (Ticket #112895)

• Bug fix: When viewing the draft mode changes for a production project, any field with branching logic that is being modified might mistakenly get truncated or display incorrectly on the page if the branching logic contains "<>". (Ticket #113237b)

• Bug fix: When navigating in a project on a mobile device, in which the user has been assigned to multiple Data Access Groups via the DAG Switcher, the blue toolbar at the top of the page for switching DAGs would mistakenly not be visible. (Ticket #113459)

• Bug fix: In a longitudinal project, Data Quality rules A and B might mistakenly not return a discrepancy when a field is missing a value in which the field's branching logic contains a Smart Variable and also does not have a unique event name or X-event-name prepended to all the field variables used in the rule logic. (Ticket #111474)

CHANGES IN THIS VERSION:

• New action tag: @RICHTEXT - Adds the rich text editor toolbar to a Notes field to allow users/participants to control the appearance (via styling and formatting) of the text they are entering into the field.

• New API methods

  1. Delete User - Remove a specified user from a project.

  2. Export User Roles - Returns a list of user roles, including their role name, unique role name, and privileges, from a project.

  3. Import User Roles - Allows one to create new roles (specifying their role name and privileges) or edit the role name and privileges of existing roles.

  4. Delete User Role - Deletes a specified user role from a project.

  5. Export User-Role Assignment - Returns a list of project users and what user role to which they are assigned.

  6. Import User-Role Assignment - Allows one to assign, reassign, or unassign one or more users to/from a user role in a project.

• New features: New drop-down options on the User Rights page to allow users to perform the tasks listed below using a CSV file in the user interface.

  1. Upload users and their privileges

  2. Download users and their privileges

  3. Upload user roles and their privileges

  4. Download user roles and their privileges

  5. Upload user role assignments

  6. Download user role assignments

• New developer method: REDCap::deleteRecord() - Plugin/hook/module developers may utilize this new method to delete entire records from a project or to delete the data from a specified instrument, event, or repeating instrument/event for specific records.

• Improvement: More options/parameters for the API Delete Record method - Users can now specify instrument, event, and/or repeat_instance to delete the data from a specified instrument, event, or repeating instrument/event for the records specified in the API request. In previous versions, the only option was to delete the entire record.

• Change/improvement: When an administrator is reviewing a user's submitted production changes for Draft Mode on the "Project Modification Module" page and then clicks the "Compose confirmation email" button in the blue "Administrator Actions" box, the email template displayed in the dialog now contains clearer wording to help users better understand how to respond. This helps make the production change process faster and more efficient.

• Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way as user-defined text in REDCap Messenger.

• Change: If new instruments are created in a project while in production status, all users and user roles will no longer automatically get full "View & Edit" rights to that instrument for their Data Viewing Rights but instead will receive "No Access (Hidden)" rights by default for new instruments. When in development status, the instrument-level rights still defaults to "View & Edit" for new instruments. This change helps improve security when a project is in production to ensure that users do not accidentally gain access to data that they should not see if new instruments are still being added to the project. (Ticket #54096)

• Change/improvement: When viewing the Record Status Dashboard in which one or more repeating instrument tables are displayed at the bottom of the page, if any of the tables were collapsed on a previous visit of the page, the page will load much faster, especially for records containing hundreds or more repeating instances.

• Bug fix: Some email addresses that are entered into the value of a Text or Notes field might mistakenly not get converted into a clickable "mailto" link when viewed on a report.

• Bug fix: When exporting and importing a Project XML file, the Survey Queue setting "Keep the Survey Queue hidden from participants?" (if enabled) would mistakenly not get enabled in the new project created from the XML file.

• Bug fix: When calling the Export Records API method and providing the "fields" parameter, in which the parameter's value only contains the variable names of one or more Descriptive fields in the project, it would mistakenly return data for all fields instead.

• Bug fix: When using the DDP Custom feature, required parameters (i.e., user, project_id, redcap_url) were mistakenly not being sent to the custom metadata web service.

• Bug fix: Fields with the @DEFAULT action tag might mistakenly not get prefilled with the default value on the page if any fields on that same instrument contain saved data and have the @CALCDATE or @CALCTEXT action tag. (Ticket #110331)

• Bug fix: If the "Save & Return Later" feature is enabled for a survey in a project that also has the "Survey Login" feature enabled, if a participant clicked the "Save & Return Later" button on a public survey, it would mistakenly display information about a Return Code, which is actually not needed and is confusing because it is inaccurate.

• Bug fix: If a user is requesting that an administrator generate an API token for them, it would mistakenly not log the admin's action of generating the token. Technically, the action was being logged but was just not available on the Logging page in the project for which it was requested.

• Bug fix: When using multiple action tags together on a single field, in which the action tags have values inside single quotes or double quotes (e.g., @NONEOFTHEABOVE='1,2,3' @HIDECHOICE='4'), the action tags might mistakenly not get parsed correctly, thus causing them not to function correctly in some cases. (Ticket #113018)

• Bug fix: When the project-level setting "Prevent branching logic from hiding fields that have values" is enabled, it might cause an error popup to appear on survey pages when a field with a value is trying to be hidden by branching logic. (Ticket #113054)

CHANGES IN THIS VERSION:

• Improvement: On the External Modules page in a project, users with appropriate privileges may now import and export the configuration settings for any module that is enabled in the project. This feature functions as a convenience by allowing users to easily migrate the configuration settings of one or more modules to another project that has the same module(s) enabled.

• Improvement: If a user is not assigned to a Data Access Group in a project, the user will now see a new "[No assignment]" option in the "Displaying Data Access Group" drop-down list on the Record Status Dashboard, in which selecting that option will display only records that have not been assigned to any DAG.

• Change/improvement: "Previous instrument" and "Next instrument" buttons were added at the top right of the Online Designer field-view page to allow easier navigation between instruments. (Ticket #101057)

• Minor security improvement: Removed the usage of the PHP function "mt_rand" in the source code, and replaced it with the more cryptographically secure PHP function "random_int".

• Bug fix: When copying a project, it mistakenly does not copy the Data Entry Trigger URL into the new project. (Ticket #112269)

• Bug fix: When a project has the setting "Delete a record's logging activity when deleting the record?" enabled on the Edit A Project's Settings page, it would mistakenly not display the checkbox option to allow users to additionally delete a record's logging when deleting the record itself via the Record Home Page. (Ticket #112239)

• Bug fix: When downloading a CSV export of various things in REDCap (e.g., Notification Log export, Data Access Groups export), it might fail to add a BOM (Byte Order Mark) to the CSV file if the file contained UTF-8 characters. The Byte Order Mark is required to open UTF-8 encoded CSV files correctly in certain spreadsheet applications, such as Microsoft Excel. (Ticket #112239)

• Bug fix: If all the discrepancies of any Data Quality rule have been excluded, it would mistakenly not display the "view" link next to the rule (even though it returns "0" results) after the rule had finished running. It is necessary to still display the "view" link so that users can click it in order to view the exclusions inside the dialog. (Ticket #112294)

• Bug fix: When clicking "Cancel" inside the Logic Editor dialog, it might mistakenly revert the value of the text box being modified to the value of another text box that was previously edited via the Logic Editor while on that same page. (Ticket #101200b)

• Bug fix: When exporting and then importing an instrument via the Instrument Zip file in the Online Designer, in which the instrument is enabled as a survey, it might fail to import the instrument in the zip file successfully. (Ticket #112346)

• Bug fix: Any generated zip files would mistakenly fail upon creation and thus return an empty zip file when using Google Cloud Storage as the File Storage Method (as defined on the File Upload Settings page in the Control Center).

• Bug fix: The developer method REDCap::getSurveyQueueLink() would mistakenly always return NULL.

• Bug fix: Multiple blank rows in the table displayed on the survey queue page might mistakenly take up too much room on the page. (Ticket #110914)

• Bug fix: When a survey is set to "Auto-continue to next survey" in the Survey Termination Options on the Survey Settings page while the other survey setting "Prevent survey responses from being saved if the survey ends via Stop Action?" is set to "Do NOT save the survey response...", the survey would mistakenly continue to the next survey if the participant triggered the survey to end via a Stop Action.

• Bug fix: When viewing the data entry form for a survey-enabled instrument, if the Compose Survey Invitation dialog is opened on the page, then closed, and then opened again without refreshing the page, the rich text editor in the dialog would mistakenly not be initiated anymore. (Ticket #96574)

• Bug fix: Custom Application Links (which are to be displayed on the left-hand project menu) were mistakenly only visible to users with User Rights privileges in the project. (Bug #112651)

CHANGES IN THIS VERSION:

• Improvement/change: Any HTML used in the value of a Text field or Notes field will no longer be escaped on a report (i.e., displayed as-is) but instead the HTML will be interpreted on the report to allow for the styling of text on the page. This means that while previous versions would have displayed the text value "<b>Word</b>" literally as "<b>Word</b>" (without quotes) on a report, it now instead displays "Word" as bolded text on a report. Note: This does not affect data exports or any pages other than reports.

• Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into user-defined text. (Ticket #112003)

• Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by uploading a malicious file to a File Upload field on a survey page or data entry form, and then trick someone into executing the file by providing them with a URL of specific end-point in the application in which to navigate.

• Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the user-defined URL of a Project Bookmark. (Ticket #112021)

• Bug fix: When clicking the "Re-evaluate Alerts" button on the Alerts & Notification in a longitudinal project in which an alert is set to be triggered when an instrument status is complete and when the specified conditional logic is true, it would cause alerts to get triggered on events where the logic is true but where the instrument status is not complete. (TiBug fix: If a malicious user knows how to manipulate some AJAX requests for REDCap Messenger, they might be able to post messages to Messenger threads to which they do not belong, including the ability to post to the General Notifications channel while not being an administrator.cket #111866)

• Bug fix: Fixed typo in email-related error message. (Ticket #112126)

• Bug fix: Fix for PHP 8 error message when viewing contributors of a survey response. (Ticket #112144)

• Bug fix: Logic (including branching logic, conditional logic, and calculations) might not get parsed correctly and thus might return an incorrect result if Smart Variables are used in the logic and also while an element in the logic has a blank value that appears on the left side of an equals sign - e.g., [user-dag-name] = 'vanderbilt' (assuming [user-dag-name] is blank). (Ticket #112010)

• Bug fix: When survey participants attempt to download a file belonging to a File Upload field while on a survey page, it might mistakenly display the error message "NOTICE: This file is no longer available for download". Bug emerged in the previous version of REDCap.

• Bug fix: If a calculated field is utilizing a date and datetime value that are used together in the same datediff() function, if the date value happens to be today's date, it might return an incorrect value (typically a value of "0"). (Ticket #112183)

• Bug fix: When a project is not using "Default Encoding" for "Character encoding for exported files" on the Edit Project's Settings page, calling the API Export PDF method might mistakenly return a corrupt, unopenable PDF file. (Ticket #112035)

• Bug fix: The Text-To-Speech functionality on survey pages did not work on mobile devices, iOS, or in the Safari web browser in previous versions. It should now work successfully for all platforms and browsers. (Ticket #111739)

• Bug fix: The Smart Variable [bar-chart] might mistakenly mislabel the groupings in a bar chart that uses color grouping using a multiple choice field if there are no records that have a value for a specific choice for the multiple choice field. For example, if a grouping field has choices "One", "Two", and "Three", in which no records in the project have "Two" selected, then the resulting bar chart might mislabel all the "Three"s as "Two".

CHANGES IN THIS VERSION:

• Bug fix: When downloading a Descriptive field attachment while on a survey page, it might mistakenly return an error message and prevent the participant from downloading the file.

• Bug fix: When downloading a file for a File Upload field or an attachment for a Descriptive field, in which that file is being counted via the @DOWNLOAD-COUNT action tag on another field, the download count would not get successfully incremented for the @DOWNLOAD-COUNT field when the file is downloaded on a survey page (as opposed to on a report or data entry form).

• Bug fix: When downloading a file for a File Upload field or an attachment for a Descriptive field, in which that file is being counted via the @DOWNLOAD-COUNT action tag on another field, it might mistakenly attempt to save the incremented value to a non-existent record (as seen in the logging) when the file is downloaded on a public survey that has not been saved yet (i.e., the record does not yet exist).

CHANGES IN THIS VERSION:

• New action tag: @DOWNLOAD-COUNT - The @DOWNLOAD-COUNT action tag provides a way to automatically count the number of downloads for a File Upload field or a Descriptive field attachment. It can be used on a Text field or Notes field so that its value will be incremented by '1' whenever someone downloads the file for either a File Upload field or a Descriptive field attachment. The variable name of the File Upload field or Descriptive field whose downloads are to be counted should be provided inside the @DOWNLOAD-COUNT() function. For example, the Text field 'my_download_count' might have its action tag defined as @DOWNLOAD-COUNT(my_upload_field), in which 'my_upload_field' is the variable of a File Upload field. Whenever the file is downloaded on a data entry form, survey page, or report, the value of the field with this action tag will be incremented by '1'. If that field has no value or has a non-integer value, its value will be set to '1'. NOTE: The download count field must be in the same context as the File Upload field or a Descriptive field. This means that in a longitudinal project the two fields must be on the same event, and in a repeating instrument context, they must be on the same repeating instrument.

• Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into a field's value on a data entry form or survey page.

• Change/improvement: The Configuration Check page now checks to ensure that the "Email Address of REDCap Administrator" on the General Configuration page has a valid email entered. Without an email entered there, some features might not work correctly.

• Change: Updated setup instructions zip file for Clinical Data Interoperability Services by including a new CDIS Manual (PDF) in the zip file.

• Bug fix: When a PDF of a survey response is sent in a confirmation email after completing a survey, saved via the survey setting “Save a PDF of completed survey response to a File Upload field”, or saved via the e-Consent Framework in the File Repository, it would mistakenly not store the survey version of the PDF (containing the survey title and instructions) but instead would store the data entry form version of the PDF.

• Bug fix: When editing the value of the Secondary Unique Field in a longitudinal or repeating instance context, it might mistakenly log the change extra times unnecessarily. (Ticket #110740)

• Bug fix: Making a call to the Import Records API method when importing zero records might cause an Out of Memory error. (Ticket #110761)

• Bug fix: When using Internet Explorer 11, clicking on a slider field or matrix of fields might mistakenly cause the screen to scroll to the top of the page. (Ticket #111202)

• Bug fix: When using Internet Explorer 11, trying to expand/collapse a project folder on the My Projects page would fail to work due to a JavaScript issue. (Ticket #111553)

• Bug fix: The REDCap cron job named "AlertsNotificationsSender" might unexpectedly crash for PHP 8 in certain circumstances. (Ticket #110702)

• Bug fix: Since Twilio limits SMS messages to 1600 characters, to prevent errors from being returned from a failed request to Twilio for very long text messages, REDCap now automatically breaks an SMS into multiple parts if it exceeds the 1600 character limit. (Ticket #110440)

• Bug fix: When making API data imports without any data being imported (i.e., blank or missing value for the "data" API parameter), it might behave erratically and cause a PHP error. It now correctly returns the error message "No data was provided". (Ticket #110761)

• Bug fix: After copying a user role, a text box would mistakenly appear on the User Rights page below the instruction text.

• Bug fix: When exporting a PDF of an instrument with the character encoding set as Japanese (SJIS), for certain server configurations or PHP versions it might crash with a fatal PHP error. (Ticket #111593)

• Bug fix: When editing a user role in a project that contains Data Access Groups, it would mistakenly display the "Assign To DAG" drop-down list in the dialog, which should not be displayed when editing roles.

• Bug fix: When a project contains repeating events in which a report has filter logic to filter out specific repeating instances (e.g., [current-instance] <> "" and [current-instance] = [first-instance]), the report might mistakenly display no results or incorrect results when there is actually data to display. This does not affect repeating instruments but only repeating events. (Ticket #110896)

• Change: Added clarifying text regarding the behavior of a non-active Automated Survey Invitations in the ASI dialog in the Online Designer. (Ticket #111182)

• Bug fix: In a project using Twilio telephony services, any Automated Survey Invitations or manually-scheduled invitations that utilize the "Use participant's preference" option for the Invitation Type might mistakenly append the survey link to the message of the survey invitation, even when that is not desired. It now no longer appends the survey link automatically but instead sends the invitation using only the literal text defined by the user. (Ticket #111484)

• Bug fix: When a user's account expires after the account expiration time has passed, the email sent to the user to notify them of this might be slightly incorrect and might mention user sponsors even if the user does not have a sponsor. The user sponsor related language was removed in that case.

• Bug fix: The offline survey message that is defined on the Survey Settings page would mistakenly not perform any piping when being displayed on an inactive survey. (Ticket #111707)

• Bug fix: Fields with the @HIDDEN-PDF action tag would mistakenly be displayed in the PDF download of the instrument when using the PDF download option "Send to printer: select 'Save as PDF' for Printer/Destination". (Ticket #111718)

• Bug fix: If a calculated field in a longitudinal project has a cross-event calculation that contains an [X-event-name] Smart Variable, the calculation might mistakenly not get triggered when entering data on a form, survey, or via a data import.

• Bug fix: When using Twilio SMS or Voice Call services on a survey that has only one field that is a Descriptive field, it would mistakenly ask the Form Status complete question at the end of the survey. (Ticket #111799)

• Bug fix: When calling the surveyLink API method in which a space exists (not necessarily intentionally) at the beginning or end of the "record" parameter passed in the API request, it might cause the space(s) to mistakenly get stored in some parts of the database where the record name is stored, thus causing the Survey Login feature not to work for that particular record anymore. (Ticket #111002)

CHANGES IN THIS VERSION:

• Improvement: New piping parameter “:ampm” - When piping a time, datetime, or datetimes w/ seconds Text field, appending “:ampm” to the variable name (e.g., [visit_time:ampm]) will display the time in am/pm format (e.g., 4:45pm, 10:35am) instead of military time.

• Improvement: Ability for admins to configure the required password length and password complexity for user accounts when using Table-based authentication. These settings will default to requiring a 9-character password that must contain lowercase letters, uppercase letters, and numbers (but does not require any special characters. The following new controls have been added to the “Additional Table-based Authentication Settings” section of the Security & Authentication page in the Control Center.

  • Password Minimum Length - any length between 6 and 99 characters

  • Password Complexity options

    1. Requires both letters and numbers

    2. Requires lowercase and uppercase letters and numbers

    3. Requires lowercase and uppercase letters with either numbers or special characters

    4. Requires lowercase and uppercase letters, numbers, and special characters

• Bug fix: When making a report "public" and when viewing the report via its public link afterward, the check that ensures Identifier fields do not exist in the report would sometimes mistakenly fail to detect Identifier fields in the report.

• Bug fix: After making a report "public", if the report was made to be no longer public, it would mistakenly still display the report when viewing it via the public link. Instead it should display only an error message on that page (until the report has been made public again).

• Bug fix: If a public report contains the record ID field while the Custom Record Label or Secondary Unique Field is enabled in the project, REDCap would fail to prevent the report from being shown via the public link if any of the fields used in the Custom Record Label or Secondary Unique Field are Identifier fields. (Ticket #110288)

• Bug fix: The "Download metadata & data (XML)" button on the Other Functionality page would fail to work correctly due to a JavaScript error.

• Bug fix: When exporting a PDF of an instrument with data, any slider fields that have a custom range defined (i.e., anything other than 0-100) would mistakenly not be displayed correctly in the PDF and might appear as if the slider has a different value. (Ticket #110391)

• Bug fix: When a user is assigned to a Data Access Group while using record auto-numbering in a project, if the user attempts to schedule a record via the Scheduling page, it would mistakenly not generate the new record name correctly (i.e., with the DAG ID number appended to the end) when creating the new record.

• Bug fix: Download links for File Upload fields on surveys might mistakenly still be active and might allow participants to download the file if they still have the download link (e.g., clicking on the link [my_file:link] piped inside an email). The download link is correctly no longer active if the survey or project is inactive, but it would mistakenly be active if the survey response has been completed while the survey in general is still active. This has been changed so that it will now return an error message if someone follows the download link after the survey response has been completed and is no longer active anymore (i.e., no one can return to the survey response to modify it). (Ticket #110442)

• Bug fix: When creating a user role in a project that contains Data Access Groups, it would mistakenly display the "Assign To DAG" drop-down list in the dialog, which should not be displayed when creating roles.

• Bug fix: When assigning a user to a user role on the User Rights page while not also assigning them to a Data Access Group at the same time in the popup, it would fail to email the user even if the "Notify user via email?" checkbox is checked in the popup. (Ticket #110339)

• Bug fix: Any HTML tags used in field labels and elsewhere in a project might mistakenly get stripped out when a project is exported as a Project XML file. (Ticket #110503)

• Bug fix: Time-validated text fields would mistakenly not be formatted correctly in the "informat" and "format" statements in the resulting SAS syntax file when exporting data to SAS. This appears to occur only when Missing Data Codes are being utilized in the project. (Ticket #110278)

CHANGES IN THIS VERSION:

• Major bug fix: If using the AWS S3 file storage option, a fatal PHP error would occur when uploading or downloading documents, including on the Configuration Check page. (Ticket #110210)

CHANGES IN THIS VERSION:

• New feature: Ability to make reports accessible at a public link

  • Summary: When editing a report, users can now set a report as “public” and can obtain a public link to the report if they have User Rights privileges in the project. When a report is public, this means that all data in the report will be fully accessible (with no authentication required) to anyone with the public link to the report.

  • In order to make a report public, all the following must be true:

    • The user must have User Rights privileges in the project or be a REDCap administrator.

    • The report cannot have any Identifier fields in it.

    • The user is required to view the report during their current REDCap session.

    • The user must agree to and check off the following statements: 1) I understand that making this report "public" means that all data in the report will be fully accessible to anyone with the public link to the report, and 2) I understand that I am responsible if any private, sensitive, or identifying data in the report is exposed to persons who should not have access to such data.

  • The behavior of how reports are made public can be controlled at the system level near the bottom of the User Settings page in the Control Center using the setting “Allow reports to be made 'public'?”. Admins may completely disallow reports to be made public (although admins will still have this ability to do so). But if enabled, they may choose to allow users to make reports public on their own or enable the To-Do List approval process by which an admin will need to approve their request to make a given report public (similar to the same system level approval process for Project Dashboards being made public).

  • Once a report has been made public, its configuration cannot be modified while it is public (users cannot add new fields, modify filter logic, etc.). In order to modify a public report, the user will need to make it no longer public, then make their changes, and then make it public again.

• New Smart Variables

  • [event-id] - (longitudinal only) The event id number of the current event.

  • [survey-access-code:instrument] - The Survey Access Code of the specified survey for a given record/event/instance. The format must be [survey-access-code] or [survey-access-code:instrument], in which 'instrument' is the unique form name of the desired instrument. This can be used simply as [survey-access-code] inside the content of a survey invitation, in which 'instrument' is assumed to be the current survey instrument.

  • [survey-return-code:instrument] - The Survey Return Code of the specified survey for a given record/event/instance in order to allow a participant to return to a completed or partially completed survey response when using the 'Save & Return Later' survey feature. The format must be [survey-return-code] or [survey-return-code:instrument], in which 'instrument' is the unique form name of the desired instrument. This can be used simply as [survey-return-code] inside the content of a survey invitation, in which 'instrument' is assumed to be the current survey instrument.

  • [user-role-id] - The Role ID of the user role to which the current user is assigned (blank if not assigned to any user role). This value is auto-generated for each user role. NOTE: This value is not just unique for all roles within the project but is also unique across all REDCap projects. Thus, if the project and its user roles are copied, the Role IDs of the user roles in the resulting copy will be different from the ones in the original project.

  • [user-role-name] - The unique role name of the user role to which the current user is assigned (blank if not assigned to any user role). This value is auto-generated for each user role. NOTE: This value is only unique for roles within the project. Thus, if the project and its roles are copied, the new project will retain the same unique role names, which allows you to utilize the unique role names in conditional logic, calculations, branching logic, etc. that will not break when the project is copied.

  • [user-role-label] - The name/label of the user role to which the current user is assigned (blank if not assigned to any user role). This value is defined by the user that creates the user role.

• New Action Tag: @MAXCHOICE-SURVEY-COMPLETE - Similar to @MAXCHOICE but only counts choices on completed survey responses (does not count data entered as data entry only or on partial responses). Causes one or more specified choices to be disabled (i.e., displayed but not usable) for a checkbox, radio button, or drop-down field after a specified amount of records have been saved with that choice for completed survey responses only.

• New feature: Tableau Data Export- Extract all records into Tableau via the REDCap API.

  • This feature enables Tableau (v10.0+) users to connect Tableau to a REDCap project using an API token. Project data can be exported on demand and be available for use within Tableau to produce summaries and visualizations. The Other Export Option page in any given project has instructions to export project data into Tableau.

  • NOTICE: It is required for a user to have an API token generated for the project in order to use this feature.

• New feature: MailGun Email API Integration

  • As an alternative for sending outgoing emails from REDCap (rather than using the standard settings in PHP.INI to send them natively from the web server), you may use MailGun, which is a third-party paid service that can send emails on behalf of REDCap.

  • The option can be configured on the General Configuration page in the Control Center. You merely have to provide the API key and domain name for your MailGun account, and it will begin using the MailGun Web API to send *all* emails going out of REDCap.

• New feature: Project-level setting “Prevent branching logic from hiding fields that have values”

  • This setting can be enabled by any project user with Project Setup/Design privileges in the Additional Customizations popup on the Project Setup page.

  • This setting affects both data entry forms and surveys. If it is not enabled (default), then whenever a field is to be hidden by branching logic on a data entry form, it will always ask the user if they wish to hide the field and erase its value, whereas on survey pages it will automatically erase the value of the field being hidden without displaying the confirmation prompt, which has always been the default behavior for surveys. If this setting is enabled, the branching logic behavior will change so that fields with values will not cause the 'Erase the Value of the Field?' confirmation prompt to ask the user if they wish to keep the value or hide the field, and instead fields with values will not be hidden by branching logic and will stay visible. Thus they will be exempt from branching logic. This will prevent data from being erased as it normally does if fields are hidden by branching logic.

  • When a field should be hidden by branching logic but is not hidden because it has a value, an icon will be displayed on the field to indicate this to the user.

  • This project-level setting is included in the API Export Project Info method as “bypass_branching_erase_field_prompt”. The REDCap Mobile App will soon have this same functionality, but it will only work if the REDCap server is on REDCap 11.2.0 or higher.

  • The name of Data Quality rule F has been slightly changed when this setting is enabled from “Hidden fields that contain values” to “Fields that contain values that should be hidden”.

• Improvements for report display and/or data exports- When creating/editing a report, the “Additional report options” section in Step 2 now contains the new options below:

  • For projects that have repeating instruments and/or repeating events, the repeating fields that are automatically added (e.g., redcap_repeat_instrument and redcap_repeat_instance) can now be excluded from the report and data export. These fields are displayed by default in reports/exports.

  • Users may choose to display the field label, variable name, or both (default) in the header of a report. Note: This is only used when viewing reports and thus is not applicable for exports since there already exist options for choosing raw vs label format in data exports.

  • Users may choose to display the field label, raw data value, or both (default) for multiple choice fields in the data displayed in a report. Note: This is only used when viewing reports and thus is not applicable for exports since there already exist options for choosing raw vs label format in data exports.

• Improvement: If the value of a Text field or Notes field contains a URL or email address, the URL or email address will be converted into clickable link and mailto link, respectively, when viewing the data in a report.

• Improvement: More detailed logging descriptions on the Logging page for report-related logged events, such as mentioning the report name and report ID.

• Improvement: When users download an Instrument ZIP file for a given instrument in the Online Designer, the zip file now includes all survey settings for the instrument if the instrument has been enabled as a survey, including various files (e.g., survey logo, confirmation email attachment). The downloaded Instrument ZIP can then be uploaded into any project to transfer both the fields and all the survey settings.

• Improvement: In the Online Designer, the "Custom text to display at top of survey queue" now utilizes the rich text editor to make it easier to style the custom text.

• Change: PHP 7.2.5 is now the new minimum PHP version that is required for running REDCap. Note: All versions of PHP 8 are currently supported.

• Major bug fix: Fields embedded inside radio button and checkbox choices would fail to appear on data entry forms and survey pages. (Ticket #109836)

• Bug fix: When uploading a CSV file of events on the Define My Events page for a longitudinal project that has the Scheduling module enabled, it would mistakenly not add the events in the order in which they appear in the CSV file. (Ticket #108552)

• Bug fix: When clicking a table header on the My Projects page, the projects inside any collapsed Project Folders would disappear on the page until the page was reloaded. (Ticket #107547)

• Bug fix: When clicking on a collapsed Project Folder on the My Projects page, it might mistakenly open multiple Project Folders. (Ticket #108579)

• Bug fix: HTML styling on radio button and checkbox choices would mistakenly get removed on a survey page or data entry form.

• Bug fix: Using the Smart Variable [aggregate-count] for checkboxes would mistakenly not return any value. It now returns the number of total checkboxes that have at least one checkbox option checked for the field, which is consistent with how [stats-table] behaves for checkboxes.

• Bug fix: Referencing the record ID field in the Smart Variable [stats-table] would not return any values for that row in the table.

• Bug fix: The cron job that sends email notifications for REDCap Messenger might mistakenly send multiple emails repeatedly to users. (Ticket #97084)

• Bug fix: When importing alerts via a CSV file on the Alerts & Notifications page, the “Ensure logic is still true” setting would mistakenly not get set correctly during the upload if it was already disabled/unchecked for an existing alert and then was being enabled/checked in the CSV upload.

• Bug fix: Depending on a user's number format preference as defined on their My Profile page, certain Smart Functions (e.g., [aggregate-sum:field]) might fail to work successfully in calculations and branching logic. (Ticket #109994)

• Bug fix: The survey setting "Save a PDF of completed survey response to a File Upload field" would mistakenly display Signature fields in the drop-down list when it should exclude those. (Ticket #110071)

• Bug fix: The [bar-chart] Smart Variable would fail to display any data in the chart when used with a checkbox field. (Ticket #109370)

• Change: Added a dark gray line above the Custom Application Links section (if used) on the project left-hand menu to help differentiate the Custom Application Links from REDCap's built-in application page links.

• Bug fix: When the Secondary Unique Field is enabled in a project in which a data import is being performed with values for that field, it would mistakenly allow duplicate values to be imported for the Secondary Unique Field if the same value exists multiple times within the data file being imported. (Ticket #109791)

CHANGES IN THIS VERSION:

• Bug fix: If a field’s value is being piped on the same data entry form or survey page where the field itself is located, if that field is being hidden by branching logic, in which the user clicks “Okay” to the “Erase value” prompt to hide the field and erase its value, the piped value seen on the page would mistakenly not get changed/reset during this process but would instead retain the previous value of the field. (Ticket #108756)

• Bug fix: When viewing Report A or B, the built-in Live Filter for the Record ID field would display a list of all records in the project, which might crash the user's browser if tens of thousands or more records exist. To prevent this, it now only displays the first ten thousand record names in the Live Filter drop-down, similar to how the Data Quality page behaves.

• Bug fix: A fatal PHP error might occur on some pages related to CDP or Data Mart for certain versions of PHP. (Ticket #108971)

• Various fixes and improvements for the External Module Framework

• Bug fix: If the headers of a matrix of fields are displayed as floating/sticky on a data entry form or survey page, the floating headers would mistakenly disappear (at least until the user scrolls the page again) whenever branching logic gets triggered or if the "Reset" link for radio buttons are clicked. (Ticket #109434)

• Bug fix: The video link for Smart Charts/Functions/Tables in the Smart Variables dialog mistakenly pointed to the Project Dashboard video.

• Bug fix: When exporting data to a stats package (e.g., SAS) in which some multiple choice fields contain "<" in a choice label, the resulting syntax file might be mangled, truncated, and/or incorrect. Also, that choice label with "<" may not display correctly on the Data Dictionary Codebook page. (Ticket #109571)

• Bug fix: When importing data in standard XML format via the API, some fields that have a blank value in the XML file might cause the data import to fail. (Ticket #109293)

• Bug fix: When using the Scheduling module for a project that has record auto-numbering disabled, it is possible that a record could mistakenly be created twice if one user creates the record via data entry at the same time that another user creates the record via the Scheduling module. (Ticket #109287)

CHANGES IN THIS VERSION:

• Improvement: Reports A and B now have built-in Live Filters: 1) the record ID field, 2) a list of all events (if the project is longitudinal), and 3) a list of all Data Access Groups (if the project contains DAGs and the current user is not assigned to a DAG).

• Minor security fix: A Cross-site Scripting (XSS) vulnerability was discovered where a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript event attributes in a very specific way into the URL of a specific endpoint.

• New videos: Added two new videos for Project Dashboards and Smart Charts/Functions/Tables on the Training Video page, Project Dashboards page, and Smart Variable popup documentation.

• Change: Small change to add clarity to the text of Step 1A when creating/editing an alert on the Alerts & Notifications page.

• Bug fix: A PHP error would mistakenly occur in the redcap_connect.php file if the binlog_format setting for MySQL/MariaDB has been enabled on the General Configuration page in the Control Center. (Ticket #108667)

• Bug fix: When exporting data to SAS in which the export contains some Ontology Text fields that have a dash in the raw value for some records in the export, it would prevent the data from being successfully loaded into SAS. Now when creating SAS formats for character variables in the resulting SAS syntax file, the values will be wrapped in single quotes for greater compatibility (unless all the values/options are numerical for the field).

• Bug fix: Calendar events that had no time set (i.e., only had the date set) but were scheduled or attached to a record would mistakenly not be ordered by record name when displaying the events of a given day on the Calendar page. (Ticket #108688)

• Bug fix: If a "bar-chart" Smart Chart utilizes multiple fields and also references a report via its unique report name, if the order of the fields defined in the Smart Chart is different than the order of the fields as they appear in the report, the bar chart would mistakenly not display correctly. (Ticket #108709)

• Bug fix: When a project is in draft mode, the Online Designer would mistakenly allow users to modify the variable name of matrix fields that exist live in production (i.e., not just in draft mode), which should not be allowed because it could inadvertently cause fields to be deleted via renaming. (Ticket #108705)

• Bug fix: Smart Charts and Smart Tables would mistakenly display HTML tags inside the chart/table if any HTML tags exist in the choice labels or field labels for the fields being utilized in the chart/table.

• Bug fix: Smart Charts with long field labels or long choice labels might cause text to overlap on themselves or might show only the label ending and not the beginning, which is due to a limitation in the ChartJS library used to generate the charts. Such labels are now truncated to fit better in the chart by using an ellipsis in the middle of the label for optimal display.

• Bug fix: When using the background fetch method for fetching EHR data via the Clinical Data Mart service, it no longer sends the user an email when the process has finished but instead sends a message via REDCap Messenger. This has been changed because it could be possible that any error messages sent inside the email might contain Medical Record Numbers. So sending the notification via Messenger is more secure.

• Bug fix: When a REDCap server uses the HTTP_X_FORWARDED_FOR header for a user's IP address, in which the IP actually contains multiple IPs delimited with commas (often because a load balancer is being utilized), it now instead just uses the first IP address in the list rather than the whole value, which was causing a blank IP address to be recorded in REDCap's logging for users in this particular case.

• Bug fix: In very specific cases where data has been imported into an instrument (but not for the form status complete field) and no user has entered data for that instrument via the data entry form or survey page yet, the form status icon might mistakenly display as a gray color instead of as red on the Record Home page or Record Status Dashboard. (Ticket #108183)

• Bug fix: If using "LDAP" or "LDAP & Table-based" authentication, any user containing an apostrophe in their LDAP username would cause JavaScript issues to occur for an administrator on the Browse Users page when performing certain actions, such as changing their 2FA code expire time, suspending/unsuspending the user, or deleting the user account from the system. (Ticket #79647d)