Yatoon Booking System

1.2.0

• New: Email Notifications page (🔔 Notifications in admin menu) with 4 configurable email types
• New: Appointment Reminder email — sent X hours before appointment (fully configurable), with editable subject, body, and template variables
• New: Review Request email — sent X hours after appointment ends, includes a Google Review button (paste your Google Review link), with editable subject and body
• New: Cancellation Notification email — sent when an appointment is cancelled, with editable subject and body
• New: Reschedule Notification email — sent when an appointment is rescheduled, with editable subject and body
• New: All 4 notification types include a “Send Test Email to Admin” button for easy preview
• New: Admin Bookings page — Cancel button now shows a confirmation modal with “Notify customer by email” checkbox (checked by default)
• New: Customer Portal — Cancel action now shows a confirmation modal with “Send me a confirmation email” checkbox
• New: Customer Portal — Reschedule modal now includes a “Send me a confirmation email” checkbox
• Fixed: Auto Sync cron was not rescheduling when sync interval was changed — hook was listening to wrong option name (sbs_sync_interval instead of yatoon_sync_interval)
• Fixed: yatoon_sync_interval was being sanitized with absint(), converting string values like ‘daily’ to 0 and breaking the cron schedule — changed to sanitize_text_field()
• Fixed: Toggling Auto Sync off now properly removes the cron event; toggling on re-schedules it
• Fixed: Existing installs with a corrupted sync interval are automatically repaired on upgrade

1.1.7

• i18n: Added full translations for Chinese Simplified (zh_CN), Vietnamese (vi), and Spanish (Spanish) (es_ES)
• Removed all hardcoded salon-specific default values (business name, address, phone, website URLs)
• Added Business Address and Business Website fields to Contact Information settings
• Booking confirmation screen now dynamically renders address/phone/website from settings (hidden when blank)
• Unified business phone option key to yatoon_business_phone

1.1.6

• Added i18n infrastructure: all user-facing strings wrapped with translation functions
• Added languages/ directory with .pot template file

1.1.5

• Fixed: All color option values in class-yatoon-frontend.php now wrapped with sanitize_hex_color() before CSS injection
• Fixed: admin/views/bookings.php ABSPATH check moved before global $wpdb

1.1.3

• Fixed: Replaced all $table_xxx variables in SQL queries with {$wpdb->prefix}tablename directly (resolves InterpolatedNotPrepared + UnescapedDBParameter)
• Fixed: All date() calls replaced with gmdate() (25 instances)
• Fixed: strip_tags() replaced with wp_strip_all_tags()
• Fixed: Added phpcs:disable/enable to all view files for NonPrefixedVariableFound (view files are included partials, not global scope)
• Fixed: Added nonce verification to ajax_get_staff_services and ajax_update_staff_services
• Fixed: ExceptionNotEscaped in cron.php – exceptions are logged, not echoed to users
• Fixed: UnfinishedPrepare – $placeholders and $ph contain %d format strings
• Fixed: NonPrefixedFunctionFound – sbs_resolve_font renamed to yatoon_resolve_font
• Fixed: SBS_* backward-compat constants annotated with phpcs:ignore
• Fixed: MissingTranslatorsComment – added /* translators: */ comments
• Fixed: EscapeOutput remaining instances in admin views

1.1.2

• Compliance: Renamed all plugin prefixes from ybs_/sbs_ to yatoon_ (≥4 chars) per WP.org guidelines
• Compliance: Renamed all class names from SBS_* to YATOON_*
• Compliance: Added == External Services == documentation to readme.txt
• Security: Replaced all _e() with esc_html_e() for proper escaping (68 instances)
• Security: Added nonce verification to Google OAuth callback (state parameter)
• Security: Replaced remaining stripslashes() with wp_unslash()
• Security: Added sanitize_text_field() to $_SESSION reads
• Security: Added wp_unslash() to all JSON POST data reads
• i18n: Added missing text domain to __() calls in activator.php
• i18n: Fixed shortcode names to yatoon_booking and yatoon_customer_portal
• Compatibility: Updated Tested up to WordPress 6.9

1.1.1

• Security: Added direct file access protection (ABSPATH check) to all PHP files
• Security: Added nonce verification to sync_bookings_from_square, debug_square_availability, debug_date_bookings handlers
• Security: Replaced wp_redirect() with wp_safe_redirect() throughout
• Security: Added wp_unslash() to all sanitize calls for POST/GET input
• Security: Escaped all unescaped output in admin and public views
• Security: Sanitized $_SERVER[‘REMOTE_ADDR’] via sanitize_text_field()
• Compatibility: Removed unnecessary load_plugin_textdomain() call (not needed for WP 6.0+)
• i18n: Fixed text domain — unified all strings to ‘yatoon-booking-system’
• i18n: Fixed admin page slug URL references
• Tested up to WordPress 6.8

1.1.0

• Initial public release on WordPress.org