TransitTeam v1.3.9: Reliability & Security Hardening

A large reliability and security hardening pass for TransitTeam — more than fifty fixes — plus a richer driver job list and TransitQuote API integration support.

May–June 2026

This release is a large, behind-the-scenes robustness pass covering more than fifty individual fixes, plus a handful of feature additions that support the TransitQuote API integration.

New Features

  • Richer job list — The driver job list now shows the pickup address, pickup date/time, and an ASAP flag for each job.
  • API integration support — TransitTeam now exposes driver lookup and job-filter helpers (driver, status, and date parameters) so the TransitQuote API can return correctly scoped, driver-specific job data.

Security Hardening

  • Cross-site scripting (XSS) — Output is now properly escaped in the driver welcome email (name and email), the driver distance display, and the driver/status select menus.
  • SQL injection — Table names are now validated against an allowlist before any delete operation.
  • Input sanitisation — Filter status values and “can assign to” values are sanitised with absint(), role slugs are sanitised before use, and posted date values are sanitised with proper exception handling.
  • Debug output removed — Stray debug echoes, print_r output, and commented-out debug directives have been removed; error logging is now gated behind WP_DEBUG_LOG and database debugging defaults to off.
  • External assets — The plugin now uses WordPress’s bundled jQuery UI instead of loading it from an external CDN.
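
The table-name allowlist described in the SQL injection item, as an added PHP example (not TransitTeam's own code). The table names, the delete_row() helper, and the in-memory SQLite database are assumptions chosen so the example runs stand-alone without WordPress.

```php
<?php
// Added example; not TransitTeam's code. Table names and helper are hypothetical.
declare(strict_types=1);

// SQL identifiers cannot be bound as prepared-statement parameters, so the
// table name is checked against a fixed allowlist; only the row id is bound.
const DELETABLE_TABLES = ['tt_jobs', 'tt_assignments']; // constructed names

function delete_row(PDO $db, string $table, $id): int
{
    if (!in_array($table, DELETABLE_TABLES, true)) {
        throw new InvalidArgumentException('Table not allowed for delete');
    }
    $id = abs((int) $id); // same result as WordPress absint()
    $stmt = $db->prepare("DELETE FROM {$table} WHERE id = ?");
    $stmt->execute([$id]);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tt_jobs (id INTEGER PRIMARY KEY, ref TEXT)');
$db->exec('CREATE TABLE tt_drivers (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO tt_jobs (ref) VALUES ('A'), ('B')");
$db->exec("INSERT INTO tt_drivers (name) VALUES ('Sam')");

// Constructed inputs: one legitimate request, two that must be rejected.
$requests = [
    ['tt_jobs', '1'],
    ['tt_drivers', '1'],                      // real table, not on the allowlist
    ['tt_jobs; DROP TABLE tt_drivers', '1'],  // tampered identifier
];
foreach ($requests as [$table, $id]) {
    try {
        printf("%s -> deleted %d row(s)\n", $table, delete_row($db, $table, $id));
    } catch (InvalidArgumentException $e) {
        printf("%s -> rejected\n", $table);
    }
}
printf(
    "jobs left: %d, drivers left: %d\n",
    $db->query('SELECT COUNT(*) FROM tt_jobs')->fetchColumn(),
    $db->query('SELECT COUNT(*) FROM tt_drivers')->fetchColumn()
);
```

The strict third argument to in_array() matters here: without it, loose comparison can let a non-string value match an allowlist entry.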

Reliability & PHP 8 Compatibility

  • Added null/false guards across the codebase: array_merge() calls on a null config in several constructors, false results from get_user_by()/get_userdata(), and WP_Error results from wp_insert_user() are all handled before reuse.
  • Corrected numerous PHP 8 comparison bugs (strpos/stripos/strrpos against false, version_compare value handling, operator precedence in table-existence checks, and a missing-key guard when adding database columns).
  • Migrated legacy driver role slugs on update and made role checks case-insensitive, unifying how the driver role is assigned.
  • Improved AJAX/JSON response consistency for job-detail loading.
  • Added explicit property declarations to suppress PHP 8.2+ dynamic property deprecation notices.
  • Fixed the automatic updater (restored URL encoding and corrected the single-plugin upgrade hook).
  • Fixed the driver job list and API returning duplicate entries for a job that had more than one assignment record — the job query now selects only the most recent assignment per job.
  • Removed a spurious zero-value “extra destination” surcharge row from the quote detail view, matching the plain-text and web quote layouts.