Loading...
Related tags:

Google Maps : A Has No Properties

February 12, 2008 5 Comments Tagged as: google javascript mashups

I've been playing with creating a framework for easy mashups, starting with a little Yahoo! Pipes, and the using the data generated with other web services. One of these services was Google Maps. I went out and got my Maps API developer key and started hacking. After doing a few good little tests, I got to what I really wanted to try out: a mashup that'll help my wife and I find a new apartment by taking all the craigslist postings, pare it down to the number of bedrooms we need, the fact that we have a puppy that needs a yard, the area that we want to live, and post all the good matches to a Google map.

After I got the whole map set up, I found that Firebug was showing a javascript error 'a has no properties' There are tons of people asking the question, and the answers aren't quite as plentiful. In fact, most people recommended switching the API version from 2 to 2.s (whatever that means). All that did was get me a 'has no properties' for a different variable. My code looked like this (ignore the Django markup):

    <script type="text/javascript">
    //<![CDATA[
    
    function loadpoints() {
      if (GBrowserIsCompatible()) {
        var map = new GMap2(document.getElementById("map"));
        map.addControl(new GSmallMapControl());
        map.addControl(new GMapTypeControl());
        map.enableDragging();
        map.enableScrollWheelZoom();
        map.setCenter(new GLatLng({{lat}}, {{lon}}), 11);

        {% for location in locations %}
        {% if location.geo_long %}
        point = new GLatLng({{location.geo_lat}}, {{location.geo_long}});
        marker = new GMarker(point);
        GEvent.addListener(marker, "click", function() {
          var content = '<a href="{{location.link}}">{{location.title}}</a>';
          marker.openInfoWindowHtml(content);
        });
        map.addOverlay(marker);
      {% endif %}
      {% endfor %}
      }
    }
    //]]>
    </script>

I went through and commented out lines of javascript a bit at a time. I eventually found the issue, but it was quite a pain, and quite undocumented. The issue is this: I created my map, add some controls, set the center of the map to a GLatLng, and then started adding markers. Well, apparently, the first thing that needs to be done to a map is to set the center of the map. I couldn't find any documentation to reflect that, but it's the only way my mashup would work. So now, my code looks like this:

    <script type="text/javascript">
    //<![CDATA[
    
    function loadpoints() {
      if (GBrowserIsCompatible()) {
        var map = new GMap2(document.getElementById("map"));
        map.setCenter(new GLatLng({{lat}}, {{lon}}), 11);
        map.addControl(new GSmallMapControl());
        map.addControl(new GMapTypeControl());
        map.enableDragging();
        map.enableScrollWheelZoom();

        {% for location in locations %}
        {% if location.geo_long %}
        point = new GLatLng({{location.geo_lat}}, {{location.geo_long}});
        marker = new GMarker(point);
        GEvent.addListener(marker, "click", function() {
          var content = '<a href="{{location.link}}">{{location.title}}</a>';
          marker.openInfoWindowHtml(content);
        });
        map.addOverlay(marker);
      {% endif %}
      {% endfor %}
      }
    }
    //]]>
    </script>

After looking through the documentation, it appears that the GMap2 constructor could take a opts.center option on instantiation, but it's not completely clear, and I'm far too lazy to actually try it out. Regardless, my rental mashup is working now, and I've got enough information to start working on my mashup framework, so that's all the information I need.

AttackAPI : Metasploit for the Web

October 15, 2007 Tagged as: javascript security xss

Recently, I've begun to be much more interested in cross site scripting (XSS). As I've read more about it, and experimented more with it, I find it to be a bigger animal than I ever thought. For the most part, I've ignored it, thinking there were only a few vectors to use it, and as long as I was careful about sterilizing data, it would be easily avoidable. Not so. There are hundreds of way to use XSS in web applications.

There are many resources on the net for web vulnerabilities, much of which consist in part or entirely of XSS vectors. ha.ckers.org is a good site for information, and sample vectors. sla.ckers.org is a great forum with a lot of knowledgeable people around to suggest new vectors or new spins on old vectors. I've also found 0x000000.com to be invaluable in my quest to learn more about how to find vectors, and then how to exploit them.

After an exhaustive search, I stumbled upon a goldmine. AttackAPI is a javascript library designed with the idea of using it to find and exploit browser "vulnerabilities." I use the word vulnerability loosely, because from my experience, most of these problems are features, not bugs, but can be used in a most malicious method. They've got a (somewhat unused) Google group, 3.x source code available, but I found the documentation non-existent. If I'm wrong, I'd love to know about it. However, that's why I described it as the Metasploit of the web. It's got a great featureset, but the documentation is horrible (as is Metasploit's).

The version 3 framework is supposed to be much more full featured. We'll see.