Tuesday, October 25th, 2005

WebORB Map Chat

Category: Showcase

The Midnight Coders are at it again. They have released a chat application that is a little different. This has to be the Ajax example we have all been waiting for, as it marries a Google Maps interface with a chat interface, both of which have been covered separately many times :)

This example demonstrates bi-directional messaging between heterogeneous (Flash and AJAX) clients and the WebORB Message Server. The server performs additional processing to geolocate chat users and injects the necessary information into messages so users can be plotted on the map.

WebORB Map Chat

Posted by Dion Almaer at 7:51 am


Impressive but full of javascript security holes. Attributes are not cleaned in html tags (onClick..)
And users succeeded in making popups open on all visitors' screens and finally crashed the app.

too bad, that was an obvious risk

Comment by Nel — October 25, 2005

Yes. Try saying this :-)

<script type="text/javascript">document.getElementById('map').innerHTML='<iframe src="http://www.cgisecurity.com/articles/xss-faq.shtml#nofix" width="500" height="200" />';</script>

Comment by Anonymous Coward — October 25, 2005

Not anymore. The “javascript security hole” was all fixed yesterday with a simple regex. So there’s nothing to worry about there.

There will also be flood protection built in.

And there will be a downloadable package priced at around $50 to $100 (according to the developer who was in the room), so people can use the Map Chat on their own website.
This, however, requires the “WebORB” server (on .NET) but they are planning to make a reduced server version that can be bundled with the Map Chat app. Woot!

All in all, an incredibly cool Ajax application that combines lots of things (Ajax chat, presence notification, geolocating with around 80% accuracy, Google Maps, the incredible “Map Sharing” feature and more) while still running quite fast.

Kudos to the Midnight Coders for this one!

I really don’t care about “javascript security hole” or XSS knowing that these things can and will easily be fixed. Why did you only comment on that? *sigh*
I’m sure that the next version will blow your mind.

Comment by Yoda — October 26, 2005
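An added example, not Midnight Coders' or WebORB's code, contrasting the "simple regex" fix Yoda mentions with plain output escaping before a message reaches innerHTML, using the onClick-attribute vector Nel's comment names. The function names and sample messages are constructed for illustration.

```javascript
// Naive fix in the spirit of "a simple regex": delete <script> blocks and
// assume nothing else in the message can execute.
function naiveStripScript(message) {
  return message.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}

// Robust fix: escape every HTML-significant character so the browser treats
// the whole message as text. Nothing in the result can open a tag, so no
// attribute (onClick or otherwise) can ever be parsed out of it.
function escapeHtml(message) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return message.replace(/[&<>"']/g, (c) => table[c]);
}

// What a chat client should assign to innerHTML: markup the client wrote
// itself, with only escaped user-controlled values placed inside it.
function renderChatLine(user, text) {
  return `<b>${escapeHtml(user)}</b>: ${escapeHtml(text)}`;
}

// Defender-side check: a '<' followed by a letter, '!' or '/' starts a tag,
// and a tag is exactly what an event-handler attribute needs to ride on.
function containsTag(html) {
  return /<[a-z!/]/i.test(html);
}

// Constructed sample messages (not captured from the real chat). The first
// is harmless text that an over-eager filter must not mangle.
const SAMPLES = {
  plain: "Hello from Paris, AT&T user here <3",
  scriptTag: '<script type="text/javascript">handler()</script>',
  eventAttr: '<span onClick="handler()">hover me</span>',
};

// For each sample, report whether active markup survives each treatment.
// The regex approach passes the <script> case but leaks the onClick case;
// escaping leaks neither.
function compareSanitizers(samples = SAMPLES) {
  const result = {};
  for (const [name, msg] of Object.entries(samples)) {
    result[name] = {
      naiveLeaksMarkup: containsTag(naiveStripScript(msg)),
      escapedLeaksMarkup: containsTag(escapeHtml(msg)),
    };
  }
  return result;
}
```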

I really don’t care about “javascript security hole” or XSS knowing that these things can and will easily be fixed. Why did you only comment on that?

Because such a blatantly obvious hole should be plugged *before* going live. The hole was wide open for at least 12 hours. The site was pretty busy. An awful lot of web sessions could have been hijacked by a malicious user. But if you don’t care, because you’re willing to take the risk that it won’t be *your* session that gets bugged, then that’s fine. But Midnight Coders should care.

Comment by Anonymous Coward — October 26, 2005
