Pro v3.1 with optimized performance for Google basemaps & lots more is available

Posted on 08 July, 2017

Category:

Pro-Version Releases
Attention: this is not the changelog for the latest stable version 4.29.1 (see related release notes)

After more than 3 months of development and lots of sleepless nights, we are happy to announce the availability of Maps Marker Pro v3.1 🙂

Many special thanks to Thorsten, who although being on a roadtrip through Canada continues adding new features and optimizations for Maps Marker Pro.

So what is new in Maps Marker Pro v3.1?

The highlights of v3.1 are the optimized Google Maps leaflet.js plugin “GoogleMutant”, a recent marker map widget, usability improvements as well as bugfixes and security fixes resulting from our bug bounty program at hackerone.com. For more details about this release please see below.

An update to the latest version is – as always – highly recommended. 


Let us know what you think about this new release by submitting a review or leaving a comment below!

If you want to keep up to date with the latest Maps Marker Pro development, please follow @MapsMarker on twitter (= most current updates), on FacebookGoogle+ or subscribe to news via RSS or via RSS/email.

We would also like to invite you to join our affiliate program which offers commissions up to 50%. If you are interested in becoming a reseller, please visit https://www.mapsmarker.com/reseller


Now let´s get to the highlights of pro v3.1:

optimized performance for Google basemaps 

The (abandoned) Google Maps leaflet implementation by shramov is now replaced with the much more performant GoogleMutant leaflet plugin by Iván Sánchez. 

Before, an instance of the Google Maps JS API was displayed behind the Leaflet container, and synchronized as best as it could be done. As a result the basemap and whatever overlays are on top were off sync. This was noticeable when dragging or zooming a map.

Now, in order to provide the best Leaflet experience, GoogleMutant uses both DOM mutation observers and L.GridLayer from Leaflet 1.0.0. The basemap tiles are still requested through the Google maps JavaScript API, but they switch places to use Leaflet drag and zoom.

The only disadvantage of GoogleMutant is that it is not supported on Internet Explorer 10 or lower and several older browsers versions (maps will automatically switch to OpenStreetMap for those users). Please note that the current browser market share for affected browsers is about 2% (05/2017) and declining steadily.

If you do not want Google basemaps to automatically switch to OpenStreetMap for those outdated browsers, please activate the legacy plugin at Settings / Map Defaults / “Google Maps JavaScript API”:

new widget “show latest marker map”

With this release we added a new widget, which allows you to easily display the latest marker map in your sidebar:

To add this widget, just navigate to Appearance / Widgets and add the widget “Maps Marker Pro – latest marker map” to your sidebar:

loading indicator for GeoJSON download and marker clustering

If your layer maps include hundreds or thousands of markers, loading the according (already optimized) GeoJSON array can take some time.

To improve the usability for map viewers, we now added an animated loading indicator which is displayed until the loading and parsing of the GeoJSON data is finished:

option “HTML filter for popuptexts” to prevent injection of malicious code 

By default, popuptexts are now filtered using wp_kses() which is also used for default WordPress content like posts and pages.

As a result, only allowed HTML element names, attribute names and attribute values plus only sane HTML entities will be displayed – JavaScript code (which could be used for Cross site scripting – XSS for example) is stripped from output.

If you need unfiltered popuptexts to e.g. execute custom Javascript code, you can disable this option at Settings / Misc / Compatibility settings:

list all markers page enhancement: dropdown added to filter markers by layer

On the “List all markers” page on backend we added a layer dropdown selection box, which allows you to dynamically display markers from a specific layer only:

global basemap setting “nowrap”

At Settings / Map Defaults / “Global basemap settings” we added the new setting “nowrap”:

If this setting is set to true, tiles will not load outside the world width instead of repeating.

Setting set to false (=default):

Setting set to true:

Bounty Hunters wanted! 

No technology is perfect, and neither is ours. There will always be things that we can have overlooked. While we can’t avoid having blind spots, we can do something to identify them: We’re calling out to security researchers everywhere to help us find security bugs and security issues in our products.

Photo: Boba Fett cosplayer at the 2012 Phoenix Comicon in Phoenix, Arizona. Author: Gage Skidmore (own work) [CC-BY SA 2.0] via Wikimedia Commons]

Join the ranks of Boba Fett, Greedo & Co.: Become a bounty hunter for Maps Marker Pro

We offer a $ 10 bounty for valid security bugs (for example simple XSS), with the option for larger bounties for more serious bugs, like for example remote code execution exploits, SQL injection or privilege escalation.  In addition, we offer a professional package for Maps Marker Pro that’s valid for 25 domains, including access to updates and support for 3 years (list price: € 499) for each person reporting a valid security bug.

Bounties are paid for source code vulnerabilities, but feel to submit vulnerabilities outside that for an optional smaller bounty. We’ve advertised our bounty hunt on the bug bounty platform HackerOne, where you’ll find a full description of our rewards program with a list of valid targets:  https://hackerone.com/mapsmarker_com_e_u

Looking for developers to recommend to our clients for customizations

Are you a professional WordPress developer who knows the ins and outs of Maps Marker Pro? Great! Get in touch, and maybe we can recommend you to customers who want individual customizations or custom developments based on one of our Maps Marker Pro APIs.

Sometimes, you just need a custom made product – and someone you can trust to create it for you.
Photo by Fancycrave [CC0 Public Domain] via pexels.com

We’re working hard on delivering the best mapping solution for everyone. But from time to time, clients want their own special things: Individual customizations of Maps Marker Pro, hand-crafted to fit their unique business case, in many cases involving one of our Maps Marker Pro APIs. In this case, we like to refer them to our trusted network of experts.

If you are

  • a WordPress developer
  • an experienced user of Maps Marker Pro
  • reliable and quick to respond
  • enjoying working with different clients
  • available for freelance work

then please send us an email, containing a short introduction of yourself, your skills and experience as well as links to previous works.

If we’re a good fit for each other, we will happily add you to our network and, if something comes up, we will recommend you to customers who’s needs for customizations match with your skills.  

We do not want to take any commission – our gain is the happiness of our customers, when we can refer them to someone they can rely on for their further needs.

We’re looking forward to hearing from you!

Other changes and optimizations

  • loading animation to popups with images to help with DOM creation
  • change GPX files mimetype from text/gpx to application/gpx+xml to prevent upload/display issues since WordPress 4.7.1 (thx Thorsten!) 
  • updated HTML5 fullscreen and fullscreen-exit icon (thx P.J. Onori, http://somerandomdude.com!)
  • XLS(X) importer: increase compatibility by also supporting lat+lon values defined as text and with . or , as separator (thx Marius!)
  • optimized GPX URL error handling if URL is not found (show warnings on backend & console output on frontend, disallow GPX URL download)
  • loading indicator when clearing the list of markers search field
  • compatibility check for “WP Super Cache” debug output which can cause layer maps to break 
  • compatibility check for Admin Custom Login which causes the navigation on the settings page to break 
  • compatibility check for Fast Velocity Minify plugin 
  • compatibility check for theme Divi 3+ which can cause maps to break if option “Where to include Javascript files?” is set to footer
  • Autoptimize plugin compatibility check: also verify if option “Also aggregate inline JS?” is set (which is causing maps to break) 
  • enhanced permalink base URL compatibility check to suggest URL if site url ends with /wp/ 
  • increased timeout for license API fallback calls to prevent issues with registering free trial license keys 
  • updated EdgeBuffer plugin for pre-loading tiles beyond the edge of the visible map to v1.0.5 
  • updated es6-promise for IE11/Google Mutant to to v4.1.0 (fixing memory leak)
  • updated Leaflet.fullscreen markercluster codebase to v1.0.6
  • updated PUC (plugin update checker) to v4.1 including optimizations & compatibility fixes (thx Yahnis!) 
  • updated PUS (plugin update server) to v1.2 including optimizations & compatibility fixes (thx Yahnis!) 
  • code refactoring for improved structure, re-usability and sustainability (thx Thorsten!) 
  • email notification to free trial users 3 days before the free trial license key expires
  • finished migration to PHP 7.1 on www.mapsmarker.com for higher performance 
  • multisite/license settings page: show “domain to activate” feature on multisite subdomain installations only

Bugfixes

  • fix missing entries in layer filter with marker clustering disabled (thx Ole & Thorsten!) 
  • markers and layers could not be saved on iOS devices due to a bug in Safari´s datetime-local implementation (thx Natalia!)
  • window width on marker and layer edit pages could not be fully utilized on iOS devices (thx Natalia!)
  • ?highlightmarker= feature was broken on fullscreen view for multi-layer-maps (thx Ole!)
  • list of markers was not fully responsive if images larger than 440px in popuptexts were used (thx Georges!)
  • only dequeue Google Maps API scripts added by other plugins instead of deregistering them if related option is enabled (as this could break dependend scripts & plugins like WP GPX maps) 
  • compatibility check for “Permalink base URL” did not consider active multilingual plugins (thx Jan-Willelm!)
  • home control button on fullscreen layer maps with clustering was broken (thx Sven!) 
  • validity of export files could be broken by warning “cannot modify header information” if Stiphle based on wp-session is used 
  • paging on list all markers page on backend was broken if search was used (thx Thorsten!) 
  • prevent duplicate markers when exporting markers from multi-layer-maps to KML, GeoRSS & Wikitude (thx Eric & Thorsten!) 
  • fix infinite loading when requesting free trial key on specific browsers (thx Thorsten!) 
  • XLS export for marker and layer maps was broken if PHP 7.1+ is used 
  • added more specific JS selector for marker filter to prevent markers from being added to the wrong map, if multiple maps are displayed on the same page (thx Tino!) 
  • marker tooltips were not displayed if popuptext was empty (thx Oleg!) 
  • marker tooltips were not displayed for markers added directly via shortcode only 
  • incorrect paging on list all markers-page for search results 
  • duplicate layer functions did not duplicate filter settings (thx Thorsten!) 
  • marker clusters were always disabled on zoom level 0 even if related setting was empty (thx Thorsten!)
  • list of markers sort order was reversed after successful geolocation (thx Chris & Thorsten!)
  • marker edit page: prevent javascript error on markername change if popuptext is empty
  • fix wrong distances on list of markers when geolocating failed
  • paging for “list all layer”-search results on backend was broken

Security fixes

Since the start of our security bug bounty program on May 19th we have received several vulnerability reports – due to our attention on secure coding and 3 penetration tests in the last 4 years no severe or critical issues were found though. All but the first issue from the list below could only have been exploited by users with backend access – and in most cases with admin users only.

Some additional thoughts why those vulnerabilities were not detected by us so far, although we are doing regular security checks: the attack vector of an admin who e.g. inject malicious code into Maps Marker Pro settings was not completely covered by us so far, as such an attacker would have had direct access to theme or plugin files – making it much easier to e.g. inject malicious code or change database tables directly than to use Maps Marker Pro for Cross site scripting.

Nevertheless although the exploitability of the reported vulnerabilities is low, we take those reports seriously and fixed all of them respectively hardened our entire codebase to prevent future similar vulnerabilities.

  • Medium impact: XSS vulnerability for GPX download URL (thx to kiranreddy via hackerone) 
  • Medium impact: underprivileged backend users could add markers even if permission settings were set not to allow this (not exploitable with default permission settings – thx w31ha0 via hackerone)
  • Low impact: XSS vulnerabilities on marker & layer edit pages (thx to victemz via hackerone) 
  • Low impact: XSS vulnerabilities on marker & layer import log if malicious input file would be used (thx to kiranreddy via hackerone) 
  • Low impact: missing CSRF protection for free trial registration forms (thx to arall via hackerone) 
  • Low impact: CSRF and XSS vulnerabilities on tools page for change marker and layer ID functions (thx to r4s_team via hackerone) 
  • Low impact: command injection vulnerability in marker & layer export files (thx to kiranreddy via hackerone) 
  • Low impact: added brute-force-login protection for customer area on mapsmarker.com (thx to nooboy via hackerone) 
  • Low impact: improper “URL to GPX track” verification could lead to stored XSS (thx to pahan123 via hackerone) 
  • Low impact: stored XSS vulnerability on tools page only if Webapi is enabled (thx whitesector via hackerone) 
  • Low impact: stored XSS vulnerability for createdby and updatedby fields on backend 
  • Low impact: stored XSS vulnerability for custom default marker icon (thx whitesector via hackerone) 
  • Low impact: stored XSS vulnerability for QR code image size (only if Google is set as default QR code provider – thx whitesector via hackerone) 

Known issues

Geolocation feature does not work anymore with Google Chrome 50+, Safari 10+ and Firefox 55+ unless your site is securely accessible via https

With Chrome 50, Safari 10 and Firefox 55 significant changes to the geolocation support were introduced by the related browser vendors: all applications requesting the current position of the user (not just for Maps Marker Pro´s geolocation feature) are only allowed anymore to retrieve the current position of the user if the site is setup to be delivered securely via https – users will see the following or a similar warning instead:

geolocation-error-info

See more details about this decision by Google at https://developers.google.com/web/updates/2016/04/geolocation-on-secure-contexts-only. Geolocation will still work on non-https sites if the users access the site via alternative browsers like Firefox, Safari or Internet Explorer – anyway it could be likely that those browsers will also add a similar security restriction in the future.

Update November 2016: since iOS 10 also Safari 10+ now requires https to support geolocation. The implementation is even more strict than with Google Chrome – geolocation will not work for example if there are mixed-content warnings on your site.

Update 2017: Firefox 55+ also requires https for accessing geolocation (see details)

So if you need the Maps Marker Pro geolocation featue on your site, it is highly recommended to migrate your site to https. Some hosters already provide free https certificates from letsencrypt.org for example. For configurations needed within your WordPress site in order to configure it to support https, please have a look at tutorials like https://css-tricks.com/moving-to-https-on-wordpress/.

As https has more advantages for your site than just geolocation working again with Google Chrome 50+ and Safari 10+ (like securing the data integrity, sender authentication and user privacy as well as higher Google ranking as https is used as ranking signal), we strongly advise to switch your site to https only if you haven´t done so yet.

If you switched your site to https and still get a geolocation error (like “Geolocation error: user denied geolocation”), please check your device´s location settings if it is allowed for apps/web sites to retrieve the geolocation.

Translations updates

Thanks to many motivated contributors, this release includes the following updated translations:

If you want to contribute to translations (new Hindi translators would be appreciated!), please visit https://translate.mapsmarker.com/projects/lmm for more information.

Please note that translators are also compensated for their contribution – for example if a translation is finished less than 50%, the translator receives a free 25 licenses pack worth €249 as a compensation for completing the translation to 100%.

Outlook – plans for the next releases

We are currently working on a relaunch of our website www.mapsmarker.com which will also feature an updated knowledge base and documentation.

Please understand that we are not able to promise any release dates for new features. We are dynamically aligning our roadmap based on feedback from our users. Anyway we keep the flexibility to add optimizations and bugfixes with rather unplanned minor releases resulting mostly from users feedback.

Please subscribe to this blog (via RSS or Email) or follow @MapsMarker on twitter (= most current updates) if you want to stay up to date with the latest development news.

Full changelog

Changelog for version 3.1 - released on 08.07.2017 (release notes)

optimized performance for Google basemaps by enabling GoogleMutant Javascript library for all users
new widget "show latest marker map" (thx Thorsten!)
Bounty Hunters wanted! Find security bugs to earn cash and licenses - click here for more details
global basemap setting "nowrap": (if set to true, tiles will not load outside the world width instead of repeating, default: false)
list all markers page enhancement: dropdown added to filter markers by layer (thx Thorsten!)
loading animation to popups with images to help with DOM creation (thx Thorsten!)
compatibility check for "WP Super Cache" debug output which can cause layer maps to break
loading indicator when clearing the list of markers search field (thx Thorsten!)
compatibility check for Admin Custom Login which causes the navigation on the settings page to break
compatibility check for Fast Velocity Minify plugin
email notification to free trial users 3 days before the free trial license key expires
option "HTML filter for popuptexts" to prevent injection of malicious code - enabled by default (thx jackl via Maps Marker Pro´s hackerone bug bounty program)
Looking for developers to recommend to our clients for customizations - more details at mapsmarker.com/network
loading indicator for GeoJSON download and marker clustering (thx Thorsten!)
compatibility check for theme Divi 3+ which can cause maps to break if option "Where to include Javascript files?" is set to footer
enhanced permalink base URL compatibility check to suggest URL if site url ends with /wp/
increased timeout for license API fallback calls to prevent issues with registering free trial license keys
Autoptimize plugin compatibility check: also verify if option "Also aggregate inline JS?" is set (which is causing maps to break)
finished migration to PHP 7.1 on www.mapsmarker.com for higher performance
updated EdgeBuffer plugin for pre-loading tiles beyond the edge of the visible map to v1.0.5
updated es6-promise for IE11/Google Mutant to v4.1.0 (fixing memory leak)
updated Leaflet markercluster codebase to v1.0.6 (thx jfirebaugh!)
updated PUC (plugin update checker) to v4.1 including optimizations & compatibility fixes (thx Yahnis!)
updated PUS (plugin update server) to v1.2 including optimizations & compatibility fixes (thx Yahnis!)
code refactoring for improved structure, re-usability and sustainability (thx Thorsten!)
change GPX files mimetype from text/gpx to application/gpx+xml to prevent upload/display issues since WordPress 4.7.1 (thx Thorsten!)
optimized GPX URL error handling if URL is not found (show warnings on backend & console output on frontend, disallow GPX URL download)
updated HTML5 fullscreen and fullscreen-exit icon (thx P.J. Onori!)
multisite/license settings page: show "domain to activate" feature on multisite subdomain installations only
XLS(X) importer: increase compatibility by also supporting lat+lon values defined as text and with . or , as separator (thx Marius!)
only dequeue Google Maps API scripts added by other plugins instead of deregistering them if related option is enabled (as this could break dependend scripts & plugins like WP GPX maps)
compatibility check for "Permalink base URL" did not consider active multilingual plugins (thx Jan-Willelm!)
home control button on fullscreen layer maps with clustering was broken (thx Sven!)
validity of export files could be broken by warning "cannot modify header information" if Stiphle based on wp-session is used
paging on list all markers page on backend was broken if search was used (thx Thorsten!)
prevent duplicate markers when exporting markers from multi-layer-maps to KML, GeoRSS & Wikitude (thx Eric & Thorsten!)
fix infinite loading when requesting free trial key on specific browsers (thx Thorsten!)
XLS export for marker and layer maps was broken if PHP 7.1+ is used
added more specific JS selector for marker filter to prevent markers from being added to the wrong map, if multiple maps are displayed on the same page (thx Tino!)
marker tooltips were not displayed if popuptext was empty (thx Oleg!)
marker tooltips were not displayed for markers added directly via shortcode only
incorrect paging on list all markers-page for search results
duplicate layer functions did not duplicate filter settings (thx Thorsten!)
fix missing entries in layer filter with marker clustering disabled (thx Ole & Thorsten!)
markers and layers could not be saved on iOS devices due to a bug in Safari´s datetime-local implementation (thx Natalia!)
?highlightmarker= feature was broken on fullscreen view for multi-layer-maps (thx Ole!)
window width on marker and layer edit pages could not be fully utilized on iOS devices (thx Natalia!)
marker clusters were always disabled on zoom level 0 even if related setting was empty (thx Thorsten!)
list of markers sort order was reversed after successful geolocation (thx Chris & Thorsten!)
marker edit page: prevent javascript error on markername change if popuptext is empty
fix wrong distances on list of markers when geolocating failed
list of markers was not fully responsive if images larger than 440px in popuptexts were used (thx Georges!)
paging for "list all layer"-search results on backend was broken
Medium impact: XSS vulnerability for GPX download URL (thx to kiranreddy via Maps Marker Pro´s hackerone bug bounty program)
Medium impact: underprivileged backend users could add markers even if permission settings were set not to allow this (not exploitable with default permission settings - thx w31ha0 via Maps Marker Pro´s hackerone bug bounty program)
Low impact: XSS vulnerabilities on marker & layer edit pages (thx to victemz via Maps Marker Pro´s hackerone bug bounty program)
Low impact: XSS vulnerabilities on marker & layer import log if malicious input file would be used (thx to kiranreddy via Maps Marker Pro´s hackerone bug bounty program)
Low impact: missing CSRF protection for free trial registration forms (thx to arall via Maps Marker Pro´s hackerone bug bounty program)
Low impact: CSRF and XSS vulnerabilities on tools page for change marker and layer ID functions (thx to r4s_team via Maps Marker Pro´s hackerone bug bounty program)
Low impact: command injection vulnerability in marker & layer export files (thx to kiranreddy via Maps Marker Pro´s hackerone bug bounty program)
Low impact: added brute-force-login protection for customer area on mapsmarker.com (thx to nooboy via Maps Marker Pro´s hackerone bug bounty program)
Low impact: improper "URL to GPX track" verification could lead to stored XSS (thx to pahan123 via Maps Marker Pro´s hackerone bug bounty program)
Low impact: stored XSS vulnerability on tools page only if Webapi is enabled (thx whitesector via Maps Marker Pro´s hackerone bug bounty program)
Low impact: stored XSS vulnerability for createdby and updatedby fields on backend
Low impact: stored XSS vulnerability for custom default marker icon (thx whitesector via Maps Marker Pro´s hackerone bug bounty program)
Low impact: stored XSS vulnerability for QR code image size (only if Google is set as default QR code provider - thx whitesector via Maps Marker Pro´s hackerone bug bounty program)
updated Catalan translation thanks to Roc, Efraim Bayarri, Vicent Cubells and Marta Espinalt→ contribute
updated Chinese translation thanks to John Shen and ck→ contribute
updated German translation by Maps Marker Pro team and Daniel Luttermann→ contribute
updated Indonesian translation thanks to Andy Aditya Sastrawikarta & Emir Hartato and Phibu Reza→ contribute
updated Italian translation thanks to Luca Barbetti and Angelo Giammarresi→ contribute
updated Japanese translations thanks to Shu Higash and Taisuke Shimamoto→ contribute
updated Lithuanian translation thanks to Donatas Liaudaitis and Donatas Liaudaitis→ contribute
updated Russian translation thanks to Ekaterina Golubina (supported by Teplitsa of Social Technologies - http://te-st.ru) and Vyacheslav Strenadko, http://slavblog.ru→ contribute
updated Spanish translation thanks to David Ramí­rez, Alvaro Lara, Victor Guevara, Ricardo Viteri, Juan Valdes & Marta Espinalt and Fernando Coello→ contribute
updated Swedish translation thanks to Olof Odier, Tedy Warsitha, Dan Paulsson, Elger Lindgren, Anton Andreasson and Tony Lygnersjö→ contribute
Geolocation feature does not work anymore with Google Chrome 50+, iOS10+ and Firefox 55+ unless your site is securely accessible via https (details)

show all available changelogs

How to download / update

The easiest way to update is to use the WordPress update process: login with an user who has admin privileges, navigate to Dashboard / Updates, select plugins to update and press the button “Update Plugins”. The pro plugin checks every 24 hours if a new version is available. You can also manually trigger the update check by going to Plugins and clicking on the link “Manually check for updates” next to “Maps Marker Pro”:

manual-update-check

If you do not see the link “Check for updates” and are using a version below 1.7, please update manually once by downloading the current package from https://www.mapsmarker.com/download-pro and overwritting the existing plugin files on your server via FTP. This might be needed on several hosts, which use outdated SSL libraries, which prevent Maps Marker Pro from making a secure connection to retrieve the update package from mapsmarker.com. Pro v1.7 includes a workaround for those kind of servers and the following updates should work again as usual. If you are affected and need help, please open a support ticket.

How to verify the integrity of the plugin package

For the SHA-256 hash value and the number of files for this release please check the following file: https://www.mapsmarker.com/SHA256SUMS.txt

This file is digitally signed with our PGP key, key signature file available at https://www.mapsmarker.com/SHA256SUMS.txt.asc

Click here for a tutorial on how to verify the integrity of the plugin package (recommended if the plugin package for a new installation was not downloaded from https://www.mapsmarker.com – verification is not needed though if the automatic update process is used)

Additional update notes for beta tester

No additional actions on plugin update from beta to final version are required.