Directions deeplinks use stored coordinates, not address string

ab-001052 · directory-map-location.directions.deeplink-coordinates

Severity: lowactive

Why it matters

A directions deeplink that passes an address string instead of stored coordinates requires the maps app to re-geocode the address on the user's device. This introduces latency, geocoding ambiguity (a common street name in multiple cities can resolve to the wrong location), and dependency on network availability. CWE-682 (Incorrect Calculation) applies when coordinates are derived from address at deeplink-construction time instead of retrieved from storage. Schema.org GeoCoordinates exists precisely to make precise lat/lng available for machine consumption — ignoring it in favor of address string passing defeats the purpose of storing coordinates at all.

Severity rationale

Low because address-based deeplinks often work, but introduce geocoding ambiguity and unnecessary latency that can send users to the wrong destination.

Remediation

Use the stored latitude and longitude values directly in deeplink construction. Never use the address string as the deeplink destination parameter.

// CORRECT: stored coordinates
const deeplink = `https://maps.google.com/?daddr=${listing.latitude},${listing.longitude}`;

// WRONG: address string — forces re-geocoding with ambiguity risk
const deeplink = `https://maps.google.com/?daddr=${encodeURIComponent(listing.address)}`;

In src/components/ListingDetail.tsx (or equivalent), confirm that the directions link reads from listing.latitude / listing.longitude fields, not listing.address. If those fields are not currently included in the listing query, add them to the select — they should already be in the database per directory-map-location.map-rendering.coordinates-stored-explicit.

Detection

ID: deeplink-coordinates
Severity: low
What to look for: Examine the deeplink construction in the "Get Directions" button or link. Check whether the deeplink uses lat,lng parameters or address parameters. Verify that coordinates come from the stored database values, not derived from the address text.
Pass criteria: Directions deeplinks use stored lat/lng coordinates (e.g., maps://maps.apple.com/?daddr=40.7128,-74.0060). Enumerate all deeplink construction sites and confirm at least 100% use stored coordinates rather than address strings. Coordinates are never derived from address text.
Fail criteria: Deeplink uses address text or address parsing. Coordinates are not used, or are computed at render time. A deeplink that concatenates the address into the URL does not count as pass.
Skip (N/A) when: No directions feature exists or the platform links to external maps only.
Detail on fail: "Directions deeplink uses address parameter instead of coordinates; relies on maps app to geocode the address" or "Deeplink constructs coordinates from address string at render time"

Remediation: Always use stored coordinates:

// GOOD: Uses stored coordinates
const deeplink = `maps://maps.apple.com/?daddr=${listing.latitude},${listing.longitude}`;

// BAD: Uses address string
const deeplink = `maps://maps.apple.com/?daddr=${encodeURIComponent(listing.address)}`;

External references

cwe · CWE-682 — Incorrect Calculation — directions deeplink geocodes address at render time instead of using stored coordinates
schema-org · GeoCoordinates — schema.org GeoCoordinates — latitude/longitude as typed structured data rather than address strings

Taxons

data-integrity

History

2026-04-18·v1.0.0·Initial import from directory-map-location·automated

Why it matters

Remediation

Use the stored latitude and longitude values directly in deeplink construction. Never use the address string as the deeplink destination parameter.

// CORRECT: stored coordinates
const deeplink = `https://maps.google.com/?daddr=${listing.latitude},${listing.longitude}`;

// WRONG: address string — forces re-geocoding with ambiguity risk
const deeplink = `https://maps.google.com/?daddr=${encodeURIComponent(listing.address)}`;

Detection

ID: deeplink-coordinates
Severity: low
What to look for: Examine the deeplink construction in the "Get Directions" button or link. Check whether the deeplink uses lat,lng parameters or address parameters. Verify that coordinates come from the stored database values, not derived from the address text.
Pass criteria: Directions deeplinks use stored lat/lng coordinates (e.g., maps://maps.apple.com/?daddr=40.7128,-74.0060). Enumerate all deeplink construction sites and confirm at least 100% use stored coordinates rather than address strings. Coordinates are never derived from address text.
Fail criteria: Deeplink uses address text or address parsing. Coordinates are not used, or are computed at render time. A deeplink that concatenates the address into the URL does not count as pass.
Skip (N/A) when: No directions feature exists or the platform links to external maps only.
Detail on fail: "Directions deeplink uses address parameter instead of coordinates; relies on maps app to geocode the address" or "Deeplink constructs coordinates from address string at render time"

Remediation: Always use stored coordinates:

// GOOD: Uses stored coordinates
const deeplink = `maps://maps.apple.com/?daddr=${listing.latitude},${listing.longitude}`;

// BAD: Uses address string
const deeplink = `maps://maps.apple.com/?daddr=${encodeURIComponent(listing.address)}`;