arrange-act-assert pattern. A common pattern employed when writing unit tests. Its purpose is to make a clear distinction between the setup for the test, the action that is to be tested, and evaluation of the results. In most unit tests the arrange-act-assert occur in the order of arrange, act, and then assert. However, when unit testing JavaScript it is common to define the assert in a callback function that may be defined before the act.

authentication provider. The party responsible for validating a user's credentials and issuing a token that can be used to access other sites. This is the web site you visit to do the actual authentication.

content injection. In a web application that accepts data input from users, content injection refers to the act of an attacker attempting to insert HTML or client script content that will be processed by a client browser, or SQL commands that the server may process. If successful, content injection of HTML or client scripts will cause the website to behave undesirably for any user that views the injected content because it's being processed by their browser as legitimate HTML or client script. Content injection can result in many undesirable effects, such as causing parts of a web page to disappear, diverting user requests to a malicious location, or allowing an attacker to eavesdrop. SQL injection does not affect the client browser, but if a web application accepts user input and uses it to dynamically create a SQL query without verifying the content, an attacker can inject syntax into the SQL query to manipulate the database and even the database server if it's not locked down properly. This type of attack can lead to deleted data, dropped databases, or even allow operating system commands to run as if you were typing them at the command line.

closures. A JavaScript feature that ensures that an inner function always has access to the variables and parameters of its outer function, even after the outer function has returned. For a good explanation of closures, see "A Graphical Explanation of JavaScript Closures in a jQuery Context" by Ben Nadel at

cross-site scripting (XSS). An attack whereby scripts from a malicious source are executed on a client browser as part of a trusted web page. Websites that build pages with data elements originating from other sources, such as user input or shared databases, are vulnerable to XSS attacks.

cross-site request forgery (CSRF). An attack in which a client browser is manipulated into performing malicious actions on a server with which the client has some form of trusted relationship through authentication, HTTPS, or IP filtering. An attacker embeds a link or a script in a piece of untrusted content that does something on the trusted site to which the user is currently authenticated. A simple example is an image element embedded in an HTML email that includes a URL query string, which performs a malicious action. If users click the image, they unknowingly initiate the act on the site where they are authenticated.

data- attributes. HTML5 attributes that provide metadata for HTML elements. They can be used to provide additional information for the JavaScript application, and provide a mechanism for selecting HTML elements via JavaScript without negatively impacting the page's visual design.

Data Model. An object that represents an entity built for data storage services. These are not available for use outside the boundaries of the application and are often encapsulated behind a services layer.

Domain Model. An object that represents an entity in the problem domain, which may also be annotated or extended to support some application features such as validation or authentication. Because these models need to be shared between the server and client browser, they are sometimes contained within view models and used directly for data-binding in HTML forms. Application models and service models are variations of domain models.

eavesdropping. Exploiting a web application using a network data capture utility to find and record HTTP requests and responses between a website and a client. Eavesdropping can lead to disclosure of sensitive information such as passwords, personal, or financial information, and can potentially allow the execution of spoofing, tampering and message replay attacks.

flow diagram. A diagram that defines the pages in the site, actions available on those pages, and navigation between pages. This diagram reflects the user stories identified in the requirements.

Forms authentication. Forms authentication enables user and password validation for web applications that do not require Windows authentication.

Form Model. An entity that represents all of the fields in an HTML form that is specific to a controller action. It contains only the data that is passed into the action. Generally, this corresponds to whatever form is posting back to the server. Form Models (sometimes called Request Models) are a special case of View Models. View Models are more generic in that they may also include additional data needed to render a page. A Form Model might end up being a property on another View Model.

fragment identifier. The portion of a URL identified by the hash (#). With regard to browser navigation, hyperlinks include them to make the hyperlink unique. When used in conjunction with the hashchange event, page content is able to change without performing a full-page reload.

full-page reload. When a user operation such as clicking a hyperlink causes the browser to load an entirely new page from the server. This is in contrast to using Ajax to request data from the server so the client-side JavaScript can update only the parts of the page that should change.

functional mockup. Functioning HTML pages that include CSS and possibly JavaScript. These pages are autonomous and don't yet interact with the server and use fake data when needed. They give you the chance to balance browser capabilities with HTML, CSS, images, and JavaScript before integrating the pages with the server-side implementation.

given-when-then template. A helpful template for defining acceptance criteria that include the context of the test (given), the action being tested (when), and the expected outcome (then). This template provides clear and concise documentation that can be understood by team members and can be used to generate both manual and automated test scripts.

hybrid-design web application. Web application with the same characteristics as the server-rendered web application, except that it relies heavily on client-side JavaScript to deliver an engaging experience. This type of application has pages that act as islands of interactivity that do not require full-page reloads as well as pages that do require a full-page reload. Mileage Stats is an example of a hybrid design.

integrator. A role on the team building a web application that is responsible for combining the images, HTML, CSS, and JavaScript with the server-side technologies in a way that closely represents the final implementation. The person responsible for this role may not be a specialist in design or development, but has a solid grasp of all technologies involved.

jQuery selectors. A syntactical aspect of jQuery that allows you to select all DOM elements based on specific criteria (tag name, id, attribute name, value, and more). Once the selection is made, jQuery is used to operate on the selected elements.

jQuery templates. HTML markup with inline JavaScript expressions that are used to populate values in the markup. The jQuery Template plug-in applies data to the template and renders the output into the DOM.

Jump List. List of commonly used tasks and destinations, enabling easy user access to destinations by eliminating the need to launch the browser and then load the relevant content. Also allows users to perform common tasks without launching the web application in advance. This is a feature of Windows® Internet Explorer® 9.

JSON hijack. If an attacker gets a user to click on a malicious link that makes a JavaScript Object Notation (JSON) request via HTTP GET and that request returns a JSON array, the attacking code within the link may gain access to the contents of the array in the response, which may become accessible to the attacker.

malicious input. Bad data that causes your system to behave undesirably and/or corrupts data.

message replay attack. An attack that alters the contents of a captured HTTP request and re-submits it to the website.

message tampering. When an attacker maliciously alters the content of request and/or response messages flowing between two parties across a network. For example, if a customer submits an order for 100 widgets to an online merchant, an attacker might alter the order request to order 10,000 widgets instead. Message tampering can be part of a message replay attack or a man-in-the-middle attack.

mock. The typical strategy for isolating your component under test is to supply an alternative component or function that the component calls instead of supplying the real component. These alternative components may also be referred to as fakes, doubles, or stubs.

mockup. A visual representation that shows what the site will eventually look like. Mockups contain details such as typography, color, gradients, images, and transparency, but no functionality. Mockups should communicate all necessary details of the UI. To do so, multiple mockups for a single page may be required to convey details of the different states of the application.

mood board. A visual collage made up of images and color palettes from a variety of sources that communicate the emotional connection the application aims to have with the users.

persona. A representation of a particular type of user the team can identify with. A persona is a user in context that embodies work style, role, motivation, skills, and goals. If you have a complicated or large application, some features might target multiple personas.

pinned site. A feature of Windows Internet Explorer 9 that integrates your website with the Windows 7 desktop. Pinned sites enable easy access to favorite websites and add shortcut functionality similar to shortcuts in Microsoft® Windows applications. With pinned sites enabled for a website, users can pin the site to the Windows 7 taskbar or add the site to the desktop or Start menu. With this feature, you can add site metadata, create custom jump lists, notification icons, and Thumbnail Preview toolbar controls for the websites you develop.

polyfill. Polyfills and shims consist of JavaScript, HTML, and CSS code that helps to provide the technology and functionality that you expect the browser to provide natively. In simple terms, they provide support for missing features. With polyfills, the code tries to replicate the real, standards-based API, making it easier to port your applications once a standard feature is included in a future version of a browser. This makes it easier to "future-proof" your code since you shouldn't have to change anything for the new feature to work. For more information about polyfills, see "Making HTML4 and CSS3 work with polyfills and shims" by Rey Bango in .net magazine at

Plain Old CLR Object (POCO). Refers to a class in the Microsoft .NET Framework that does not have any dependencies on external libraries such as the Entity Framework. For example, if a class inherits from a base class provided in an external library, it is not a POCO.

progressive enhancement. Adds features to the client-side experience based on browser capabilities.

prototype. A prototype is a JavaScript object from which other objects inherit their members. Every object has a prototype and any object can be used as a prototype for creating new objects. For more information on prototypes, see "Prototypes and Inheritance in JavaScript" by Scott Allen on Script Junkie at

Publish/Subscribe pattern (pub/sub). A messaging pattern that enables loose communication between publishers and subscribers. A pub/sub object manages communication, relieving the publishers and subscribers from having direct knowledge of one another.

relying party. The party trying to validate a user based on a security token that was issued by an authentication provider.

repository. A set of interfaces and implementations providing methods for data access.

Repository pattern. This pattern assists the data model in separating data storage concerns from the application logic. The interfaces do not expose any data storage-specific types and the implementation classes use them. You can choose how many repositories to create based on how granular you want to factor the methods and the expected data access pattern from your application.

rule of thirds. This is a rule of thumb for visual composition that states that an image should be imagined as divided into nine equal parts by two equally-spaced horizontal lines and two equally-spaced vertical lines. Important compositional elements should be placed along these lines or their intersections.

safe list. A list that limits input by only allowing what is known to be valid. The advantage of safe lists is that anything that falls outside of the valid set of characters is not allowed.

salt. A salt is a value combined with a cryptographic key to make the output of an encryption algorithm more random and less susceptible to attack.

sandboxing. Technique that allows components of the application to be tested before the entire application is complete. It also makes testing more robust by preventing software defects in one module from blocking or affecting the testing of other modules.

server rendered web application. Web application where the server dynamically assembles each page from one or more source files and incorporates data and calculated values during the rendering. The client-side script in these applications might perform some data validation or simple hover effects, but few Ajax calls. As each page is navigated to, the browser performs a full-page reload. ASP.NET applications that don't make heavy use of client-side JavaScript are examples of server rendered web applications.

Single-Page Interface (SPI) pattern. A pattern for web applications that reduces the number of full-page reloads during user navigation. When a user performs an action, such as selecting a hyperlink, which traditionally requires the site to load a new web page, the application instead modifies the current web page without reloading it.

single-page interface web application. Web application where the user is only required to perform a full-page load once. From that point on, all page changes and data loading is performed without a full-page reload. Hotmail, Office Live, and Twitter are examples of single-page interface web applications.

shim. Polyfills and shims consist of JavaScript, HTML, and CSS code that helps to provide the technology and functionality that you expect the browser to provide natively. In simple terms, they provide support for missing features. Shims offer features that are not available in the standard implementation and no polyfill is available. For more information about shims, see "Making HTML4 and CSS3 work with polyfills and shims" by Rey Bango in .net magazine at

sliding expiration. A pre-determined amount of time where an authenticated user can use the site. The amount of time is reset whenever the user makes a new request to the server. The advantage of using a sliding expiration is that it does not force the user to authenticate again if he or she maintains a reasonable level of activity in the application. Otherwise, the user would be redirected to the authentication page after a fixed amount of time had elapsed after the initial authentication.

static web application. Web sites consisting of static HTML pages, CSS, and images. As each page is navigated to, the browser performs a full-page reload.

structure. The HTML of the page as it relates to the hierarchy of elements that make up the page, rather than the visual appearance or layout of the UI.

topic. The message between the publisher and subscriber in a pub/sub environment. This message, also often referred to as an event, represents the contract between the sender and receiver, and is made up of a name and an optional message body.

user gestures. A specific action that a user takes in order to interact with an application. Traditionally, gestures include mouse clicks and keys presses. However, many modern applications also employ interactions in which a user acts more directly on an application. For example, they may touch a screen to swipe, pinch, or pull content.

ViewBag. The name/value keyed collection that lets you store any loosely typed data. ASP.NET MVC 3 introduced the ViewBag (called ViewData in previous versions) in addition to View.Model.

View Models. Models contained within the MVC application which are built solely for a view to data-bind against. They often follow the same composition hierarchy as the views and partial views.

widget. An object attached to a page element that supplies services for managing lifetime, state, inheritance, theming, and communication with other widgets or JavaScript objects. A widget is a jQuery plug-in.

widget method. The method that represents the primary interface for applying the widget to elements and using the widget after it's applied. The widget method is named after the name of the widget.

wireframe. A diagram that depicts rough placement of the text, data, and basic controls of a UI. These diagrams are tools used to help organize the page's information. A wireframe does not show details of the page.

wrapped set. A wrapped set is the result of a query that uses a jQuery selector to find elements in the DOM. To call a method on a wrapped set of elements, a selector is used to select elements in the DOM. For example, to add the listing CSS class to all ul elements directly inside a div element, you can use $('div ul').addClass('listing').