20061113

Which Definition Ought we to Use?

I tend to use the dictionary or technical definition for a term, and a lot of the time it gets me into trouble. I frequently have debates with Mrs. von Stuppe about terminology, where I'm using a more accurate definition, and she's assuming the more commonly-used term for it. And another example just came up with a co-worker.

The discussion with the co-worker was about the DOM. He wants to represent arbitrary data structures in memory (dynamically defining the structure) in a variety of languages. I told him that's what XML is for, and his response was that a lot of the arbitrary data structures would be on legacy systems that don't support XML or the files are in a non-XML format. I assumed that, and meant that, from the perspective of having a common nomenclature in memory in each of the target languages you hope to support, it would be easier to use DOM than trying to work it out to hashes, hash references, first-class objects, etc., etc. in each of the target languages. A debate then ensued because I assumed everybody in the world thought DOM was XML. But my friend has what is probably the more common understanding of what DOM is, which relates to manipulating HTML. Strangely, they're one and the same - DOM in terms of HTML is a means by which to manipulate the presentation by manipulating the underlying document tree. But I think there are so many misuses of the term that people's general understanding of DOM is that it's how you dynamically alter a web page.

Another example, but purely the reverse, is Cross-site Scripting. The term XSS is generally understood as any means of injecting something dynamically into a web page. However, the name "cross-site" implies that either the script came from another site, or it causes the user to do something on another site, neither one of which is the typical scenario. So I've gone to using the term "HTML Injection" or "Response Injection" or "Output Injection" because if I inject an <img> tag, it contains no script, and may not contain something cross-site. If I do a URL injection for an exit page, I've injected no script, either. And modern browsers are pretty good about disallowing things that happen cross-site; for example, I can't script an XMLHttpRequest on site A that communicates with site B. So "Cross-site" scripting is a bit of a misnomer - it's really just output injection (and sometimes, one of the things you can do with that is script somebody cross-site).
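The practical side of that naming point, as an added example that is not part of the original post: a control that only looks for script lets the <img> case through, while encoding at output covers it. All function names and sample values are constructed, and treating the exit-page URL as a redirect target checked against a host allowlist is an assumption.

```javascript
// Added illustration; function names and sample inputs are constructed.

// Defense that takes "scripting" literally: remove <script> elements only.
function stripScriptTags(input) {
  return input.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Defense that treats the problem as output injection: encode every HTML
// metacharacter at the point the value is written into the response.
function encodeForHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Exit-page case (assumed to be a redirect target): the value is a URL, so the
// relevant control is an allowlist of hosts, not HTML encoding.
function safeExitUrl(target, allowedHosts, fallback) {
  try {
    const url = new URL(target);
    const schemeOk = url.protocol === "https:" || url.protocol === "http:";
    return schemeOk && allowedHosts.includes(url.hostname) ? url.href : fallback;
  } catch {
    return fallback; // not an absolute URL: use the known-good page
  }
}

// Hypothetical template: one <p> element with a user-supplied name inside.
function renderGreeting(name, sanitize) {
  return `<p>Hello, ${sanitize(name)}</p>`;
}

// True when the response contains an element the template did not write.
function hasInjectedElement(html) {
  return /<(?!\/?p\b)[a-z]/i.test(html);
}

// Constructed inputs: no script anywhere in the first one.
const IMG_INPUT = '<img src="https://other.example/banner.png">';
const SCRIPT_INPUT = "<script>alert(1)</script>";

console.log(hasInjectedElement(renderGreeting(SCRIPT_INPUT, stripScriptTags))); // false
console.log(hasInjectedElement(renderGreeting(IMG_INPUT, stripScriptTags)));    // true
console.log(hasInjectedElement(renderGreeting(IMG_INPUT, encodeForHtml)));      // false
console.log(safeExitUrl("https://other.example/landing", ["www.example.com"], "/"));
```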

So which is right? I thought the reason we had dictionaries was so that people would have a common vernacular. I guess this is why when you have a true UFL or NFL (forensics, not football) debate, one very important aspect of 1AC (first affirmative construction) is to define the terms you'll be using, so there's no confusion.
