Helpers

Helpers are functions intended for use in templates. They assist with common HTML and text manipulation, provide higher-level constructs such as an HTML tag builder (which safely escapes the variables it interpolates), and supply advanced functionality such as pagination of data sets.

The majority of the helpers available in Pylons are provided by the webhelpers package. Some helpers also have a controller-side counterpart that checks what the template side produced: the secure_form_tag() helper used in templates, for example, pairs with the authenticate_form() decorator used in controllers.

To make individual helpers available for use in templates under h, import the appropriate functions in lib/helpers.py. Everything defined in or imported into that module is then available under h, just like any other module reference.

By customizing the lib/helpers.py module you can quickly add custom functions and classes for use in your templates.

Helper functions are organized into modules by theme. All HTML generators are under the webhelpers.html package, except for a few third-party modules which live directly under webhelpers. The webhelpers modules are separately documented; see webhelpers.

Secure Form Tag Helpers

These helpers exist to prevent Cross-Site Request Forgery (CSRF) attacks. They generate form tags that include a per-session authentication token, which the receiving web application verifies.

The token is stored in the client’s session. When the form is submitted, the application compares the token carried in the request with the value held in the session. A match shows that the request was produced by a page the application itself rendered for that session: a third-party site can make the victim’s browser submit a form, but it cannot read the token to include in the forged request. See the Wikipedia entry for Cross-site request forgery for more background.

Pylons provides an authenticate_form decorator that performs this verification on behalf of controller actions.

These helpers depend on Pylons’ session object; most of them can be ported to another framework by changing those session API calls.

The helpers are deliberately small, so it is easy to build your own variants on them, for example to carry the token in AJAX requests instead of a hidden form field.

authentication_token() returns the current authentication token, creating one and storing it in the session if it doesn’t already exist.

auth_token_hidden_field() creates a hidden field containing the authentication token.

secure_form() is form() plus auth_token_hidden_field().
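As an added illustration of how the three helpers and the authenticate_form decorator fit together, here is a self-contained Python version written for this page; it is not the webhelpers or Pylons implementation. A plain dict stands in for the Pylons session object, and the field name _authentication_token, the verify_request() helper, the Forbidden exception and the request dicts built in demo() are assumptions made for the example.

```python
"""Added example (not webhelpers' or Pylons' own code): CSRF token helpers
shaped like the secure_form helpers described above, plus a decorator in
the spirit of authenticate_form, written against a dict standing in for
the Pylons session object."""
import hmac
import secrets
from html import escape

SESSION_KEY = "_authentication_token"   # assumed name for session key and form field


def authentication_token(session):
    """Return the session's token, creating and storing one if it does not exist."""
    token = session.get(SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)   # unpredictable, one per session
        session[SESSION_KEY] = token
    return token


def auth_token_hidden_field(session):
    """Hidden <input> carrying the token; the value is HTML-escaped on output."""
    return '<input type="hidden" name="%s" value="%s" />' % (
        SESSION_KEY, escape(authentication_token(session), quote=True))


def form(url, method="post"):
    """Opening <form> tag with escaped attribute values."""
    return '<form action="%s" method="%s">' % (
        escape(url, quote=True), escape(method, quote=True))


def secure_form(session, url, method="post"):
    """form() plus auth_token_hidden_field(), as described on this page."""
    return form(url, method) + auth_token_hidden_field(session)


def verify_request(session, params):
    """Server-side check: does the submitted token match the session's token?

    No token in the session means no form was ever rendered for this client,
    so the request is rejected rather than silently accepted. The comparison
    is constant-time to avoid leaking how many leading bytes matched.
    """
    expected = session.get(SESSION_KEY)
    submitted = params.get(SESSION_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


class Forbidden(Exception):
    """Assumed stand-in for aborting the request with HTTP 403."""


def authenticate_form(action):
    """Decorator: run the action only when the request's token verifies."""
    def wrapper(session, params):
        if not verify_request(session, params):
            raise Forbidden(403)
        return action(session, params)
    return wrapper


@authenticate_form
def update_profile(session, params):
    """A protected controller action (illustrative)."""
    return "updated %s" % params.get("name", "")


def demo():
    """Constructed requests: one legitimate, one with a forged token, one with none."""
    session = {}
    secure_form(session, "/profile/update")      # rendering the form creates the token
    token = session[SESSION_KEY]
    legit = {SESSION_KEY: token, "name": "alice"}
    forged = {SESSION_KEY: secrets.token_urlsafe(32), "name": "mallory"}
    missing = {"name": "mallory"}
    results = {"legit": update_profile(session, legit)}
    for label, params in (("forged", forged), ("missing", missing)):
        try:
            update_profile(session, params)
            results[label] = "accepted"
        except Forbidden:
            results[label] = "rejected"
    return results
```

Two points worth noting in the example: the token is only meaningful once the session holds one, so a request that arrives before any form was rendered for that session is refused rather than treated as trivially valid, and the comparison uses hmac.compare_digest so that a wrong token takes the same time to reject regardless of how many leading characters it shares with the real one.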