/ 
Mojolicious-1.34
⭐ Starred 2674
/ Mojolicious::Controller
Security Advisories (9)
CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies.  An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

NAME

Mojolicious::Controller - Controller Base Class

SYNOPSIS

use Mojo::Base 'Mojolicious::Controller';

DESCRIPTION

Mojolicious::Controller is the base class for your Mojolicious controllers. It is also the default controller class for Mojolicious unless you set controller_class in your application.

ATTRIBUTES

Mojolicious::Controller inherits all attributes from Mojo::Base and implements the following new ones.

app

my $app = $c->app;
$c      = $c->app(Mojolicious->new);

A reference back to the Mojolicious application that dispatched to this controller.

match

my $m = $c->match;

A Mojolicious::Routes::Match object containing the routes results for the current request.

tx

my $tx = $c->tx;

The transaction that is currently being processed, defaults to a Mojo::Transaction::HTTP object.

METHODS

Mojolicious::Controller inherits all methods from Mojo::Base and implements the following new ones.

$c         = $c->cookie(foo => 'bar');
$c         = $c->cookie(foo => 'bar', {path => '/'});
my $value  = $c->cookie('foo');
my @values = $c->cookie('foo');

Access request cookie values and create new response cookies.

finish

$c->finish;

Gracefully end WebSocket connection.

flash

my $flash = $c->flash;
my $foo   = $c->flash('foo');
$c        = $c->flash({foo => 'bar'});
$c        = $c->flash(foo => 'bar');

Data storage persistent for the next request, stored in the session.

$c->flash->{foo} = 'bar';
my $foo = $c->flash->{foo};
delete $c->flash->{foo};

on_finish

$c->on_finish(sub {...});

Callback signaling that the transaction has been finished.

$c->on_finish(sub {
  my $self = shift;
});

on_message

$c = $c->on_message(sub {...});

Receive messages via WebSocket, only works if there is currently a WebSocket connection in progress.

$c->on_message(sub {
  my ($self, $message) = @_;
});

param

my @names = $c->param;
my $foo   = $c->param('foo');
my @foo   = $c->param('foo');
$c        = $c->param(foo => 'ba;r');

Access GET/POST parameters and route captures.

# Only GET parameters
my $foo = $c->req->url->query->param('foo');

# Only GET and POST parameters
my $foo = $c->req->param('foo');

redirect_to

$c = $c->redirect_to('named');
$c = $c->redirect_to('named', foo => 'bar');
$c = $c->redirect_to('/path');
$c = $c->redirect_to('http://127.0.0.1/foo/bar');

Prepare a 302 redirect response, takes the exact same arguments as url_for.

return $c->redirect_to('login') unless $c->session('user');

render

$c->render;
$c->render(controller => 'foo', action => 'bar');
$c->render({controller => 'foo', action => 'bar'});
$c->render(text => 'Hello!');
$c->render(template => 'index');
$c->render(template => 'foo/index');
$c->render(template => 'index', format => 'html', handler => 'epl');
$c->render(handler => 'something');
$c->render('foo/bar');
$c->render('foo/bar', format => 'html');

This is a wrapper around Mojolicious::Renderer exposing pretty much all functionality provided by it. It will set a default template to use based on the controller and action name or fall back to the route name. You can call it with a hash of options which can be preceded by an optional template name. It will also run the before_render plugin hook.

render_data

$c->render_data($bits);
$c->render_data($bits, format => 'png');

Render the given content as raw bytes, similar to render_text but data will not be encoded.

render_exception

$c->render_exception('Oops!');
$c->render_exception(Mojo::Exception->new('Oops!'));

Render the exception template exception.html.$handler and set the response status code to 500.

render_inner

my $output = $c->render_inner;
my $output = $c->render_inner('content');
my $output = $c->render_inner(content => 'Hello world!');
my $output = $c->render_inner(content => sub { 'Hello world!' });

Contains partial rendered templates, used for the renderers layout and extends features.

render_json

$c->render_json({foo => 'bar'});
$c->render_json([1, 2, -3]);

Render a data structure as JSON.

render_later

$c->render_later;

Disable auto rendering, especially for long polling this can be quite useful.

$c->render_later;
Mojo::IOLoop->timer(2 => sub {
  $c->render(text => 'Delayed by 2 seconds!');
});

render_not_found

$c->render_not_found;
$c->render_not_found($resource);

Render the not found template not_found.html.$handler and set the response status code to 404.

render_partial

my $output = $c->render_partial('menubar');
my $output = $c->render_partial('menubar', format => 'txt');

Same as render but returns the rendered result.

render_static

$c->render_static('images/logo.png');
$c->render_static('../lib/MyApp.pm');

Render a static file using Mojolicious::Static relative to the public directory of your application.

render_text

$c->render_text('Hello World!');
$c->render_text('Hello World', layout => 'green');

Render the given content as Perl characters, which will be encoded to bytes. See render_data for an alternative without encoding. Note that this does not change the content type of the response, which is text/html;charset=UTF-8 by default.

$c->render_text('Hello World!', format => 'txt');

rendered

$c->rendered;

Finalize response and run after_dispatch plugin hook.

req

my $req = $c->req;

Alias for $c->tx->req. Usually refers to a Mojo::Message::Request object.

res

my $res = $c->res;

Alias for $c->tx->res. Usually refers to a Mojo::Message::Response object.

send_message

$c = $c->send_message('Hi there!');
$c = $c->send_message('Hi there!', sub {...});

Send a message via WebSocket, only works if there is currently a WebSocket connection in progress.

session

my $session = $c->session;
my $foo     = $c->session('foo');
$c          = $c->session({foo => 'bar'});
$c          = $c->session(foo => 'bar');

Persistent data storage, by default stored in a signed cookie. Note that cookies are generally limited to 4096 bytes of data.

$c->session->{foo} = 'bar';
my $foo = $c->session->{foo};
delete $c->session->{foo};
$c         = $c->signed_cookie(foo => 'bar');
$c         = $c->signed_cookie(foo => 'bar', {path => '/'});
my $value  = $c->signed_cookie('foo');
my @values = $c->signed_cookie('foo');

Access signed request cookie values and create new signed response cookies. Cookies failing signature verification will be automatically discarded.

stash

my $stash = $c->stash;
my $foo   = $c->stash('foo');
$c        = $c->stash({foo => 'bar'});
$c        = $c->stash(foo => 'bar');

Non persistent data storage and exchange.

$c->stash->{foo} = 'bar';
my $foo = $c->stash->{foo};
delete $c->stash->{foo};

ua

my $ua = $c->ua;

A Mojo::UserAgent prepared for the current environment.

# Blocking
my $tx = $c->ua->get('http://mojolicio.us');
my $tx = $c->ua->post_form('http://kraih.com/login' => {user => 'mojo'});

# Non-blocking
$c->ua->get('http://mojolicio.us' => sub {
  my $tx = pop;
  $c->render_data($tx->res->body);
});

url_for

my $url = $c->url_for;
my $url = $c->url_for(controller => 'bar', action => 'baz');
my $url = $c->url_for('named', controller => 'bar', action => 'baz');
my $url = $c->url_for('/perldoc');
my $url = $c->url_for('http://mojolicio.us/perldoc');

Generate a portable Mojo::URL object with base for a route, path or URL.

write

$c->write;
$c->write('Hello!');
$c->write(sub {...});
$c->write('Hello!', sub {...});

Write dynamic content matching the corresponding Content-Length header chunk wise, the optional drain callback will be invoked once all data has been written to the kernel send buffer or equivalent.

$c->res->headers->content_length(6);
$c->write('Hel');
$c->write('lo!');

write_chunk

$c->write_chunk;
$c->write_chunk('Hello!');
$c->write_chunk(sub {...});
$c->write_chunk('Hello!', sub {...});

Write dynamic content chunk wise with the chunked Transfer-Encoding which doesn't require a Content-Length header, the optional drain callback will be invoked once all data has been written to the kernel send buffer or equivalent.

$c->write_chunk('Hel');
$c->write_chunk('lo!');
$c->write_chunk('');

An empty chunk marks the end of the stream.

3
Hel
3
lo!
0

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicio.us.