/ 
Mojolicious-2.21
⭐ Starred 2674
/ Mojolicious
Security Advisories (10)
CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

NAME

Mojolicious - Real-time web framework

SYNOPSIS

# Application
package MyApp;
use Mojo::Base 'Mojolicious';

# Route
sub startup {
  my $self = shift;
  $self->routes->get('/hello')->to('foo#hello');
}

# Controller
package MyApp::Foo;
use Mojo::Base 'Mojolicious::Controller';

# Action
sub hello {
  my $self = shift;
  $self->render_text('Hello World!');
}

DESCRIPTION

Take a look at our excellent documentation in Mojolicious::Guides!

ATTRIBUTES

Mojolicious inherits all attributes from Mojo and implements the following new ones.

controller_class

my $class = $app->controller_class;
$app      = $app->controller_class('Mojolicious::Controller');

Class to be used for the default controller, defaults to Mojolicious::Controller.

mode

my $mode = $app->mode;
$app     = $app->mode('production');

The operating mode for your application, defaults to the value of the MOJO_MODE environment variable or development. You can also add per mode logic to your application by defining methods named ${mode}_mode in the application class, which will be called right before startup.

sub development_mode {
  my $self = shift;
  ...
}

sub production_mode {
  my $self = shift;
  ...
}

Right before calling startup and mode specific methods, Mojolicious will pick up the current mode, name the log file after it and raise the log level from debug to info if it has a value other than development.

on_process

my $process = $app->on_process;
$app        = $app->on_process(sub {...});

Request processing callback, defaults to calling the dispatch method. Generally you will use a plugin or controller instead of this, consider it the sledgehammer in your toolbox.

my $next = $app->on_process;
$app->on_process(sub {
  my ($self, $c) = @_;
  return $c->render(text => 'Hello world!')
    if $c->req->url->path->contains('/hello');
  $self->$next($c);
});

plugins

my $plugins = $app->plugins;
$app        = $app->plugins(Mojolicious::Plugins->new);

The plugin loader, defaults to a Mojolicious::Plugins object. You can usually leave this alone, see Mojolicious::Plugin if you want to write a plugin or the plugin method below if you want to load a plugin.

renderer

my $renderer = $app->renderer;
$app         = $app->renderer(Mojolicious::Renderer->new);

Used in your application to render content, defaults to a Mojolicious::Renderer object. The two main renderer plugins Mojolicious::Plugin::EPRenderer and Mojolicious::Plugin::EPLRenderer contain more information.

routes

my $routes = $app->routes;
$app       = $app->routes(Mojolicious::Routes->new);

The routes dispatcher, defaults to a Mojolicious::Routes object. You use this in your startup method to define the url endpoints for your application.

sub startup {
  my $self = shift;

  my $r = $self->routes;
  $r->route('/:controller/:action')->to('test#welcome');
}

secret

my $secret = $app->secret;
$app       = $app->secret('passw0rd');

A secret passphrase used for signed cookies and the like, defaults to the application name which is not very secure, so you should change it!!! As long as you are using the unsecure default there will be debug messages in the log file reminding you to change your passphrase.

sessions

my $sessions = $app->sessions;
$app         = $app->sessions(Mojolicious::Sessions->new);

Simple signed cookie based sessions, defaults to a Mojolicious::Sessions object. You can usually leave this alone, see "session" in Mojolicious::Controller for more information about working with session data.

static

my $static = $app->static;
$app       = $app->static(Mojolicious::Static->new);

For serving static assets from your public directory, defaults to a Mojolicious::Static object.

types

my $types = $app->types;
$app      = $app->types(Mojolicious::Types->new);

Responsible for connecting file extensions with MIME types, defaults to a Mojolicious::Types object.

$app->types->type(twt => 'text/tweet');

METHODS

Mojolicious inherits all methods from Mojo and implements the following new ones.

new

my $app = Mojolicious->new;

Construct a new Mojolicious application. Will automatically detect your home directory and set up logging based on your current operating mode. Also sets up the renderer, static dispatcher and a default set of plugins.

build_tx

my $tx = $app->build_tx;

Transaction builder, defaults to building a Mojo::Transaction::HTTP object.

defaults

my $defaults = $app->defaults;
my $foo      = $app->defaults('foo');
$app         = $app->defaults({foo => 'bar'});
$app         = $app->defaults(foo => 'bar');

Default values for the stash, assigned for every new request.

$app->defaults->{foo} = 'bar';
my $foo = $app->defaults->{foo};
delete $app->defaults->{foo};

dispatch

$app->dispatch($c);

The heart of every Mojolicious application, calls the static and routes dispatchers for every request and passes them a Mojolicious::Controller object.

handler

$tx = $app->handler($tx);

Sets up the default controller and calls process for every request.

helper

$app->helper(foo => sub {...});

Add a new helper that will be available as a method of the controller object and the application object, as well as a function in ep templates.

# Helper
$app->helper(add => sub { $_[1] + $_[2] });

# Controller/Application
my $result = $self->add(2, 3);

# Template
%= add 2, 3

hook

$app->hook(after_dispatch => sub {...});

Extend Mojolicious by adding hooks.

These hooks are currently available and are emitted in the listed order:

after_build_tx

Emitted in reverse order right after the transaction is built and before the HTTP request gets parsed.

$app->hook(after_build_tx => sub {
  my ($tx, $app) = @_;
});

One use case would be upload progress bars. (Passed the transaction and application instances)

before_dispatch

Emitted right before the static and routes dispatchers start their work.

$app->hook(before_dispatch => sub {
  my $self = shift;
});

Very useful for rewriting incoming requests and other preprocessing tasks. (Passed the default controller instance)

after_static_dispatch

Emitted in reverse order after the static dispatcher determined if a static file should be served and before the routes dispatcher starts its work.

$app->hook(after_static_dispatch => sub {
  my $self = shift;
});

Mostly used for custom dispatchers and postprocessing static file responses. (Passed the default controller instance)

after_dispatch

Emitted in reverse order after a response has been rendered. Note that this hook can trigger before after_static_dispatch due to its dynamic nature.

$app->hook(after_dispatch => sub {
  my $self = shift;
});

Useful for all kinds of postprocessing tasks. (Passed the current controller instance)

plugin

$app->plugin('some_thing');
$app->plugin('some_thing', foo => 23);
$app->plugin('some_thing', {foo => 23});
$app->plugin('SomeThing');
$app->plugin('SomeThing', foo => 23);
$app->plugin('SomeThing', {foo => 23});
$app->plugin('MyApp::Plugin::SomeThing');
$app->plugin('MyApp::Plugin::SomeThing', foo => 23);
$app->plugin('MyApp::Plugin::SomeThing', {foo => 23});

Load a plugin with "register_plugin" in Mojolicious::Plugins.

These plugins are included in the Mojolicious distribution as examples:

Mojolicious::Plugin::Charset

Change the application charset.

Mojolicious::Plugin::Config

Perl-ish configuration files.

Mojolicious::Plugin::DefaultHelpers

General purpose helper collection.

Mojolicious::Plugin::EPLRenderer

Renderer for plain embedded Perl templates.

Mojolicious::Plugin::EPRenderer

Renderer for more sophisiticated embedded Perl templates.

Mojolicious::Plugin::HeaderCondition

Route condition for all kinds of headers.

Mojolicious::Plugin::I18N

Internationalization helpers.

Mojolicious::Plugin::JSONConfig

JSON configuration files.

Mojolicious::Plugin::Mount

Mount whole Mojolicious applications.

Mojolicious::Plugin::PODRenderer

Renderer for POD files and documentation browser.

Mojolicious::Plugin::PoweredBy

Add an X-Powered-By header to outgoing responses.

Mojolicious::Plugin::RequestTimer

Log timing information.

Mojolicious::Plugin::TagHelpers

Template specific helper collection.

start

Mojolicious->start;
Mojolicious->start('daemon');

Start the Mojolicious::Commands command line interface for your application.

startup

$app->startup;

This is your main hook into the application, it will be called at application startup.

sub startup {
  my $self = shift;
}

HELPERS

In addition to the attributes and methods above you can also call helpers on instances of Mojolicious. This includes all helpers from Mojolicious::Plugin::DefaultHelpers and Mojolicious::Plugin::TagHelpers. Note that application helpers are always called with a new controller_class instance, so they can't depend on or change controller state, which includes request, response and stash.

$app->log->debug($app->dumper({foo => 'bar'}));

SUPPORT

Web

http://mojolicio.us

IRC

#mojo on irc.perl.org

Mailing-List

http://groups.google.com/group/mojolicious

DEVELOPMENT

Repository

http://github.com/kraih/mojo

BUNDLED FILES

Mojolicious ships with a few popular static files bundled in the public directory.

Mojolicious Artwork

Copyright (C) 2010-2011, Sebastian Riedel.

Licensed under the CC-SA License, Version 3.0 http://creativecommons.org/licenses/by-sa/3.0.

jQuery

Version 1.6.3

jQuery is a fast and concise JavaScript Library that simplifies HTML document traversing, event handling, animating, and Ajax interactions for rapid web development. jQuery is designed to change the way that you write JavaScript.

Copyright 2011, John Resig.

Licensed under the MIT License, http://creativecommons.org/licenses/MIT.

prettify.js

Version 1-Jun-2011

A Javascript module and CSS file that allows syntax highlighting of source code snippets in an html page.

Copyright (C) 2006, Google Inc.

Licensed under the Apache License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.

CODE NAMES

Every major release of Mojolicious has a code name, these are the ones that have been used in the past.

2.0, Leaf Fluttering In Wind (u1F343)

1.4, Smiling Face With Sunglasses (u1F60E)

1.3, Tropical Drink (u1F379)

1.1, Smiling Cat Face With Heart-Shaped Eyes (u1F63B)

1.0, Snowflake (u2744)

0.999930, Hot Beverage (u2615)

0.999927, Comet (u2604)

0.999920, Snowman (u2603)

AUTHOR

Sebastian Riedel, sri@cpan.org.

CREDITS

In alphabetical order:

Abhijit Menon-Sen

Adam Kennedy

Adriano Ferreira

Al Newkirk

Alex Salimon

Alexey Likhatskiy

Anatoly Sharifulin

Andre Vieth

Andrew Fresh

Andreas Koenig

Andy Grundman

Aristotle Pagaltzis

Ashley Dev

Ask Bjoern Hansen

Audrey Tang

Ben van Staveren

Breno G. de Oliveira

Brian Duggan

Burak Gursoy

Ch Lamprecht

Charlie Brady

Chas. J. Owens IV

Christian Hansen

chromatic

Curt Tilmes

Daniel Kimsey

Danijel Tasov

David Davis

Dmitriy Shalashov

Dmitry Konstantinov

Eugene Toropov

Gisle Aas

Glen Hinkle

Graham Barr

Henry Tang

Hideki Yamamura

James Duncan

Jan Jona Javorsek

Jaroslav Muhin

Jesse Vincent

John Kingsley

Jonathan Yu

Kazuhiro Shibuya

Kevin Old

KITAMURA Akatsuki

Lars Balker Rasmussen

Leon Brocard

Magnus Holm

Maik Fischer

Marcus Ramberg

Mark Stosberg

Matthew Lineen

Maksym Komar

Maxim Vuets

Michael Harris

Mirko Westermeier

Mons Anderson

Moritz Lenz

Nils Diewald

Oleg Zhelo

Pascal Gaudette

Paul Tomlin

Pedro Melo

Peter Edwards

Pierre-Yves Ritschard

Quentin Carbonneaux

Rafal Pocztarski

Randal Schwartz

Robert Hicks

Robin Lee

Roland Lammel

Ryan Jendoubi

Sascha Kiefer

Sergey Zasenko

Simon Bertrang

Simone Tampieri

Shu Cho

Skye Shaw

Stanis Trendelenburg

Tatsuhiko Miyagawa

Terrence Brannon

The Perl Foundation

Tomas Znamenacek

Ulrich Habel

Ulrich Kautz

Uwe Voelker

Viacheslav Tykhanovskyi

Victor Engmark

Viliam Pucik

Yaroslav Korshak

Yuki Kimoto

Zak B. Elep

COPYRIGHT AND LICENSE

Copyright (C) 2008-2011, Sebastian Riedel.

This program is free software, you can redistribute it and/or modify it under the terms of the Artistic License version 2.0.