Security Advisories (10)

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

https://github.com/mojolicious/mojo/pull/1791

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

https://github.com/mojolicious/mojo/pull/1601

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

https://github.com/mojolicious/mojo/commit/a815d4797145f872ef6e9f1270841eda1d410afb

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

NAME

Mojo::Template - Perl-ish templates!

SYNOPSIS

use Mojo::Template;
my $mt = Mojo::Template->new;

# Simple
my $output = $mt->render(<<'EOF');
% use Time::Piece;
<!DOCTYPE html>
<html>
  <head><title>Simple</title></head>
  % my $now = localtime;
  <body>Time: <%= $now->hms %></body>
</html>
EOF
say $output;

# More advanced
my $output = $mt->render(<<'EOF', 23, 'foo bar');
% my ($number, $text) = @_;
%= 5 * 5
<!DOCTYPE html>
<html>
  <head><title>More advanced</title></head>
  <body>
    test 123
    foo <% my $i = $number + 2; %>
    % for (1 .. 23) {
    * some text <%= $i++ %>
    % }
  </body>
</html>
EOF
say $output;

DESCRIPTION

Mojo::Template is a minimalistic and very Perl-ish template engine, designed specifically for all those small tasks that come up during big projects. Like preprocessing a configuration file, generating text from heredocs and stuff like that.

See Mojolicious::Guides::Rendering for information on how to generate content with the Mojolicious renderer.

SYNTAX

For all templates strict, warnings and Perl 5.10 features are automatically enabled.

<% Perl code %>
<%= Perl expression, replaced with result %>
<%== Perl expression, replaced with XML escaped result %>
<%# Comment, useful for debugging %>
<%% Replaced with "<%", useful for generating templates %>
% Perl code line, treated as "<% line =%>"
%= Perl expression line, treated as "<%= line %>"
%== Perl expression line, treated as "<%== line %>"
%# Comment line, treated as "<%# line =%>"
%% Replaced with "%", useful for generating templates

Escaping behavior can be reversed with the auto_escape attribute, this is the default in Mojolicious .ep templates for example.

<%= Perl expression, replaced with XML escaped result %>
<%== Perl expression, replaced with result %>

Mojo::ByteStream objects are always excluded from automatic escaping.

<%= Mojo::ByteStream->new('<div>excluded!</div>') %>

Newline characters can be escaped with a backslash.

This is <%= 1 + 1 %> a\
single line

And a backslash in front of a newline character can be escaped with another backslash.

This will <%= 1 + 1 %> result\\
in multiple\\
lines

Whitespace characters around tags can be trimmed with a special tag ending.

<%= All whitespace characters around this expression will be trimmed =%>

You can capture whole template blocks for reuse later with the begin and end keywords.

<% my $block = begin %>
  <% my $name = shift; =%>
  Hello <%= $name %>.
<% end %>
<%= $block->('Baerbel') %>
<%= $block->('Wolfgang') %>

Perl lines can also be indented freely.

% my $block = begin
  % my $name = shift;
  Hello <%= $name %>.
% end
%= $block->('Baerbel')
%= $block->('Wolfgang')

Mojo::Template templates work just like Perl subs (actually they get compiled to a Perl sub internally). That means you can access arguments simply via @_.

% my ($foo, $bar) = @_;
% my $x = shift;
test 123 <%= $foo %>

Templates get compiled to Perl code internally, this can make debugging a bit tricky. But Mojo::Template will return Mojo::Exception objects that stringify to error messages with context.

Bareword "xx" not allowed while "strict subs" in use at template line 4.
2: </head>
3: <body>
4: % my $i = 2; xx
5: %= $i * 2
6: </body>

ATTRIBUTES

Mojo::Template implements the following attributes.

`auto_escape`

my $auto_escape = $mt->auto_escape;
$mt             = $mt->auto_escape(1);

Activate automatic XML escaping.

`append`

my $code = $mt->append;
$mt      = $mt->append('warn "Processed template"');

Append Perl code to compiled template. Note that this code should not contain newline characters, or line numbers in error messages might end up being wrong.

`capture_end`

my $capture_end = $mt->capture_end;
$mt             = $mt->capture_end('end');

Keyword indicating the end of a capture block, defaults to end.

<% my $block = begin %>
  Some data!
<% end %>

`capture_start`

my $capture_start = $mt->capture_start;
$mt               = $mt->capture_start('begin');

Keyword indicating the start of a capture block, defaults to begin.

<% my $block = begin %>
  Some data!
<% end %>

`code`

my $code = $mt->code;
$mt      = $mt->code($code);

Compiled template code.

`comment_mark`

my $comment_mark = $mt->comment_mark;
$mt              = $mt->comment_mark('#');

Character indicating the start of a comment, defaults to #.

<%# This is a comment %>

`encoding`

my $encoding = $mt->encoding;
$mt          = $mt->encoding('UTF-8');

Encoding used for template files.

`escape_mark`

my $escape_mark = $mt->escape_mark;
$mt             = $mt->escape_mark('=');

Character indicating the start of an escaped expression, defaults to =.

<%== $foo %>

`expression_mark`

my $expression_mark = $mt->expression_mark;
$mt                 = $mt->expression_mark('=');

Character indicating the start of an expression, defaults to =.

<%= $foo %>

`line_start`

my $line_start = $mt->line_start;
$mt            = $mt->line_start('%');

Character indicating the start of a code line, defaults to %.

% $foo = 23;

`name`

my $name = $mt->name;
$mt      = $mt->name('foo.mt');

Name of template currently being processed, defaults to template. Note that this method is attribute and might change without warning!

`namespace`

my $namespace = $mt->namespace;
$mt           = $mt->namespace('main');

Namespace used to compile templates, defaults to Mojo::Template::SandBox.

`prepend`

my $code = $mt->prepend;
$mt      = $mt->prepend('my $self = shift;');

Prepend Perl code to compiled template. Note that this code should not contain newline characters, or line numbers in error messages might end up being wrong.

`replace_mark`

my $replace_mark = $mt->replace_mark;
$mt              = $mt->replace_mark('%');

Character used for escaping the start of a tag or line, defaults to %.

<%% my $foo = 23; %>

`tag_start`

my $tag_start = $mt->tag_start;
$mt           = $mt->tag_start('<%');

Characters indicating the start of a tag, defaults to <%.

<% $foo = 23; %>

`tag_end`

my $tag_end = $mt->tag_end;
$mt         = $mt->tag_end('%>');

Characters indicating the end of a tag, defaults to %>.

<%= $foo %>

`template`

my $template = $mt->template;
$mt          = $mt->template($template);

Raw template.

`tree`

my $tree = $mt->tree;
$mt      = $mt->tree($tree);

Parsed tree.

`trim_mark`

my $trim_mark = $mt->trim_mark;
$mt           = $mt->trim_mark('-');

Character activating automatic whitespace trimming, defaults to =.

<%= $foo =%>

METHODS

Mojo::Template inherits all methods from Mojo::Base and implements the following new ones.

`new`

my $mt = Mojo::Template->new;

Construct a new Mojo::Template object.

`build`

$mt = $mt->build;

Build template.

`compile`

my $exception = $mt->compile;

Compile template.

`interpret`

my $output = $mt->interpret;
my $output = $mt->interpret(@args);

Interpret template.

# Reuse template
say $mt->render('Hello <%= $_[0] %>!', 'Bender');
say $mt->interpret('Fry');
say $mt->interpret('Leela');

`parse`

$mt = $mt->parse($template);

Parse template.

`render`

my $output = $mt->render($template);
my $output = $mt->render($template, @args);

Render template.

say $mt->render('Hello <%= $_[0] %>!', 'Bender');

`render_file`

my $output = $mt->render_file('/tmp/foo.mt');
my $output = $mt->render_file('/tmp/foo.mt', @args);

Render template file.

DEBUGGING

You can set the MOJO_TEMPLATE_DEBUG environment variable to get some advanced diagnostics information printed to STDERR.

MOJO_TEMPLATE_DEBUG=1

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

NAME

SYNOPSIS

DESCRIPTION

SYNTAX

ATTRIBUTES

auto_escape

append

capture_end

capture_start

code

comment_mark

encoding

escape_mark

expression_mark

line_start

name

namespace

prepend

replace_mark

tag_start

tag_end

template

tree

trim_mark