/ 
Mojolicious-4.21
River stage four • 1090 direct dependents • 1236 total dependents
⭐ Starred 2674 GitHub stars
/ Mojo::JSON
Security Advisories (10)
CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

NAME

Mojo::JSON - Minimalistic JSON

SYNOPSIS

# Encode and decode JSON
use Mojo::JSON;
my $json  = Mojo::JSON->new;
my $bytes = $json->encode({foo => [1, 2], bar => 'hello!', baz => \1});
my $hash  = $json->decode($bytes);

# Check for errors
my $json = Mojo::JSON->new;
if (defined(my $hash = $json->decode($bytes))) { say $hash->{message} }
else { say 'Error: ', $json->error }

# Use the alternative interface
use Mojo::JSON 'j';
my $bytes = j({foo => [1, 2], bar => 'hello!', baz => \1});
my $hash  = j($bytes);

DESCRIPTION

Mojo::JSON is a minimalistic and relaxed implementation of RFC 4627. While it is possibly the fastest pure-Perl JSON parser available, you should not use it for validation.

It supports normal Perl data types like Scalar, Array reference, Hash reference and will try to call the TO_JSON method on blessed references, or stringify them if it doesn't exist. Differentiating between strings and numbers in Perl is hard, depending on how it has been used, a Scalar can be both at the same time. Since numeric comparisons on strings are very unlikely to happen intentionally, the numeric value always gets priority, so any Scalar that has been used in numeric context is considered a number.

[1, -2, 3]     -> [1, -2, 3]
{"foo": "bar"} -> {foo => 'bar'}

Literal names will be translated to and from Mojo::JSON constants or a similar native Perl value. In addition Scalar references will be used to generate booleans, based on if their values are true or false.

true  -> Mojo::JSON->true
false -> Mojo::JSON->false
null  -> undef

Decoding UTF-16 (LE/BE) and UTF-32 (LE/BE) will be handled transparently, encoding will only generate UTF-8. The two Unicode whitespace characters u2028 and u2029 will always be escaped to make JSONP easier.

FUNCTIONS

Mojo::JSON implements the following functions.

j

my $bytes = j([1, 2, 3]);
my $bytes = j({foo => 'bar'});
my $array = j($bytes);
my $hash  = j($bytes);

Encode Perl data structure or decode JSON and return undef if decoding fails.

ATTRIBUTES

Mojo::JSON implements the following attributes.

error

my $err = $json->error;
$json   = $json->error('Parser error');

Parser errors.

METHODS

Mojo::JSON inherits all methods from Mojo::Base and implements the following new ones.

decode

my $array = $json->decode($bytes);
my $hash  = $json->decode($bytes);

Decode JSON to Perl data structure and return undef if decoding fails.

encode

my $bytes = $json->encode([1, 2, 3]);
my $bytes = $json->encode({foo => 'bar'});

Encode Perl data structure to JSON.

false

my $false = Mojo::JSON->false;
my $false = $json->false;

False value, used because Perl has no native equivalent.

true

my $true = Mojo::JSON->true;
my $true = $json->true;

True value, used because Perl has no native equivalent.

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicio.us.