/ 
Mojolicious-0.999922
⭐ Starred 2674 / Mojolicious::Lite
Security Advisories (14)
CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CVE-2010-4802 (2011-05-03)

Commands.pm in Mojolicious before 0.999928 does not properly perform CGI environment detection, which has unspecified impact and remote attack vectors.

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2011-1841 (2011-03-10)

Mojolicious is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by link_to helper. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2011-1589 (2011-04-05)

Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

CVE-2010-4803 (2011-05-03)

Mojolicious before 0.999927 does not properly implement HMAC-MD5 checksums, which has unspecified impact and remote attack vectors.

CVE-2011-1841 (2011-05-03)

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies.  An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

NAME

Mojolicious::Lite - Micro Web Framework

SYNOPSIS

# Using Mojolicious::Lite will enable "strict" and "warnings"
use Mojolicious::Lite;

# Route with placeholder
get '/:foo' => sub {
    my $self = shift;
    $self->render_text('Yea baby!');
};

# Start the Mojolicious command system
shagadelic;

DESCRIPTION

Mojolicous::Lite is a micro web framework built around Mojolicious.

A minimal application looks like this.

#!/usr/bin/env perl

use Mojolicious::Lite;

get '/' => sub {
    my $self = shift;
    $self->render_text('Yea baby!');
};

shagadelic;

There is also a helper command to generate a small example application.

% mojolicious generate lite_app

All the normal Mojolicious command options are available from the command line. Note that CGI and FastCGI environments can usually be auto detected and will just work without commands.

% ./myapp.pl daemon
Server available at http://127.0.0.1:3000.

% ./myapp.pl daemon --listen http://*:8080
Server available at http://127.0.0.1:8080.

% ./myapp.pl daemon_prefork
Server available at http://127.0.0.1:3000.

% ./myapp.pl cgi
...CGI output...

% ./myapp.pl fastcgi
...Blocking FastCGI main loop...

The shagadelic call that starts the Mojolicious command system can be customized to override normal @ARGV use.

shagadelic('cgi');

Your application will automatically reload itself if you set the --reload option, so you don't have to restart the server after every change.

% ./myapp.pl daemon --reload
Server available at http://127.0.0.1:3000.

Routes are basically just fancy paths that can contain different kinds of placeholders.

# /foo
get '/foo' => sub {
    my $self = shift;
    $self->render_text('Yea baby!');
};

All routes can have a name associated with them, this allows automatic template detection and back referencing with url_for. Names are always the last argument.

# /
get '/' => 'index';

# /foo
get '/foo' => 'foo';

# /bar
get '/bar' => sub {
    my $self = shift;
    $self->render_text('Hi!')
} => 'bar';

__DATA__

@@ index.html.ep
<a href="<%= url_for 'foo' %>">Foo</a>.
<a href="<%= url_for 'bar' %>">Bar</a>.

@@ foo.html.ep
<a href="<%= url_for 'index' %>">Home</a>.

Templates can have layouts.

# GET /with_layout
get '/with_layout' => sub {
    my $self = shift;
    $self->render('with_layout', layout => 'green');
};

__DATA__

@@ with_layout.html.ep
We've got content!

@@ layouts/green.html.ep
<!doctype html><html>
    <head><title>Green!</title></head>
    <body><%= content %></body>
</html>

Templates can also pass around blocks of captured content and extend each other.

# GET /
get '/' => 'first';

# GET /second
get '/second' => 'second';

__DATA__

@@ first.html.ep
% extends 'second';
%{ content header =>
    <title>Howdy!</title>
%}
First!

@@ second.html.ep
% layout 'third';
%{ content header =>
    <title>Welcome!</title>
%}
Second!

@@ layouts/third.html.ep
<!doctype html><html>
    <head>
        <%{= content header => %>
            <title>Lame default title...</title>
        <%}%>
    </head>
    <body><%= content %></body>
</html>

Route placeholders allow capturing parts of a request path until a / or . separator occurs, results will be stored by name in the stash and param.

# /foo/*
get '/foo/:bar' => sub {
    my $self = shift;
    my $bar  = $self->stash('bar');
    $self->render_text("Our :bar placeholder matched $bar");
};

# /*something/foo
get '/(:bar)something/foo' => sub {
    my $self = shift;
    my $bar  = $self->param('bar');
    $self->render_text("Our :bar placeholder matched $bar");
};

Relaxed placeholders allow matching of everything until a / occurs.

# GET /hello/*
get '/hello/(.you)' => sub {
    shift->render('groovy');
};

__DATA__

@@ groovy.html.ep
Your name is <%= $you %>.

Wildcard placeholders allow matching absolutely everything, including / and ..

# /hello/*
get '/hello/(*you)' => sub {
    shift->render('groovy');
};

__DATA__

@@ groovy.html.ep
Your name is <%= $you %>.

Routes can be restricted to specific request methods.

# GET /bye
get '/bye' => sub { shift->render_text('Bye!') };

# POST /bye
post '/bye' => sub { shift->render_text('Bye!') };

# GET|POST|DELETE /bye
any [qw/get post delete/] => '/bye' => sub {
    shift->render_text('Bye!');
};

# /baz
any '/baz' => sub {
    my $self   = shift;
    my $method = $self->req->method;
    $self->render_text("You called /baz with $method");
};

All placeholders get compiled to a regex internally, with regex constraints this process can be easily customized.

# /*
any '/:bar' => [bar => qr/\d+/] => sub {
    my $self = shift;
    my $bar  = $self->param('bar');
    $self->render_text("Our :bar placeholder matched $bar");
};

Routes allow default values to make placeholders optional.

# /hello/*
get '/hello/:name' => {name => 'Sebastian'} => sub {
    my $self = shift;
    $self->render('groovy', format => 'txt');
};

__DATA__

@@ groovy.txt.ep
My name is <%= $name %>.

All those features can be easily used together.

# /everything/*?name=*
get '/everything/:stuff' => [stuff => qr/\d+/] => {stuff => 23} => sub {
    shift->render('welcome');
};

__DATA__

@@ welcome.html.ep
Stuff is <%= $stuff %>.
Query param name is <%= param 'name' %>.

Here's a fully functional example for a html form handling application using multiple features at once.

#!/usr/bin/env perl

use Mojolicious::Lite;

get '/' => 'index';

post '/form' => sub {
    my $self = shift;

    my $groovy = $self->param('groovy') || 'Austin Powers';
    $groovy =~ s/[^\w\s]+//g;

    $self->render(
        template => 'welcome',
        layout   => 'funky',
        groovy   => $groovy
    );
} => 'form';

shagadelic;
__DATA__

@@ index.html.ep
% layout 'funky';
Who is groovy?
<form action="<%= url_for 'form' %>" method="POST">
    <input type="text" name="groovy" />
    <input type="submit" value="Woosh!">
</form>

@@ welcome.html.ep
<%= $groovy %> is groovy!
<%= include 'menu' %>

@@ menu.html.ep
<a href="<%= url_for 'index' %>">Try again</a>

@@ layouts/funky.html.ep
<!doctype html><html>
    <head><title>Funky!</title></head>
    <body><%= content %>
    </body>
</html>

Ladders can be used for authentication and to share code between multiple routes. All routes following a ladder are only evaluated if the ladder returns a true value.

use Mojolicious::Lite;

# Authenticate based on name parameter
ladder sub {
    my $self = shift;

    # Authenticated
    my $name = $self->param('name') || '';
    return 1 if $name eq 'Bender';

    # Not authenticated
    $self->render('denied');
    return;
};

# GET / (with ladder authentication)
get '/' => 'index';

shagadelic;
__DATA__;

@@ denied.html.ep
You are not Bender, permission denied!

@@ index.html.ep
Hi Bender!

Conditions such as agent allow even more powerful route constructs.

# /foo
get '/foo' => (agent => qr/Firefox/) => sub {
    shift->render_text('Congratulations, you are using a cool browser!');
}

# /foo
get '/foo' => (agent => qr/Internet Explorer/) => sub {
    shift->render_text('Dude, you really need to upgrade to Firefox!');
}

Formats can be automatically detected by looking at file extensions.

# /detection.html
# /detection.txt
get '/detection' => sub {
    my $self = shift;
    $self->render('detected');
};

__DATA__

@@ detected.html.ep
<!doctype html><html>
    <head><title>Detected!</title></head>
    <body>HTML was detected.</body>
</html>

@@ detected.txt.ep
TXT was detected.

External templates will be searched by the renderer in a templates directory.

# /external
any '/external' => sub {
    my $self = shift;

    # templates/foo/bar.html.ep
    $self->render('foo/bar');
};

Static files will be automatically served from the public directory if it exists.

% mkdir public
% mv something.js public/something.js

Testing your application is as easy as creating a t directory and filling it with normal Perl unit tests like t/funky.t.

use Test::More tests => 3;
use Test::Mojo;

use FindBin;
require "$FindBin::Bin/../myapp.pl";

my $t = Test::Mojo->new;
$t->get_ok('/')->status_is(200)->content_like(qr/Funky!/);

Run all unit tests with the test command.

% ./myapp.pl test

To disable debug messages later in a production setup you can change the Mojolicious mode, default will be development.

% MOJO_MODE=production ./myapp.pl

Log messages will be automatically written to a log/$mode.log file if a log directory exists.

% mkdir log

For more control the Mojolicious instance can be accessed directly.

app->log->level('error');
app->routes->route('/foo/:bar')->via('get')->to(callback => sub {
    my $self = shift;
    $self->render_text('Hello Mojo!');
});

In case a lite app needs to grow, lite and real Mojolicous applications can be easily mixed to make the transition process very smooth.

package MyApp::Foo;
use base 'Mojolicious::Controller';

sub index { shift->render_text('It works!') }

package main;
use Mojolicious::Lite;

get '/bar' => sub { shift->render_text('This too!') };

app->routes->namespace('MyApp');
app->routes->route('/foo/:action')->via('get')->to('foo#index');

shagadelic;

ATTRIBUTES

Mojolicious::Lite inherits all attributes from Mojolicious.

METHODS

Mojolicious::Lite inherits all methods from Mojolicious.

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicious.org.