/ 
Mojolicious-0.999928
⭐ Starred 2674
/ Mojolicious::Controller
Security Advisories (12)
CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2011-1841 (2011-03-10)

Mojolicious is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by link_to helper. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2011-1589 (2011-04-05)

Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

CVE-2011-1841 (2011-05-03)

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies.  An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

NAME

Mojolicious::Controller - Controller Base Class

SYNOPSIS

use base 'Mojolicious::Controller';

DESCRIPTION

Mojolicous::Controller is the base class for your Mojolicious controllers. It is also the default controller class for Mojolicious unless you set controller_class in your application.

ATTRIBUTES

Mojolicious::Controller inherits all attributes from MojoX::Dispatcher::Routes::Controller.

METHODS

Mojolicious::Controller inherits all methods from MojoX::Dispatcher::Routes::Controller and implements the following new ones.

client

my $client = $c->client;

A Mojo::Client prepared for the current environment.

my $tx = $c->client->get('http://mojolicious.org');

$c->client->post_form('http://kraih.com/login' => {user => 'mojo'});

$c->client->get('http://mojolicious.org' => sub {
    my $client = shift;
    $c->render_data($client->res->body);
})->process;

For async processing you can use pause and finish.

$c->pause;
$c->client->async->get('http://mojolicious.org' => sub {
    my $client = shift;
    $c->render_data($client->res->body);
    $c->finish;
})->process;

finish

$c->finish;

Similar to resume but will also trigger automatic rendering and the after_dispatch plugin hook, which would normally get disabled once a request gets paused. For WebSockets it will gracefully end the connection.

finished

$c->finished(sub {...});

Callback signaling that the transaction has been finished.

$c->finished(sub {
    my $self = shift;
});

helper

$c->helper('foo');
$c->helper(foo => 23);

Directly call a Mojolicious helper, see Mojolicious::Plugin::DefaultHelpers for a list of helpers that are always available.

pause

$c->pause;

Pause transaction associated with this request, used for async web applications. Note that automatic rendering and some plugins that do state changing operations inside the after_dispatch hook won't work if you pause a transaction.

receive_message

$c = $c->receive_message(sub {...});

Receive messages via WebSocket, only works if there is currently a WebSocket connection in progress.

$c->receive_message(sub {
    my ($self, $message) = @_;
});

redirect_to

$c = $c->redirect_to('named');
$c = $c->redirect_to('named', foo => 'bar');
$c = $c->redirect_to('/path');
$c = $c->redirect_to('http://127.0.0.1/foo/bar');

Prepare a redirect response.

render

$c->render;
$c->render(controller => 'foo', action => 'bar');
$c->render({controller => 'foo', action => 'bar'});
$c->render(text => 'Hello!');
$c->render(template => 'index');
$c->render(template => 'foo/index');
$c->render(template => 'index', format => 'html', handler => 'epl');
$c->render(handler => 'something');
$c->render('foo/bar');
$c->render('foo/bar', format => 'html');
$c->render('foo/bar', {format => 'html'});

This is a wrapper around MojoX::Renderer exposing pretty much all functionality provided by it. It will set a default template to use based on the controller and action name or fall back to the route name. You can call it with a hash of options which can be preceded by an optional template name. Note that all render arguments get localized, so stash values won't be changed after the render call.

render_data

$c->render_data($bits);

Render binary data, similar to render_text but data will not be encoded.

render_exception

$c->render_exception($e);

Render the exception template exception.html.$handler. Will set the status code to 500 meaning Internal Server Error. Takes a Mojo::Exception object or error message and will fall back to rendering a static 500 page using MojoX::Renderer::Static.

render_inner

my $output = $c->render_inner;
my $output = $c->render_inner('content');
my $output = $c->render_inner(content => 'Hello world!');
my $output = $c->render_inner(content => sub { 'Hello world!' });

Contains partial rendered templates, used for the renderers layout and extends features.

render_json

$c->render_json({foo => 'bar'});
$c->render_json([1, 2, -3]);

Render a data structure as JSON.

render_not_found

$c->render_not_found;
$c->render_not_found($resource);

Render the not found template not_found.html.$handler. Also sets the response status code to 404, will fall back to rendering a static 404 page using MojoX::Renderer::Static.

render_partial

my $output = $c->render_partial;
my $output = $c->render_partial(action => 'foo');

Same as render but returns the rendered result.

render_static

$c->render_static('images/logo.png');

Render a static asset using MojoX::Dispatcher::Static.

render_text

$c->render_text('Hello World!');
$c->render_text('Hello World', layout => 'green');

Render the given content as plain text, note that text will be encoded. See render_data for an alternative without encoding.

resume

$c->resume;

Resume transaction associated with this request, used for async web applications.

send_message

$c = $c->send_message('Hi there!');

Send a message via WebSocket, only works if there is currently a WebSocket connection in progress.

url_for

my $url = $c->url_for;
my $url = $c->url_for(controller => 'bar', action => 'baz');
my $url = $c->url_for('named', controller => 'bar', action => 'baz');

Generate a Mojo::URL for the current or a named route.

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicious.org.