/ 
Mojolicious-0.999932
⭐ Starred 2674
/ Mojolicious::Controller
Security Advisories (12)
CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2011-1841 (2011-03-10)

Mojolicious is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by link_to helper. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2011-1589 (2011-04-05)

Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

CVE-2011-1841 (2011-05-03)

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies.  An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

NAME

Mojolicious::Controller - Controller Base Class

SYNOPSIS

use base 'Mojolicious::Controller';

DESCRIPTION

Mojolicous::Controller is the base class for your Mojolicious controllers. It is also the default controller class for Mojolicious unless you set controller_class in your application.

ATTRIBUTES

Mojolicious::Controller inherits all attributes from MojoX::Dispatcher::Routes::Controller.

METHODS

Mojolicious::Controller inherits all methods from MojoX::Dispatcher::Routes::Controller and implements the following new ones.

client

my $client = $c->client;

A Mojo::Client prepared for the current environment.

my $tx = $c->client->get('http://mojolicious.org');

$c->client->post_form('http://kraih.com/login' => {user => 'mojo'});

$c->client->get('http://mojolicious.org' => sub {
    my $client = shift;
    $c->render_data($client->res->body);
})->start;

For async processing you can use finish.

$c->client->async->get('http://mojolicious.org' => sub {
    my $client = shift;
    $c->render_data($client->res->body);
    $c->finish;
})->start;

finish

$c->finish;

Gracefully end WebSocket connection.

on_finish

$c->on_finish(sub {...});

Callback signaling that the transaction has been finished.

$c->on_finish(sub {
    my $self = shift;
});

on_message

$c = $c->on_message(sub {...});

Receive messages via WebSocket, only works if there is currently a WebSocket connection in progress.

$c->on_message(sub {
    my ($self, $message) = @_;
});

redirect_to

$c = $c->redirect_to('named');
$c = $c->redirect_to('named', foo => 'bar');
$c = $c->redirect_to('/path');
$c = $c->redirect_to('http://127.0.0.1/foo/bar');

Prepare a 302 redirect response.

render

$c->render;
$c->render(controller => 'foo', action => 'bar');
$c->render({controller => 'foo', action => 'bar'});
$c->render(text => 'Hello!');
$c->render(template => 'index');
$c->render(template => 'foo/index');
$c->render(template => 'index', format => 'html', handler => 'epl');
$c->render(handler => 'something');
$c->render('foo/bar');
$c->render('foo/bar', format => 'html');

This is a wrapper around MojoX::Renderer exposing pretty much all functionality provided by it. It will set a default template to use based on the controller and action name or fall back to the route name. You can call it with a hash of options which can be preceded by an optional template name. Note that all render arguments get localized, so stash values won't be changed after the render call.

render_data

$c->render_data($bits);

Render binary data, similar to render_text but data will not be encoded.

render_exception

$c->render_exception($e);

Render the exception template exception.html.$handler. Will set the status code to 500 meaning Internal Server Error. Takes a Mojo::Exception object or error message and will fall back to rendering a static 500 page using MojoX::Renderer::Static.

render_inner

my $output = $c->render_inner;
my $output = $c->render_inner('content');
my $output = $c->render_inner(content => 'Hello world!');
my $output = $c->render_inner(content => sub { 'Hello world!' });

Contains partial rendered templates, used for the renderers layout and extends features.

render_json

$c->render_json({foo => 'bar'});
$c->render_json([1, 2, -3]);

Render a data structure as JSON.

render_not_found

$c->render_not_found;
$c->render_not_found($resource);

Render the not found template not_found.html.$handler. Also sets the response status code to 404, will fall back to rendering a static 404 page using MojoX::Renderer::Static.

render_partial

my $output = $c->render_partial;
my $output = $c->render_partial(action => 'foo');

Same as render but returns the rendered result.

render_static

$c->render_static('images/logo.png');
$c->render_static('../lib/MyApp.pm');

Render a static file using MojoX::Dispatcher::Static relative to the public directory of your application.

render_text

$c->render_text('Hello World!');
$c->render_text('Hello World', layout => 'green');

Render the given content as plain text, note that text will be encoded. See render_data for an alternative without encoding.

rendered

$c->rendered;

Finalize response and run after_dispatch plugin hook. Note that this method is EXPERIMENTAL and might change without warning!

send_message

$c = $c->send_message('Hi there!');

Send a message via WebSocket, only works if there is currently a WebSocket connection in progress.

url_for

my $url = $c->url_for;
my $url = $c->url_for(controller => 'bar', action => 'baz');
my $url = $c->url_for('named', controller => 'bar', action => 'baz');

Generate a Mojo::URL for the current or a named route.

write

$c->write;
$c->write('Hello!');
$c->write(sub {...});
$c->write('Hello!', sub {...});

Write dynamic content matching the corresponding Content-Length header chunk wise, the optional drain callback will be invoked once all data has been written to the kernel send buffer or equivalent.

$c->res->headers->content_length(6);
$c->write('Hel');
$c->write('lo!');

Note that this method is EXPERIMENTAL and might change without warning!

write_chunk

$c->write_chunk;
$c->write_chunk('Hello!');
$c->write_chunk(sub {...});
$c->write_chunk('Hello!', sub {...});

Write dynamic content chunk wise with the chunked Transfer-Encoding which doesn't require a Content-Length header, the optional drain callback will be invoked once all data has been written to the kernel send buffer or equivalent. An empty chunk marks the end of the stream.

$c->write_chunk('Hel');
$c->write_chunk('lo!');
$c->write_chunk('');

Note that this method is EXPERIMENTAL and might change without warning!

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicious.org.