/ 
Mojolicious-1.64
⭐ Starred 2674
/ Mojolicious
Security Advisories (9)
CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies.  An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

NAME

Mojolicious - The Web In A Box!

SYNOPSIS

# Mojolicious application
package MyApp;
use Mojo::Base 'Mojolicious';

sub startup {
  my $self = shift;

  # Routes
  my $r = $self->routes;

  # Default route
  $r->route('/:controller/:action/:id')->to('foo#welcome');
}

# Mojolicious controller
package MyApp::Foo;
use Mojo::Base 'Mojolicious::Controller';

# Say hello
sub welcome {
  my $self = shift;
  $self->render_text('Hi there!');
}

# Say goodbye from a template (foo/bye.html.ep)
sub bye { shift->render }

DESCRIPTION

Back in the early days of the web, many people learned Perl because of a wonderful Perl library called CGI. It was simple enough to get started without knowing much about the language and powerful enough to keep you going, learning by doing was much fun. While most of the techniques used are outdated now, the idea behind it is not. Mojolicious is a new attempt at implementing this idea using state of the art technology.

Features

  • An amazing MVC web framework supporting a simplified single file mode through Mojolicious::Lite.

    Powerful out of the box with RESTful routes, plugins, Perl-ish templates, session management, signed cookies, testing framework, static file server, I18N, first class unicode support and much more for you to discover.

  • Very clean, portable and Object Oriented pure Perl API without any hidden magic and no requirements besides Perl 5.8.7 (although 5.12+ is recommended).

  • Full stack HTTP 1.1 and WebSocket client/server implementation with IPv6, TLS, Bonjour, IDNA, Comet (long polling), chunking and multipart support.

  • Built-in async IO web server supporting epoll, kqueue, UNIX domain sockets and hot deployment, perfect for embedding.

  • Automatic CGI, FastCGI and PSGI detection.

  • JSON and HTML5/XML parser with CSS3 selector support.

  • Fresh code based upon years of experience developing Catalyst.

Installation

All you need is a oneliner, it takes less than a minute.

sudo sh -c "curl -L cpanmin.us | perl - Mojolicious"

Getting Started

These three lines are a whole web application.

use Mojolicious::Lite;

get '/' => {text => 'Hello World!'};

app->start;

To run this example with the built-in development web server just put the code into a file and execute it with perl.

% perl hello.pl daemon
Server available at http://127.0.0.1:3000.

% curl http://127.0.0.1:3000/
Hello World!

Duct Tape For The HTML5 Web

Web development for humans, making hard things possible and everything fun.

use Mojolicious::Lite;

# Simple plain text response
get '/' => sub {
  my $self = shift;
  $self->render_text('Hello World!');
};

# Route associating the "/time" URL to template in DATA section
get '/time' => 'clock';

# RESTful web service sending JSON responses
get '/list/:offset' => sub {
  my $self = shift;
  $self->render_json({list => [0 .. $self->param('offset')]});
};

# Scrape and return information from remote sites
post '/title' => sub {
  my $self = shift;
  my $url  = $self->param('url') || 'http://mojolicio.us';
  $self->render_text(
    $self->ua->get($url)->res->dom->html->head->title->text);
};

# WebSocket echo service
websocket '/echo' => sub {
  my $self = shift;
  $self->on_message(sub {
    my ($self, $message) = @_;
    $self->send_message("echo: $message");
  });
};

app->start;
__DATA__

@@ clock.html.ep
% my ($second, $minute, $hour) = (localtime(time))[0, 1, 2];
<%= link_to clock => begin %>
  The time is <%= $hour %>:<%= $minute %>:<%= $second %>.
<% end %>

Growing

Single file prototypes can easily grow into well-structured applications. A controller collects several actions together.

package MyApp::Example;
use Mojo::Base 'Mojolicious::Controller';

# Plain text response
sub hello {
  my $self = shift;
  $self->render_text('Hello World!');
}

# Render external template "templates/example/clock.html.ep"
sub clock { }

# RESTful web service sending JSON responses
sub restful {
  my $self = shift;
  $self->render_json({list => [0 .. $self->param('offset')]});
}

# Scrape and return information from remote sites
sub title {
  my $self = shift;
  my $url  = $self->param('url') || 'http://mojolicio.us';
  $self->render_text(
    $self->ua->get($url)->res->dom->html->head->title->text);
}

1;

While the application class is unique, you can have as many controllers as you like.

package MyApp::Realtime;
use Mojo::Base 'Mojolicious::Controller';

# WebSocket echo service
sub echo {
  my $self = shift;
  $self->on_message(sub {
    my ($self, $message) = @_;
    $self->send_message("echo: $message");
  });
}

1;

Larger applications benefit from the separation of actions and routes, especially when working in a team.

package MyApp;
use Mojo::Base 'Mojolicious';

# Runs once on application startup
sub startup {
  my $self = shift;
  my $r    = $self->routes;

  # Create a route at "/example" for the "MyApp::Example" controller
  my $example = $r->route('/example')->to('example#');

  # Connect these HTTP GET routes to actions in the controller
  # (paths are relative to the controller)
  $example->get('/')->to('#hello');
  $example->get('/time')->to('#clock');
  $example->get('/list/:offset')->to('#restful');

  # All common HTTP verbs are supported
  $example->post('/title')->to('#title');

  # ... and much, much more
  # (including multiple, auto-discovered controllers)
  $r->websocket('/echo')->to('realtime#echo');
}

1;

Through all of these changes, your action code and templates can stay almost exactly the same.

% my ($second, $minute, $hour) = (localtime(time))[0, 1, 2];
<%= link_to clock => begin %>
  The time is <%= $hour %>:<%= $minute %>:<%= $second %>.
<% end %>

Mojolicious has been designed from the ground up for a fun and unique workflow.

Want To Know More?

Take a look at our excellent documentation in Mojolicious::Guides!

ARCHITECTURE

Loosely coupled building blocks, use what you like and just ignore the rest.

.---------------------------------------------------------------.
|                                                               |
|                .----------------------------------------------'
|                | .--------------------------------------------.
|   Application  | |              Mojolicious::Lite             |
|                | '--------------------------------------------'
|                | .--------------------------------------------.
|                | |                 Mojolicious                |
'----------------' '--------------------------------------------'
.---------------------------------------------------------------.
|                             Mojo                              |
'---------------------------------------------------------------'
.-------. .-----------. .--------. .------------. .-------------.
|  CGI  | |  FastCGI  | |  PSGI  | |  HTTP 1.1  | |  WebSocket  |
'-------' '-----------' '--------' '------------' '-------------'

ATTRIBUTES

Mojolicious inherits all attributes from Mojo and implements the following new ones.

controller_class

my $class = $app->controller_class;
$app      = $app->controller_class('Mojolicious::Controller');

Class to be used for the default controller, defaults to Mojolicious::Controller.

mode

my $mode = $app->mode;
$app     = $app->mode('production');

The operating mode for your application. It defaults to the value of the environment variable MOJO_MODE or development. Mojo will name the log file after the current mode and modes other than development will result in limited log output.

If you want to add per mode logic to your application, you can add a sub to your application named $mode_mode.

sub development_mode {
  my $self = shift;
}

sub production_mode {
  my $self = shift;
}

on_process

my $process = $app->on_process;
$app        = $app->on_process(sub {...});

Request processing callback, defaults to calling the dispatch method. Generally you will use a plugin or controller instead of this, consider it the sledgehammer in your toolbox.

$app->on_process(sub {
  my ($self, $c) = @_;
  $self->dispatch($c);
});

plugins

my $plugins = $app->plugins;
$app        = $app->plugins(Mojolicious::Plugins->new);

The plugin loader, by default a Mojolicious::Plugins object. You can usually leave this alone, see Mojolicious::Plugin if you want to write a plugin.

renderer

my $renderer = $app->renderer;
$app         = $app->renderer(Mojolicious::Renderer->new);

Used in your application to render content, by default a Mojolicious::Renderer object. The two main renderer plugins Mojolicious::Plugin::EpRenderer and Mojolicious::Plugin::EplRenderer contain more specific information.

routes

my $routes = $app->routes;
$app       = $app->routes(Mojolicious::Routes->new);

The routes dispatcher, by default a Mojolicious::Routes object. You use this in your startup method to define the url endpoints for your application.

sub startup {
  my $self = shift;

  my $r = $self->routes;
  $r->route('/:controller/:action')->to('test#welcome');
}

secret

my $secret = $app->secret;
$app       = $app->secret('passw0rd');

A secret passphrase used for signed cookies and the like, defaults to the application name which is not very secure, so you should change it!!! As long as you are using the unsecure default there will be debug messages in the log file reminding you to change your passphrase.

sessions

my $sessions = $app->sessions;
$app         = $app->sessions(Mojolicious::Sessions->new);

Simple signed cookie based sessions, by default a Mojolicious::Sessions object.

static

my $static = $app->static;
$app       = $app->static(Mojolicious::Static->new);

For serving static assets from your public directory, by default a Mojolicious::Static object.

types

my $types = $app->types;
$app      = $app->types(Mojolicious::Types->new);

Responsible for tracking the types of content you want to serve in your application, by default a Mojolicious::Types object. You can easily register new types.

$app->types->type(twitter => 'text/tweet');

METHODS

Mojolicious inherits all methods from Mojo and implements the following new ones.

new

my $app = Mojolicious->new;

Construct a new Mojolicious application. Will automatically detect your home directory and set up logging based on your current operating mode. Also sets up the renderer, static dispatcher and a default set of plugins.

defaults

my $defaults = $app->defaults;
my $foo      = $app->defaults('foo');
$app         = $app->defaults({foo => 'bar'});
$app         = $app->defaults(foo => 'bar');

Default values for the stash, assigned for every new request.

$app->defaults->{foo} = 'bar';
my $foo = $app->defaults->{foo};
delete $app->defaults->{foo};

dispatch

$app->dispatch($c);

The heart of every Mojolicious application, calls the static and routes dispatchers for every request and passes them a Mojolicious::Controller object.

handler

$tx = $app->handler($tx);

Sets up the default controller and calls process for every request.

helper

$app->helper(foo => sub {...});

Add a new helper that will be available as a method of the controller object and the application object, as well as a function in ep templates.

# Helper
$app->helper(add => sub { $_[1] + $_[2] });

# Controller/Application
my $result = $self->add(2, 3);

# Template
<%= add 2, 3 %>

hook

$app->hook(after_dispatch => sub {...});

Extend Mojolicious by adding hooks to named events.

The following events are available and run in the listed order.

after_build_tx

Triggered right after the transaction is built and before the HTTP request gets parsed, the callbacks of this hook run in the order they were added. One use case would be upload progress bars. (Passed the transaction and application instances)

$app->hook(after_build_tx => sub {
  my ($tx, $app) = @_;
});
before_dispatch

Triggered right before the static and routes dispatchers start their work, the callbacks of this hook run in the order they were added. Very useful for rewriting incoming requests and other preprocessing tasks. (Passed the default controller instance)

$app->hook(before_dispatch => sub {
  my $self = shift;
});
after_static_dispatch

Triggered after the static dispatcher determined if a static file should be served and before the routes dispatcher starts its work, the callbacks of this hook run in reverse order. Mostly used for custom dispatchers and postprocessing static file responses. (Passed the default controller instance)

$app->hook(after_static_dispatch => sub {
  my $self = shift;
});
before_render

Triggered right before the renderer turns the stash into a response, the callbacks of this hook run in the order they were added. Very useful for making adjustments to the stash right before rendering. (Passed the current controller instance and argument hash)

$app->hook(before_render => sub {
  my ($self, $args) = @_;
});

Note that this hook is EXPERIMENTAL and might change without warning!

after_dispatch

Triggered after a response has been rendered, the callbacks of this hook run in reverse order. Note that this hook can trigger before after_static_dispatch due to its dynamic nature. Useful for all kinds of postprocessing tasks. (Passed the current controller instance)

$app->hook(after_dispatch => sub {
  my $self = shift;
});

plugin

$app->plugin('something');
$app->plugin('something', foo => 23);
$app->plugin('something', {foo => 23});
$app->plugin('Foo::Bar');
$app->plugin('Foo::Bar', foo => 23);
$app->plugin('Foo::Bar', {foo => 23});

Load a plugin.

The following plugins are included in the Mojolicious distribution as examples.

Mojolicious::Plugin::CallbackCondition

Very versatile route condition for arbitrary callbacks.

Mojolicious::Plugin::Charset

Change the application charset.

Mojolicious::Plugin::Config

Perl-ish configuration files.

Mojolicious::Plugin::DefaultHelpers

General purpose helper collection.

Mojolicious::Plugin::EplRenderer

Renderer for plain embedded Perl templates.

Mojolicious::Plugin::EpRenderer

Renderer for more sophisiticated embedded Perl templates.

Mojolicious::Plugin::HeaderCondition

Route condition for all kinds of headers.

Mojolicious::Plugin::I18n

Internationalization helpers.

Mojolicious::Plugin::JsonConfig

JSON configuration files.

Mojolicious::Plugin::Mount

Mount whole Mojolicious applications.

Mojolicious::Plugin::PodRenderer

Renderer for POD files and documentation browser.

Mojolicious::Plugin::PoweredBy

Add an X-Powered-By header to outgoing responses.

Mojolicious::Plugin::RequestTimer

Log timing information.

Mojolicious::Plugin::TagHelpers

Template specific helper collection.

start

Mojolicious->start;
Mojolicious->start('daemon');

Start the Mojolicious::Commands command line interface for your application.

startup

$app->startup;

This is your main hook into the application, it will be called at application startup.

sub startup {
  my $self = shift;
}

HELPERS

In addition to the attributes and methods above you can also call helpers on instances of Mojolicious. This includes all helpers from Mojolicious::Plugin::DefaultHelpers and Mojolicious::Plugin::TagHelpers.

$app->log->debug($app->dumper({foo => 'bar'}));

SUPPORT

Web

http://mojolicio.us

IRC

#mojo on irc.perl.org

Mailing-List

http://groups.google.com/group/mojolicious

DEVELOPMENT

Repository

http://github.com/kraih/mojo

BUNDLED FILES

Mojolicious ships with a few popular static files bundled in the public directory.

Mojolicious Artwork

Copyright (C) 2010-2011, Sebastian Riedel.

Licensed under the CC-SA License, Version 3.0 http://creativecommons.org/licenses/by-sa/3.0.

jQuery

Version 1.6.2

jQuery is a fast and concise JavaScript Library that simplifies HTML document traversing, event handling, animating, and Ajax interactions for rapid web development. jQuery is designed to change the way that you write JavaScript.

Copyright 2011, John Resig.

Licensed under the MIT License, http://creativecommons.org/licenses/MIT.

prettify.js

Version 1-Jun-2011

A Javascript module and CSS file that allows syntax highlighting of source code snippets in an html page.

Copyright (C) 2006, Google Inc.

Licensed under the Apache License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.

CODE NAMES

Every major release of Mojolicious has a code name, these are the ones that have been used in the past.

1.4, Smiling Face With Sunglasses (u1F60E)

1.3, Tropical Drink (u1F379)

1.1, Smiling Cat Face With Heart-Shaped Eyes (u1F63B)

1.0, Snowflake (u2744)

0.999930, Hot Beverage (u2615)

0.999927, Comet (u2604)

0.999920, Snowman (u2603)

AUTHOR

Sebastian Riedel, sri@cpan.org.

CORE DEVELOPERS EMERITUS

Retired members of the core team, we thank you dearly for your service.

Viacheslav Tykhanovskyi, vti@cpan.org.

CREDITS

In alphabetical order.

Abhijit Menon-Sen

Adam Kennedy

Adriano Ferreira

Al Newkirk

Alex Salimon

Alexey Likhatskiy

Anatoly Sharifulin

Andre Vieth

Andrew Fresh

Andreas Koenig

Andy Grundman

Aristotle Pagaltzis

Ashley Dev

Ask Bjoern Hansen

Audrey Tang

Ben van Staveren

Breno G. de Oliveira

Brian Duggan

Burak Gursoy

Ch Lamprecht

Charlie Brady

Chas. J. Owens IV

Christian Hansen

chromatic

Curt Tilmes

Daniel Kimsey

Danijel Tasov

David Davis

Dmitriy Shalashov

Dmitry Konstantinov

Eugene Toropov

Gisle Aas

Glen Hinkle

Graham Barr

Henry Tang

Hideki Yamamura

James Duncan

Jan Jona Javorsek

Jaroslav Muhin

Jesse Vincent

John Kingsley

Jonathan Yu

Kazuhiro Shibuya

Kevin Old

KITAMURA Akatsuki

Lars Balker Rasmussen

Leon Brocard

Maik Fischer

Marcus Ramberg

Mark Stosberg

Matthew Lineen

Maksym Komar

Maxim Vuets

Michael Harris

Mirko Westermeier

Mons Anderson

Moritz Lenz

Nils Diewald

Oleg Zhelo

Pascal Gaudette

Paul Tomlin

Pedro Melo

Peter Edwards

Pierre-Yves Ritschard

Quentin Carbonneaux

Rafal Pocztarski

Randal Schwartz

Robert Hicks

Robin Lee

Roland Lammel

Ryan Jendoubi

Sascha Kiefer

Sergey Zasenko

Simon Bertrang

Simone Tampieri

Shu Cho

Stanis Trendelenburg

Tatsuhiko Miyagawa

Terrence Brannon

The Perl Foundation

Tomas Znamenacek

Ulrich Habel

Ulrich Kautz

Uwe Voelker

Victor Engmark

Yaroslav Korshak

Yuki Kimoto

Zak B. Elep

COPYRIGHT AND LICENSE

Copyright (C) 2008-2011, Sebastian Riedel.

This program is free software, you can redistribute it and/or modify it under the terms of the Artistic License version 2.0.