Security Advisories (10)

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

https://github.com/mojolicious/mojo/pull/1791

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

https://github.com/mojolicious/mojo/pull/1601

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

https://github.com/mojolicious/mojo/commit/a815d4797145f872ef6e9f1270841eda1d410afb

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

NAME

Mojo::Template - Perl-ish templates!

SYNOPSIS

use Mojo::Template;
my $mt = Mojo::Template->new;

# Simple
my $output = $mt->render(<<'EOF');
<!DOCTYPE html>
<html>
  <head><title>Simple</title></head>
  <body>Time: <%= localtime(time) %></body>
</html>
EOF
say $output;

# More complicated
my $output = $mt->render(<<'EOF', 23, 'foo bar');
%= 5 * 5
% my ($number, $text) = @_;
test 123
foo <% my $i = $number + 2; %>
% for (1 .. 23) {
* some text <%= $i++ %>
% }
EOF
say $output;

DESCRIPTION

Mojo::Template is a minimalistic and very Perl-ish template engine, designed specifically for all those small tasks that come up during big projects. Like preprocessing a configuration file, generating text from heredocs and stuff like that.

<% Perl code %>
<%= Perl expression, replaced with result %>
<%== Perl expression, replaced with XML escaped result %>
<%# Comment, useful for debugging %>
<%% Replaced with "<%", useful for generating templates %>
% Perl code line, treated as "<% line =%>"
%= Perl expression line, treated as "<%= line %>"
%== Perl expression line, treated as "<%== line %>"
%# Comment line, treated as "<%# line =%>"
%% Replaced with "%", useful for generating templates

Automatic escaping

Escaping behavior can be reversed with the auto_escape attribute, this is the default in Mojolicious .ep templates for example.

<%= Perl expression, replaced with XML escaped result %>
<%== Perl expression, replaced with result %>

Mojo::ByteStream objects are always excluded from automatic escaping.

<%= b('<div>excluded!</div>') %>

Trimming

Whitespace characters around tags can be trimmed with a special tag ending.

<%= All whitespace characters around this expression will be trimmed =%>

Blocks

You can capture whole template blocks for reuse later with the begin and end keywords.

<% my $block = begin %>
  <% my $name = shift; =%>
  Hello <%= $name %>.
<% end %>
<%= $block->('Baerbel') %>
<%= $block->('Wolfgang') %>

Indentation

Perl lines can also be indented freely.

% my $block = begin
  % my $name = shift;
  Hello <%= $name %>.
% end
%= $block->('Baerbel')
%= $block->('Wolfgang')

Arguments

Mojo::Template templates work just like Perl subs (actually they get compiled to a Perl sub internally). That means you can access arguments simply via @_.

% my ($foo, $bar) = @_;
% my $x = shift;
test 123 <%= $foo %>

More escaping

You can use escaped tags and lines to generate templates.

%% my $number = <%= 20 + 3 %>;
The number is <%%= $number %>

A newline can be escaped with a backslash.

This is <%= 23 * 3 %> a\
single line

And a backslash in front of a newline can be escaped with another backslash.

% use Data::Dumper;
This will\\
result <%=  Dumper {foo => 'bar'} %>\\
in multiple lines

Exceptions

Templates get compiled to Perl code internally, this can make debugging a bit tricky. But Mojo::Template will return Mojo::Exception objects that stringify to error messages with context.

Bareword "xx" not allowed while "strict subs" in use at template line 4.
2: </head>
3: <body>
4: % my $i = 2; xx
5: %= $i * 2
6: </body>

Caching

Mojo::Template does not support caching by itself, but you can easily build a wrapper around it.

# Compile and store code somewhere
my $mt = Mojo::Template->new;
$mt->parse($template);
$mt->build;
my $code = $mt->code;

# Load code and template (template for debug trace only)
$mt->template($template);
$mt->code($code);
$mt->compile;
my $output = $mt->interpret(@args);

ATTRIBUTES

Mojo::Template implements the following attributes.

`auto_escape`

my $auto_escape = $mt->auto_escape;
$mt             = $mt->auto_escape(1);

Activate automatic XML escaping.

`append`

my $code = $mt->append;
$mt      = $mt->append('warn "Processed template"');

Append Perl code to compiled template.

`capture_end`

my $capture_end = $mt->capture_end;
$mt             = $mt->capture_end('end');

Keyword indicating the end of a capture block, defaults to end.

<% my $block = begin %>
  Some data!
<% end %>

`capture_start`

my $capture_start = $mt->capture_start;
$mt               = $mt->capture_start('begin');

Keyword indicating the start of a capture block, defaults to begin.

<% my $block = begin %>
  Some data!
<% end %>

`code`

my $code = $mt->code;
$mt      = $mt->code($code);

Compiled template code.

`comment_mark`

my $comment_mark = $mt->comment_mark;
$mt              = $mt->comment_mark('#');

Character indicating the start of a comment, defaults to #.

<%# This is a comment %>

`encoding`

my $encoding = $mt->encoding;
$mt          = $mt->encoding('UTF-8');

Encoding used for template files.

`escape_mark`

my $escape_mark = $mt->escape_mark;
$mt             = $mt->escape_mark('=');

Character indicating the start of an escaped expression, defaults to =.

<%== $foo %>

`expression_mark`

my $expression_mark = $mt->expression_mark;
$mt                 = $mt->expression_mark('=');

Character indicating the start of an expression, defaults to =.

<%= $foo %>

`line_start`

my $line_start = $mt->line_start;
$mt            = $mt->line_start('%');

Character indicating the start of a code line, defaults to %.

% $foo = 23;

`name`

my $name = $mt->name;
$mt      = $mt->name('foo.mt');

Name of template currently being processed, defaults to template. Note that this method is attribute and might change without warning!

`namespace`

my $namespace = $mt->namespace;
$mt           = $mt->namespace('main');

Namespace used to compile templates, defaults to Mojo::Template::SandBox.

`prepend`

my $code = $mt->prepend;
$mt      = $mt->prepend('my $self = shift;');

Prepend Perl code to compiled template.

`replace_mark`

my $replace_mark = $mt->replace_mark;
$mt              = $mt->replace_mark('%');

Character used for escaping the start of a tag or line, defaults to %.

<%% my $foo = 23; %>

`tag_start`

my $tag_start = $mt->tag_start;
$mt           = $mt->tag_start('<%');

Characters indicating the start of a tag, defaults to <%.

<% $foo = 23; %>

`tag_end`

my $tag_end = $mt->tag_end;
$mt         = $mt->tag_end('%>');

Characters indicating the end of a tag, defaults to %>.

<%= $foo %>

`template`

my $template = $mt->template;
$mt          = $mt->template($template);

Raw template.

`tree`

my $tree = $mt->tree;
$mt      = $mt->tree($tree);

Parsed tree.

`trim_mark`

my $trim_mark = $mt->trim_mark;
$mt           = $mt->trim_mark('-');

Character activating automatic whitespace trimming, defaults to =.

<%= $foo =%>

METHODS

Mojo::Template inherits all methods from Mojo::Base and implements the following new ones.

`new`

my $mt = Mojo::Template->new;

Construct a new Mojo::Template object.

`build`

$mt = $mt->build;

Build template.

`compile`

my $exception = $mt->compile;

Compile template.

`interpret`

my $output = $mt->interpret;
my $output = $mt->interpret(@args);

Interpret template.

`parse`

$mt = $mt->parse($template);

Parse template.

`render`

my $output = $mt->render($template);
my $output = $mt->render($template, @args);

Render template.

`render_file`

my $output = $mt->render_file($template_file);
my $output = $mt->render_file($template_file, @args);

Render template file.

`render_file_to_file`

my $exception = $mt->render_file_to_file($template_file, $output_file);
my $exception = $mt->render_file_to_file(
  $template_file, $output_file, @args
);

Render template file to a specific file.

`render_to_file`

my $exception = $mt->render_to_file($template, $output_file);
my $exception = $mt->render_to_file($template, $output_file, @args);

Render template to a specific file.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

NAME

SYNOPSIS

DESCRIPTION

Automatic escaping

Trimming

Blocks

Indentation

Arguments

More escaping

Exceptions

Caching

ATTRIBUTES

auto_escape

append

capture_end

capture_start

code

comment_mark

encoding

escape_mark

expression_mark

line_start

name

namespace

prepend

replace_mark

tag_start

tag_end

template

tree

trim_mark