Security Advisories (10)
CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as an HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

NAME

Mojolicious::Plugin::DefaultHelpers - Default helpers plugin

SYNOPSIS

# Mojolicious
$self->plugin('DefaultHelpers');

# Mojolicious::Lite
plugin 'DefaultHelpers';

DESCRIPTION

Mojolicious::Plugin::DefaultHelpers is a collection of renderer helpers for Mojolicious.

This is a core plugin, which means it is always enabled, and its code is a good example for learning to build new plugins. You're welcome to fork it.

See "PLUGINS" in Mojolicious::Plugins for a list of plugins that are available by default.

HELPERS

Mojolicious::Plugin::DefaultHelpers implements the following helpers.

accepts

my $formats = $c->accepts;
my $format  = $c->accepts('html', 'json', 'txt');

Select best possible representation for resource from Accept request header, format stash value or format GET/POST parameter with "accepts" in Mojolicious::Renderer, defaults to returning the first extension if no preference could be detected.

# Check if JSON is acceptable
$c->render(json => {hello => 'world'}) if $c->accepts('json');

# Check if JSON was specifically requested
$c->render(json => {hello => 'world'}) if $c->accepts('', 'json');

# Unsupported representation
$c->render(data => '', status => 204)
  unless my $format = $c->accepts('html', 'json');

# Detected representations to select from
my @formats = @{$c->accepts};

app

%= app->secrets->[0]

Alias for "app" in Mojolicious::Controller.

b

%= b('test 123')->b64_encode

Turn string into a Mojo::ByteStream object.

c

%= c(qw(a b c))->shuffle->join

Turn list into a Mojo::Collection object.

config

%= config 'something'

Alias for "config" in Mojo.

content

%= content foo => begin
  test
% end
%= content bar => 'Hello World!'
%= content 'foo'
%= content 'bar'
%= content

Store partially rendered content in named buffer and retrieve it, defaults to retrieving the named buffer content, which is commonly used for the renderer's layout and extends features. Note that new content will be ignored if the named buffer is already in use.

content_for

% content_for foo => begin
  test
% end
%= content_for 'foo'

Append partially rendered content to named buffer and retrieve it. Note that named buffers are shared with the "content" helper.

% content_for message => begin
  Hello
% end
% content_for message => begin
  world!
% end
%= content_for 'message'

csrf_token

%= csrf_token

Get CSRF token from "session", and generate one if none exists.
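
The following is an added example, not part of the Mojolicious documentation, showing the helper embedded in a form and checked on the POST that follows. The environment variable MYAPP_SESSION_SECRET, the 32-character minimum and the route names are assumptions made for illustration. The secret is set explicitly because the token lives in the signed session cookie, which the default secret described in CVE-2024-58134 would leave forgeable.

```perl
#!/usr/bin/env perl
use Mojolicious::Lite;
use Mojo::Util qw(secure_compare);

# Assumption: the deployment supplies the signing secret through this
# hypothetical environment variable. Refuse to start without it rather
# than fall back to the predictable default secret.
my $secret = $ENV{MYAPP_SESSION_SECRET} // '';
die "MYAPP_SESSION_SECRET must be set to a long random value\n"
  unless length($secret) >= 32;
app->secrets([$secret]);

# Renders the "form" template below; csrf_token creates the token in the
# session on first use
get '/transfer' => 'form';

# Hypothetical state-changing action, named "do_transfer"
post '/transfer' => sub {
  my $c = shift;

  # Scalar context on purpose: only the first submitted value is used
  my $sent     = $c->param('csrf_token') // '';
  my $expected = $c->csrf_token;

  # A missing or mismatched token rejects the request before any work
  return $c->render(text => 'Bad CSRF token', status => 403)
    unless secure_compare($sent, $expected);

  $c->render(text => 'Transfer accepted');
} => 'do_transfer';

app->start;

__DATA__

@@ form.html.ep
<form action="<%= url_for 'do_transfer' %>" method="POST">
  <input type="hidden" name="csrf_token" value="<%= csrf_token %>">
  <input type="text" name="amount">
  <input type="submit" value="Send">
</form>
```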

current_route

% if (current_route 'login') {
  Welcome to Mojolicious!
% }
%= current_route

Check or get name of current route.

delay

$c->delay(sub {...}, sub {...});

Disable automatic rendering and use "delay" in Mojo::IOLoop to manage callbacks and control the flow of events, which can help you avoid deep nested closures and memory leaks that often result from continuation-passing style. Calls "render_exception" in Mojolicious::Controller if an error occurred in one of the steps, breaking the chain.

# Longer version
$c->render_later;
my $delay = Mojo::IOLoop->delay(sub {...}, sub {...});
$delay->catch(sub { $c->render_exception(pop) })->wait;

dumper

%= dumper {some => 'data'}

Dump a Perl data structure with "dumper" in Mojo::Util.

extends

% extends 'blue';
% extends 'blue', title => 'Blue!';

Set extends stash value, all additional pairs get merged into the "stash".

flash

%= flash 'foo'

Alias for "flash" in Mojolicious::Controller.

inactivity_timeout

$c->inactivity_timeout(3600);

Use "stream" in Mojo::IOLoop to find the current connection and increase timeout if possible.

# Longer version
Mojo::IOLoop->stream($c->tx->connection)->timeout(3600);

include

%= include 'menubar'
%= include 'menubar', format => 'txt'

Alias for "render_to_string" in Mojolicious::Controller.

layout

% layout 'green';
% layout 'green', title => 'Green!';

Set layout stash value, all additional pairs get merged into the "stash".

param

%= param 'foo'

Alias for "param" in Mojolicious::Controller.

session

%= session 'foo'

Alias for "session" in Mojolicious::Controller.

stash

%= stash 'foo'
% stash foo => 'bar';

Alias for "stash" in Mojolicious::Controller.

%= stash('name') // 'Somebody'

title

% title 'Welcome!';
% title 'Welcome!', foo => 'bar';
%= title

Set title stash value, all additional pairs get merged into the "stash".

ua

%= ua->get('mojolicio.us')->res->dom->at('title')->text

Alias for "ua" in Mojo.

url_for

%= url_for 'named', controller => 'bar', action => 'baz'

Alias for "url_for" in Mojolicious::Controller.

url_with

%= url_with 'named', controller => 'bar', action => 'baz'

Does the same as "url_for", but inherits query parameters from the current request.

%= url_with->query([page => 2])

validation

%= validation->param('foo')

Alias for "validation" in Mojolicious::Controller.

METHODS

Mojolicious::Plugin::DefaultHelpers inherits all methods from Mojolicious::Plugin and implements the following new ones.

register

$plugin->register(Mojolicious->new);

Register helpers in Mojolicious application.

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicio.us.