Security Advisories (13)
CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2011-1589 (2011-04-05)

Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

CVE-2010-4803 (2011-05-03)

Mojolicious before 0.999927 does not properly implement HMAC-MD5 checksums, which has unspecified impact and remote attack vectors.

CVE-2010-4802 (2011-05-03)

Commands.pm in Mojolicious before 0.999928 does not properly perform CGI environment detection, which has unspecified impact and remote attack vectors.

CVE-2011-1841 (2011-03-10)

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2026-14803 (2026-07-06)

Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder. The pure-Perl decode path (`_decode_value` dispatching to `_decode_array` and `_decode_object`) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory. This path is the default when Cpanel::JSON::XS is not installed or `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not affected. Any caller that decodes an untrusted JSON body, for example `Mojo::Message::json` reached through `$c->req->json`, can exhaust process memory and cause denial of service.

NAME

MojoX::Renderer - MIME Type Based Renderer

SYNOPSIS

use MojoX::Renderer;

my $renderer = MojoX::Renderer->new;

DESCRIPTION

MojoX::Renderer is the standard Mojolicious renderer. It turns your stashed data structures into content.

ATTRIBUTES

MojoX::Types implements the follwing attributes.

default_format

my $default = $renderer->default_format;
$renderer   = $renderer->default_format('html');

The default format to render if format is not set in the stash. The renderer will use MojoX::Types to look up the content MIME type.

default_handler

my $default = $renderer->default_handler;
$renderer   = $renderer->default_handler('epl');

The default template handler to use for rendering. There are two handlers in this distribution.

epl

Embedded Perl Lite handled by Mojolicious::Plugin::EplRenderer.

ep

Embedded Perl handled by Mojolicious::Plugin::EpRenderer.

default_status

my $default = $renderer->default_status;
$renderer   = $renderer->default_status(404);

The default status to set when rendering content, defaults to 200.

default_template_class

my $default = $renderer->default_template_class;
$renderer   = $renderer->default_template_class('main');

The renderer will use this class to look for templates in the __DATA__ section.

encoding

my $encoding = $renderer->encoding;
$renderer    = $renderer->encoding('koi8-r');

Will encode the content if set.

handler

my $handler = $renderer->handler;
$renderer   = $renderer->handler({epl => sub { ... }});

Registered handlers.

helper

my $helper = $renderer->helper;
$renderer  = $renderer->helper({url_for => sub { ... }});

Registered helpers.

layout_prefix

my $prefix = $renderer->layout_prefix;
$renderer  = $renderer->layout_prefix('layouts');

Directory to look for layouts in, defaults to layouts.

root

my $root  = $renderer->root;
$renderer = $renderer->root('/foo/bar/templates');

Directory to look for templates in.

types

my $types = $renderer->types;
$renderer = $renderer->types(MojoX::Types->new);

MojoX::Types object to use for looking up MIME types.

METHODS

MojoX::Renderer inherits all methods from Mojo::Base and implements the follwing the ones.

new

my $renderer = MojoX::Renderer->new;

Construct a new renderer.

add_handler

$renderer = $renderer->add_handler(epl => sub { ... });

Add a new handler to the renderer. See Mojolicious::Plugin::EpRenderer for a sample renderer.

add_helper

$renderer = $renderer->add_helper(url_for => sub { ... });

Add a new helper to the renderer. See Mojolicious::Plugin::EpRenderer for sample helpers.

get_inline_template

my $template = $renderer->get_inline_template($c, 'foo.html.ep');

Get an inline template by name, usually used by handlers.

render

my $success = $renderer->render($c);

$c->stash->{partial} = 1;
my $output = $renderer->render($c);

Render output through one of the Mojo renderers. This renderer requires some configuration, at the very least you will need to have a default format and a default handler as well as a template or text/json. See Mojolicious::Controller for a more user friendly interface.

template_name

my $template = $renderer->template_name({
    template => 'foo/bar',
    format   => 'html',
    handler  => 'epl'
});

Builds a template name based on an options hash with template, format and handler.

template_path

my $path = $renderer->template_path({
    template => 'foo/bar',
    format   => 'html',
    handler  => 'epl'
});

Builds a full template path based on an options hash with template, format and handler.

SEE ALSO

Mojolicious, Mojolicious::Book, http://mojolicious.org.