Security Advisories (14)
CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2011-1589 (2011-04-05)

Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

CVE-2010-4803 (2011-05-03)

Mojolicious before 0.999927 does not properly implement HMAC-MD5 checksums, which has unspecified impact and remote attack vectors.

CVE-2010-4802 (2011-05-03)

Commands.pm in Mojolicious before 0.999928 does not properly perform CGI environment detection, which has unspecified impact and remote attack vectors.

CVE-2011-1841 (2011-03-10)

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies.  An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

CVE-2026-14803 (2026-07-06)

Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder. The pure-Perl decode path (`_decode_value` dispatching to `_decode_array` and `_decode_object`) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory. This path is the default when Cpanel::JSON::XS is not installed or `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not affected. Any caller that decodes an untrusted JSON body, for example `Mojo::Message::json` reached through `$c->req->json`, can exhaust process memory and cause denial of service.

NAME

Mojo::DOM - Minimalistic XML DOM Parser With CSS3 Selectors

SYNOPSIS

use Mojo::DOM;

my $dom = Mojo::DOM->new;
$dom->parse('<div><div id="a">A</div><div id="b">B</div></div>');
my $b = $dom->at('#b');
print $b->text;

DESCRIPTION

Mojo::DOM is a minimalistic and very relaxed XML DOM parser with support for CSS3 selectors. Note that this module is EXPERIMENTAL and might change without warning!

SELECTORS

These CSS3 selectors are currently implemented.

*

Any element.

E
my $title = $dom->at('title');

An element of type E.

E[foo]
my $links = $dom->search('a[href]');

An E element with a foo attribute.

E[foo="bar"]
my $fields = $dom->search('input[name="foo"]');

An E element whose foo attribute value is exactly equal to bar.

E[foo^="bar"]
my $fields = $dom->search('input[name^="f"]');

An E element whose foo attribute value begins exactly with the string bar.

E[foo$="bar"]
my $fields = $dom->search('input[name$="o"]');

An E element whose foo attribute value ends exactly with the string bar.

E:root
my $root = $dom->at(':root');

An E element, root of the document.

E F
my $headlines = $dom->search('div h1');

An F element descendant of an E element.

E > F
my $headlines = $dom->search('html > body > div > h1');

An F element child of an E element.

ATTRIBUTES

Mojo::DOM implements the following attributes.

charset

my $charset = $dom->charset;
$dom        = $dom->charset('UTF-8');

Charset used for decoding XML.

tree

my $array = $dom->tree;
$dom      = $dom->tree(['root', ['text', 'lalala']]);

Document Object Model.

METHODS

Mojo::DOM inherits all methods from Mojo::Base and implements the following new ones.

all_text

my $text = $dom->all_text;

Extract all text content from DOM structure.

at

my $result = $dom->at('html title');

Search for a single element with CSS3 selectors.

attributes

my $attrs = $dom->attributes;

Element attributes.

children

my $children = $dom->children;

Children of element.

name

my $name = $dom->name;
$dom     = $dom->name('html');

Element name.

parent

my $parent = $dom->parent;

Parent of element.

parse

$dom = $dom->parse('<foo bar="baz">test</foo>');

Parse XML document.

my $results = $dom->search('html title');

Search for elements with CSS3 selectors.

text

my $text = $dom->text;

Extract text content from element only, not including child elements.

to_xml

my $xml = $dom->to_xml;

Render DOM to XML.

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicious.org.