5.x Middleware and routing security hardening

[odan]

This PR improves middleware security by hardening JSON/XML body parsing, preventing XXE-style XML parsing risks and enforcing configured router base paths.

Removed

• Removed Slim\Middleware\CorsMiddleware and the corresponding CORS middleware tests.

Changed

• BasePathMiddleware now detects the base path and stores it on the router instead of passing it via a request attribute.
• RoutingMiddleware now reads base path only from the router.
• Requests outside a configured base path now return 404 instead of matching unprefixed routes.
• MethodOverrideMiddleware now only honors method overrides on original POST requests because method override exists to support HTML-form style submissions, while allowing a GET or other method to become DELETE, PUT, or PATCH can bypass security assumptions in CSRF checks, proxies, caches, and route handling.
• MethodOverrideMiddleware now ignores unsupported override methods to prevent clients from injecting arbitrary or nonstandard HTTP verbs into downstream routing and middleware logic.
• JSON body parsing now always throws HttpBadRequestException for invalid JSON using JSON_THROW_ON_ERROR.
• XML body parsing now uses LIBXML_NONET and LIBXML_NO_XXE when available to make XML parsing safer by blocking external network access and, on PHP versions that support it, explicitly disabling XML External Entity processing.
  That reduces the risk of XXE-style attacks, where a malicious XML payload tries to make the parser fetch remote resources or expose local files through external entities.
• Route registration APIs now return RouteInterface instead of concrete Route.
• 405 exception messages no longer include the allowed method list.
  • Method not allowed. instead of: Method not allowed. Must be one of: GET, POST

Fixed

• Fixed base path auto-detection for subdirectory deployments.
• Fixed URL generation after base path auto-detection.
• Fixed routing behavior when the request URI does not start with the configured base path.
• Added regression coverage for invalid JSON, method override validation, and base path routing.

[coveralls]

coverage: 96.432% (-0.3%) from 96.768% — odan:5.x-middleware-security-hardening into slimphp:5.x