Multiple fixes and improvements.

Improved security. The work of antiForgeryToken has been fixed.
Added the ability to manage the settings of validators.
Added the ability to handle errors.
HTTP404 error if controller or method of action is not found.
Added support for strict types in the method of converting an array to an object.
Added insert method to RouteProvider.
Added tryBuildUrl method to RouteProvider. The method for building url in the UrlHelper class has been reorganized.
Added the ability to get named segments of a route.
In the absence of a model, the injectModel method now sets the value to null.
Additional tests.

Author: meet-aleksey

src/ActionContext.php

@@ -157,7 +157,27 @@ public function getActionName() {
      * @return bool
      */
     public function actionNameEquals($name) {
-        return $this->actionName == strtolower($name);
+        return strtolower($this->actionName) == strtolower($name);
+    }
+
+    /**
+     * Returns name of the controller.
+     * 
+     * @return string
+     */
+    public function getControllerName() {
+        return $this->getRoute()->values['controller'];
+    }
+
+    /**
+     * Checks the equivalence of the specified string with the name of the controller.
+     * 
+     * @param string $name The string to compare.
+     * 
+     * @return bool
+     */
+    public function controllerNameEquals($name) {
+        return strtolower($this->getControllerName()) == strtolower($name);
     }
 
     /**

src/ActionNameValidationException.php

@@ -0,0 +1,17 @@
+<?php
+namespace PhpMvc;
+
+/**
+ * Occurs if the action name contains illegal characters.
+ */
+final class ActionNameValidationException extends \Exception {
+
+    /**
+     * Initializes a new instance of the ActionNameValidationException.
+     * 
+     */
+    public function __construct() {
+        parent::__construct('Action names can not begin with a "_".');
+    }
+
+}

src/AppBuilder.php

@@ -96,6 +96,26 @@ public static function useSession($sessionProvider = null) {
         self::$config['sessionProvider'] = (isset($sessionProvider) ? $sessionProvider : true);
     }
 
+    /**
+     * Allows to manage HTTP request validators.
+     * By default, all validators are enabled. With this method, you can disable certain validators.
+     * 
+     * WARNING: Disabling HTTP requests validation can jeopardize your site and users of your site.
+     * For security reasons, it is not recommended to disable HTTP request validation.
+     * 
+     * @param array|bool $validators List of validators to use or disable.
+     * For example:
+     * array(
+     *  'crossSiteScripting' => false, // disable CrossSiteScriptingValidation
+     *  'actionName' => false // disable action name validation
+     * )
+     * 
+     * @return void
+     */
+    public static function useValidation($validators) {
+        self::$config['validators'] = $validators;
+    }
+
     /**
      * Sets custom handlers.
      * 
@@ -164,19 +184,29 @@ public static function routes($routes) {
      * @return void
      */
     public static function build() {
-        self::init();
-        self::include();
-
-        $route = self::canRoute();
-
-        if ($route !== false) {
-            $actionContext = self::actionContext($route);
+        try {
+            self::init();
+            self::include();
+    
+            $route = self::canRoute();
+    
+            if ($route !== false) {
+                $actionContext = self::actionContext($route);
+    
+                if ($actionContext !== null && !self::cached($actionContext)) {
+                    self::filters($actionContext);
+                    self::headers();
+                    self::validation();
+                    self::render($actionContext);
+                }
+            }
+        }
+        catch (\Exception $ex) {
+            $errorHandlerEventArgs = new ErrorHandlerEventArgs($ex);
+            self::invokeAll(self::$appContext->getErrorHandler(), array($errorHandlerEventArgs));
 
-            if ($actionContext !== null && !self::cached($actionContext)) {
-                self::filters($actionContext);
-                self::headers();
-                self::validation();
-                self::render($actionContext);
+            if ($errorHandlerEventArgs->getHandled() !== true) {
+                throw $ex;
             }
         }
     }
@@ -423,6 +453,12 @@ private static function actionContext($route) {
 
         InternalHelper::setPropertyValue($actionContext, 'controller', $controllerInstance);
 
+        if (!method_exists($controllerInstance, PHPMVC_ACTION)) {
+            $response->setStatusCode(404);
+            $response->end();
+            return null;
+        }
+
         // get and set model annotations
         $annotations = InternalHelper::getStaticPropertyValue('\\PhpMvc\\Model', 'annotations');
         $modelState = $actionContext->getModelState();
@@ -448,6 +484,9 @@ private static function actionContext($route) {
         // arguments and model state
         self::makeActionState($actionContext);
 
+        // invoke custom handlers
+        self::invokeAll(self::$appContext->getActionContextInit(), array($actionContext));
+
         return $actionContext;
     }
 
@@ -803,8 +842,62 @@ private static function filters($actionContext) {
      * @return void
      */
     private static function validation() {
-        if (substr(PHPMVC_ACTION, 0, 2) == '__') {
-            throw new \Exception('Action names can not begin with a "_".');
+        if (isset(self::$config['validators'])) {
+            $validators = self::$config['validators'];
+        }
+        else {
+            $validators = true;
+        }
+
+        // action name validation
+        if ($validators === true || (!isset($validators['actionName']) || $validators['actionName'] === true)) {
+            if (substr(PHPMVC_ACTION, 0, 2) == '__') {
+                throw new ActionNameValidationException();
+            }
+        }
+
+        // request verification token
+        if ($validators === true || (!isset($validators['antiForgeryToken']) || $validators['antiForgeryToken'] === true)) {
+            if (($request = self::$config['httpContext']->getRequest())->isPost()) {
+                $post = $request->post();
+                $expected = $request->cookies('__requestVerificationToken');
+
+                if (!isset($post)) { $post = array(); }
+
+                if ((isset($expected) && (!isset($post['__requestVerificationToken']) || $post['__requestVerificationToken'] != $expected)) || (isset($post['__requestVerificationToken']) && empty($expected))) {
+                    throw new HttpAntiForgeryException();
+                }
+            }
+        }
+
+        // cross site scripting validation
+        if ($validators === true || (!isset($validators['crossSiteScripting']) || $validators['crossSiteScripting'] === true)) {
+            $request = self::$config['httpContext']->getRequest();
+
+            $get = $request->get();
+            $post = $request->post();
+
+            if (!isset($get)) { $get = array(); }
+            if (!isset($post)) { $post = array(); }
+
+            $items = array_merge($get, $post);
+
+            foreach ($items as $key => $value) {
+                $isDangerousString = CrossSiteScriptingValidation::IsDangerousString($key) || CrossSiteScriptingValidation::IsDangerousString($value);
+    
+                if ($isDangerousString) {
+                    $source = null;
+
+                    if (!empty($get[$key])) {
+                        $source = '$_GET';
+                    }
+                    elseif (!empty($post[$key])) {
+                        $source = '$_POST';
+                    }
+    
+                    throw new HttpRequestValidationException($source, $key, $value);
+                }
+            }
         }
     }
 
@@ -927,8 +1020,9 @@ private static function makeActionState($actionContext) {
         $hasModel = false;
         $request = $actionContext->getHttpContext()->getRequest();
 
-        // route values
+        // route
         $route = $actionContext->getRoute();
+        $segments = $route->getSegments(true);
 
         // params of get http
         // TODO: подумать о возможности управлять этим
@@ -937,27 +1031,8 @@ private static function makeActionState($actionContext) {
         // change case of keys
         $get = array_change_key_case($get, CASE_LOWER);
 
-        // params of post
+        // post
         $isPost = $request->isPost();
-        $postData = $isPost ? $request->post() : null;
-        $post =  null;
-
-        if (!empty($postData)) {
-            $post = InternalHelper::arrayToObject($postData);
-        }
-        
-        if (empty($post) && $isPost) {
-            $contentType = $request->contentType();
-
-            if (strrpos($contentType, '/json') !== false) {
-                $requestBody = file_get_contents('php://input');
-
-                $post = json_decode($requestBody);
-            }
-            else {
-                // TODO...
-            }
-        }
 
         // get params of action method
         $r = new \ReflectionMethod(get_class($actionContext->getController()), $actionContext->getActionName());
@@ -976,14 +1051,49 @@ private static function makeActionState($actionContext) {
             }
             else {
                 // parameter not found
-                if ($isPost && !$hasModel && !isset($get[$name])) {
+                if ($isPost && !$hasModel && !isset($get[$name]) && !isset($segments[$name])) {
+                    $postData = $request->post();
+                    $paramTypeName = '\stdClass';
+                    $post = null;
+
+                    if (isset($postData) && isset($postData['__requestVerificationToken'])) {
+                        unset($postData['__requestVerificationToken']);
+                    }
+
+                    if ($param->hasType()) {
+                        if ($param->getType()->isBuiltin()) {
+                            $arguments[$name] = ($param->isOptional() ? $param->getDefaultValue() : null);
+                            continue;
+                        }
+
+                        if (($paramTypeName = $param->getClass()) !== null) {
+                            $paramTypeName = $paramTypeName->getName();
+                        }
+                    }
+
+                    if (!empty($postData)) {
+                        InternalHelper::arrayToObject($postData, $post, $paramTypeName);
+                    }
+                    
+                    if (empty($post)) {
+                        $contentType = $request->contentType();
+            
+                        if (strrpos($contentType, '/json') !== false) {
+                            $requestBody = file_get_contents('php://input');
+                            InternalHelper::arrayToObject(json_decode($requestBody, true), $post, $paramTypeName);
+                        }
+                        else {
+                            // TODO...
+                        }
+                    }
+
                     // post method and model not yet received
                     if ($post == null) {
                         throw new \Exception('"' . $name . ' is required.');
                     }
 
                     $arguments[$name] = $post;
-                    
+
                     // parse post data
                     foreach (get_object_vars($post) as $key => $value) {
                         $modelState[$key] = new ModelStateEntry($key, $value);