VYPR
Low severity · NVD Advisory · Published Oct 2, 2020 · Updated Aug 4, 2024

Cross-site scripting attack in mapfish-print

CVE-2020-15231

Description

In mapfish-print before version 3.24, a user can use the JSONP support to do a Cross-site scripting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Ecosystem   Affected versions   Patched versions
org.mapfish.print:print-lib          Maven       < 3.24              3.24
org.mapfish.print:print-servlet      Maven       < 3.24              3.24
org.mapfish.print:print-standalone   Maven       < 3.24              3.24

Affected products: 4

Patches

Vulnerability mechanics

Root cause

"The server reflected the unsanitized `jsonp` query parameter into the HTTP response body, enabling reflected Cross-site Scripting."

Attack vector

An attacker can craft a URL to any of the affected endpoints (e.g., `/print/status/ref.json?jsonp=alert(1)`) and trick a victim into visiting it. The server reflects the `jsonp` parameter value directly into the HTTP response body wrapped as a JavaScript function call, allowing arbitrary script execution in the victim's browser. This is a classic reflected Cross-site Scripting (XSS) attack [CWE-79] that requires no authentication and can be triggered via any web page or email link.

Affected code

The vulnerability resides in `MapPrinterServlet.java` where multiple endpoints (`getStatus`, `listAppIds`, `getCapabilities`, `getExampleRequest`) accepted a `jsonp` callback parameter and reflected it into the response without sanitization. The patch removes the JSONP callback parameter from all these methods and deletes the associated `appendJsonpCallback`/`appendJsonpCallbackEnd` helper calls, as shown in the diff for `core/src/main/java/org/mapfish/print/servlet/MapPrinterServlet.java` [patch_id=6634927].

What the fix does

The patch removes the `jsonp` request parameter from every endpoint (`getStatus`, `listAppIds`, `getCapabilities`, `getExampleRequest`) and deletes the `appendJsonpCallback`/`appendJsonpCallbackEnd` helper methods that wrapped the response in a user-controlled function call. By eliminating JSONP support entirely, the server no longer reflects attacker-controlled callback names into the response body, which closes the XSS vector [patch_id=6634927]. The corresponding test methods that verified JSONP behavior were also removed.
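The mechanics above and the fix can be made concrete with a small stand-alone illustration. This is added example code written for this page, not code from mapfish-print or its patch; the class and method names (`JsonpExample`, `renderBefore`, `renderFixed`, `renderStrictJsonp`), the sample status body and the callback regex are assumptions. `renderBefore` reproduces the pre-3.24 shape (callback copied verbatim into a JavaScript response), `renderFixed` mirrors what version 3.24 did (JSONP removed, plain JSON only), and `renderStrictJsonp` shows the alternative a service that cannot drop JSONP would need: an identifier-only allowlist on the callback name.

```java
import java.util.regex.Pattern;

/**
 * Illustration of the CVE-2020-15231 pattern (reflected JSONP callback) and
 * two ways to close it. Hypothetical code for this advisory page; it is not
 * taken from mapfish-print.
 */
public final class JsonpExample {

    /** Constructed sample body, standing in for a print job status document. */
    static final String STATUS_JSON = "{\"done\":false,\"status\":\"running\"}";

    /**
     * Pre-3.24 behaviour: whatever arrived in the jsonp query parameter is
     * concatenated straight into the response, so the response body is
     * attacker-controlled script when the browser treats it as JavaScript.
     */
    static String renderBefore(String jsonpParam, String body) {
        if (jsonpParam == null || jsonpParam.isEmpty()) {
            return body;
        }
        return jsonpParam + "(" + body + ");";
    }

    /**
     * What the 3.24 patch does: the jsonp parameter is no longer read at all,
     * so the response is always the plain JSON document. The endpoint should
     * additionally send Content-Type: application/json and
     * X-Content-Type-Options: nosniff (done via the servlet response in a real
     * handler; omitted here to keep the example dependency-free).
     */
    static String renderFixed(String jsonpParam, String body) {
        return body; // jsonpParam deliberately ignored
    }

    /**
     * Alternative for services that must keep JSONP (not the route mapfish-print
     * took): accept only a dotted JavaScript identifier as the callback and
     * reject everything else. The regex is an assumption of this example.
     */
    private static final Pattern CALLBACK =
            Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*$");

    static String renderStrictJsonp(String jsonpParam, String body) {
        if (jsonpParam == null || jsonpParam.isEmpty()) {
            return body;
        }
        if (!CALLBACK.matcher(jsonpParam).matches()) {
            throw new IllegalArgumentException("invalid JSONP callback name");
        }
        // Leading comment prefix so the response cannot be reinterpreted as
        // another file format by a sniffing client; pair with nosniff header.
        return "/**/" + jsonpParam + "(" + body + ");";
    }

    public static void main(String[] args) {
        String benign = "handleStatus";          // constructed legitimate callback
        String hostile = "alert(1)";             // shape used in the advisory text

        System.out.println("before, benign : " + renderBefore(benign, STATUS_JSON));
        System.out.println("before, hostile: " + renderBefore(hostile, STATUS_JSON));
        // -> the hostile value is reflected verbatim: this is the CVE

        System.out.println("fixed,  hostile: " + renderFixed(hostile, STATUS_JSON));
        // -> plain JSON, callback never touches the response

        System.out.println("strict, benign : " + renderStrictJsonp(benign, STATUS_JSON));
        try {
            renderStrictJsonp(hostile, STATUS_JSON);
        } catch (IllegalArgumentException e) {
            System.out.println("strict, hostile: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac JsonpExample.java && java JsonpExample`. The useful comparison is the two "hostile" lines: the pre-fix renderer emits the callback text unchanged, while the fixed renderer emits only the JSON document, which is why the patch could simply delete the parameter handling rather than attempt to escape it. For detection on an unpatched deployment, the same observation applies to access logs: any request to the status, capabilities, app-list or example-request endpoints carrying a `jsonp` value that is not a plain identifier is worth alerting on.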

Preconditions

  • input: The attacker must trick a victim into visiting a crafted URL to the mapfish-print server
  • auth: No authentication or special configuration is required

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
