Cross-site scripting in bootstrap.jsp

An attacker can inject malicious script input that is not properly neutralized before being rendered in `bootstrap.jsp`, leading to cross-site scripting (XSS) [CWE-79]. The advisory states that OpenNMS installations are intended for private networks and should not be directly accessible from the Internet, so the attacker likely needs network access to the internal OpenNMS web interface. The injected script can then access confidential session information of other users viewing the affected page.

The vulnerability resides in `opennms-webapp/src/main/java/org/opennms/web/utils/Bootstrap.java`. The patch replaces Guava collection utilities (`Lists.newArrayList()`, `Sets.newHashSet()`) with standard Java collections (`new ArrayList<>()`, `new HashSet<>()`). The advisory does not specify which function or code path in `bootstrap.jsp` is vulnerable, only that cross-site scripting occurs there.

The patch removes Guava collection imports (`Lists`, `Sets`) and replaces `Lists.newArrayList()` and `Sets.newHashSet()` with standard Java `new ArrayList<>()` and `new HashSet<>()` [patch_id=1640650]. While the commit message says "No guava," this change alone does not directly fix an XSS vulnerability; it appears to be a cleanup that accompanies a more substantive fix not shown in this diff. The advisory recommends upgrading to Horizon 32.0.5 or Meridian 2023.1.9, which include the complete fix.