Port to Python 3 and harden unsafe input handling

[Am1rTl]

Summary

This PR modernizes simpleapi for Python 3 and hardens insecure request/serialization paths.

What changed

Python 3 modernization

• Converted package imports/syntax to Python 3.
• Added Python 3 packaging metadata:
  • python_requires >= 3.9
  • updated classifiers
  • modernized setup.py file handling.
• Updated runtime compatibility:
  • inspect.getargspec fallback via getfullargspec.
  • WSGI response body handling now always returns bytes.
  • removed dependency on deprecated/removed cgi parsing in standalone handler.
  • fixed exception/message handling and other Python 3 breakages.

Security hardening

• Unsafe pickle input is now disabled by default
  • If namespace includes pickle in __input__, it is filtered out unless explicitly opted-in.
  • New explicit opt-in: __allow_unsafe_pickle_input__ = True (or legacy alias __allow_unsafe_pickle__).
  • Enabling unsafe pickle input now requires explicit __authentication__.
• JSONP callback validation
  • Rejects invalid callback names to prevent callback injection/XSS.
• Client _mimetype override is blocked by default
  • _mimetype now rejected unless route is created with allow_custom_mimetype=True.
• XML parsing hardening
  • Prefer defusedxml.ElementTree when available.

Tests

• Added tests/test_security.py covering:
  • pickle input blocked by default;
  • explicit opt-in + auth requirement;
  • JSONP callback validation;
  • _mimetype override blocking;
  • normal JSON path still working.
• Legacy Django-only tests are now skipped when Django is not installed.

Verification

python3 -m unittest discover -v

Backward compatibility notes

• This PR intentionally changes insecure defaults:
  • _input=pickle is no longer accepted unless explicitly enabled.
  • _mimetype request override is no longer accepted unless explicitly enabled.
  • invalid JSONP callback values now fail fast.