python: update qhelp

Author: yoff

python/ql/src/Security/CWE-643/XpathInjection.qhelp

@@ -2,20 +2,14 @@
 <qhelp>
     <overview>
         <p>
-        Using user-supplied information to construct an XPath query for XML data can
-        result in an XPath injection flaw. By sending intentionally malformed information,
-        an attacker can access data that he may not normally have access to.
-        He/She may even be able to elevate his privileges on the web site if the XML data
-        is being used for authentication (such as an XML based user file).
+        If an XPath expression is built using string concatenation, and the components of the concatenation
+        include user input, it makes it very easy for a user to create a malicious XPath expression.
         </p>
     </overview>
     <recommendation>
         <p>
-        XPath injection can be prevented using parameterized XPath interface or escaping the user input to make it safe to include in a dynamically constructed query.
-        If you are using quotes to terminate untrusted input in a dynamically constructed XPath query, then you need to escape that quote in the untrusted input to ensure the untrusted data can’t try to break out of that quoted context.
-        </p>
-        <p>
-        Another better mitigation option is to use a precompiled XPath query. Precompiled XPath queries are already preset before the program executes, rather than created on the fly after the user’s input has been added to the string. This is a better route because you don’t have to worry about missing a character that should have been escaped.
+        If user input must be included in an XPath expression, either sanitize the data or use variable
+        references to safely embed it without altering the structure of the expression.
         </p>
     </recommendation>
     <example>