Python: Escaping only valid with both input/output defined

Problematic part is

```codeql
  /** A escape from string format with `markupsafe.Markup` as the format string. */
  private class MarkupEscapeFromStringFormat extends MarkupSafeEscape, Markup::StringFormat {
    override DataFlow::Node getAnInput() {
      result in [this.getArg(_), this.getArgByName(_)] and
      not result = Markup::instance()
    }

    override DataFlow::Node getOutput() { result = this }
  }
```

since the char-pred still holds even if `getAnInput` has no results...

I will say that doing it this way feels kinda dirty, and we _could_ fix
this by including the logic in `getAnInput` in the char-pred as well.
But as I see it, that would just lead to a lot of code duplication,
which isn't very nice.

Author: RasmusWL

python/ql/src/semmle/python/Concepts.qll

@@ -303,7 +303,12 @@ module SqlExecution {
 class Escaping extends DataFlow::Node {
   Escaping::Range range;
 
-  Escaping() { this = range }
+  Escaping() {
+    this = range and
+    // escapes that don't have _both_ input/output defined are not valid
+    exists(range.getAnInput()) and
+    exists(range.getOutput())
+  }
 
   /** Gets an input that will be escaped. */
   DataFlow::Node getAnInput() { result = range.getAnInput() }

python/ql/test/library-tests/frameworks/markupsafe/taint_test.py

@@ -38,7 +38,7 @@ def test():
         m_unsafe.format(SAFE), # $ escapeInput=SAFE escapeKind=html escapeOutput=m_unsafe.format(..) MISSING: tainted
         m_unsafe + ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr MISSING: tainted
 
-        m_safe.format(m_unsafe), # $ escapeKind=html escapeOutput=m_safe.format(..) MISSING: tainted
+        m_safe.format(m_unsafe), # $ tainted
 
         escape(ts).unescape(), # $ escapeInput=ts escapeKind=html escapeOutput=escape(..) MISSING: tainted
         escape_silent(ts).unescape(), # $ escapeInput=ts escapeKind=html escapeOutput=escape_silent(..) MISSING: tainted