Fix lab format-strings

Add "hints:" (without the field name, it has no contents).

Remove an example of a password in source code.
That is a vulnerability all by itself, we do NOT want to
show how to write *vulnerable* code.

Signed-off-by: David A. Wheeler <[email protected]>

Author: david-a-wheeler

docs/labs/format-strings.html

@@ -21,6 +21,7 @@
 
 <script id="info" type="application/yaml">
 ---
+hints:
 - absent: "user_input"
   text: Make sure the user_input is included in the replacement fields passed to the format function
   examples:
@@ -100,10 +101,7 @@ <h2>Interactive Lab (<span id="grade"></span>)</h2>
 <p>
 <form id="lab">
 <pre><code
-> # Application configuration which should be kept secret from a user
-CONFIG = {
-    'SECRET_KEY': 'super secret key'
-}
+> # CONFIG includes a secret key that must not be revealed
 
 # A event object with a single attribute used by the malicious format string to gain access to the
 # secret application configuration below