Doc/library/xml.rst: Improve section on XML security

Clarify that:
- it takes parsing for an attack
- that some doors are closed by default
- only version 2.7.2 has all the fixes
- use of the bundle depends on configuration

Author: hartwork

Doc/library/xml.rst

@@ -53,11 +53,21 @@ XML security
 
 An attacker can abuse XML features to carry out denial of service attacks,
 access local files, generate network connections to other machines, or
-circumvent firewalls.
+circumvent firewalls when attacker-controlled XML is being parsed,
+in Python or elsewhere.
 
-Expat versions lower than 2.6.0 may be vulnerable to "billion laughs",
-"quadratic blowup" and "large tokens". Python may be vulnerable if it uses such
-older versions of Expat as a system-provided library.
+The builtin XML parsers of Python rely on library `libexpat`_, commonly
+called Expat, for parsing XML.
+
+By default, Expat itself does not access local files or create network
+connections.
+
+Expat versions lower than 2.7.2 may be vulnerable to "billion laughs",
+"quadratic blowup" and "large tokens" or disproportional use of dynamic memory.
+Python bundles a copy of Expat, and whether the bundled or a system-wide Expat
+is being used by Python, depends on how the Python interpreter
+:doc:`has been configured <../using/configure>` in your environment.
+Python may be vulnerable if it uses such older versions of Expat.
 Check :const:`!pyexpat.EXPAT_VERSION`.
 
 :mod:`xmlrpc` is **vulnerable** to the "decompression bomb" attack.
@@ -90,5 +100,6 @@ large tokens
   be used to cause denial of service in the application parsing XML.
   The issue is known as :cve:`2023-52425`.
 
+.. _libexpat: https://github.com/libexpat/libexpat
 .. _Billion Laughs: https://en.wikipedia.org/wiki/Billion_laughs
 .. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb