Python: Minor tweaks to qldoc and release note.

python/ql/src/Security/CWE-020/examples/IncompleteUrlSubstringSanitization.py

@@ -3,12 +3,16 @@ from urllib.parse import urlparse
 
 app = Flask(__name__)
 
+# Not safe, as "evil-example.net/example.com" would be accepted
+
 @app.route('/some/path/bad1')
 def unsafe1(request):
     target = request.args.get('target', '')
     if "example.com" in target:
         return redirect(target)
 
+# Not safe, as "benign-looking-prefix-example.com" would be accepted
+
 @app.route('/some/path/bad2')
 def unsafe2(request):
     target = request.args.get('target', '')