Python: Update TemplateInjection.qhelp

Moved things around so there is only a single `<example>` tag (and had to rewrite contents a bit).

python/ql/src/experimental/CWE-074/TemplateInjection.qhelp

@@ -6,16 +6,18 @@
             When an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side is results in Server Side Template Injection.         
         </p>
     </overview>
+    <recommendation>
+        <p>
+            To fix this, ensure that an untrusted value is not used as a template. If the application requirements do not alow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited.
+        </p>
+    </recommendation>
     <example>
         <p>Consider the example given below, an untrusted HTTP parameter `template` is used to generate a Jinja2 template string. This can lead to remote code execution. </p>
         <sample src="jinjaBad.py" />
+        
+        <p>Here we have fixed the problem by using the Jinja sandbox environment for evaluating untrusted code.</p>
+        <sample src="jinjaGood.py" />
     </example>
-    <recommendation>
-        <p>
-            To fix this, ensure that an untrusted value is not used as a template. If the application requirements do not alow this, the Jinja sandbox environment can be used to evaluate untrusted code. In a sandbox, access to unsafe attributes and methods is prohibited. Hence,passing untrusted input to a sandboxed template is safe. Consider the example below, since it uses a `SandboxedEnvironment`, the code is not vulenrable to a Server Side Template Injection issue.
-            <sample src="jinjaGood.py" />
-        </p>
-    </recommendation>
     <references>
         <li>Portswigger : [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)</li>
     </references>