Python: Show that reflected XSS works now

Also did autoformatting, but the important part is the change to the .expected file

python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-079/ReflectedXss.expected

@@ -1,3 +1,7 @@
 edges
+| reflected_xss.py:8:18:8:29 | ControlFlowNode for Attribute | reflected_xss.py:9:26:9:53 | ControlFlowNode for BinaryExpr |
 nodes
+| reflected_xss.py:8:18:8:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| reflected_xss.py:9:26:9:53 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 #select
+| reflected_xss.py:9:26:9:53 | ControlFlowNode for BinaryExpr | reflected_xss.py:8:18:8:29 | ControlFlowNode for Attribute | reflected_xss.py:9:26:9:53 | ControlFlowNode for BinaryExpr | Cross-site scripting vulnerability due to $@. | reflected_xss.py:8:18:8:29 | ControlFlowNode for Attribute | a user-provided value |

python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-079/reflected_xss.py

@@ -2,12 +2,14 @@ from flask import Flask, request, make_response, escape
 
 app = Flask(__name__)
 
-@app.route('/unsafe')
-def unsafe():
-    first_name = request.args.get('name', '')
-    return make_response("Your name is " + first_name)
 
-@app.route('/safe')
+@app.route("/unsafe")
+def unsafe():
+    first_name = request.args.get("name", "")
+    return make_response("Your name is " + first_name)  # NOT OK
+
+
+@app.route("/safe")
 def safe():
-    first_name = request.args.get('name', '')
-    return make_response("Your name is " + escape(first_name))
+    first_name = request.args.get("name", "")
+    return make_response("Your name is " + escape(first_name))  # OK