This made it much easier to debug the current alerts on tests at least.
Notice that it's important that we have `strictconcat` and not just
`concat`, since `concat` will also allow flow to sinks that are not
vulnerable to any kind of XML vulnerability :|
The tests for type-trackers were not that interesting, since they did
not have XML input in both cases, which is the problem we were trying
hard to solve.
I did keep the test-case of not-user-supplied url alive as well though
👍
I added OK/NOT OK annotations.
Notice that we report all 4 kinds of vulnerabilities on line 93
