Include changes from review

Author: Porcupiney Hairs

python/ql/src/experimental/Security/CWE-094/Js2Py.qhelp

@@ -9,7 +9,10 @@
     <recommendation>
         <p> This vulnerability can be prevented either by preventing an untrusted user input to flow
             to an <code>eval_js</code> call. Or, the impact of this vulnerability can be
-            significantly reduced by disabling imports from the interepreted code. </p>
+            significantly reduced by disabling imports from the interepreted code (note that in a <a
+                href="https://github.com/PiotrDabkowski/Js2Py/issues/45#issuecomment-258724406">
+            comment</a> the author of the library highlights that Js2Py is still insecure with this
+            option).</p>
     </recommendation>
     <example>
         <p>In the example below, the Javascript code being evaluated is controlled by the user and

python/ql/src/experimental/Security/CWE-094/Js2Py.ql

@@ -33,4 +33,5 @@ from Js2PyFlow::PathNode source, Js2PyFlow::PathNode sink
 where
   Js2PyFlow::flowPath(source, sink) and
   not exists(API::moduleImport("js2py").getMember("disable_pyimport").getACall())
-select sink, source, sink, "This can lead to arbitrary code execution"
+select sink, source, sink, "This input to Js2Py depends on a $@.", source.getNode(),
+  "user-provided value"