new capacity bits (#67)

tests/fixtures/xpath_injection/python/unsafe_xpath_query.py

@@ -0,0 +1,12 @@
+# Unsafe: tainted form data concatenated into an XPath expression and passed
+# to lxml's `tree.xpath()`.  Suffix matching on `xpath` catches the
+# bound-receiver call directly.
+from lxml import etree
+from flask import request
+
+
+def lookup():
+    tree = etree.parse("users.xml")
+    user = request.form["user"]
+    expr = "//user[name='" + user + "']"
+    return tree.xpath(expr)