
XSS Section is good, but clarify `text/template`

Open lojikil opened this issue 5 years ago • 0 comments

We mention that `text/template` won't save you from XSS, but the documentation explicitly states that it is unsafe for handling user input. We should clarify that the threat model for `text/template` does not handle user input, and that `html/template` is only safe iff passed user data as parameters (e.g. we need to avoid Template Injection).

lojikil, Sep 21 '20 13:09
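
The distinction raised in this issue, as an added example that is not part of the issue or of Go-SCP's own code: the same user input is rendered through `text/template`, through `html/template` as a parameter, and through `html/template` after being concatenated into the template source. The `page` type, its `Secret` field, the `render*` helpers and all input values are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"io"
	texttemplate "text/template"
)

// page is constructed sample data; Secret stands for a value never meant for output.
type page struct{ Name, Secret string }

// executor is satisfied by both *text/template.Template and *html/template.Template.
type executor interface {
	Execute(w io.Writer, data interface{}) error
}

func run(t executor, name string) string {
	var b bytes.Buffer
	if err := t.Execute(&b, page{Name: name, Secret: "constructed-secret"}); err != nil {
		return "error: " + err.Error()
	}
	return b.String()
}

const src = "<p>Hello {{.Name}}</p>"

// renderText: user data is a parameter, but text/template performs no escaping.
func renderText(name string) string {
	return run(texttemplate.Must(texttemplate.New("t").Parse(src)), name)
}

// renderHTML: user data is a parameter; html/template escapes it for the HTML context.
func renderHTML(name string) string {
	return run(htmltemplate.Must(htmltemplate.New("h").Parse(src)), name)
}

// renderInjected: user data becomes template source, so its actions are evaluated.
func renderInjected(name string) string {
	t, err := htmltemplate.New("i").Parse("<p>Hello " + name + "</p>")
	if err != nil {
		return "error: " + err.Error()
	}
	return run(t, name)
}

func main() {
	fmt.Println(renderText("<b>x</b>"))        // markup passes through unescaped
	fmt.Println(renderHTML("<b>x</b>"))        // markup is entity-escaped
	fmt.Println(renderInjected("{{.Secret}}")) // action runs against the data
}
```

Only `renderHTML` treats the input as inert data; the other two show why the package choice and the way input reaches the template both matter.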