
Add a rule which warns when xml encoding is used without sanitisation

Open ccojocar opened this issue 4 years ago • 0 comments

Summary

There is a recent vulnerability which was reported in the encoding/xml package. See https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ and https://github.com/mattermost/xml-roundtrip-validator/tree/master/advisories for more details.

It doesn't seem to be entirely mitigated in the upcoming Go release; therefore, it would be nice to have a rule which warns people when they are using the xml encoding without sanitisation.

See also this XML input validator: https://github.com/mattermost/xml-roundtrip-validator

ccojocar, Dec 31 '20 10:12
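The "sanitisation" the issue asks for is a round-trip check: parse the document, re-encode the token stream, parse it again, and refuse the input if the two token streams differ. The following is an added example in plain Go that illustrates that idea; it is neither gosec's code nor the Mattermost validator's code, it only compares what encoding/xml's own decoder and encoder disagree on, and the `RoundTripCheck`/`SafeUnmarshal` names, the `Root`/`Item` types and both sample documents are constructed for the example. `SafeUnmarshal` shows the gated shape of a call site that a rule like the one requested would want to see, as opposed to a bare `xml.Unmarshal` on untrusted bytes.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"reflect"
)

// tokenize drains r through encoding/xml's strict decoder and returns a
// copy of every token. The decoder reuses its buffers, so CopyToken is
// required before a token is kept past the next call to Token().
func tokenize(r io.Reader) ([]xml.Token, error) {
	dec := xml.NewDecoder(r)
	var toks []xml.Token
	for {
		tok, err := dec.Token()
		if errors.Is(err, io.EOF) {
			return toks, nil
		}
		if err != nil {
			return nil, err
		}
		toks = append(toks, xml.CopyToken(tok))
	}
}

// reencode serialises a token stream with encoding/xml's encoder.
func reencode(toks []xml.Token) ([]byte, error) {
	var buf bytes.Buffer
	enc := xml.NewEncoder(&buf)
	for _, t := range toks {
		if err := enc.EncodeToken(t); err != nil {
			return nil, err
		}
	}
	if err := enc.Flush(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// RoundTripCheck (hypothetical name) parses doc, re-encodes the tokens,
// parses the result again and returns an error if the two token streams
// differ or if either pass fails. A document whose token stream is not
// stable across a decode/encode cycle must not be trusted.
func RoundTripCheck(doc []byte) error {
	first, err := tokenize(bytes.NewReader(doc))
	if err != nil {
		return fmt.Errorf("first parse: %w", err)
	}
	out, err := reencode(first)
	if err != nil {
		return fmt.Errorf("re-encode: %w", err)
	}
	second, err := tokenize(bytes.NewReader(out))
	if err != nil {
		return fmt.Errorf("second parse: %w", err)
	}
	if !reflect.DeepEqual(first, second) {
		return fmt.Errorf("document does not round-trip: %d tokens before, %d after", len(first), len(second))
	}
	return nil
}

// SafeUnmarshal (hypothetical name) is the gated form: the round-trip
// check runs before the untrusted bytes reach xml.Unmarshal.
func SafeUnmarshal(doc []byte, v interface{}) error {
	if err := RoundTripCheck(doc); err != nil {
		return err
	}
	return xml.Unmarshal(doc, v)
}

// Item and Root are constructed target types for the example.
type Item struct {
	XMLName xml.Name `xml:"item"`
	ID      string   `xml:"id,attr"`
	Text    string   `xml:",chardata"`
}

type Root struct {
	XMLName xml.Name `xml:"root"`
	Items   []Item   `xml:"item"`
}

func main() {
	// Constructed sample inputs; not taken from the advisories.
	good := []byte(`<root><item id="1">hello</item><item id="2">world</item></root>`)
	bad := []byte(`<root><item id="1">hello</root>`) // <item> closed by </root>

	var r Root
	fmt.Println("good:", SafeUnmarshal(good, &r), len(r.Items))
	fmt.Println("bad:", SafeUnmarshal(bad, &r))
}
```

The malformed sample is rejected by the first parse; a namespace or directive instability of the kind the advisories describe would pass both parses and be caught by the `reflect.DeepEqual` comparison instead. This illustration is not a substitute for the Mattermost validator, which carries the specific checks from the advisories: in production, run that validator over the input and only then hand the bytes to `xml.Unmarshal` or `xml.NewDecoder`.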