Restrict text/template modelling to known call targets

Otherwise it's too easy to define a common interface to both text/template, which doesn't sanitize, and html/template, which does.

Author: smowton

Diff for: go/ql/lib/semmle/go/frameworks/stdlib/TextTemplate.qll

@@ -88,7 +88,7 @@ module TextTemplate {
   private class ExecuteTemplateFieldReader extends DataFlow::ImplicitFieldReadNode {
     override predicate shouldImplicitlyReadAllFields(DataFlow::Node n) {
       exists(ExecuteTemplateMethod m, DataFlow::MethodCallNode cn |
-        cn.getACalleeIncludingExternals().asFunction() = m and
+        cn.getTarget() = m and
         n = cn.getArgument(m.getInputArgIdx())
       )
     }