docs(uspto): improve documentation of USPTO XML parser security config

[ceberam]

Summary

This PR clarifies the security configuration of the USPTO XML parser. The analysis shows that the original configuration was actually secure, but the security rationale was not well documented.

Key Security Insight

defusedxml distinguishes between:

• Entity DECLARATION (defining entities in DTD) - controlled by forbid_* flags
• Entity RESOLUTION/FETCHING (actually expanding/fetching entities) - controlled by feature_external_* flags

The critical protection comes from feature_external_ges=False, which prevents external entities from being resolved/fetched, regardless of whether they're declared.

Why This Configuration is Secure

1. XXE attacks are blocked because external entities are never fetched, even though they can be declared
2. Billion Laughs is mitigated by defusedxml's expansion limits
3. NDATA entities are safe because they're unparsed entities that don't expand inline
4. USPTO compatibility is maintained because the format requires DTDs and NDATA entities

Checklist:

• Documentation has been updated, if necessary.
• Examples have been added, if necessary.
• Tests have been added, if necessary.

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

• title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert)(?:\(.+\))?(!)?:

[github-actions]

✅ DCO Check Passed

Thanks @ceberam, all your commits are properly signed off. 🎉

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!