This is in contradiction with the first quotation above, according to
which the document() function is one of the "deliberately-excluded
XSLT-defined functions" mentioned above, and isn't allowed to be
called inside a dynamically-evaluated XPath expression.
My questions:
===========
1. Which of the two contradicting texts quoted above is right and
which is wrong?
2. Why function calls to doc()/document() referring to non-local
store is not mentioned as a security risk? What about sending any data
to the remote host, as part of the query component of an URI?
And it certainly will be good to remove this contradiction from the
next version of the XSLT 3.0 specification.
--
Cheers,
Dimitre Novatchev