> the original posting you had did use parse-xml with an external entity;
> I am not sure why you now bring up unparsed-text
Eek, that was a typo. I meant parse-xml.
Sorry Martin, but may I ask of you one more time to review this for accuracy:
SAXON has a configuration property allowedProtocols that can be set to
"https,http" to allow only HTTPS and HTTP URIs to be resolved, while file URI
access should fail (i.e., access to the file should be blocked). However, when
allowedProtocols is set, SAXON fails to block file access when the string
given to parse-xml() contains a user-defined entity--via an ENTITY declaration
(in a DOCTYPE or in a DTD)--and the entity references a file.
Workaround: prevent parse-xml() from doing any DTD/DOCTYPE access; disable
DTD/DOCTYPE (https://saxonica.plan.io/issues/6711#note-12)