LaTeXML
sandbox document() and <exsl:document>
This is just attaching an issue to #1951. A user can call <exsl:document> and document() in a stylesheet, which raises two issues:
- document() can read from anywhere (even the network); postprocessing can be made safe against malicious input, since it does not allow arbitrary code execution, so it makes sense to sandbox document();
- <exsl:document> can generate text, HTML, XML files, but it will do so relative to the current working folder rather than the destination directory (which would enable postprocessing to generate customizable XML manifests for instance).
#1951 addresses both.
Edit: changed title to emphasise the underlying security issue.
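
One way to confine both calls is libxslt's security callbacks, exposed in Perl through XML::LibXSLT::Security. This is an added example, not LaTeXML's code or the change in #1951; the two directory names, the `inside` helper and the stylesheet are constructed for illustration. The callbacks only allow or deny a path, so they confine `<exsl:document>` output to the destination tree but do not redirect relative paths into it.

```perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Basename qw(basename dirname);
use File::Spec;
use XML::LibXML;
use XML::LibXSLT;

# Hypothetical policy: document() may read only below $read_root,
# exsl:document may write only below $write_root (the destination directory).
my $read_root  = abs_path('./stylesheets');
my $write_root = abs_path('./output');

# True only if $path resolves (symlinks and ".." included) to a file below $root.
sub inside {
    my ($root, $path) = @_;
    $path =~ s{^file://}{};
    my $abs = File::Spec->rel2abs($path);
    my $dir = abs_path(dirname($abs));
    my $real = -e $abs ? abs_path($abs)
             : defined $dir ? "$dir/" . basename($abs) : undef;
    return 0 unless defined $root && defined $real;   # fail closed
    return index($real, "$root/") == 0 ? 1 : 0;
}

# Each callback receives (transform context, file name or URL); 1 allows, 0 denies.
my $security = XML::LibXSLT::Security->new();
$security->register_callback(read_file  => sub { inside($read_root,  $_[1]) });
$security->register_callback(write_file => sub { inside($write_root, $_[1]) });
$security->register_callback(create_dir => sub { inside($write_root, $_[1]) });
$security->register_callback(read_net   => sub { 0 });   # no network reads
$security->register_callback(write_net  => sub { 0 });   # no network writes

my $xslt = XML::LibXSLT->new();
$xslt->security_callbacks($security);

# Constructed stylesheet: document() on a path outside $read_root.
my $style = XML::LibXML->load_xml(string => <<'XSL');
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:value-of select="count(document('/tmp/outside-the-sandbox.xml')/*)"/>
  </xsl:template>
</xsl:stylesheet>
XSL
my $stylesheet = $xslt->parse_stylesheet($style);
my $result = eval { $stylesheet->transform(XML::LibXML->load_xml(string => '<doc/>')) };
print defined $result ? $stylesheet->output_as_bytes($result) : "transform refused: $@";
```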