Using xsi:schemaLocation and xsi:noNamespaceSchemaLocation attributes

In general, these attributes have no effect on the validation process unless explicitly enabled. This is for security reasons. Not only do these attributes cause the processor to read arbitrary resources, they also allow the intent of validation to be subverted: for example they can be used to invoke validation using a schema quite different from the one that the application intended.

In Saxon 13, any schema loaded using these attributes affects the current validation episode only; it has no effect on the validation of other documents. (In earlier releases, any schema definitions loaded using these attributes were added to the global pool of schema components maintained at the level of the Saxon Configuration, meaning that they impacted all subsequent validation episodes within that Configuration.)

Schema components loaded using the xsi:schemaLocation and xsi:noNamespaceSchemaLocation attributes coexist with schema components present in any base schema used for validation, and must be consistent with the base schema. For example, it is not possible to override the definition of a type that is present in the base schema, except by defining new types by restriction or extension.

Use of these attributes may be enabled globally (for a Configuration) using the configuration property Feature.USE_XSI_SCHEMA_LOCATION. This is not recommended because of the security implications. It may also be enabled more selectively via interfaces such as SchemaValidator.setUseXsiSchemaLocation(). If XPath 4.0 is enabled then it is also possible to control schema validation via options to the fn:doc() and fn:parse-xml() functions.