Passing XML Parser features to Saxon for stylesheet parsing
Question
In the Saxon API, it is possible to pass XML parser features to the Configuration object using the XML_PARSER_FEATURE config feature.
But it seems this is only applied to the parsing of the source document, and not of the XSLT stylesheet. Is there a way to configure stylesheet parsing as well, other than plugging in a custom parser?
Concretely, I need to make sure external entities are disabled for security reasons.
Answer 1
Score: 1
First, note that if you don't trust the stylesheet, there are many, many ways it can do damage other than using external entities. So disabling external entities is only one of the steps you need to take: the most important of which is to disable use of reflexive extension functions.
The best way to configure the parser for processing stylesheet modules is to create it yourself. For the main stylesheet module, supply a SAXSource containing an XMLReader configured the way you want it. For included and imported modules, use a URIResolver that allocates an XMLReader and returns a SAXSource.
There's also a configuration option Feature.STYLE_PARSER_CLASS. You can use this to implement your own class that implements the XMLReader interface, delegating the actual parsing to a "real" XMLReader over which you have full control.
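The two-part approach in the answer above (a hardened SAXSource for the main module, a URIResolver that hands out the same hardened reader for xsl:include and xsl:import), as an added worked example in Saxon's s9api; this is editor-written code, not code from the answer's author or from the Saxon project. It assumes Saxon 10 or later on the classpath and the JDK's built-in Xerces SAX parser (the Apache feature URIs below are Xerces-specific). The file: URIs and the three modules in MODULES are constructed inline so the example runs offline; a real deployment would read the modules from disk instead of from the map, and the "file scheme only" rule in the resolver is a hypothetical policy, not something Saxon enforces. The third module deliberately carries an external entity so you can see the compile being rejected.

```java
import java.io.StringReader;
import java.net.URI;
import java.util.Map;

import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerException;
import javax.xml.transform.URIResolver;
import javax.xml.transform.sax.SAXSource;

import net.sf.saxon.lib.Feature;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.SaxonApiException;
import net.sf.saxon.s9api.XsltCompiler;
import net.sf.saxon.s9api.XsltExecutable;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public class HardenedStylesheetCompile {

    // Constructed sample modules standing in for files on disk; the URIs are hypothetical.
    static final Map<String, String> MODULES = Map.of(
        "file:///hardened/main.xsl",
        "<xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='3.0'>"
      + "<xsl:include href='helper.xsl'/>"
      + "<xsl:template match='/'><out><xsl:call-template name='hello'/></out></xsl:template>"
      + "</xsl:stylesheet>",
        "file:///hardened/helper.xsl",
        "<xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='3.0'>"
      + "<xsl:template name='hello'>hello</xsl:template>"
      + "</xsl:stylesheet>",
        // Hostile module: tries to read a local file through an external entity.
        "file:///hardened/xxe.xsl",
        "<!DOCTYPE xsl:stylesheet [<!ENTITY xxe SYSTEM 'file:///etc/hostname'>]>"
      + "<xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='3.0'>"
      + "<xsl:template match='/'><out>&xxe;</out></xsl:template>"
      + "</xsl:stylesheet>");

    /** A SAX parser with DOCTYPE, external entities and XInclude switched off. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        // Rejecting the DOCTYPE outright is the strongest setting; a stylesheet module has no need for one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader r = f.newSAXParser().getXMLReader();
        // Last line of defence: any attempt to resolve an external entity fails loudly.
        r.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external entity blocked: " + systemId);
        });
        return r;
    }

    /** Wraps one module in a SAXSource that carries the hardened reader. */
    static SAXSource hardenedSource(String uri) throws Exception {
        String text = MODULES.get(uri);  // real code: open the file instead
        if (text == null) throw new TransformerException("module not found: " + uri);
        InputSource in = new InputSource(new StringReader(text));
        in.setSystemId(uri);  // becomes the base URI Saxon passes to the resolver
        return new SAXSource(hardenedReader(), in);
    }

    /** Resolver for xsl:include / xsl:import: resolves against the base, applies a file-only policy. */
    static URIResolver hardenedResolver() {
        return (href, base) -> {
            try {
                if (base == null) throw new TransformerException("no base URI for " + href);
                URI target = URI.create(base).resolve(href).normalize();
                if (!"file".equals(target.getScheme())) {  // hypothetical policy: no http:, jar:, ...
                    throw new TransformerException("refusing non-file module: " + target);
                }
                return hardenedSource(target.toString());
            } catch (TransformerException e) {
                throw e;
            } catch (Exception e) {
                throw new TransformerException(e);
            }
        };
    }

    static XsltExecutable compile(String mainUri) throws Exception {
        Processor proc = new Processor(false);
        // The other step the answer insists on: no reflexive (Java) extension functions.
        proc.setConfigurationProperty(Feature.ALLOW_EXTERNAL_FUNCTIONS, false);
        XsltCompiler compiler = proc.newXsltCompiler();
        compiler.setURIResolver(hardenedResolver());
        return compiler.compile(hardenedSource(mainUri));
    }

    public static void main(String[] args) throws Exception {
        compile("file:///hardened/main.xsl");
        System.out.println("main.xsl compiled; helper.xsl came through the hardened resolver");
        try {
            compile("file:///hardened/xxe.xsl");
            System.out.println("UNEXPECTED: xxe.xsl compiled");
        } catch (SaxonApiException e) {
            System.out.println("xxe.xsl rejected: " + e.getMessage());
        }
    }
}
```

Two things worth knowing before copying this: Saxon only uses the XMLReader you put in the SAXSource, so a source created any other way (a StreamSource, a plain File) falls back to Saxon's own parser and none of the features apply; and the URIResolver is consulted for every xsl:include and xsl:import, so an unhardened resolver is exactly the hole the main-module SAXSource does not close. Feature.STYLE_PARSER_CLASS from the answer is the alternative when you cannot control how the sources are built; it needs a public no-arg XMLReader implementation, which the lambda-based reader above is not.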
Comments