allow stylesheets to read and write files in the site directory

[xworld21]

Small functionality & security improvement, while working on #1948: stylesheets can read (via document()) and write (via <exsl:document>) files. This PR ensures that read/write operations happen in the site directory.

For security, operations are also restricted to the site directory, and network access is disabled.

Edit: this fixes #2053 in so far as letting exsl:document() write files in the correct place. My sandbox question in #2053 should rather be part of #2218.

[xworld21]

I have removed the libxslt security callback stuff, and kept this PR at a minimum: the point is, XSLT.pm is supposed to run in the site directory, because stylesheets can create additional files via exsl:document() (that could be very convenient to generate additional manifests, search indexes, custom EPUB tocs, etc). Simply changing directory is not controversial, I hope.

The security callbacks will reappear in the --recorder PR.

[dginev]

High-level question to @brucemiller : should LaTeXML's XSLT framework use exsl:document() ?

[dginev]

I would also suggest a defensive check that the change is needed / well-defined:

Suggested change

	my $destdir = $doc->getDestinationDirectory;
	my $orig_cwd = pathname_cwd();
	pathname_chdir($destdir);
	my $newdoc = $doc->new($$self{stylesheet}->transform($doc->getDocument, %params));
	pathname_chdir($orig_cwd);
	my $destdir = $doc->getDestinationDirectory;
	my $orig_cwd = pathname_cwd();
	my $needs_cwd_change = ($destdir ne $orig_cwd) && (-d $destdir);
	pathname_chdir($destdir) if $needs_cwd_change;
	my $newdoc = $doc->new($$self{stylesheet}->transform($doc->getDocument, %params));
	pathname_chdir($orig_cwd) if $needs_cwd_change;

[xworld21]

I suppose we should also canonicalise the paths (especially if mixed path separators are involved) and emit an error/fatal if chdir fail.

[xworld21]

should LaTeXML's XSLT framework use exsl:document() ?

Since this PR is under attention again, I should clarify the intention here, and split @dginev's question into two parts:

• Should LaTeXML use exsl:document for auxiliary files (e.g. EPUB manifest)? Tricky proposition, because the generated files go directly to disk, bypassing the postprocessing pipeline.
• Should LaTeXML support users that want to call exsl:document? This could be useful in e.g. BookML to generate search indices (not the best example, but you get my point I hope).