diff --git a/src/org/apache/xalan/processor/TransformerFactoryImpl.java b/src/org/apache/xalan/processor/TransformerFactoryImpl.java

index 1298943..96a5e58 100644

--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java

+++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java

@@ -335,6 +335,10 @@ public class TransformerFactoryImpl extends SAXTransformerFactory

           reader = XMLReaderFactory.createXMLReader();

         }

+        if(m_isSecureProcessing)

+        {

+            reader.setFeature("http://xml.org/sax/features/external-general-entities",false);

+        }

         // Need to set options!

         reader.setContentHandler(handler);

         reader.parse(isource);

diff --git a/src/org/apache/xalan/processor/XSLTElementProcessor.java b/src/org/apache/xalan/processor/XSLTElementProcessor.java

index b946743..17b7395 100644

--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java

+++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java

@@ -338,17 +338,31 @@ public class XSLTElementProcessor extends ElemTemplateElement

       }

       else

       {

-        // Can we switch the order here:

-

-        boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,

-                             attributes.getQName(i), attributes.getValue(i),

-                             target);

-                             

-        // Now we only add the element if it passed a validation check

-        if (success)

-            processedDefs.add(attrDef);

-        else

-            errorDefs.add(attrDef);

+        //handle secure processing

+        if(handler.getStylesheetProcessor()==null)

+            System.out.println("stylesheet processor null");

+        if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())

+        {

+            //foreign attributes are not allowed in secure processing mode

+            // Then barf, because this element does not allow this attribute.

+            handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""

+            //+ " attribute is not allowed on the " + rawName

+            // + " element!", null);

+        }

+        else

+        {

+

+

+            boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,

+                                 attributes.getQName(i), attributes.getValue(i),

+                                 target);

+

+            // Now we only add the element if it passed a validation check

+            if (success)

+                processedDefs.add(attrDef);

+            else

+                errorDefs.add(attrDef);

+        }

       }

     }

diff --git a/src/org/apache/xalan/transformer/TransformerImpl.java b/src/org/apache/xalan/transformer/TransformerImpl.java

index dd0d4d9..0906d24 100644

--- a/src/org/apache/xalan/transformer/TransformerImpl.java

+++ b/src/org/apache/xalan/transformer/TransformerImpl.java

@@ -438,7 +438,9 @@ public class TransformerImpl extends Transformer

     try

     {

       if (sroot.getExtensions() != null)

-        m_extensionsTable = new ExtensionsTable(sroot);

+        //only load extensions if secureProcessing is disabled

+        if(!sroot.isSecureProcessing())

+            m_extensionsTable = new ExtensionsTable(sroot);

     }

     catch (javax.xml.transform.TransformerException te)

     {te.printStackTrace();}

diff --git a/src/org/apache/xpath/functions/FuncSystemProperty.java b/src/org/apache/xpath/functions/FuncSystemProperty.java

index 4bea356..78ac980 100644

--- a/src/org/apache/xpath/functions/FuncSystemProperty.java

+++ b/src/org/apache/xpath/functions/FuncSystemProperty.java

@@ -58,7 +58,7 @@ public class FuncSystemProperty extends FunctionOneArg

     String fullName = m_arg0.execute(xctxt).str();

     int indexOfNSSep = fullName.indexOf(':');

-    String result;

+    String result = null;

     String propName = "";

     // List of properties where the name of the

@@ -98,14 +98,20 @@ public class FuncSystemProperty extends FunctionOneArg

         try

         {

-          result = System.getProperty(propName);

-

-          if (null == result)

-          {

-

-            // result = System.getenv(propName);

-            return XString.EMPTYSTRING;

-          }

+            //if secure procession is enabled only handle required properties do not not map any valid system property

+            if(!xctxt.isSecureProcessing())

+            {

+                result = System.getProperty(propName);

+            }

+            else

+            {

+                warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,

+                        new Object[]{ fullName });  //"SecurityException when trying to access XSL system property: "+fullName);

+            }

+            if (null == result)

+            {

+                return XString.EMPTYSTRING;

+            }

         }

         catch (SecurityException se)

         {

@@ -120,14 +126,20 @@ public class FuncSystemProperty extends FunctionOneArg

     {

       try

       {

-        result = System.getProperty(fullName);

-

-        if (null == result)

-        {

-

-          // result = System.getenv(fullName);

-          return XString.EMPTYSTRING;

-        }

+          //if secure procession is enabled only handle required properties do not not map any valid system property

+          if(!xctxt.isSecureProcessing())

+          {

+              result = System.getProperty(fullName);

+          }

+          else

+          {

+              warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,

+                      new Object[]{ fullName });  //"SecurityException when trying to access XSL system property: "+fullName);

+          }

+          if (null == result)

+          {

+              return XString.EMPTYSTRING;

+          }

       }

       catch (SecurityException se)

       {