Exactly: Due to security concerns, many functions that access or modify external resources are blocked. In particular, the 'permission' option of xquery:eval (which is used to evaluate the user input) is set to 'none' [1].