diff --git a/src/peppol_py/validation.py b/src/peppol_py/validation.py
index 87d1a5b..7c9997f 100644
--- a/src/peppol_py/validation.py
+++ b/src/peppol_py/validation.py
@@ -28,6 +28,8 @@ def validate_peppol_document(
     # only works with XSLT 1.0, and the Schematron is written in XSLT
     # 2.0
     with PySaxonProcessor(license=False) as proc:
+        # Prevent XXE: disallow access to any type of URL
+        proc.set_configuration_property("http://saxon.sf.net/feature/allowedProtocols", "")
         for validation_xsl_file in schematron_xsls:
             if not os.path.exists(validation_xsl_file):
                 # Resolve internal files
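Review bot: The comment `# Prevent XXE` on the added line promises more than the `allowedProtocols` feature is shown to deliver: that setting gates Saxon's own URI resolution (doc()/document()/unparsed-text(), xsl:import/xsl:include), whereas external-entity and DTD expansion is done by the XML parser, and nothing in this hunk establishes that the parser honours the same switch. I would reword it to `# Restrict Saxon URI resolution (doc(), document(), xsl:import/include) to no schemes; XXE via external entities/DTDs in the input XML is handled by the parser and must be verified separately` and back the change with a regression test that feeds a document containing an external entity plus a stylesheet calling doc() and asserts both are refused. Since the Schematron XSLs are loaded from local paths a few lines down, also confirm that an empty scheme list does not break xsl:import/xsl:include between those files if they use it. validate_peppol_document starts before and continues past this hunk.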