--- a/spec/util_xml_spec.lua	Fri Feb 04 20:11:18 2022 +0100
+++ b/spec/util_xml_spec.lua	Fri Feb 04 20:47:39 2022 +0100
@@ -42,6 +42,13 @@
 			assert.falsy(ok);
 		end);
 
+		it("should allow processing instructions if asked nicely", function()
+			local x = "<?xml-stylesheet href='make-fancy.xsl'?><foo/>";
+			local stanza = xml.parse(x, {allow_processing_instructions = true});
+			assert.truthy(stanza);
+			assert.are.equal(stanza.name, "foo");
+		end);
+
 		it("should allow an xml declaration", function()
 			local x = "<?xml version='1.0'?><foo/>";
 			local stanza = xml.parse(x);

--- a/util/xml.lua	Fri Feb 04 20:11:18 2022 +0100
+++ b/util/xml.lua	Fri Feb 04 20:47:39 2022 +0100
@@ -72,11 +72,14 @@
 			end
 		end
 		handler.StartDoctypeDecl = restricted_handler;
-		handler.ProcessingInstruction = restricted_handler;
 		if not options or not options.allow_comments then
 			-- NOTE: comments are generally harmless and can be useful when parsing configuration files or other data, even user-provided data
 			handler.Comment = restricted_handler;
 		end
+		if not options or not options.allow_processing_instructions then
+			-- Processing instructions should generally be safe to just ignore
+			handler.ProcessingInstruction = restricted_handler;
+		end
 		local parser = lxp.new(handler, ns_separator);
 		local ok, err, line, col = parser:parse(xml);
 		if ok then ok, err, line, col = parser:parse(); end