
Add trusted options to XML functions #2656

Open
GuntherRademacher wants to merge 2 commits into BaseXdb:main from GuntherRademacher:trusted-xml-parsing

Conversation

@GuntherRademacher
Member

This PR adds support for the XQuery 4.0 trusted option to fn:doc, fn:doc-available, fn:parse-xml, and fn:parse-xml-fragment.

It also renames xsi-schema-location to use-xsi-schema-location (this is a breaking change).

External-resource features are now protected on two levels:

  • Perm.CREATE is required for options that may trigger external access (dtd, dtd-validation, xinclude, and use-xsi-schema-location with active XSD validation)
  • the fn-level trusted option decides whether this access is actually allowed, otherwise FODC0016 is raised

dtd-validation may now trigger external DTD loading independently of dtd.

The implementation-defined default for omitted fn-level trusted is controlled by FNXMLTRUSTED. It defaults to true for backwards-compatible behavior. The QT3 test driver sets FNXMLTRUSTED to false to test the spec default.

@ChristianGruen
Member

Some feedback:

  • Maybe we need to spend more thought on the MainOptions.trusted flag. I think we must at least adopt its value from a parent MainOptions instance (see the resolver variable).
  • trusted must generally be inherited, and false must not be overridden with true.
  • The user management should determine the static trust property: If the current BaseX permission is ADMIN/CREATE, trusted should be true, otherwise false (for example for a client with READ-only permissions).
  • The spec says for fn:json-doc and other functions: “The ability to access external resources depends on whether the calling code is ·trusted.”. Is it planned to tackle this separately?
  • We may need to check whether we want a trusted option for fn:parse-xml-fragment (not provided by the spec).
  • We can rename FNXMLTRUSTED to TRUSTED.
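
The two-level check from the PR description (Perm.CREATE for options that may reach external resources, then the fn-level trusted option deciding whether access happens or FODC0016 is raised) together with the inheritance rule from the review above, as an added model in Python; this is illustration only, not BaseX code, and the Perm ordering, the 'xsd-validation' key and the PERMISSION_DENIED code are assumptions.

```python
from enum import IntEnum


class Perm(IntEnum):
    """Permission levels, assumed ordered lowest to highest (model only)."""
    NONE = 0
    READ = 1
    WRITE = 2
    CREATE = 3
    ADMIN = 4


# Options that may trigger external resource access, per the PR description.
EXTERNAL_OPTIONS = ("dtd", "dtd-validation", "xinclude")
FNXMLTRUSTED = True  # implementation-defined default for an omitted 'trusted'


class XQueryError(Exception):
    def __init__(self, code: str, message: str) -> None:
        super().__init__(f"[{code}] {message}")
        self.code = code


def resolve_trusted(fn_trusted, parent_trusted=None, default=FNXMLTRUSTED):
    """Effective flag: the fn-level option if given, else the default.
    An untrusted parent context is never overridden with true (review rule)."""
    trusted = default if fn_trusted is None else bool(fn_trusted)
    return False if parent_trusted is False else trusted


def check_external_access(options, perm, parent_trusted=None, default=FNXMLTRUSTED):
    """Return the set of options needing external access (empty if none);
    raise on missing permission (level 1) or untrusted code (level 2)."""
    needed = {o for o in EXTERNAL_OPTIONS if options.get(o)}
    # use-xsi-schema-location only counts while XSD validation is active;
    # the 'xsd-validation' key is a modelling assumption, not a BaseX option.
    if options.get("use-xsi-schema-location") and options.get("xsd-validation"):
        needed.add("use-xsi-schema-location")
    if not needed:
        return needed  # nothing external requested, no check applies
    if perm < Perm.CREATE:  # PERMISSION_DENIED is a placeholder code
        raise XQueryError("PERMISSION_DENIED", f"Perm.CREATE needed for {sorted(needed)}")
    if not resolve_trusted(options.get("trusted"), parent_trusted, default):
        raise XQueryError("FODC0016", f"external access refused for {sorted(needed)}")
    return needed


def error_code(options, perm, parent_trusted=None, default=FNXMLTRUSTED):
    """The error code the check would raise, or None if access is allowed."""
    try:
        check_external_access(options, perm, parent_trusted, default)
    except XQueryError as err:
        return err.code
    return None
```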
