external-schemaLocation property does not override the schema location attribute in the instance

The documentation for the external-schemaLocation and external-noNamespaceSchemaLocation properties state that if specified, the instance document's schemaLocation and noNamespaceSchemaLocation attributes will be effectively ignored. This appears not to be the case. If the schema specified with the external-* properies can not be opened, the parser proceeds to try paths from the schemaLocation and noNamespaceSchemaLocation attributes. I think this does not make much sense and is actually a potential security threat. Normally if one specifies the schema location with the external-* properties they don't want the values from the instance to have any effect.