Normal Should sanitize pi before sending back to browser
package org.zkoss.web.util.resource; public class ClassWebResource { ... private void web0(..., String pi, ...) { ... data = ("(window.zk&&zk.error?zk.error:alert)('"+pi+" not found');").getBytes("UTF-8"); ... out.write(data); ... } ... }