Some ZK components handle XSS issues by encoding user input, but the encoding does not cover all component attributes.
Encode by default, and use a whitelist.
ZK-5161 page directive's attributes are not encoded before rendering into HTML
ZK-5162 emptyMessage is not escaped with HTML characters
ZK-5260 chosenbox options don't escape HTML characters
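
A sketch of the "encode by default, use a whitelist" approach proposed above, as an added example that is not ZK code. The function names, the `html.content` whitelist entry and the chosenbox-like renderer are assumptions made for illustration.

```javascript
// Added illustration: none of these names are ZK APIs.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Whitelist of the only component properties allowed to emit raw markup.
// The entry is hypothetical; a real list is reviewed property by property.
const RAW_HTML_WHITELIST = new Set(['html.content']);

// Element content: encoded unless the (component, property) pair is whitelisted.
function renderProp(component, prop, value) {
  if (value == null) return '';
  return RAW_HTML_WHITELIST.has(`${component}.${prop}`) ? String(value) : escapeHtml(value);
}

// Attribute values are always encoded; the whitelist never applies to them.
function renderAttr(name, value) {
  if (value == null) return '';
  return ` ${name}="${escapeHtml(value)}"`;
}

// Hypothetical renderer for a chosenbox-like widget.
function renderChosenbox({ emptyMessage, options }) {
  const items = options
    .map((o) => `<li${renderAttr('title', o)}>${renderProp('chosenbox', 'option', o)}</li>`)
    .join('');
  const empty = renderProp('chosenbox', 'emptyMessage', emptyMessage);
  return `<div class="chosenbox"><span class="empty">${empty}</span><ul>${items}</ul></div>`;
}

// Constructed sample input with markup in every user-controlled field.
const sample = {
  emptyMessage: '<script>alert(1)</script>',
  options: ['<b>x</b>', 'a & "b"'],
};
console.log(renderChosenbox(sample));
```

A property that a component author forgets to list is encoded rather than rendered raw, so an omission fails safe.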