Some ZK components handle XSS issues by encoding user input, but this does not cover all component attributes.
Encode by default, and use a whitelist.
ZK-5161 page directive's attributes are not encoded before rendering into HTML
ZK-5162 emptyMessage is not escaped with HTML characters
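
An added sketch of the "encode by default, whitelist" approach described above, not code from ZK itself. It assumes the whitelist is the set of attribute names a renderer may emit for each tag; all function names, the tag table and the sample inputs are hypothetical.

```javascript
// Added illustration: hypothetical helper names, not ZK APIs.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can break out of HTML text or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed whitelist: the attribute names the renderer will emit at all, per tag.
// A Map avoids accidental hits on Object.prototype keys such as "constructor".
const ATTR_WHITELIST = new Map([
  ['html', new Set(['lang', 'dir'])],
  ['div', new Set(['id', 'class', 'title'])],
]);

// Render an opening tag. Names outside the whitelist are dropped and reported;
// every value that is emitted goes through escapeHtml, with no opt-out.
function renderOpenTag(tag, attrs) {
  const allowed = ATTR_WHITELIST.get(tag);
  if (!allowed) throw new Error(`tag not whitelisted: ${tag}`);
  const kept = [];
  const dropped = [];
  for (const [name, value] of Object.entries(attrs)) {
    const lower = name.toLowerCase();
    if (!allowed.has(lower)) {
      dropped.push(name);
      continue;
    }
    kept.push(`${lower}="${escapeHtml(value)}"`);
  }
  const html = kept.length ? `<${tag} ${kept.join(' ')}>` : `<${tag}>`;
  return { html, dropped };
}

// Placeholder text such as an empty-list message is text content, so it is encoded too.
function renderEmptyMessage(message) {
  return `<div class="empty">${escapeHtml(message)}</div>`;
}

// Constructed sample input: one whitelisted attribute carrying markup, one unlisted attribute.
const SAMPLE_ATTRS = { lang: 'en"><b>x</b>', onload: 'doSomething()' };
console.log(renderOpenTag('html', SAMPLE_ATTRS));
console.log(renderEmptyMessage('<i>No items</i>'));
```

Reporting the dropped names makes it visible when a component attribute has not yet been reviewed and added to the whitelist.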