From 15084c58113e0313f588af65f4a5d1042ab3e15f Mon Sep 17 00:00:00 2001
From: Chintan Kavathia
Date: Mon, 31 Mar 2025 11:44:04 +0530
Subject: [PATCH] fix: bind empty message string as plain text to avoid xss

BREAKING CHANGE: `emptyMessage` is no longer interpreted as HTML to prevent XSS attacks.
Use content projection for displaying an HTML empty content message:

```
My rich html content.
``` --- .../src/lib/components/datatable.component.html | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/projects/ngx-datatable/src/lib/components/datatable.component.html b/projects/ngx-datatable/src/lib/components/datatable.component.html index ee259867f..57d58b096 100644 --- a/projects/ngx-datatable/src/lib/components/datatable.component.html +++ b/projects/ngx-datatable/src/lib/components/datatable.component.html @@ -79,11 +79,9 @@
-
+
+ {{ messages.emptyMessage ?? 'No data to display' }} +
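
Review bot: The patch touches only `datatable.component.html` (1 file changed), so nothing locks in the escaping behaviour that the added interpolation `{{ messages.emptyMessage ?? 'No data to display' }}` is meant to provide. Please add a component test that sets `emptyMessage` to a string containing markup and asserts it appears as literal text in the empty row with no child elements created, so a later refactor cannot quietly reintroduce an HTML binding. Two smaller points on the same line: `??` falls back only for null or undefined, so an empty string renders a blank row, and `messages.emptyMessage` is read without safe navigation, so if `messages` can be unset the fallback is never reached; `messages?.emptyMessage` would cover that case. Since the commit message declares a breaking change, the content projection migration it describes should also appear in the docs or changelog alongside this change.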