fix: bind empty message string as plain text to avoid xss

chintankavathia · spike-rabbit · commit 15084c58113e · 2025-03-31T10:54:30.000+02:00
BREAKING CHANGE: `emptyMessage` is no longer interpreted as HTML to prevent XSS attacks.
Use content projection for displaying an HTML empty content message:

```
&lt;ngx-datatable&gt;
   &lt;div empty-content&gt;
      My rich &lt;i&gt;html&lt;/i&gt; content.
   &lt;/div&gt;
&lt;/ngx-datatable&gt;
```
diff --git a/projects/ngx-datatable/src/lib/components/datatable.component.html b/projects/ngx-datatable/src/lib/components/datatable.component.html
@@ -79,11 +79,9 @@
       </ng-content>
       <ng-content select="[empty-content]" ngProjectAs="[empty-content]">
         <div role="row">
-          <div
-            role="cell"
-            class="empty-row"
-            [innerHTML]="messages.emptyMessage ?? 'No data to display'"
-          ></div>
+          <div role="cell" class="empty-row">
+            {{ messages.emptyMessage ?? 'No data to display' }}
+          </div>
         </div>
       </ng-content>
     </datatable-body>
