From 3a7b7cf0ac4f9795fd9fbfee12a922570f93f126 Mon Sep 17 00:00:00 2001
From: Kristiyan Kostadinov <crisbeto@abv.bg>
Date: Tue, 25 Nov 2025 14:02:59 +0100
Subject: [PATCH] refactor: set up function for setting innerHTML

When setting `innerHTML`, we have to go through a different API internally. These changes add a file that we can replace during the sync process.
---
 .ng-dev/google-sync-config.json |  1 +
 src/cdk/private/BUILD.bazel     |  1 +
 src/cdk/private/inner-html.ts   | 26 ++++++++++++++++++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 src/cdk/private/inner-html.ts

diff --git a/.ng-dev/google-sync-config.json b/.ng-dev/google-sync-config.json
index c8fdea37cb24..a35504343075 100644
--- a/.ng-dev/google-sync-config.json
+++ b/.ng-dev/google-sync-config.json
@@ -28,6 +28,7 @@
     "src/**/*spec.ts",
     "src/cdk/schematics/**/*",
     "src/cdk/testing/private/**/*",
+    "src/cdk/private/inner-html.ts",
     "src/material/schematics/**/*",
     "src/material/schematics/ng-generate/theme-color/**/*.bazel",
     "src/material/schematics/ng-generate/theme-color/index_bundled.d.ts",
diff --git a/src/cdk/private/BUILD.bazel b/src/cdk/private/BUILD.bazel
index 47ab5a1a5b2f..82598dc142ea 100644
--- a/src/cdk/private/BUILD.bazel
+++ b/src/cdk/private/BUILD.bazel
@@ -11,6 +11,7 @@ ng_project(
     assets = [":visually-hidden-styles"],
     deps = [
         "//:node_modules/@angular/core",
+        "//:node_modules/@angular/platform-browser",
     ],
 )
 
diff --git a/src/cdk/private/inner-html.ts b/src/cdk/private/inner-html.ts
new file mode 100644
index 000000000000..d7417e7daa94
--- /dev/null
+++ b/src/cdk/private/inner-html.ts
@@ -0,0 +1,26 @@
+/**
+ * @license
+ * Copyright Google LLC All Rights Reserved.
+ *
+ * Use of this source code is governed by an MIT-style license that can be
+ * found in the LICENSE file at https://angular.dev/license
+ */
+
+import {SecurityContext} from '@angular/core';
+import {DomSanitizer, SafeHtml} from '@angular/platform-browser';
+import {trustedHTMLFromString} from './trusted-types';
+
+// !!!Note!!! this file isn't synced into g3, but is replaced with a version that uses
+// internal-specific APIs. The internal version may have to be updated if the signature of
+// the function changes.
+
+/** Sanitizes and sets the `innerHTML` of an element. */
+export function _setInnerHtml(element: HTMLElement, html: SafeHtml, sanitizer: DomSanitizer): void {
+  const cleanHtml = sanitizer.sanitize(SecurityContext.HTML, html);
+
+  if (cleanHtml === null && (typeof ngDevMode === 'undefined' || ngDevMode)) {
+    throw new Error(`Could not sanitize HTML: ${html}`);
+  }
+
+  element.innerHTML = trustedHTMLFromString(cleanHtml || '') as unknown as string;
+}