Warning needed about HTML Injection (Sanitized) with user-entered data

[samueldmeyer]

HTML Injection is possible if users of this library make [data] use user-supplied text

Expected result

A developer using this library is likely to assume that a name like "<i>italic</i>" would appear exactly as is.

Actual result

Today, a name like "<i>italic</i>" will be rendered as HTML.

Steps to reproduce

Add a name with HTML in the data.

https://stackblitz.com/edit/angular-ng-autocomplete-with-images-yowqbm?file=src%2Fapp%2Fapp.component.ts

Context

It is not clear from the documentation that HTML will be passed to the template (yes, I realize innerHTML should be a large hint, but I saw it missed). Can the example in the README be updated to note that user-generated text needs to be escaped?