When you build HTML as a string in Angular without using sanitizer.bypassSecurityTrustHtml, Angular will sanitize the content for security. That means it removes certain elements it considers risky, like <input> buttons, to protect against attacks.
That’s why:
Elements like <a> and <br> still show up: they’re safe.
The <input type="button"> does not show: Angular blocks it.
When you use sanitizer.bypassSecurityTrustHtml, you’re telling Angular: “I know this HTML is safe; don’t filter it.”
So Angular keeps everything, including the input.
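
Since bypassSecurityTrustHtml turns the filter off for the whole string, the calls worth reviewing are the ones whose argument is assembled at run time. The following review aid is an added example, not code from the original page or from Angular; the helper names and the sample source lines are constructed for illustration, and only bypassSecurityTrustHtml is a real Angular API.

```typescript
// Added example: a review aid, not Angular code. Lists each bypassSecurityTrustHtml(...)
// call and marks those whose argument is not one constant string literal.
interface Finding { line: number; argument: string; dynamic: boolean; }

// Text between the "(" at index `open` and its matching ")"; quoted parentheses are ignored.
function callArgument(src: string, open: number): string {
  let depth = 0, quote = "";
  for (let i = open; i < src.length; i++) {
    const c = src.charAt(i);
    if (quote !== "") {
      if (c === "\\") i++;                 // skip the escaped character
      else if (c === quote) quote = "";
    } else if (c === '"' || c === "'" || c === "`") {
      quote = c;
    } else if (c === "(") {
      depth++;
    } else if (c === ")" && --depth === 0) {
      return src.slice(open + 1, i).trim();
    }
  }
  return src.slice(open + 1).trim();       // unbalanced call: keep the rest
}

// True only for a single '...', "..." or `...` literal with no ${} part.
function isConstantLiteral(arg: string): boolean {
  return /^'(?:[^'\\]|\\.)*'$/.test(arg)
    || /^"(?:[^"\\]|\\.)*"$/.test(arg)
    || /^`(?:[^`\\$]|\\.|\$(?!\{))*`$/.test(arg);
}

function findBypassCalls(src: string): Finding[] {
  const findings: Finding[] = [];
  const call = /bypassSecurityTrustHtml\s*\(/g;
  while (call.exec(src) !== null) {
    const start = call.lastIndex - 1;      // index of the opening "("
    const argument = callArgument(src, start);
    const line = src.slice(0, start).split("\n").length;
    findings.push({ line, argument, dynamic: !isConstantLiteral(argument) });
  }
  return findings;
}

// Constructed sample source, one call per line.
const SAMPLE = [
  "a = s.bypassSecurityTrustHtml('<input type=\"button\" value=\"OK\">');",
  "b = s.bypassSecurityTrustHtml('<a href=\"' + item.url + '\">x</a>');",
  "c = s.bypassSecurityTrustHtml(`<br><input type=\"button\" value=\"${label}\">`);",
].join("\n");
console.log(findBypassCalls(SAMPLE));
```

Calls reported with dynamic: true are the ones where the "I know this HTML is safe" promise depends on data the template author does not control.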