Add notification template without escaping (#18171)

* plaintext template

* remove HTML output format config

* CL

* revert plaintext; render title as HTML in FE

* revert Intellij formatting changes

changelog/unreleased/pr-18171.toml

@@ -0,0 +1,6 @@
+type = "f"
+message = "Fix unintended HTML-escaping in system notification messages."
+
+issues = ["Graylog2/graylog-plugin-enterprise#6525"]
+pulls = ["18171"]
+

graylog2-server/src/test/java/org/graylog/events/notifications/SystemNotificationRenderServiceTest.java

@@ -155,4 +155,22 @@ void missingTemplates() {
                     });
         }
     }
+
+    @Test
+    void htmlEscapingWithSubstitutionTest() {
+        notification = new NotificationImpl()
+                .addNode("node")
+                .addType(Notification.Type.GENERIC)
+                .addDetail("title", "Test: <123>")
+                .addDetail("description", "Test: <abc>")
+                .addTimestamp(DateTime.now(DateTimeZone.UTC));
+        when(notificationService.getByTypeAndKey(any(), any())).thenReturn(Optional.of(notification));
+
+        SystemNotificationRenderService.RenderResponse renderResponse =
+                renderService.render(notification.getType(), null, SystemNotificationRenderService.Format.HTML, null);
+
+        // HTML-escaping applied
+        assertThat(renderResponse.title).contains("Test: &lt;123&gt;");
+        assertThat(renderResponse.description).contains("Test: &lt;abc&gt");
+    }
 }

graylog2-web-interface/src/components/notifications/Notification.tsx

@@ -67,8 +67,7 @@ const Notification = ({ notification }: Props) => {
     <StyledAlert bsStyle="danger"
                  title={(
                    <>
-                     {message.title}{' '}
-
+                     <div dangerouslySetInnerHTML={{__html: _sanitizeDescription(message?.title)}} />
                      <NotificationTimestamp>
                        (triggered <RelativeTime dateTime={notification.timestamp} />)
                      </NotificationTimestamp>