Skip to content

feat(alerts): configurable email templates with HTML sanitization #69

Description

@pescn

Background

The current alert email dispatcher (alertDispatcher.ts) uses a hardcoded HTML template with manual escapeHtml() for output encoding. This works for the current plain-text-into-template approach but limits customization.

From PR #67 review feedback (@koitococo):

  • Consider using a template engine like EJS
  • Consider using DOMPurify for HTML sanitization
  • Make email templates a configurable item

Requirements

Template Engine

  • Integrate a template engine (EJS, Handlebars, or similar) for email rendering
  • Store email templates in the settings table (JSONB) with sensible defaults
  • Provide template variables: ruleName, ruleType, message, currentValue, threshold, details

HTML Sanitization

  • If templates allow user-authored HTML, use DOMPurify (with jsdom for server-side) to sanitize rendered output
  • Current escapeHtml() is correct for plain-text insertion; DOMPurify is needed when users can write arbitrary HTML in templates

Admin UI

  • Add a template editor in Settings > Alerts or Settings > Grafana
  • Preview rendered template with sample data
  • Reset to default template option

Considerations

  • Template validation before save (must compile without errors)
  • Avoid breaking existing email delivery if template is malformed (fall back to default)
  • Consider separate templates per alert rule type (budget, error_rate, latency, quota)

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions