feat(alerts): configurable email templates with HTML sanitization #69
Description
Background
The current alert email dispatcher (alertDispatcher.ts) uses a hardcoded HTML template with manual escapeHtml() for output encoding. This works for the current plain-text-into-template approach but limits customization.
From PR #67 review feedback (@koitococo):
- Consider using a template engine like EJS
- Consider using DOMPurify for HTML sanitization
- Make email templates a configurable item
Requirements
Template Engine
- Integrate a template engine (EJS, Handlebars, or similar) for email rendering
- Store email templates in the settings table (JSONB) with sensible defaults
- Provide template variables:
ruleName,ruleType,message,currentValue,threshold,details
HTML Sanitization
- If templates allow user-authored HTML, use DOMPurify (with jsdom for server-side) to sanitize rendered output
- Current
escapeHtml()is correct for plain-text insertion; DOMPurify is needed when users can write arbitrary HTML in templates
Admin UI
- Add a template editor in Settings > Alerts or Settings > Grafana
- Preview rendered template with sample data
- Reset to default template option
Considerations
- Template validation before save (must compile without errors)
- Avoid breaking existing email delivery if template is malformed (fall back to default)
- Consider separate templates per alert rule type (budget, error_rate, latency, quota)
References
- PR feat: add Grafana integration and alert system #67 review: koitococo's comments on
alertDispatcher.ts - Current implementation:
backend/src/services/alertDispatcher.ts(dispatchEmail)