- New Feature Request
- Resolution: Duplicate
- Critical
- None
- None
- None
- S24-W32/33, S24-W36/37
- 0.125
Hello team,
Use case: A host name or anything else that gets inserted in the e-mail could have a value that gets interpreted as HTML. E.g. a host with the name “web003 server <!-- IMPORTANT”, which would render the last part of the host name and the rest of the e-mail as a comment, so that it is not shown in a regular e-mail client.
This is potentially a security risk, since someone might do something like inducing network traffic that inserts a phishing e-mail in the operational data part of an e-mail notification. Or maybe there’s a better example, but this could give rise to it being misused if things aren’t escaped properly.
I’m thinking it should either be something like a prefix in the macro like {%HOST.HOST} for getting an HTML-escaped host name, or having {HOST.HOST} be automatically HTML-escaped in an HTML e-mail context and then having a syntax for getting the raw HTML included in the output if necessary.
- duplicates
- ZBXNEXT-9208 New macro functions, web scenario improvements
- Closed
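
The escaping behaviour requested above, sketched as an added example (not Zabbix code and not part of the original report): macro values are HTML-escaped by default in an HTML message, `{%NAME}` forces escaping as the report proposes, and `{!NAME}` is a hypothetical raw-output marker assumed here. `expand`, `visible_text` and the sample values are constructed for illustration.

```python
import html
import re

# {NAME} or {%NAME}; the "%" prefix is the escaped form proposed in the report.
# "{!NAME}" is a hypothetical raw-output marker invented for this example.
MACRO_RE = re.compile(r"\{([%!]?)([A-Z][A-Z0-9_.]*)\}")


def expand(template: str, values: dict[str, str], html_context: bool) -> str:
    """Expand macros, escaping values by default when the message is HTML."""

    def substitute(match: re.Match) -> str:
        flag, name = match.group(1), match.group(2)
        if name not in values:
            return match.group(0)  # leave unknown macros untouched
        value = values[name]
        if flag == "!":
            return value  # explicit opt-in to raw output
        if flag == "%" or html_context:
            return html.escape(value, quote=True)
        return value

    # re.sub scans the template only once, so markup or macro-like text
    # inside a substituted value is never expanded again.
    return MACRO_RE.sub(substitute, template)


def visible_text(markup: str) -> str:
    """Rough stand-in for a mail client: drop comments and tags, unescape."""
    without_comments = re.sub(r"<!--.*?(-->|\Z)", "", markup, flags=re.S)
    return html.unescape(re.sub(r"<[^>]+>", "", without_comments))


# Constructed sample data; the host name is the one from the report.
VALUES = {"HOST.HOST": "web003 server <!-- IMPORTANT", "EVENT.NAME": "CPU load high"}
TEMPLATE = "<p>Host: {HOST.HOST}</p><p>Problem: {EVENT.NAME}</p>"

if __name__ == "__main__":
    # html_context=False reproduces the unescaped insertion the report describes.
    print("unescaped:", repr(visible_text(expand(TEMPLATE, VALUES, False))))
    print("escaped:  ", repr(visible_text(expand(TEMPLATE, VALUES, True))))
```

With the unescaped expansion the problem line disappears into the unterminated comment; with escaping the host name shows up literally and the rest of the message stays visible.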