fix: do not blindly escape a notification's bodyLong

For 7+ years we were escaping this value, but it is in many cases already sanitized (as it may be a post content). For those cases when it is not, I now run it through parse.raw.

Instead of escaping, it now strips p, img, and a tags.

src/posts/queue.js

@@ -95,7 +95,7 @@ module.exports = function (Posts) {
 			nid: `post-queue-${id}`,
 			mergeId: 'post-queue',
 			bodyShort: '[[notifications:post_awaiting_review]]',
-			bodyLong: data.content,
+			bodyLong: await plugins.hooks.fire('filter:parse.raw', data.content),
 			path: '/post-queue',
 		});
 		await notifications.push(notifObj, uids);