The fix for SECURITY-3047 causes that the reporter output to not show HTML anymore.
This is used by us, to display links and images to belonging ui test screenshots and videos.
The original resulting testng html file displays the html correctly, but now this is not visible anymore using your jenkins plugin which makes analyzing test failures a pain.
Since you have the option "hudson.plugins.testng.Publisher.allowUnescapedHTML=true" and two escape properties for description and stacktrace, could you at least provide an option, to not escape reporter output? This should then be also settable via pipeline.