Fix watcher self-notification, unescaped output in views

- NotificationHelper::notifyWatchers: excludeUserId parameter was
  accepted but never used; actors were notified of their own actions.
  Fix: add AND tw.user_id != ? clause to watcher query when exclusion
  is requested.

- TicketView.php: formatAction() default case returned raw
  $event['action_type'] unescaped into HTML context. Fix: wrap with
  htmlspecialchars().

- Admin views: field_id, recurring_id, template_id, transition_id
  in data-id attributes were uncast; field_type was unescaped in
  CustomFieldsView; from/to_status slugs derived from DB values were
  used directly in class attributes in WorkflowDesignerView.
  Fix: (int) cast for IDs, htmlspecialchars for field_type,
  preg_replace to sanitize DB-derived CSS class slugs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

helpers/NotificationHelper.php

@@ -156,10 +156,16 @@ class NotificationHelper {
             return;
         }
 
-        // Fetch watcher usernames
-        $sql  = "SELECT u.username FROM ticket_watchers tw JOIN users u ON tw.user_id = u.user_id WHERE tw.ticket_id = ?";
-        $stmt = $conn->prepare($sql);
-        $stmt->bind_param("i", $ticketId);
+        // Fetch watcher usernames, excluding the actor so they don't notify themselves
+        if ($excludeUserId !== null) {
+            $sql  = "SELECT u.username FROM ticket_watchers tw JOIN users u ON tw.user_id = u.user_id WHERE tw.ticket_id = ? AND tw.user_id != ?";
+            $stmt = $conn->prepare($sql);
+            $stmt->bind_param("ii", $ticketId, $excludeUserId);
+        } else {
+            $sql  = "SELECT u.username FROM ticket_watchers tw JOIN users u ON tw.user_id = u.user_id WHERE tw.ticket_id = ?";
+            $stmt = $conn->prepare($sql);
+            $stmt->bind_param("i", $ticketId);
+        }
         $stmt->execute();
         $result = $stmt->get_result();
         $stmt->close();