SECURITY: Fix XSS on unsubscribed page.

app/controllers/email_controller.rb

@@ -110,6 +110,7 @@ class EmailController < ApplicationController
 
   def unsubscribed
     @email = params[:email]
+    raise Discourse::NotFound if !User.find_by_email(params[:email])
     @topic = Topic.find_by(id: params[:topic_id].to_i) if params[:topic_id]
   end
 

app/controllers/invites_controller.rb

@@ -96,6 +96,7 @@ class InvitesController < ApplicationController
 
     guardian.ensure_can_invite_to_forum!(groups)
     topic = Topic.find_by(id: params[:topic_id])
+    guardian.ensure_can_see_topic?(topic)
     group_ids = groups.map(&:id)
 
     invite_exists = Invite.where(email: params[:email], invited_by_id: current_user.id).first

app/views/email/unsubscribed.html.erb

@@ -3,12 +3,12 @@
   <h2><%=t "unsubscribed.title"%></h2>
   <br>
   <p>
-    <%=t("unsubscribed.description", email: @email, url: path("/my/preferences")).html_safe %>
+    <%= t("unsubscribed.description", email: @email, url: path("/my/preferences")).html_safe %>
   </p>
 
   <% if @topic %>
   <p>
-    <%=t("unsubscribed.topic_description", link: render_topic_title(@topic)).html_safe%>
+    <%= t("unsubscribed.topic_description", link: render_topic_title(@topic)).html_safe%>
   </p>
   <% end %>
 </div>

spec/requests/email_controller_spec.rb

@@ -0,0 +1,13 @@
+require 'rails_helper'
+
+RSpec.describe EmailController do
+  describe '#unsubscribed' do
+    describe 'when email is invalid' do
+      it 'should return the right response' do
+        get '/email/unsubscribed', params: { email: 'somerandomstring' }
+
+        expect(response.status).to eq(404)
+      end
+    end
+  end
+end