SECURITY: ERB execution in custom Email Style

app/helpers/email_helper.rb

@@ -25,12 +25,8 @@ module EmailHelper
     raw "<a href='#{Discourse.base_url}#{url}' style='color: ##{@anchor_color}'>#{title}</a>"
   end
 
-  def email_html_template(binding_arg)
+  def email_html_template
-    template = EmailStyle.new.html.sub(
+    EmailStyle.new.html.sub('%{email_content}', yield).html_safe
-      '%{email_content}',
-      '<%= yield %><% if defined?(html_body) %><%= html_body %><% end %>'
-    )
-    ERB.new(template).result(binding_arg)
   end
 
   protected

app/views/layouts/email_template.html.erb

@@ -2,5 +2,8 @@
   <%= yield %>
   <% if defined?(html_body) %><%= html_body %><% end %>
 <% else %>
-  <%= email_html_template(binding).html_safe %>
+  <%= email_html_template do %>
+    <%= yield %>
+    <% if defined?(html_body) %><%= html_body %><% end %>
+  <% end %>
 <% end %>

spec/integration/email_style_spec.rb

@@ -3,6 +3,16 @@
 require "rails_helper"
 
 describe EmailStyle do
+
+  context "ERB evaluation" do
+    it "does not evaluate ERB outside of the email itself" do
+      SiteSetting.email_custom_template = "<div>%{email_content}</div><%= (111 * 333) %>"
+      html = Email::Renderer.new(UserNotifications.signup(Fabricate(:user))).html
+      expect(html).not_to match("36963")
+    end
+  end
+
+  context "with a custom template" do
     before do
       SiteSetting.email_custom_template = "<body><h1>FOR YOU</h1><div>%{email_content}</div></body>"
       SiteSetting.email_custom_css = 'h1 { color: red; } div.body { color: #FAB; }'
@@ -127,4 +137,5 @@ describe EmailStyle do
         expect(mail_html).to include(popular_topic.title)
       end
     end
+  end
 end