SECURITY: Fix XSS on unsubscribed page.

app/controllers/email_controller.rb

@@ -110,6 +110,7 @@ class EmailController < ApplicationController
 
   def unsubscribed
     @email = params[:email]
+    raise Discourse::NotFound if !User.find_by_email(params[:email])
     @topic = Topic.find_by(id: params[:topic_id].to_i) if params[:topic_id]
   end
 

spec/requests/email_controller_spec.rb

@@ -0,0 +1,13 @@
+require 'rails_helper'
+
+RSpec.describe EmailController do
+  describe '#unsubscribed' do
+    describe 'when email is invalid' do
+      it 'should return the right response' do
+        get '/email/unsubscribed', params: { email: 'somerandomstring' }
+
+        expect(response.status).to eq(404)
+      end
+    end
+  end
+end