Company
Date Published
Author
Niels Swimberghe
Word count
1741
Language
English
Hacker News points
2

Summary

"Don't let your users get pwned via email HTML injection": HTML injection is a security vulnerability where an application accepts user input and embeds it directly into HTML code, allowing attackers to inject malicious HTML into emails. This can lead to Cross-Site Scripting (XSS) attacks, where the injected HTML is rendered, and any script it carries executed, in the browser of unknowing victims. To prevent this, never trust user input, encode it before embedding it into code, and use query parameterization instead of embedding user input into SQL queries. Additionally, emails can be vulnerable to HTML injection if they are sent using a plain-text or HTML content type, so it is crucial to check web applications for this vulnerability. To fix the issue, developers can encode user input with HtmlEncoder, use templating engines that automatically encode variables, or send emails with Dynamic Transactional Templates or Marketing Campaigns Email Designs, which use Handlebars templating and automatically encode user input.