• Hi,

    I found a security issue while working with the signature functionality. If you are allowing HTML tags with the signature, you could do cross-scripting attacks:
    <a href="http://my-shield.com"><script>alert("");</script>my-shield.com</a>
    Each page that contains the signature of this user will raise a popup message.

    That’s really strange because I use this plugin with BuddyPress, and profile fields are protected by escaping the HTML tags.

    So, without any white list for HTML tags, you should not use the signature functionality!

    For now, I didn’t find any way to avoid this security issue.

    https://wordpress.org/plugins/gd-bbpress-tools/

  • The topic ‘[security issue] : cross-scripting with the signature functionality’ is closed to new replies.
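The kind of HTML white list the report above asks for, as an added example that is not part of the original thread or of the plugin's code: a small Python sanitizer that keeps only a fixed set of signature tags, discards `<script>` together with its contents, and rejects non-http(s) `href` values, run over the payload quoted in the report. Tag and attribute choices are assumptions for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (assumed for this example): tag -> attributes permitted on it.
# Any tag or attribute not listed here is dropped.
ALLOWED = {"a": {"href"}, "b": set(), "i": set(), "br": set()}
SAFE_SCHEMES = {"http", "https"}   # blocks javascript:, data:, vbscript: hrefs
VOID = {"br"}                      # tags that take no closing tag
DROP_WITH_CONTENT = {"script", "style"}


class SignatureSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # nesting depth inside <script>/<style>; text there is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED:
            return  # unknown tag: drop the tag itself, its text is kept via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # drops onerror=, onclick=, style=, ...
            if name == "href" and urlparse(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))  # re-escape text content


def sanitize_signature(raw: str) -> str:
    """Return a signature containing only allowlisted tags and attributes."""
    p = SignatureSanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Payload from the report: the link survives, the script block does not.
    print(sanitize_signature('<a href="http://my-shield.com"><script>alert("");</script>my-shield.com</a>'))
```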