I noticed you just shut off the document function.
I was just about to explain how, if you add the onmouseout to that feature, you could return it back to normal and it wouldn't be so annoying, but I still think it's probably best not to allow it. I was also explaining how anyone can steal someone's cookie using that function. Now that you removed that function you can't do it that way, but there are several more holes that still would allow someone to steal anyone's cookie, or other data.
Normally misc data doesn't matter much when a malicious person gets hold of it, but in a forum where the users can be tracked it's much more important.
I think the most obvious flaw that somehow in the future will have to be fixed, even though everyone will complain, is NO FLASH!! You could embed the same functions in Flash and there's no way for the script to check if it's in the Flash or not.
I already know the flaw works; it's just a matter of fixing it.
One possible solution is approved sigs only; that data is kept on a GFY server, not on remote servers.
Maybe sigs only after 1000 posts?
Ban HTML code altogether

(I don't think that one will go over too well)