Am I crazy here or is there no validation on the user input signature image URL at all?
Basically a user can input whatever they want and it will be pushed to other users?
Also, why is the URL signature db size set to 32_000?
Why would anyone need 32000 characters for a URL to an image?
Spooky
I modified the CSS to this in order to hard-code a max height and width:

.signature-img {
  max-width: 600px;
  max-height: 100px;
  width: auto;
  height: auto;
  display: block;
  margin: 5px 0;
}
I changed the signature URL max size to 250 in plugin.rb:

register_user_custom_field_type("signature_url", :string, max_length: 250)
register_user_custom_field_type("signature_raw", :string, max_length: 250)
I added this to the bottom of “on(:user_updated) do |user|” in plugin.rb (I won’t be using advanced mode):

  # Validate the URL if not in advanced mode
  if !SiteSetting.signatures_advanced_mode && user.custom_fields["signature_url"]
    url = user.custom_fields["signature_url"]

    # Strict validation: only HTTPS, only certain image file types.
    # \A and \z anchor the whole value so nothing can be prepended or appended.
    unless url =~ /\Ahttps:\/\/[a-zA-Z0-9.\-\/_]+\.(png|jpe?g|gif|webp)(\?[a-zA-Z0-9=&]+)?\z/
      Rails.logger.warn("[discourse-signatures] Rejected invalid signature_url for user #{user.id}: #{url.inspect}")
      # Clear the rejected value and persist it (custom fields are saved along with the user)
      user.custom_fields["signature_url"] = nil
      user.save
    end
  end
If I’m doing anything wrong here (Never worked with Discourse before), please correct it and show me the right way to do it.
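As an added example that is not part of the post above or of the discourse-signatures plugin, the following stand-alone Ruby script puts the posted regex beside a parser-based check and runs both over constructed sample URLs, so the two approaches can be compared offline. `signature_url_ok?`, `classify`, `MAX_SIGNATURE_URL_LENGTH`, the `cdn.example.com` URLs and the `SAMPLES` table are all assumptions made for this example; the 250 limit mirrors the `max_length` chosen in the post.

```ruby
require "uri"

# Added example (not the plugin's code): the posted regex beside a parser-based
# check, run over constructed sample URLs so the two can be compared offline.

# The regex exactly as it appears in the plugin.rb snippet above.
POSTED_REGEX = %r{\Ahttps://[a-zA-Z0-9.\-/_]+\.(png|jpe?g|gif|webp)(\?[a-zA-Z0-9=&]+)?\z}

# Allowlist and length limit (assumptions; the 250 mirrors the max_length chosen above).
IMAGE_EXTENSIONS = %w[png jpg jpeg gif webp].freeze
MAX_SIGNATURE_URL_LENGTH = 250

def regex_valid?(url)
  url.is_a?(String) && POSTED_REGEX.match?(url)
end

# Hypothetical parser-based validator. It parses the URL instead of matching
# characters, so percent-encoded paths and upper-case extensions pass while
# non-https schemes, embedded credentials and over-long values are rejected.
def signature_url_ok?(url)
  return false unless url.is_a?(String)
  return false if url.length > MAX_SIGNATURE_URL_LENGTH

  uri = URI.parse(url)
  return false unless uri.is_a?(URI::HTTPS)   # rejects http:, data:, javascript:, relative paths
  return false if uri.host.nil? || uri.host.empty?
  return false unless uri.userinfo.nil?       # https://user:pw@host/... is not an image URL

  ext = File.extname(uri.path.to_s).delete_prefix(".").downcase
  IMAGE_EXTENSIONS.include?(ext)
rescue URI::InvalidURIError
  false
end

# Returns [regex_result, parser_result] for one URL so the differences are visible.
def classify(url)
  [regex_valid?(url), signature_url_ok?(url)]
end

# Constructed sample inputs (not real user data).
SAMPLES = {
  "https://cdn.example.com/sig.png"           => "plain image",
  "https://cdn.example.com/sig.png?v=2"       => "cache-busting query",
  "http://cdn.example.com/sig.png"            => "cleartext scheme",
  "javascript:alert(1)"                       => "script scheme",
  "data:image/png;base64,AAAA"                => "data URL",
  "https://cdn.example.com/sig.svg"           => "SVG (can carry script)",
  "https://cdn.example.com/image?format=png"  => "no extension in path",
  "https://user:pw@cdn.example.com/sig.png"   => "embedded credentials",
  "https://cdn.example.com/my%20sig.png"      => "percent-encoded path",
  "https://cdn.example.com/SIG.PNG"           => "upper-case extension",
  "https://cdn.example.com/#{'a' * 300}.png"  => "over 250 characters",
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each do |url, note|
    regex_ok, parser_ok = classify(url)
    puts format("%-24s regex=%-5s parser=%-5s %s", note, regex_ok, parser_ok, url[0, 40])
  end
end
```

Both checks reject cleartext, `javascript:`, `data:` and SVG inputs; they differ on percent-encoded paths and upper-case extensions (the posted regex rejects them), and on length (the regex alone accepts a 300-character path, so it relies on the `max_length: 250` set on the custom field). Neither check fetches the image or inspects its content type, and both reject CDN-style URLs such as `image?format=png` that carry the format in the query rather than the path; that is a deliberate trade-off of the extension allowlist.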