After you update, your "secure test tool" should not present any more flags regarding your site. Though your tool may flag inlined images linked from third-party sites, or if you allow your users to use avatars linked from other websites.
There really is no other way around it, other than choosing one of the three following options.
Thes apply to linked images for Avatars, Signatures, Posts, Private Messages... and probably Profile Comments, if you have them enabled:
1) Remove all the linked images and disable their ability to use images other than what you've provided or what they've uploaded to you.
2) Disable the ability to hotlink images, and purely rely on user uploaded image attachments. This would mean that you'd be hosting their images.
3a) Just accept it.
3b) Just accept that everything before a certain date (today?) is the way it is, and make the changes so that everything going forward is 100% secure.
If you disable hotlinked images, IIRC, the forum will just display a link to that image, instead of trying to display it. This will pass your tool's test.
