Ok I have done this. It wasn’t a security issue, just a false positive that was triggering mod_security. Once I got mod_security on I was able to test that it fixes it.
Basically it doesn’t like the http:// being submitted to the form so I moved it out of the input so they just have to enter theirdomain.com instead of the full http:// theirdomain.com.
I found another bug that prevents us from editing the form fields which I am going to fix next. But until then you could just remove it from your database directly if you are familiar with phpMyAdmin or if your host has some other method of editing the database you can use.
If you want to do this by editing the database directly all you have to do is edit the form_field table and remove the http:// from the field_init column for the URL so that it’s empty. Then you have to apply the patches to the files I linked to below.
If you would rather wait for me to fix the form editing bug you can just edit the form and remove the http:// from the initial value field and I can explain that more detailed if you like once I fix the bug if you go that route.
If you are using the dev snapshot you can update these files or if you are using the original version you can manually patch them. The changes are shown here: http://tinyurl.com/bxlty6p
and then a little css change I forgot to add: