
Custom signatures allow the use of hidden external links that can be used for vandalism
Open, Needs Triage, Public

Description

There was a report on en.wp’s Administrator noticeboard/incidents of a user having a link to a pornographic website hidden in his custom signature. External links should not be allowed in the custom signature interface as this can lead to a vulnerability to phishing attacks or other general vandalism linking.

Link to ANI thread:
https://en.wikipedia.org/w/index.php?oldid=1290678644#User:Mifflefunt_is_NOTHERE
Link to related discussion:
https://en.wikipedia.org/wiki/Special:PermanentLink/1290697957#Phab_report_needed_for_signature_vulnerability

Event Timeline

I kind of wonder if this is the sort of thing better handled by simply blocking users who do things like this. Even if we banned external links in sigs, nothing is stopping the user from manually writing out their preferred "signature" instead of using ~~~~. Restrictions on signatures more serve to prevent people who don't know better from doing annoying things. It's not really a good security measure against actually malicious users.

[As an aside, wasn't this an exact issue on /. back in the day?]

It should not be possible to use {{SUBST:Plain link| (or {{SUBST: in general) for a custom signature. Sure, it's easy to get around it and maybe impossible to stop it completely, if someone really wants to vandalize that way, but some basic safeguards should be in place for custom signatures.

There was a suggestion that the signature handler was being used to bypass some other control, if so please provide a bit more information on that which could be treated as a 'bug'.

If this is only about the broader request, "External links should not be allowed in the custom signature" that seems like a feature request that would need broader discussion.

> There was a suggestion that the signature handler was being used to bypass some other control,

I believe you're thinking of this comment: "if using this method bypasses the blacklist, it makes the blacklist pointless to would-be vandals."
I don't think that was a suggestion, but more of a question about how it currently works. But from what I know the signature doesn't bypass the blacklist (or the abuse filter).

> There was a suggestion that the signature handler was being used to bypass some other control, if so please provide a bit more information on that which could be treated as a 'bug'.
>
> If this is only about the broader request, "External links should not be allowed in the custom signature" that seems like a feature request that would need broader discussion.

The original user who brought up this problem, @Johnuniq, said he believed that this method of adding a link through the custom signature was used in the past to bypass the blacklist, and that's what my comment was in reference to. I tried to look in the logs for past tickets, but I couldn't find any about that specific problem on here.

Custom signatures can be set in Special:Preferences. When a user changes their custom signature, that customisation should be checked against MediaWiki:Spamblacklist. If it's problematic, then an error should be thrown.
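The following is an added, stand-alone illustration of the two safeguards discussed in this thread (rejecting `{{subst:` in a signature, and checking every external link in a new signature against spam-blacklist entries before saving it). It is not MediaWiki's code and does not use MediaWiki's hooks or its actual blacklist matching; the blacklist text, the simplified "one regex per line" format, the `validate_signature` function name and the sample signatures are all constructed for this example.

```python
import re

# Constructed sample blacklist, one regex fragment per line, '#' comments allowed.
# (MediaWiki:Spam-blacklist uses a similar line-oriented format; the exact way
# entries are combined and matched there is not reproduced here.)
SAMPLE_BLACKLIST = r"""
# constructed example entries, not real domains
\bexample-spam\.test\b
bad-links\.invalid
"""

def parse_blacklist(text):
    """Compile each non-empty, non-comment line as a case-insensitive regex."""
    patterns = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            patterns.append(re.compile(line, re.IGNORECASE))
    return patterns

PATTERNS = parse_blacklist(SAMPLE_BLACKLIST)

# External links in wikitext: bracketed [http://host/path label] (also the
# protocol-relative [//host/path label] form) and bare http(s):// URLs.
# Links wrapped in <span class="plainlinks"> are still found, since the
# regex looks at the URL, not at the surrounding markup.
EXT_LINK_RE = re.compile(
    r'\[\s*((?:https?:)?//[^\s\]]+)'      # group 1: bracketed external link
    r'|((?:https?:)//[^\s\[\]<>"{}|]+)',  # group 2: bare URL
    re.IGNORECASE)

# Any {{subst:...}} (case-insensitive) in a signature is rejected outright,
# as suggested above, because its expansion is not visible at save time.
SUBST_RE = re.compile(r'\{\{\s*subst:', re.IGNORECASE)

def extract_external_links(sig):
    """Return every external URL found in a signature string."""
    return [m.group(1) or m.group(2) for m in EXT_LINK_RE.finditer(sig)]

def validate_signature(sig, patterns=PATTERNS):
    """Return a list of error codes; an empty list means the signature is acceptable.

    Hypothetical error codes: 'subst-not-allowed' and 'blacklisted-link:<url>'.
    """
    errors = []
    if SUBST_RE.search(sig):
        errors.append('subst-not-allowed')
    for link in extract_external_links(sig):
        for pattern in patterns:
            if pattern.search(link):
                errors.append(f'blacklisted-link:{link}')
                break
    return errors

if __name__ == '__main__':
    # Constructed sample signatures.
    for sig in (
        '[[User:Alice|Alice]] ([[User talk:Alice|talk]])',
        '[[User:Bob|Bob]] [http://example-spam.test/x talk]',
        '{{subst:Plain link|https://bad-links.invalid}}',
    ):
        print(repr(sig), '->', validate_signature(sig) or 'ok')
```

A real implementation would run this at the point where Special:Preferences saves the signature and refuse the save when the list is non-empty; it would also need to reuse the wiki's actual blacklist matcher rather than this simplified per-line regex, so that the same entries behave identically in page edits and in signatures.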

Bucheon2026 changed the task status from Open to In Progress. Mar 14 2026, 8:09 AM
Johannnes89 changed the task status from In Progress to Open. Mar 14 2026, 8:10 AM