JForum 2.1.9 is obsolete, the chances of it being fixed are just about zero, IMO. The fix mentioned probably made it into the development version of JForum 3, which has at present no projected release date.
Instead of JForum 2.1.9, you should be using the fork at https://code.google.com/p/jforum2/ (to which I happen to be a committer). I'm not sure if that is still vulnerable; I'll try to find out.
Tests confirm that JForum 2.3.x is not susceptible to this vulnerability. This is not the only XSS vulnerability in JForum 2.1.9 that was fixed along the route to 2.3.x.