Hm, I hope it still works with whatever version of the SMF-Shop there is now...lol.
SMFShop hasn't really been updated since January 2007, so it'll be fine.
Here is the solution:
HTML injection doesn't allow them to obtain the admin password or hack the forum. They're only injecting the HTML into a page that only they can see anyway, so it's pointless.
The correct fix:
Find:
function onUse() {
Add after:
$_POST['question'] = htmlspecialchars($_POST['question']);
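
The escaping step from the fix above, as an added example that is not part of the original posts and is not SMFShop code. It passes explicit flags and escapes at the point of output; the function names and sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not SMFShop code: escape_html() and on_use() are hypothetical.

// Encode for HTML output with explicit flags. ENT_QUOTES also encodes single
// quotes, which the default flags before PHP 8.1 (ENT_COMPAT) leave untouched.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical stand-in for an item whose onUse() echoes the posted question.
function on_use(array $post): string
{
    // A missing field or an array value (question[]=x) is treated as empty,
    // so htmlspecialchars() is never handed a non-string.
    $question = isset($post['question']) && is_string($post['question'])
        ? $post['question']
        : '';

    // Escape when building the output instead of overwriting $_POST, so the
    // raw value stays available for any non-HTML use.
    return 'You asked: ' . escape_html($question);
}

// Constructed sample inputs.
$samples = [
    ['question' => 'Will it rain tomorrow?'],
    ['question' => '<i>Will it rain?</i> "maybe" \'yes\''],
    ['question' => ['nested']],
    [],
];

foreach ($samples as $post) {
    echo on_use($post), PHP_EOL;
}
```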