Are there any XSS vulnerabilities in SMF 2.0.2?
Posted by: cookiesui
Date: January 13, 2012 08:44PM

hi, i'm a noob at this stuff, but my friend hosts a forum (which uses SMF 2.0.2), and as far as i know, anywhere there's a place for user input (be it posting a thread, the title of a thread, the search bar, editing your profile info, etc.), it will convert

" to &quot;
< to &lt;
> to &gt;
' to &#039;

and as such, there seems to be no way to get out of attributes or do anything. also, there's no way to post a link or link to an external site picture (say, for your avatar) w/o it automatically appending an "http://" prefix.

can anyone think of a way to get past all this filtering?

Re: Are there any XSS vulnerabilities in SMF 2.0.2?
Posted by: Albino
Date: January 14, 2012 06:13AM

Short answer: no. I'd suggest learning with an easier site; in my experience fully patched forums are very secure.

If you're determined, well you could try to find the places they forgot to filter. Obvious inputs are unlikely to work but the more subtle ones, like the meta-data on uploaded images, might be unfiltered.

Another option is to try to find some bbcode that gets converted into a script. Of course there are many more options.

Re: Are there any XSS vulnerabilities in SMF 2.0.2?
Posted by: Skyphire
Date: January 17, 2012 05:45PM

Probably in plugins developed by its users. SMF has a lot of them. One issue is the custom signature plugin; it just accepts HTML and JavaScript.

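An added example, not part of the thread and not SMF's own code: the output handling the posts describe (the four character conversions and the forced "http://" prefix), applied to every untrusted field including a signature and uploaded-image metadata, then checked by parsing the result. All function names, the template and the sample values are constructed for illustration; encoding `&` as well is an assumption beyond the four characters listed in the first post.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

def encode(value):
    """Entity-encode " < > ' (and &, an assumption) for text and quoted attributes."""
    return html.escape(value, quote=True).replace("&#x27;", "&#039;")

def normalize_url(value):
    """Prefix http:// unless the value already uses http or https."""
    value = value.strip()
    if urlsplit(value).scheme not in ("http", "https"):
        value = "http://" + value
    return value

def render_profile(name, avatar_url, signature, image_comment):
    """Hypothetical template: every untrusted field is encoded at output time."""
    return (
        f'<div class="poster">{encode(name)}</div>\n'
        f'<img class="avatar" src="{encode(normalize_url(avatar_url))}" alt="">\n'
        f'<div class="signature">{encode(signature)}</div>\n'
        f'<div class="exif">{encode(image_comment)}</div>'
    )

class TagCollector(HTMLParser):
    """Records each start tag and its attribute names as a parser sees them."""
    def __init__(self):
        super().__init__()
        self.seen = []
    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, tuple(name for name, _ in attrs)))

def tags_in(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.seen

# Constructed sample input: each field carries markup-significant characters.
SAMPLE = {
    "name": 'bob" onmouseover="x',
    "avatar_url": "javascript:void(0)",
    "signature": "<script>void(0)</script>",
    "image_comment": "<b>'shot'</b>",
}

if __name__ == "__main__":
    page = render_profile(**SAMPLE)
    print(page, tags_in(page), sep="\n")
```

If `tags_in` ever reports a tag or attribute that the template did not write, some field reached the page without passing through `encode`, which is the plugin and metadata case raised in the replies.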