Lucky for you I had some time to read your source ;-)
in reply to Re: XSS-Bug in HTML::BBCode
in thread XSS-Bug in HTML::BBCode
I think the main problem is how $attr is handled in sub _do_BB. Basically you should try to filter any content in $attr which is not what you expect. Right now you filter < and >. In addition you should also filter ; and " since ; can begin a new CSS attribute and " can end the CSS altogether and start something new (like I did with onmouseover="").
Maybe it would also be nice to change the behavior from just filtering out all unwanted stuff to changing broken BBCode into text. That would resemble what phpBB actually does.
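
An added example, not part of the original post and not HTML::BBCode's own code: one way to apply both suggestions above, checking the attribute against a per-tag allow-list and rendering the BBCode as escaped text when it does not match. The names `render_tag`, `escape_html`, `%ATTR_OK`, `%STYLE` and the two supported tags are assumptions made for illustration.

```perl
use strict;
use warnings;

# Hypothetical helpers for illustration; this is not the module's _do_BB.

# Per-tag allow-list: the whole attribute must match, otherwise the tag is
# rejected. Nothing is "cleaned" by deleting individual characters.
my %ATTR_OK = (
    color => qr/\A(?:[a-zA-Z]{1,20}|#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6})\z/,
    size  => qr/\A(?:[1-9]|[12][0-9])\z/,    # 1..29, emitted as px
);

# How a validated attribute is turned into a CSS declaration.
my %STYLE = (
    color => sub { "color: $_[0]" },
    size  => sub { "font-size: $_[0]px" },
);

sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Render [tag=attr]content[/tag]. A missing, unknown or non-matching
# attribute turns the whole construct back into escaped plain text.
sub render_tag {
    my ($tag, $attr, $content) = @_;
    $attr = '' unless defined $attr;
    my $ok = $ATTR_OK{$tag};
    if ($ok && $attr =~ $ok) {
        return sprintf '<span style="%s">%s</span>',
            $STYLE{$tag}->($attr), escape_html($content);
    }
    return escape_html(sprintf '[%s=%s]%s[/%s]', $tag, $attr, $content, $tag);
}

# Constructed sample inputs: two valid colors, the two breakouts the post
# describes (a quote and a semicolon in the attribute), and a valid size.
for my $case (
    [ color => 'red',                   'hello' ],
    [ color => '#ff0000',               'hello' ],
    [ color => 'red" onmouseover="x',   'hello' ],
    [ color => 'red; background: blue', 'hello' ],
    [ size  => '12',                    'hello' ],
) {
    print render_tag(@$case), "\n";
}
```

Because the check is anchored with `\A` and `\z`, an attribute containing `;` or `"` never reaches the style string at all, and the reader sees the original BBCode as text instead of a silently altered tag.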