As i was looking for a nice BBCode2HTML converter i came across the following behavior of the Module which i think is a bug which could be exploited to insert JS.
[color=blue" onmouseover="this.innerHTML = 'XSS']test[/color]
becomes
<span style="color: blue" onmouseover="this.innerHTML = 'XSS'">test</span>

I used the following script to test this behavior:

use strict;
use warnings;

use HTML::BBCode;

my $bbcode = q~[color=blue" onmouseover="this.innerHTML = 'XSS']test[/
+color]~;
my $bbc = HTML::BBCode->new( {
    no_html      => 1,
    no_jslink    => 1,
    linebreaks   => 1,
} );
print $bbc->parse($bbcode);
print "\n";
[download]

If i made a mistake or there is a workaround other than disabling the color-tag (and maybe other tags, too), please let me know. Also i would like to hear other suggestions for BBCode2HTML converters (doesn't have to be exactly BBCode, could be something similar) that are known to be safe for public websites.