I guess that allowing only /^\w+$/ as values is a sane approach at least for the [color] tag. For the other values, you will need to come up with other ways, I suggest restrictive regular expressions there as well. As long as you keep the permissions restrictive in the sense that your REs describe what's allowed instead of describing what's forbidden, you'll be safe(r).

Especially for the [colour] tag, you could also explicitly list the set of allowed colours in your regular expression.