Escaping BB tags
when I did it I found that CMSes like older versions of PHP-Fusion checked the first part of the bb tag such as [color and then closed the tag with the last part ]. Essentially it was possible to put XSS in between the tags [Color <XSS here>]words here[/color]. I am fairly certain these methods are patched on most open-source CMSes; however, if you find a custom CMS it may be possible, especially if they just copied and pasted their source from a tutorial website (as a majority of tutorial sites care more about the functionality of their demonstration than about security).
We'd really need to know the exact implementation before being able to do anything. For instance I'd created my own implementation of bbcode. Hosted here: http://www.whiteacid.org/misc/bbcode.php Source here: http://www.whiteacid.org/misc/bbcode.phps and here: http://www.whiteacid.org/misc/bbcodes.xml
For a long time it looked really secure, until a flaw was found in the [ url ] (simple and complex) regexes. In the XML file you can see what they are now; here's what they used to be:
<regex>#\[url=([a-z]://)([^\r\n\"\[<]+?)\](.+?)\[/url\]#si</regex>
That's the complex one, you should be able to work out what the simple one was.
SystemOfAHack then told me that [ url=javascript://%0D%0Aalert(document.cookie);]click this.[/url ] would create an injection (I added spaces to prevent it from being parsed). Would that exact injection work in other implementations? Unlikely, it really depends on the regex they use.
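The flaw above, reduced to a runnable Python port beside a hardened [url] handler; this is an added example, not code from whiteacid's bbcode.php. It assumes the old scheme group was `[a-z]+://` (the quoted line reads `[a-z]://`, which could only match one-letter schemes, so a `+` was most likely lost in posting), and it assumes text outside the tags is escaped elsewhere.

```python
import html
import re
from urllib.parse import unquote

# Port of the old [url=...] regex from the post. Assumption: the scheme group
# was "[a-z]+://" (the quoted line reads "[a-z]://", so a "+" probably went missing).
OLD_URL_RE = re.compile(r'\[url=([a-z]+://)([^\r\n"\[<]+?)\](.+?)\[/url\]', re.I | re.S)

# Hardened handler keeps the same tag syntax but validates the URL in code
# after percent-decoding, instead of trusting the character class alone.
SAFE_URL_RE = re.compile(r'\[url=([a-z]+://[^\r\n"\[<]+?)\](.+?)\[/url\]', re.I | re.S)

ALLOWED_SCHEMES = ("http://", "https://", "ftp://")


def render_old(text: str) -> str:
    """Old behaviour: any 'letters://' scheme passes, and CR/LF are only
    rejected when literal, so %0D%0A slips through and the href is not escaped."""
    return OLD_URL_RE.sub(
        lambda m: f'<a href="{m.group(1)}{m.group(2)}">{m.group(3)}</a>', text)


def url_is_safe(url: str) -> bool:
    """Allow-list the scheme and reject control characters and quote/angle
    characters after decoding, because the browser decodes %0D%0A for us."""
    decoded = unquote(url)
    if not decoded.lower().startswith(ALLOWED_SCHEMES):
        return False
    return not any(ord(c) < 0x20 or c in '"<>' for c in decoded)


def render_safe(text: str) -> str:
    """Hardened behaviour: validate the decoded URL, escape what is emitted,
    and fall back to the escaped literal tag when validation fails."""
    def repl(m: re.Match) -> str:
        url, label = m.group(1), m.group(2)
        if not url_is_safe(url):
            return html.escape(m.group(0))
        return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'
    return SAFE_URL_RE.sub(repl, text)


if __name__ == "__main__":
    # The exact injection from the post (spaces removed so it parses).
    inj = '[url=javascript://%0D%0Aalert(document.cookie);]click this.[/url]'
    print(render_old(inj))
    print(render_safe(inj))
```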