Thanks for reporting!
I'll see if I can patch it asap. Any pointers on how to prevent this in a nice way could be helpful :-)
All code is usually tested, but rarely trusted.
I guess that allowing only /^\w+$/ as values is a sane approach at least for the [color] tag. For the other values, you will need to come up with other ways, I suggest restrictive regular expressions there as well. As long as you keep the permissions restrictive in the sense that your REs describe what's allowed instead of describing what's forbidden, you'll be safe(r).
Especially for the [colour] tag, you could also explicitly list the set of allowed colours in your regular expression.
Lucky for you i had some time to read your source ;-)
I think the main-problem is how $attr is handled in sub _do_BB. Basically you should try to filter any content in $attr which is not what you expect. Right now you filter < and >. In addition you should also filter ; and " since ; can begin a new css-attribute and " can end the css altogether and start something new (like i did with onmouseover="").
Maybe it would also be nice to change the behavior from just filtering out all unwanted stuff to changing broken BBCode into text. That would resemble what phpBB actually does.