Googling for '.NET bbcode' puts this at the top of the results: http://bbcode.codeplex.com. It looks promising, and the blurb even confirms what we are after:
We have used Pex (http://research.microsoft.com/en-us/projects/Pex/) to extensively test some important properties of this BBCode-Parser. We used Pex to ensure that the parser never crashes and that it never emits any dangerous tag such as <script>, no matter what the input was. The user can type any HTML he wants but it will just get encoded, even when it is in unusual places like the href-attribute of the url-tag. If you have any questions about this you can post them on http//codekicker.de if you speak German. In other cases you can contact us by email in English.
Excellent; it even singles out security. Sixty seconds into testing it ourselves, we have this:
So what went wrong? The first thing is the way [url] tags are handled:
Which results in the following HTML:
OK, a bad start, but it requires the user to click the link before anything executes, so not the end of the world, right? Let's have a look at the [img] tag to see whether that fares any better:
OK, not fantastic. So what's the takeaway from this? The OWASP Top 10 for 2013 has this at number 9:
'Using Components With Known Vulnerabilities'
And for good reason. It's extremely easy to google for a library and have multiple sources tell you 'this is secure, use this'. Always security test your libraries before building on them; a claim of extensive testing, even with a tool as good as Pex, only covers the properties someone thought to check, and "every URL is HTML-encoded" is not the same property as "every URL is safe to put in an href".
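As an added illustration (this is not code from the original post, nor from the bbcode.codeplex.com library, whose source is not shown here), the Python below contrasts an encoding-only BBCode renderer with one that also validates the URL scheme. It makes the point behind the [url] and [img] results above: HTML-encoding an attribute value stops the value breaking out of the attribute, but it does nothing against a javascript: URL, which contains no character that encoding touches. Python is used rather than C# so the example is easy to run; the two tag patterns, the http/https allow-list and the control-character check are assumptions of this example, and the sample inputs are constructed for it (they are not the payloads shown in the screenshots above).

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample inputs for this example; they are not the payloads from the post.
SAMPLES = [
    "[url=http://example.com]ok[/url]",
    "[url=javascript:alert(1)]click me[/url]",
    "[url= JaVaScRiPt:alert(1)]mixed case[/url]",
    "[img]http://example.com/a.png[/img]",
    "[img]java\nscript:alert(1)[/img]",
    '[img]x" onerror="alert(1)[/img]',
    "plain <script>alert(1)</script> text",
]

# One pass over the two tags the post looks at: [url=...]...[/url] and [img]...[/img].
TAG_RE = re.compile(
    r"\[url=(?P<href>[^\]]*)\](?P<label>.*?)\[/url\]"
    r"|\[img\](?P<src>.*?)\[/img\]",
    re.IGNORECASE | re.DOTALL,
)


def _render(text, url_ok):
    """Convert text to HTML, encoding every literal piece. url_ok(url) decides
    whether a tag's URL may be emitted as an href/src; a rejected tag is
    rendered as escaped literal text rather than as markup."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        url = m.group("href") if m.group("href") is not None else m.group("src")
        if not url_ok(url):
            out.append(html.escape(m.group(0), quote=True))
        elif m.group("href") is not None:
            out.append('<a href="%s">%s</a>'
                       % (html.escape(url, quote=True), html.escape(m.group("label"), quote=True)))
        else:
            out.append('<img src="%s" alt="" />' % html.escape(url, quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


def naive_bbcode_to_html(text):
    """Encoding-only renderer: any URL is accepted as long as it is HTML-encoded.
    This is enough to stop attribute break-out (quotes become &quot;), but a
    javascript: URL has no characters that encoding changes, so it survives."""
    return _render(text, lambda url: True)


SAFE_SCHEMES = {"http", "https"}  # assumption: only absolute http(s) URLs wanted


def is_safe_url(url):
    """Allow only absolute http(s) URLs. Surrounding whitespace is stripped and
    any ASCII control character is rejected before parsing: browsers discard
    tabs and newlines inside a URL (so 'java\\nscript:' still runs) and recent
    urllib.parse versions strip them too, which would hide the scheme from us."""
    url = url.strip()
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    parts = urlparse(url)  # urlparse lower-cases the scheme for us
    return parts.scheme in SAFE_SCHEMES and parts.netloc != ""


def hardened_bbcode_to_html(text):
    """Same renderer, but a URL must pass is_safe_url before it becomes an href/src."""
    return _render(text, is_safe_url)


if __name__ == "__main__":
    for sample in SAMPLES:
        print("input:    %r" % sample)
        print("naive:    %s" % naive_bbcode_to_html(sample))
        print("hardened: %s" % hardened_bbcode_to_html(sample))
        print()
```

The hardened renderer deliberately rejects relative URLs and anything without a host; widen SAFE_SCHEMES or accept paths beginning with a single "/" if your site needs them, but keep the decision an allow-list on the parsed scheme rather than a search for the string "javascript:". The same rule applies to every attribute that takes a URL, which is why the [img] tag fails in exactly the same way as [url] once encoding is the only defence.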
Thanks to http://jeffchannell.com/Other/bbcode-xss-howto.html for the excellent BBCode injection examples; it is a great resource if you are testing your own BBCode solution.