The problem is in [glow] and [shadow] tag,yabb doesn't ****** the charactor in this tag,attack needn't visitor to click any links,just when the vistor read the thread,XSS code will be executed.
HomePage: [Only registered and activated users can see links]