CuteMarkEd
XSS can be used
Enter the following code in the source area:
"><script>alert(1);</script>
and then you will find that a message box appears.
Entity-encoding all characters is suggested to solve this problem.
Some links:
https://github.com/showdownjs/showdown/wiki/Markdown's-XSS-Vulnerability-%28and-how-to-mitigate-it%29
https://michelf.ca/blog/2010/markdown-and-xss/
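
The entity-encoding suggested above, as an added example (not CuteMarkEd's code and not part of the original report). The function names, and the idea of running this on the source text before Markdown conversion, are assumptions; it keeps blockquote markers and also encodes `&`, so entities typed in the source will display literally.

```cpp
#include <cstddef>
#include <string>

// Append c to out, entity-encoding the characters that can open a tag,
// close a quoted attribute value or start an entity.
static void appendEscaped(std::string& out, char c) {
    switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;
    }
}

// Hypothetical pre-processing step: neutralise raw HTML in Markdown source
// before it reaches the Markdown-to-HTML converter. Blockquote markers
// ('>' at the start of a line, after at most three spaces) are copied as-is
// so quoting still works; '<' is always encoded, so a kept '>' cannot
// complete a tag.
std::string escapeMarkdownSource(const std::string& src) {
    std::string out;
    out.reserve(src.size() + src.size() / 4);
    std::size_t pos = 0;
    while (pos < src.size()) {
        std::size_t eol = src.find('\n', pos);
        if (eol == std::string::npos) eol = src.size();

        // Find the end of the blockquote prefix, e.g. "> > ".
        std::size_t i = pos, spaces = 0;
        while (i < eol && src[i] == ' ' && spaces < 3) { ++i; ++spaces; }
        std::size_t prefixEnd = pos;
        while (i < eol && src[i] == '>') {
            ++i;
            if (i < eol && src[i] == ' ') ++i;
            prefixEnd = i;
        }
        out.append(src, pos, prefixEnd - pos);

        // Everything after the prefix is encoded character by character.
        for (i = prefixEnd; i < eol; ++i) appendEscaped(out, src[i]);
        if (eol < src.size()) out += '\n';
        pos = eol + 1;
    }
    return out;
}
```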