That's quite surprising, it's a textbook XSS vulnerability. It seems to me that their markdown library should escape entities by default or they will have many other vulns.