After going through the supplied post on markdown, we felt concerned about potential XSS attacks because one can write regular html in markdown. (We do have multiple authors BTW.) We checked (locally) that it was possible to embed javascript in a post.

It will run when you visit this post. However it will not run in admin panel (as we are composing this). You can check in the console if there is a line output by inline-javascript. there.

We saw some closed issues on XSS at ghost's github repository. There seems to be some XSS filtering. We should probably implement Content-Security-Policy to prohibit inline javascript.