The markdown library (marked) used in this demo does not properly handle HTML entities (even with the sanitize option set to true). This leads to a stored XSS in this demo.

The marked project also appears to be abandoned. I suggest using something else in the demo. I know this is not intended to be production code, but people will follow this as an example. You can also see this in action on the main https://facebook.github.io/react/ page under "A Component Using External Plugins" as a "self xss"

POC:

Run the project and submit a comment with the following markdown:

[XSS](javascript&#58document;alert(1))

References:

The pull request I opened to them (a long time ago):
markedjs/marked#592

A full writeup on the actual issue:
https://snyk.io/blog/marked-xss-vulnerability/

The Node Security Advisory:
https://nodesecurity.io/advisories/101

As well as RetireJS:
http://retirejs.github.io/retire.js/