Currently, no escaping at all is done on the HTML generated by Marked. This can be a cause for XSS (but then again, there is nothing to be gained from performing XSS on one's own vault... or is there?).
