I'm not a security expert. I'm not even a web developer.
Furthermore, these slides are not very meaningful without the talk to accompany them. But, enjoy!
ERRATA 1: Cal Evans pointed out that the StackOverflow answer I quoted isn't quite right. It claims that if you convert all < characters to &lt; then you're safe. But some older browsers are vulnerable to a crazy UTF-7 XSS attack that can succeed even when < is escaped. Newer browsers do not have this bug.
ERRATA 2: Markdown doesn't strip out or escape HTML tags by itself. Some Markdown libraries support a special "safe mode" that does this.
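As an added illustration of ERRATA 1 (example code written here, not part of the slides or the quoted answer): the naive rule only rewrites a literal `<`, so the UTF-7 transfer form of `<`, which contains no `<` byte, passes it untouched; the defence is full escaping plus an explicit charset so the browser never has to guess the encoding. The `render` helper and the header layout are assumptions of this example.

```python
import codecs
import html

# RFC 2152 transfer form of a single '<' (U+003C) in UTF-7; constructed
# sample, verified below by decoding it with Python's own utf-7 codec.
UTF7_LT = "+ADw-"

def naive_escape(s: str) -> str:
    """The rule the quoted StackOverflow answer relies on: rewrite only '<'."""
    return s.replace("<", "&lt;")

def escape_html(s: str) -> str:
    """Escape every HTML metacharacter (&, <, >, ", ') for the text context."""
    return html.escape(s, quote=True)

def naive_escape_misses(wire: str) -> bool:
    """True when naive_escape leaves `wire` untouched even though a browser
    that decides the page is UTF-7 would decode it to markup containing '<'."""
    decoded = codecs.decode(wire.encode("ascii"), "utf-7")
    return naive_escape(wire) == wire and "<" in decoded

def declares_charset(headers: dict) -> bool:
    """The mitigation: an explicit charset in Content-Type, so the browser
    never sniffs UTF-7 from the byte patterns of the document."""
    ct = headers.get("Content-Type", "").lower().replace(" ", "")
    return ct.startswith("text/html") and "charset=" in ct

def render(untrusted: str, headers: dict) -> tuple:
    """Hardened output: full escaping of the untrusted text plus a pinned
    charset. Returns (body, headers); the header dict is an assumed shape."""
    hardened = dict(headers)
    hardened["Content-Type"] = "text/html; charset=utf-8"
    return escape_html(untrusted), hardened

if __name__ == "__main__":
    wire = UTF7_LT + "b"  # constructed: UTF-7 '<' followed by a plain 'b'
    print("naive filter misses UTF-7 form:", naive_escape_misses(wire))
    print(render("<b>hi</b>", {"Content-Type": "text/html"}))
```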