kartik-v / yii2-markdown

Advanced Markdown editing and conversion utilities for Yii Framework 2.0

Home Page: http://demos.krajee.com/markdown


Javascript injection feasible

chris68 opened this issue

If I enter

Check javascript

<script>
alert("Hi!");
</script>

in the editor and press the preview button I get a 'Hi' box. Not really desirable...

Github handles that correctly (as you can easily test with this bug report)

Resolved and closed via commit 9425e14. Thanks for reporting. Injected scripts/XSS will be removed. To embed a script as text, escape the '>' character like this:

<script\>alert ("Hello")</script\>
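The defensive step the thread describes is sanitizing the HTML that the Markdown converter produces before it is sent back to the preview pane. The following is an added example written for this page, not code from the yii2-markdown project or from commit 9425e14 (whose contents are not shown here). It is a standalone PHP allowlist sanitizer built on the standard DOMDocument API; the function and constant names are this example's own, the Markdown-to-HTML conversion is assumed to happen elsewhere, and the inputs in the demo are constructed from the report's payload. It goes slightly beyond the report by also dropping event-handler attributes and `javascript:` URLs, which are the other common ways script reaches a preview.

```php
<?php
declare(strict_types=1);

// Elements that may appear in a preview; any other element is unwrapped
// (its text content kept, the tag itself dropped).
const ALLOWED_TAGS = ['p', 'br', 'strong', 'em', 'code', 'pre', 'blockquote', 'hr',
    'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'a', 'img',
    'table', 'thead', 'tbody', 'tr', 'th', 'td'];
// Elements removed together with their content: a <script> body is never
// text the author meant to display.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];
// Attributes kept per element; everything else (on* handlers, style, ...) is dropped.
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt', 'title']];

function sanitizePreviewHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // unknown tags would otherwise emit warnings
    $doc->loadHTML('<!DOCTYPE html><html><head>'
        . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    sanitizeChildren($body);

    // Serialize only the body's children so the wrapper document stays out of the result.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitizeChildren(DOMNode $parent): void
{
    // Snapshot the list: removing nodes while iterating a live NodeList skips siblings.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMComment) {          // comments carry nothing a preview needs
            $parent->removeChild($child);
            continue;
        }
        if (!$child instanceof DOMElement) {         // text nodes are already inert
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $parent->removeChild($child);
            continue;
        }
        sanitizeChildren($child);                    // clean descendants before deciding on this node
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            while ($child->firstChild !== null) {    // unwrap: hoist children, drop the element
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        $keep = ALLOWED_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $bad = !in_array($name, $keep, true)
                || (in_array($name, ['href', 'src'], true) && !isSafeUrl($attr->value));
            if ($bad) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

function isSafeUrl(string $url): bool
{
    // Browsers ignore tabs and newlines inside a scheme, so strip control
    // characters and whitespace before inspecting it.
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return true; // no scheme: a relative URL
    }
    return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
}

// Demo with constructed input: the payload from the report, as a converter
// that passes raw HTML through would emit it, plus an event-handler attribute
// and a javascript: link.
$unsafe = '<p>Check javascript</p>' . "\n"
    . '<script>' . "\n" . 'alert("Hi!");' . "\n" . '</script>' . "\n"
    . '<p onmouseover="alert(1)">hover <a href="javascript:alert(1)">me</a></p>';
echo sanitizePreviewHtml($unsafe), PHP_EOL;

// Constructed input standing for the escaped form in the maintainer's reply:
// once the converter has emitted the tag characters as entities, the script
// is plain text and passes through unchanged.
echo sanitizePreviewHtml('<p>&lt;script&gt;alert ("Hello")&lt;/script&gt;</p>'), PHP_EOL;
```

Run it with `php sanitize_preview.php` (any file name works). The first output keeps both paragraphs but contains no `<script>` element, no `onmouseover` attribute and no `href` on the link; the second comes back as entity-escaped text, which is what the `\>` escape in the reply achieves at the Markdown layer. The allowlist is deliberately applied to the converter's output rather than to the Markdown source, because Markdown permits raw HTML and a source-level filter is easy to bypass with converter-specific syntax.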