
    Escape content before going into google-code-prettify.

    Review Request #4916 — Created Nov. 8, 2013 and submitted

    Information

    Review Board
    master

    Reviewers


    marked.js passes raw text, not escaped text, to google-code-prettify.
    This results in google-code-prettify highlighting content and otherwise
    providing passed text as-is. This causes problems if you have any code
    you're trying to highlight that looks like HTML, as it remains HTML.
    Of course, this also means that HTML can be injected, leading to
    attacks.

    We now escape what marked.js gives us, and pass it to
    google-code-prettify, which handles escaped content just fine.

    Reproduced the bug I saw on /r/4861/. I added code blocks that contained
    HTML code, and was able to inject HTML (plus the tags didn't show up
    highlighted, as I wanted to see). After this change, I couldn't inject
    HTML, and my tag-like code was showing up highlighted properly.
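The behaviour described in this request, modelled as an added example that is not part of the review request or Review Board's code: `highlightStub` is a hypothetical stand-in for a highlighter that, like google-code-prettify here, treats its input as HTML, and `escapeHtml`, `renderBefore`, `renderAfter` and `tagNames` are illustrative names. It compares which elements a browser would parse from the output before and after escaping.

```javascript
// Added example, not Review Board's code. highlightStub is a hypothetical
// stand-in for a highlighter whose input and output are both HTML.

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')   // must run first so later entities stay intact
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Existing markup passes through untouched; only escaped tags
// (&lt;...&gt;) are recognised and wrapped in a highlight span.
function highlightStub(sourceHtml) {
  return sourceHtml.replace(/&lt;\/?[A-Za-z][\s\S]*?&gt;/g,
    (tag) => '<span class="tag">' + tag + '</span>');
}

// Before the change: raw Markdown code-block text goes to the highlighter.
function renderBefore(code) {
  return '<pre><code>' + highlightStub(code) + '</code></pre>';
}

// After the change: the text is escaped first, then highlighted.
function renderAfter(code) {
  return '<pre><code>' + highlightStub(escapeHtml(code)) + '</code></pre>';
}

// Element names a browser would parse as opening tags in the output.
// A regression check can assert that only the renderer's own tags appear.
function tagNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/<([A-Za-z][A-Za-z0-9]*)/g)) {
    names.add(m[1].toLowerCase());
  }
  return [...names].sort();
}

// Constructed sample: a code block whose content looks like HTML.
const SAMPLE = '<b class="x">bold</b> & 1 < 2';
console.log('before:', tagNames(renderBefore(SAMPLE)).join(','));
console.log('after: ', tagNames(renderAfter(SAMPLE)).join(','));
```
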

    david
    Ship It!
    chipx86
    Review request changed
    Status: Completed