</script> must be able to close a
<script> tag. What this means is that you can never have a
</script><script>//your evil code here</script>.
The simple fix for this is to find any instance of
</script>, and replace it with
</'+'script> before passing it to marked.
In any case, I accidentally had this vulnerability since I switched to marked, and I've now fixed it. Fortunately, no one has exploited it, so I dodged a bullet there. As always, cyber security is about remaining vigilant. I haven't magically fixed everything, and no one ever can.
Edit: And when I originally posted this, I discovered another bug, fortunately this time not leading to an XSS vulnerability (as far as I know). I never escaped backslashes (you know, these: \) in here. That was leading to this post not even appearing!