Heavily sanitized and whitelisted HTML isn't really arbitrary, is it?

To clarify, it appears that both genius.it and genius.com use Markdown which allows HTML. Their code sanitizes it, so that you can't include attributes of tags, and you can't include certain tags such as <script>, <style>, <link>, or <meta>. I spent about 10 minutes on it and could not break it. That isn't to say it cannot be broken, just that it's not wide open and obvious attacks are mitigated.

I was able to XSS myself: when I added certain types of malicious code it did execute, but if I reloaded the page the malicious part was not rendered. In other words, it's filtered on the output, not the input, and the rendering is different for content fetched from the server vs. content you just created. You can execute code in your own browser, but not for anyone else (as far as I was able to).

Their team is very responsive and took my concerns over this seriously.
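The allowlist approach the comment above describes (a handful of formatting tags kept, every attribute dropped, script/style/link/meta removed), written out as an added example in Python; this is illustrative code, not Genius's sanitizer, and the particular tag set is an assumption. The security point the comment makes is that the same function must run on both render paths, the just-created preview and the server-fetched copy, otherwise you get exactly the preview-only execution described.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist; any tag not listed here is silently dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "br", "code", "pre", "blockquote"}
DROP_WITH_CONTENT = {"script", "style"}   # element and its text both go
VOID_TAGS = {"br"}                        # no closing tag is emitted


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags, with every attribute discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open = []   # allowlisted elements currently open, for balancing
        self._skip = 0    # nesting depth inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
        elif self._skip == 0 and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")   # attrs (href, on*) never reach output
            if tag not in VOID_TAGS:
                self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif self._skip == 0 and tag in self._open:
            while True:   # close anything left open inside this element
                inner = self._open.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if self._skip == 0:
            self.out.append(escape(data, quote=False))  # text is re-escaped

    def close(self):
        super().close()
        while self._open:   # balance tags the author never closed
            self.out.append(f"</{self._open.pop()}>")


def sanitize(html: str) -> str:
    """Single sanitizer to be used for preview and stored-content rendering alike."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Comments, declarations and processing instructions are dropped by HTMLParser's defaults, so only the handlers above ever write to the output.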