Fenced code blocks not escaped when converting Markdown to HTML5

[PhantomOverride]

Hey,

I'm trying to convert example.md from Markdown to HTML using pandoc. File is attached.
example.md.txt

The command I'm using is:
pandoc --from markdown -t html5 -o 'out.html' 'example.md'

The version I'm using is:

pandoc --version
pandoc 2.7.3
Compiled with pandoc-types 1.17.5.4, texmath 0.11.2.2, skylighting 0.8.1
Default user data directory: /Users/user/.local/share/pandoc or /Users/user/.pandoc
Copyright (C) 2006-2019 John MacFarlane
Web:  http://pandoc.org
This is free software; see the source for copying conditions.
There is no warranty, not even for merchantability or fitness
for a particular purpose

The problem I'm running into is that the fenced code is not escaped as HTML, which makes the fenced JavaScript code execute when viewing the document.

I guess this is because I'm a horrible person using HTML comment tags within the escaped sections, though I would expect pandoc to handle this since they are inside the fenced areas.

Could you please confirm if this is a bug, and if there is any workaround? I can't escape the characters within the fences because that would cause pandoc to double-encode them :(.

[mb21]

This indeed seems to confuse the the markdown reader. Both in the inline code and the code block. Posting example file here for easier readability:

## Example

1. One
2. Two `-->something<!--`
3. Three

~~~html
--><!--<script>alert('Not Escaped!')</script>
~~~

~~~html
Something
~~~

Meanwhile, you might get away with using pandoc -f gfm which uses a commonmark-based parser (with less extensions though).

[PhantomOverride]

Thanks :). We've tried GFM, though it doesn't have the extensions we need unfortunately.

[jgm]

One possible clue is that pandoc is interpreting item 3 as starting a new list here.
(But only when this fenced code block comes after.) I have no idea why, will have to investigate further.