Unfortunately, that is absolutely not true in any implementation derived from the original Markdown.pl without a whole lot of bugfixes
Because of the chickenshit way he attempted to escape things by replacing them with their MD5 hashes and then switching them back, you can encode anything you want to be output by the markdown processor. Reddit was owned by a viral XSS comment because of this in 2009, it's been exploited a few other times since.
He enjoys the credit for being the creator of something used by millions every day, but is entirely unwilling to take the responsibility that comes with that creation being a very public mess.
It works for his usage, but all the ambiguities and undefined behaviors affect a huge number of people, and his only response he's made for eight years has been to retain sole moral authority and refuse to use it.
The perceived simplicity of the format (driven by the naivete of the implementation) played a significant role in making it popular, but lays a minefield of bugs and ambiguities for implementors especially if they want any combination of sanity and interoperability.
The thing is this isn't something new, I and a number of other people have been enraged by this for eight years now.
Over those years it's grown in usage exponentially, and so has his fame as a sportswriter for team Apple. Throughout that period he's continued to brush off all kinds of attempts to clean up bugs, define ambiguous behavior, or fix the security vulnerabilities. It hasn't mattered what approach people have taken, he just does not give a shit. Here's an example from last week: http://six.pairlist.net/pipermail/markdown-discuss/2012-Octo...
He's spent so long burning off any goodwill I would have for him on the matter, being cordial just isn't a priority anymore. NERD RAGE.
John Gruber's original Markdown.pl is one of the worst small programs I have ever read, completely riddled with outright bugs and misfeatures that continually bite its users in the ass. It's awful even by the already low standards of hand-written many-pass regex-based spaghetti-parsers.
Nobody should be using the original script, and unfortunately many of the other implementations out there are direct transliterations that replicate all of its absurd errors, like where if you mention the MD5 hash of another token in the document, the hash will be replaced with the token, because it uses that as an inline escaping mechanism! Reddit got hit with a XSS virus that got through their filters because of it: http://blog.reddit.com/2009/09/we-had-some-bugs-and-it-hurt-...
See the changelog for what started as a PHP transliteration and turned into a rewrite that squashed 125 (!) unacknowledged bugs: http://michelf.com/projects/php-markdown/
The worst part is that he outright refuses to either disclaim or fix his implementation, and so far he's repudiated everyone else's attempts to do so. He's a terrible programmer and a worse maintainer, he really still thinks the documentation on his site is comprehensive and canonical. As much as Jeff Atwood leaps at every chance to play the fool, there's no way his directorship can be anything but an improvement.
Except that VBScript is implemented as a DOM scripting language in IE!
I've had several mid-end managed switches where the web configuration UI used it and was unusable outside of IE with no sign as to why unless you read the source.
One implementation can never be enough.