How do the Stack Exchange sites protect themselves from XSS?

It seems to me that because Users can post questions and comments in them with HTML markup (possibly <script> tags), Stack Exchange sites would be very exposed to XSS attacks. How do they protect from this?