diff --git a/src/strass/strass_app/tests/test_views_candidate.py b/src/strass/strass_app/tests/test_views_candidate.py
index 0878e97ccc359514fccc3fb11e3118e4cb3816b9..88480e5bde98fb9ef1ae3b44c69dbab845f3ff8f 100644
--- a/src/strass/strass_app/tests/test_views_candidate.py
+++ b/src/strass/strass_app/tests/test_views_candidate.py
@@ -395,6 +395,25 @@ class ViewsTestCase(BaseTestCase):
         self.assertIn("<script", content_str, "check page will still work")
         self.assertIn(expected_html, content_str, "check markdown still work")
 
+    def test_candidate_html_injection_with_markdown_killed(self):
+        live_settings.markdown_enabled = False
+        injection_script = '<script>window.alter("HTML INJECTION!")</script>'
+        str_part = 'hello world'
+        ok_md = '\n\n## ' + str_part
+        expected_html = '<h2>' + str_part
+
+        candidate = self.candidate_with_account.get_associated_candidate()
+        candidate.motivation = f"foobar {injection_script} zoorrr {ok_md} tt"
+        candidate.save()
+        url = reverse('strass:candidate-detail-me')
+        self.client.force_login(self.candidate_with_account)
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
+        content_str = str(response.content)
+        self.assertNotIn(injection_script, content_str, "script injection should be prevented")
+        self.assertIn("<script", content_str, "check page will still work")
+        self.assertNotIn(expected_html, content_str, "check markdown is killed")
+
 
 class ViewsTooledTestCase(TooledTestCase):
     def test_delete_user(self):
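Review bot: The `assertNotIn(injection_script, content_str, ...)` check in test_candidate_html_injection_with_markdown_killed only proves the payload does not come back byte-for-byte, so it would still pass if the tags survived and only the quotes were entity-encoded. Matching on the tag opening is stricter, `self.assertNotIn('<script>window.alter', content_str)`, and an `assertIn` on the escaped form would pin the intended rendering if the template is expected to escape rather than strip. Separately, `live_settings.markdown_enabled = False` is never restored here or in test_call_markdown_killed in test_views_others.py. Unless BaseTestCase (defined outside the hunk) resets it, later tests may run with markdown off, so consider reading the value before the assignment and registering `self.addCleanup(setattr, live_settings, 'markdown_enabled', previous_value)`.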
diff --git a/src/strass/strass_app/tests/test_views_others.py b/src/strass/strass_app/tests/test_views_others.py
index de5de7de2efc5f069dd396cb05bc271c01f97ebd..5b02197b2a0f64b3f4fbedcecc3ee45b70f4eded 100644
--- a/src/strass/strass_app/tests/test_views_others.py
+++ b/src/strass/strass_app/tests/test_views_others.py
@@ -573,6 +573,25 @@ class OtherWithDataTestCase(BaseTestCase):
         self.assertIn(img_tag_from_md, content_str, "<img should produced after ![image]")
         self.assertNotIn(script_tag, content_str, "<script should still be prevented")
 
+    def test_call_markdown_killed(self):
+        live_settings.markdown_enabled = False
+        h2_str = "hello world"
+        h2_html = '<h2>' + h2_str
+        img_tag = '<img src="foo.bar"/>'
+        img_tag_md = '![image](daa.too)'
+        img_tag_from_md = markdown(img_tag_md)
+        script_tag = '<script foo="bar>'
+        models.CallContent.objects.update(content=f'## {h2_str}\n\n{img_tag}\n\n{script_tag}\n\n{img_tag_md}')
+        url = reverse('home')
+        #######################################################################
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
+        content_str = str(response.content)
+        self.assertNotIn(h2_html, content_str, "an h2 should not be rendered as markdown is killed")
+        self.assertNotIn(img_tag, content_str, "<img is not allowed yet")
+        self.assertNotIn(img_tag_from_md, content_str, "<img should NOT be produced as markdown is killed")
+        self.assertNotIn(script_tag, content_str, "<script should still be prevented")
+
     def test_autocomplete_email(self):
         u = reverse('strass:autocomplete-mail-view')
         urls = [u, u + '?term=ada']
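Review bot: All four assertions in test_call_markdown_killed are `assertNotIn`, so the test also passes if the home page stops rendering the call content at all. A positive check such as `self.assertIn(h2_str, content_str, "call content should still be displayed as text")` would tie the negatives to a page that actually shows the content; this assumes the content is displayed as plain text when markdown is off, which the hunk does not show. The `script_tag` literal `'<script foo="bar>'` has an unterminated attribute quote, so its exact-match absence is a narrow check, and `self.assertNotIn('<script foo', content_str)` would cover more output variants.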