9.4. Preventing XSS in React#
React is safe-by-default, so there are fewer places where you need to be careful regarding XSS. In general, JSX knows what is HTML and what is not, and properly HTML-escapes whatever is not meant to be markup.
The one place where you need to be careful is when using the aptly named dangerouslySetInnerHTML.