React escapes strings it renders as text children and as attribute values, which blocks the common cross-site scripting (XSS) vectors. However, there are cases where that escaping does not protect you, and they all involve the props object.
The API for creating elements looks like this -
React.createElement( type, [props], [...children] )
That said, dangerous values passed as [props] are not all neutralised by escaping. dangerouslySetInnerHTML is inserted into the DOM as raw HTML by design. URL attributes such as href and src are escaped as strings, but a value using the javascript: scheme still executes when the link is followed. And if the entire props object comes from an untrusted source, for example a JSON API response spread into createElement, the attacker can simply supply those props themselves. So values passed to props must be validated against an allow-list of prop names and values on both the frontend and the backend; escaping alone is not enough.
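The following is an added example, not code from the original page or from React itself. It shows the allow-listing step described above in plain JavaScript: untrusted props (here a constructed sample of what an attacker-controlled API response might carry) are filtered before they reach createElement. React is not imported so the block runs stand-alone; the function names sanitizeProps, isSafeUrl and safeCreateElement, the allowed-prop set and the sample data are all assumptions made for this example.

```javascript
'use strict';

// Props React never escapes: the value is written into the DOM as raw HTML.
const RAW_HTML_PROPS = new Set(['dangerouslySetInnerHTML']);
// Props that take a URL. React escapes the string, but a javascript: URL
// still runs when the element is activated.
const URL_PROPS = new Set(['href', 'src', 'action', 'formAction']);
// URL schemes allowed in those props (assumption: adjust to the application).
const SAFE_SCHEMES = /^(https?|mailto|tel):/i;

// True if the URL is relative or uses an allow-listed scheme.
function isSafeUrl(value) {
  if (typeof value !== 'string') return false;
  // Browsers ignore ASCII control characters and whitespace when they parse
  // the scheme, so "java\u0000script:" must be treated as "javascript:".
  const cleaned = value.replace(/[\u0000-\u0020]/g, '');
  const scheme = cleaned.match(/^([a-z][a-z0-9+.-]*):/i);
  if (!scheme) return true; // no scheme before any "/" means a relative URL
  return SAFE_SCHEMES.test(cleaned);
}

// Keep only explicitly allowed prop names whose values are primitives,
// never forward raw-HTML or event-handler props, and scheme-check URL props.
function sanitizeProps(untrusted, allowedProps) {
  const safe = {};
  for (const [name, value] of Object.entries(untrusted)) {
    if (!allowedProps.has(name)) continue;          // default deny
    if (RAW_HTML_PROPS.has(name)) continue;         // defence in depth
    if (/^on[A-Z]/.test(name)) continue;            // onClick, onError, ...
    const t = typeof value;
    if (t !== 'string' && t !== 'number' && t !== 'boolean') continue;
    if (URL_PROPS.has(name) && !isSafeUrl(value)) continue;
    safe[name] = value;
  }
  return safe;
}

// Wrapper that takes the createElement function as a parameter so it can be
// used with React.createElement in the app and with a stub in tests.
function safeCreateElement(createElement, type, untrustedProps, allowedProps, ...children) {
  return createElement(type, sanitizeProps(untrustedProps, allowedProps), ...children);
}

// Constructed sample (not real data): a JSON payload an attacker could send
// if the server forwarded client-supplied link metadata unchanged.
const SAMPLE_UNTRUSTED_PROPS = JSON.parse(
  '{"className":"card-link",' +
  ' "title":"Read more",' +
  ' "href":"  JaVaScRiPt:alert(document.cookie)",' +
  ' "dangerouslySetInnerHTML":{"__html":"<img src=x onerror=alert(1)>"},' +
  ' "onClick":"alert(1)"}'
);
const ALLOWED_LINK_PROPS = new Set(['className', 'title', 'href', 'target', 'rel']);

// With React this would be:
//   safeCreateElement(React.createElement, 'a', SAMPLE_UNTRUSTED_PROPS, ALLOWED_LINK_PROPS, 'Read more')
// Only className and title survive; href is dropped because of its scheme.
```

The same allow-list should be enforced where the JSON is produced on the backend, so that a client that skips the filter is not the only line of defence.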