React's Security Model and XSS Prevention

React's design philosophy includes security as a core consideration, with JSX providing automatic escaping that prevents most XSS attacks. When you use curly braces to insert values into JSX, React automatically escapes any strings to prevent them from being interpreted as HTML or JavaScript. This means that code like <div>{userInput}</div> is safe by default, even if userInput contains malicious scripts. React converts dangerous characters into their HTML entity equivalents, ensuring they're displayed as text rather than executed as code.

However, React's protection has important limitations that developers must understand. The framework only escapes strings in text content and certain attributes. Some attributes, particularly those that accept URLs like href and src, don't receive the same protection. A common vulnerability occurs when developers dynamically set href attributes with user input: <a href={userInput}>Link</a>. If userInput contains "javascript:alert('XSS')", React will faithfully create a link that executes JavaScript when clicked. Developers must validate URLs to ensure they use safe protocols like http: or https:.

React's dangerouslySetInnerHTML prop exists for cases where you need to insert HTML content, but its name serves as a warning. Using this prop bypasses React's escaping, making your application vulnerable if the content isn't properly sanitized. When you must use dangerouslySetInnerHTML, always sanitize the content with a library like DOMPurify first. Never pass user input directly to dangerouslySetInnerHTML, and carefully audit any code that uses this prop during security reviews.