As @WiredPrarie pointed out, React automatically screens for XSS.
If you want to render an HTML object in dynamic content, you will run into double escaping problems, since React escapes all the lines you display to prevent a wide range of XSS attacks by default.
An example of a recently found vulnerability can be seen here, but it has long been fixed.
Also see the link regarding raw html insertion.
Keep in mind that using isomorphic / server-side rendering can lead to potential vulnerabilities, especially in cases where the initial state is embedded in the page that will be served. See the link.
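The two points in the answer above, the double escaping of text children and the embedded initial state on a server-rendered page, as an added example that is not part of the original post. The `escapeHtml` table is a standalone reimplementation written here to mirror React's text escaping (an assumption, not React's own code), and `serializeStateForScript` is an assumed helper name.

```javascript
// Added example: a standalone reimplementation of the escaping React applies to
// text children (assumption: same character table), plus a safe way to embed
// server-side initial state in a <script> tag.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Every string rendered as a text child is escaped like this before it hits the DOM.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A string that was already HTML-escaped elsewhere gets escaped again here,
// which is the "double escaping" the answer refers to: "&lt;b&gt;" shows up
// literally on the page instead of as a bold tag.
function renderTextChild(value) {
  return escapeHtml(value);
}

// The raw-HTML path (dangerouslySetInnerHTML in React) skips escaping entirely,
// so anything untrusted in `html` reaches the DOM as markup.
function renderRawHtml(html) {
  return html;
}

// Server-side rendering: JSON.stringify alone is NOT safe to drop into a
// <script> tag, because a string value containing "</script>" closes the tag
// early and the remainder is parsed as page content. Escaping <, >, & and the
// JS line terminators as \uXXXX keeps the JSON valid and the tag intact.
function serializeStateForScript(state) {
  return JSON.stringify(state)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderInitialStateTag(state) {
  return `<script>window.__INITIAL_STATE__=${serializeStateForScript(state)};</script>`;
}
```

`JSON.parse` reads `\u003c` back as `<`, so the client receives the original state unchanged while the HTML parser never sees a closing script tag inside the data.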