React DOM escapes any values embedded in JSX before rendering them. This ensures that nothing can be injected that is not explicitly written in the application. Everything is converted to a string before being rendered.
For example, we can embed user input as below:
const name = response.potentiallyMaliciousInput;
const element = <h1>{name}</h1>;
This helps prevent XSS (cross-site scripting) attacks in the application.
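The effect of that escaping, as an added example in plain JavaScript (not React's own code): a text child is stringified and its HTML metacharacters are replaced with entities, shown next to raw concatenation of the same input. The helper names and the sample input are constructed for illustration.

```javascript
// Added illustration, not React's source: mimics how a JSX text child such as
// <h1>{name}</h1> is converted to a string and escaped when rendered to markup.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Convert any value to a string, then neutralise HTML metacharacters.
function escapeText(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Hypothetical helper: element with a single text child, escaped.
function renderEscaped(tag, child) {
  return `<${tag}>${escapeText(child)}</${tag}>`;
}

// Unsafe counterpart: raw concatenation, as when a string is assigned to innerHTML.
function renderRaw(tag, child) {
  return `<${tag}>${child}</${tag}>`;
}

// Count the element start tags an HTML parser would find in the markup.
function countStartTags(markup) {
  return (markup.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

function demo() {
  // Constructed sample standing in for response.potentiallyMaliciousInput.
  const response = { potentiallyMaliciousInput: '<img src=x onerror="alert(1)">' };
  const name = response.potentiallyMaliciousInput;
  return { safe: renderEscaped('h1', name), unsafe: renderRaw('h1', name) };
}

const { safe, unsafe } = demo();
console.log(safe);                    // the input survives only as inert text
console.log(countStartTags(safe));    // only the <h1> written by the application
console.log(countStartTags(unsafe));  // the injected <img> is parsed as an element
```

This covers values embedded as JSX text; markup passed through `dangerouslySetInnerHTML` is not escaped this way.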