


You may have noticed that there's a lot of ceremony and warnings around injecting a script tag like this, and for good reason! There is a genre of attack known as cross-site scripting (XSS). In these attacks, malevolent users slip a bit of code through a query parameter or into a text field. They're hoping our application will inadvertently run their code and let them access stuff in memory, make trusted network requests, stuff like that.

Happily, React protects us from this by default, escaping text before rendering it, so markup in user-supplied strings is displayed as text rather than interpreted.
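What escaping changes in the rendered output, as an added example that is not part of the original page and is not React's own code. It runs in plain Node without React; `SAMPLE_URL`, `readName`, `escapeText`, `renderUnsafe`, `renderEscaped` and `countTags` are hypothetical names, and the URL and its payload are constructed for the illustration.

```javascript
// Constructed sample: a link whose "name" query parameter carries markup
// instead of a name. Not taken from the original page.
const SAMPLE_URL =
  "https://shop.example/welcome?name=" +
  encodeURIComponent('<img src=x onerror="alert(1)">');

// Characters that are significant to the HTML parser, and their entities.
const ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};

// Replace every parser-significant character in one pass, so "&" is never
// escaped twice.
function escapeText(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Read the user-controlled value out of the URL (decoded by URLSearchParams).
function readName(url) {
  return new URL(url).searchParams.get("name") ?? "";
}

// Same effect as assigning to innerHTML or using dangerouslySetInnerHTML:
// the value is handed to the HTML parser as markup.
function renderUnsafe(url) {
  return `<p>Welcome, ${readName(url)}!</p>`;
}

// Same effect as rendering <p>Welcome, {name}!</p> in JSX:
// the value is treated as text, so its markup characters are neutralised.
function renderEscaped(url) {
  return `<p>Welcome, ${escapeText(readName(url))}!</p>`;
}

// Count the opening tags an HTML parser would see in a string.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

console.log("unsafe :", renderUnsafe(SAMPLE_URL), "tags:", countTags(renderUnsafe(SAMPLE_URL)));
console.log("escaped:", renderEscaped(SAMPLE_URL), "tags:", countTags(renderEscaped(SAMPLE_URL)));
```

In the unsafe output the parser sees an extra element with an event handler attribute; in the escaped output the only element is the `<p>` the application wrote.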
