Why this matters
The bug. React's default escaping is what makes {text} safe — it sets textContent, not innerHTML. The dangerouslySetInnerHTML prop opts out of that protection; the name has the warning baked in for exactly this reason. Any markup in text is parsed by the browser as HTML, and any script or event handler it carries runs in the page's origin.
The fix. Render {text} and let React escape. If you genuinely need formatting, parse a restricted markdown subset on the server, sanitize the resulting HTML with a vetted library (DOMPurify), and only then pass that string to the renderer; never trust the raw user value.
Heuristic. Grep your codebase for dangerouslySetInnerHTML (and innerHTML =, outerHTML =, document.write). Each instance needs a written reason in the diff and a sanitization step on the input.
Review heuristic
Search the diff for dangerouslySetInnerHTML, innerHTML =, document.write, and v-html. Each of those is an opt-out of the framework's safety. Each one needs a justification in the review and a sanitization step on the input.
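The grep described in both heuristics above, as an added example that is not part of the original note: it walks the added lines of a unified diff, flags each framework-safety opt-out, and records whether the same or the preceding added line carries a justification. The "xss-ok:" marker and the sample diff are assumptions constructed for this example.

```javascript
// Added example (not from the original note). Scans '+' lines of a unified
// diff for escaping opt-outs and checks for a justification comment.
// ASSUMPTIONS: teams mark reviewed opt-outs with "xss-ok:"; the diff below is constructed.
const OPT_OUT_PATTERNS = [
  { name: 'dangerouslySetInnerHTML', re: /dangerouslySetInnerHTML/ },
  { name: 'innerHTML/outerHTML assignment', re: /\.(inner|outer)HTML\s*\+?=[^=]/ },
  { name: 'document.write', re: /document\.write(ln)?\s*\(/ },
  { name: 'v-html', re: /\bv-html\b/ },
];
const JUSTIFICATION = /\bxss-ok:/; // assumed team convention, not a React/Vue feature

// Returns [{ file, line, pattern, justified }] for every opt-out on an added line.
function scanDiff(diffText) {
  const findings = [];
  let file = null, newLine = 0, prevAdded = '';
  for (const raw of diffText.split('\n')) {
    if (raw.startsWith('+++ ')) { file = raw.slice(4).replace(/^b\//, ''); continue; }
    if (/^(diff |index |--- |\\)/.test(raw) || raw === '') continue;
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)/.exec(raw);
    if (hunk) { newLine = Number(hunk[1]); prevAdded = ''; continue; }
    if (raw.startsWith('-')) continue; // removed line: has no new-file line number
    if (raw.startsWith('+')) {
      const code = raw.slice(1);
      for (const { name, re } of OPT_OUT_PATTERNS) {
        if (re.test(code)) {
          const justified = JUSTIFICATION.test(code) || JUSTIFICATION.test(prevAdded);
          findings.push({ file, line: newLine, pattern: name, justified });
        }
      }
      prevAdded = code;
    } else {
      prevAdded = ''; // a context line breaks the "preceding added line" chain
    }
    newLine++; // context and added lines both advance the new-file line number
  }
  return findings;
}

// Opt-outs that should block the review until a reason is written down.
function unjustified(diffText) {
  return scanDiff(diffText).filter((f) => !f.justified);
}

// Constructed sample diff: one raw user value, one server-sanitized value.
const SAMPLE_DIFF = `diff --git a/src/Comment.jsx b/src/Comment.jsx
--- a/src/Comment.jsx
+++ b/src/Comment.jsx
@@ -10,6 +10,8 @@ export function Comment({ text, bioHtml }) {
   return (
     <div>
-      <p>{text}</p>
+      <p dangerouslySetInnerHTML={{ __html: text }} />
+      {/* xss-ok: bioHtml is built server-side from a markdown subset and passed through DOMPurify */}
+      <p dangerouslySetInnerHTML={{ __html: bioHtml }} />
     </div>
   );
 }
`;
```

Running unjustified(SAMPLE_DIFF) reports only the first opt-out (src/Comment.jsx line 12); the second is recorded but marked justified.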
External reference: CWE-79: Cross-site Scripting.
↳ OWASP Top 10 A03; CWE-79.