XSS works because the browser uses "eval" for some attributes, for example <img src="x" onerror="alert(1)">. React never uses eval internally so this class of attacks cannot happen on the server.

In order to exploit that vulnerability, improper string concatenation is the most used technique (see SQL injection).

    var untrustedURL = 'x" onerror="alert(1)';
    document.body.innerHTML += '<img src="' + untrustedURL + '">';

In React, you don't use string concatenation to build the Virtual DOM. This way you cannot fool React into setting properties that the developer didn't explicitly let you.

    React.renderComponent(document.body, <img src={untrustedURL} />);
    React.renderComponent(document.body, React.DOM.img({src: untrustedURL}));

Another advantage is that each value in React world is typed. It is either a string which is always escaped, or a component. You cannot turn a string into a component unless the developer explicitly let you.

React has been designed with security in mind and prevents by default a large amount of attack vectors that exist in the browser environment.