Stupid me. I missread the code and did a proof of concept in jsbin just adding "</script><script>alert('XSS');</script><script>" as a hobby. Now I realise that I added it in the HTML view so I was just closing the original <script> tag. So, no XSS issues, AFAIK. I am updating my original response to reflect this.
Nevertheless, using a framework like React protects you automatically from accidentally adding XSS vulnerabilities.
Thanks, I thought I missed some XSS unknown to me in that code. Agree with you about React and other frameworks making it hard to accidentally introduce XSS.
Nevertheless, using a framework like React protects you automatically from accidentally adding XSS vulnerabilities.