
Symbol protects React from XSS attacks

If your server has a hole that lets the user store an arbitrary JSON object while the client code expects a string, React would be vulnerable to an XSS attack. The fix in React 0.14 was to tag every React element with a Symbol. JSON has no way to represent a Symbol, so even if the server has a security hole and returns JSON instead of text, that JSON can’t include Symbol.for('react.element').

Source: Why do React Elements Have typeof Property

If the browser doesn't support Symbols (what??), React could use an arbitrary value instead. The chosen value was the number 0xeac7. Why this number? It has a special property.
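
The tagging check described above, as an added example that is not React's own code: the helpers `isTaggedElement`, `createElement`, `classify` and `survivesJson` are hypothetical, and the server responses are constructed sample data. It shows that nothing parsed from JSON can carry the Symbol tag, while the numeric fallback 0xeac7 can be written in JSON, so the Symbol is what provides the protection.

```javascript
// Added example. Helper names are hypothetical; this is not React's source.
const ELEMENT_TAG = Symbol.for('react.element'); // registry key quoted above
const FALLBACK_TAG = 0xeac7; // numeric fallback named above

// Hypothetical check: an object counts as an element only if it carries the tag.
function isTaggedElement(value, tag = ELEMENT_TAG) {
  return typeof value === 'object' && value !== null && value.$$typeof === tag;
}

// Hypothetical factory: how client code creates a genuine element.
function createElement(type, props) {
  return { $$typeof: ELEMENT_TAG, type, props };
}

// Decide what to do with a field the client expects to be a string.
function classify(json, tag = ELEMENT_TAG) {
  const { comment } = JSON.parse(json);
  if (typeof comment === 'string') return 'text';
  return isTaggedElement(comment, tag) ? 'element' : 'rejected';
}

// Constructed server responses (sample data, not from a real application).
const plainText = JSON.stringify({ comment: 'hello' });
const elementShaped = JSON.stringify({
  comment: { $$typeof: 'Symbol(react.element)', type: 'div', props: { children: 'constructed' } },
});
const numericTag = JSON.stringify({
  comment: { $$typeof: 0xeac7, type: 'div', props: { children: 'constructed' } },
});

// JSON has no Symbol type, so even a genuine element loses its tag in transit.
function survivesJson(element) {
  return isTaggedElement(JSON.parse(JSON.stringify(element)));
}

console.log(classify(plainText));                 // text
console.log(classify(elementShaped));             // rejected: a string is not the Symbol
console.log(classify(numericTag));                // rejected when the Symbol tag is required
console.log(classify(numericTag, FALLBACK_TAG));  // element: a number can be written in JSON
console.log(survivesJson(createElement('div', {}))); // false
```
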