This code bypass React protections to XSS. Is there any other malicious way?

<td>{props.seller.webpage ? <Button as="a" href={props.seller.webpage} target="_blank">Open</Button> : "N/A"} </td>

because if instead of props.seller.webpage there is

javascript:window.opener.alert('Malicious code is now running :)');window.close()

it works…..

is there any other situation where xss can happen in react? Aparte from dangerouslySetInnerHTML?