I did the exact same thing with github.com/wrakky/react-html-parser
Using a Django Rest Framework API - I saved my "page" objects as JSON Fields, so the client could construct the payloads freely. Then the outgoing payload would just contain a JSON object with key/value and the value was a string of HTML.
{
"text": "<p>some block of html that is just a string</p>"
}
To my recollection, letting Django handle security was enough - but it was an internal tool so we weren't worried about XSS or whatever threat is possible.
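
For a deployment where the stored HTML strings cannot be trusted, an added example (not code from the comment above or from either project) of allowlist sanitization applied to the decoded JSON payload on the server before it is saved or returned. The tag allowlist, the href rule, and the names `sanitize_html` and `sanitize_payload` are assumptions made for this illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
# Assumed allowlist for this illustration; adjust to what the pages need.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
DROP_WITH_CONTENT = {"script", "style"}
# href must be http(s), mailto, root-relative or a fragment.
SAFE_HREF = re.compile(r"(?i)^(https?:|mailto:|/|#)")
SAMPLE = {"text": '<p onclick="x()">hi<script>alert(1)</script></p>'}  # constructed

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            return
        href = ""
        for name, value in attrs:
            # Strip whitespace and control bytes before checking the scheme.
            url = re.sub(r"[\x00-\x20]", "", value or "")
            if tag == "a" and name == "href" and SAFE_HREF.match(url):
                href = f' href="{escape(url, quote=True)}"'
        self.out.append(f"<{tag}{href}>")  # every other attribute is dropped

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append("" if self.skip else escape(data, quote=False))

def sanitize_html(markup):
    parser = _Sanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

def sanitize_payload(value):
    # Walk a decoded JSON value; every string is assumed to hold HTML.
    if isinstance(value, str):
        return sanitize_html(value)
    if isinstance(value, dict):
        return {k: sanitize_payload(v) for k, v in value.items()}
    if isinstance(value, list):
        return [sanitize_payload(v) for v in value]
    return value
```

A maintained sanitizer library such as nh3 is the usual production choice; the hand-written parser here only makes the allowlist logic visible.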