It depends on the client driver. They have insert, delete, save etc. which send those commands with the user supplied data encoded, but most of the drivers also have an exec or execute which dumps what the user enters straight onto the db.

for eg.

http://www.php.net/manual/en/mongodb.execute.php

"This method allows you to run arbitary JavaScript on the database."