Although Mendix does allow JavaScript as input and allows it to be saved in the database, the standard Mendix widgets ensure this JavaScript is not executed in the user's browser. Therefore, as long as you use the default widgets, you should be safe.
If you use custom widgets, this JavaScript might be executed. There are two server-side measures you can take to protect against this:
* Use the XSSSanitize option from the CommunityCommons module. This strips a string of unwanted JavaScript.
* Create a custom validation which detects JavaScript and disallows saving.
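
One way to implement the second measure, shown as an added example that is not Mendix or CommunityCommons code: a plain Java helper that a custom Java action could call before the object is committed. The class name, pattern list and sample strings are assumptions, and the field is assumed to hold plain text; the blocklist is strict rather than exhaustive, so it complements sanitizing instead of replacing it.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: hypothetical helper, not part of Mendix or CommunityCommons.
public final class ScriptContentValidator {
    // Numeric character references such as &#60; or &#x3c; (with or without ';').
    private static final Pattern NUMERIC_ENTITY =
        Pattern.compile("&#(x[0-9a-f]{1,6}|[0-9]{1,7});?", Pattern.CASE_INSENSITIVE);

    // Constructed blocklist of script-bearing markup (assumption, not exhaustive).
    private static final Pattern[] TAG_PATTERNS = {
        Pattern.compile("<\\s*/?\\s*(script|iframe|object|embed|svg|math|style|link|meta|base)\\b"),
        Pattern.compile("<[^>]*[\\s/\"']on[a-z]+\\s*="),  // inline handlers, e.g. onerror=
    };
    private static final Pattern SCHEME = Pattern.compile("(javascript|vbscript):");

    // Decode numeric entities and lower-case, so encoded or mixed-case input matches too.
    static String normalize(String input) {
        Matcher m = NUMERIC_ENTITY.matcher(input);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String ref = m.group(1);
            boolean hex = ref.charAt(0) == 'x' || ref.charAt(0) == 'X';
            int cp = Integer.parseInt(hex ? ref.substring(1) : ref, hex ? 16 : 10);
            String ch = Character.isValidCodePoint(cp) ? new String(Character.toChars(cp)) : "\uFFFD";
            m.appendReplacement(out, Matcher.quoteReplacement(ch));
        }
        m.appendTail(out);
        return out.toString().toLowerCase(Locale.ROOT);
    }

    // True when the value should be rejected instead of saved.
    public static boolean containsScript(String input) {
        if (input == null || input.isEmpty()) return false;
        String text = normalize(input);
        for (Pattern p : TAG_PATTERNS) {
            if (p.matcher(text).find()) return true;
        }
        // Browsers ignore tab, CR and LF inside a URI scheme, so drop control characters first.
        return SCHEME.matcher(text.replaceAll("[\\x00-\\x1f]", "")).find();
    }

    public static void main(String[] args) {
        String[] samples = {  // constructed inputs
            "Order shipped <b>today</b>", "<img src=x onerror=alert(1)>",
            "&#x3c;script&#62;alert(1)", "<a href=\"java\tscript:alert(1)\">x</a>" };
        for (String s : samples) System.out.println(containsScript(s) + "  " + s);
    }
}
```

Have the calling microflow show validation feedback and skip the commit when `containsScript` returns true.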