==== Operators are to be classified as dangerous

As a rule of thumb if no operators are needed, you should generally reject user
input containing them. If some operators are necessary, you should restrict
their use.

Some operators execute JavaScript, and their use should be restricted for both
untrusted input and internal code. +
These operators include:

* `$where`
* `$function`
* `$accumulator`
* `mapReduce`

Depending on your use case, you should first try using regular
API calls before using any of these operators. +
For example, using a `$where` operator is unnecessarily complex when only a
simple search is required. It also leads to performance problems.

**Note**: https://www.mongodb.com/docs/manual/reference/operator/query/where/#javascript-enablement[Server-side scripting can be disabled].

Regular operators can also lead to data leaks. +
For example, attackers can use "comparison query operators" in their attack
data to trick the backend database into giving hints about sensitive
information or entirely giving it out.