is the ad content screened/filtered for malicious code?

I can't find any info on what type of ads users can insert. can they only insert HTML or JS code too?