Right, JS validation should be to save a round-trip to the server and back not as a replacement for sanitizing on the server side. Trusting something a user sends you is just asking for trouble.