Re server-side filtering, no argument from me, but I always do both sides. To address Jake's other concern around JS, we don't allow content to be submitted if it isn't coming via the editor. This check isn't bulletproof, but it discourages the less persistent kiddies, and the server validation / translation sorts out the rest.
(We don't deal with submissions so big that simple formula text manipulation can't deal with them.)