How safe is client-side HTML Sanitization?

Question

I have been looking at Pagedown.js lately for the allure of using mark-down on my pages instead of ugly readonly textareas.

I am extremely cautious though as it seem

Answer 1

You can't sanitize client side. Anyone could always turn off JavaScript or change the values and submit them to your server.

The server needs to double check that. Client side in my mind is really just a usability feature. So they know as they type whether they are wrong or right.

In response to the edit:

Most of them are convenience or provide functionality. For example unobtrusive validation will make my text boxes red if they put in an invalid number. That is nice, and I didn't need to post and check and then change the text box border blablablabla...

But when they do post I still need to validate their data. I usually keep that in a core library which could be shared across applications (web, web service, mobile app, thick client etc)

The usability validation varies platform to platform. But at the core, before any application trusts the data, it has to check it within its trust barrier. No one can change the value behind my if on the server, but anyone can change the value in their browser without tripping my JS.