You probably already knew that. The problem with it being client side is that you have no control over it. Code in some server-side validation and it should help. I use ereg to detect href or bbcode url tags. You could disallow other things too. (For example, the name fields were being answered "unknown" so I disallowed that response.)
The key, though, is to do it server-side.
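A sketch of the server-side check described in the post above, as an added example that is not the poster's own code. It uses `preg_match` because the `ereg` functions were removed in PHP 7; the field names `name` and `message` and the sample submissions are assumptions.

```php
<?php
// Added example: server-side checks for a form submission.
// Field names (name, message) are assumptions, not taken from the post.

/** Read a field as a trimmed string; non-string input (e.g. name[]=x) becomes ''. */
function field(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    return is_string($value) ? trim($value) : '';
}

/** Returns a list of validation errors; an empty list means the submission passed. */
function validate_submission(array $post): array
{
    $errors  = [];
    $name    = field($post, 'name');
    $message = field($post, 'message');

    // Reject the placeholder answer mentioned in the post, in any letter case.
    if ($name === '' || strcasecmp($name, 'unknown') === 0) {
        $errors[] = 'name: empty or disallowed placeholder value';
    }

    // Link markup: HTML anchors / href attributes and BBCode [url] tags.
    $linkPatterns = [
        'html href'  => '/<\s*a\b|href\s*=/i',
        'bbcode url' => '/\[\s*url\b[^\]]*\]/i',
    ];
    foreach (['name' => $name, 'message' => $message] as $fieldName => $value) {
        foreach ($linkPatterns as $label => $pattern) {
            if (preg_match($pattern, $value) === 1) {
                $errors[] = "$fieldName: contains $label markup";
            }
        }
    }
    return $errors;
}

// Constructed sample submissions.
$samples = [
    ['name' => 'Alice',   'message' => 'When do you open on Sundays?'],
    ['name' => 'unknown', 'message' => 'Visit [url=http://example.com]here[/url]'],
    ['name' => 'Bob',     'message' => '<a href="http://example.com">deal</a>'],
];
foreach ($samples as $i => $post) {
    $errors = validate_submission($post);
    echo "sample $i: ", $errors ? 'REJECTED (' . implode('; ', $errors) . ')' : 'accepted', PHP_EOL;
}
```

Because the check runs in the request handler, it applies even when the submitter bypasses or disables any client-side script.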