It’s easily circumventable (is that actually a word?) (see the “Tamper Data” Firefox extension), but I suppose you can convince your client you’ve done it using Javascript (not sure how to do that though). However, be sure to do server-side validation as well, because, as I said, it’s easy to work around (you can just disable Javascript).