[runnerup]

Interestingly it appears this check happens clientside so a super-knowledgeable user could bypass the check by using the browser console to empty the “bad words” array.

[feoren]

It's common for the same checks to happen client-side (for user convenience and good error messages) and server-side (for the actual security/validation).

[duxup]

I tend to do checks on both client and server side.

Client side so they get immediate feedback, nice error indicators and etc.

Server side for other/ additional checks.