Even if we tried to place restrictions on user JavaScript or disable
it entirely, there is no way to protect against that distinct from
general restrictions on submissions from some user. The malicious user
could trivially substitute JavaScript that comes from their local
machine or another source, a modifying proxy to insert it, or use a
different client-side tool to perform equivalent processing.
It's too bad we can't prevent massive damage that may result from
this. Oh well...