@Rachit There's no reason to allow the form to post at all, then. You can still filter client-side (which is WAY easier with regular expressions than trying to build filters in the Mkto UI *shudder*). Just discard the form data if you don't like it. Don't bother telling the user you didn't actually post it.
This code will skip the post if a bad value is found, but the user will still see the same Thank You text as if the post went through:
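    // `form` is the Marketo form object
    form.onSubmit(function(form){
      // Bad value found: block the real post, but still run the success handler
      if ( /(e|i)nquiry/.test(form.getValues().LastName) ) {
        form.submittable(false);
        this.onSuccess();
      }
    });
    form.onSuccess(function(form,thankYouURL){
      // Same Thank You text whether or not the data was actually posted
      this.formElem[0].innerHTML = 'Thank you for submitting.';
      return false; // stay on the page instead of redirecting to thankYouURL
    });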
Of course, if we had control over the remote server, we would duplicate the exact same regex on the server to catch people who maliciously bypassed the validation. But we don't have that capability with Marketo as it is (I bet you don't recheck phone # formats in a Mkto filter, right?) so it's not like it just started to be a problem.
Bottom line, people can force whatever data they want onto the wire, and you'll never catch all the bad stuff on the server with Marketo's filtering syntax, so client-side validate-and-discard is the first and most flexible line of defense against such things.
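The server-side half of the check mentioned above, for an endpoint you do control, as an added example that is not part of the original post: the same regex is applied to the raw POST body, and a rejected submission gets the same response as an accepted one. `DISCARD_RULES`, `handlePost` and the `store` callback are hypothetical names, and the sample bodies are constructed.

```javascript
// Same pattern as the client-side check in the post, keyed by field name so
// the browser and the server can share one rule table.
const DISCARD_RULES = {
  LastName: /(e|i)nquiry/
};

// rawBody: an application/x-www-form-urlencoded string as it arrived on the wire.
// store:   hypothetical callback that persists an accepted submission.
function handlePost(rawBody, store) {
  const params = new URLSearchParams(rawBody);

  // Check every occurrence of a field (getAll), so a repeated field name
  // cannot carry a bad value past a check that only looks at one copy.
  const badFields = Object.keys(DISCARD_RULES).filter(function (field) {
    return params.getAll(field).some(function (value) {
      return DISCARD_RULES[field].test(value);
    });
  });

  const discarded = badFields.length > 0;
  if (!discarded) {
    store(Object.fromEntries(params));
  }

  // The response is identical either way, mirroring the unchanged Thank You
  // text; `discarded` and `badFields` are for server-side logging only.
  return {
    response: { status: 200, body: 'Thank you for submitting.' },
    discarded: discarded,
    badFields: badFields
  };
}

// Constructed sample bodies.
const accepted = [];
const save = function (record) { accepted.push(record); };
console.log(handlePost('LastName=Smith&Email=a%40example.com', save).discarded);
console.log(handlePost('LastName=General+enquiry', save).discarded);
console.log(handlePost('LastName=Smith&LastName=inquiry', save).badFields);
```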