If you are really wary of hackers, do your validation server-side in CGI anyway - you can do the JavaScript client-side validation, but someone could download all the files of the page used to call the CGI and poison your server code that way. You can give a friendly "Invalid IPv6 address" or something more intelligent in JavaScript and have a final regex check in the CGI that returns "Don't hack me, bro." if it's still wrong.
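A minimal server-side check of the kind the post describes, as an added example that is not part of the original post. It uses Python's `ipaddress` parser in place of a regex; the parameter name `addr` and the function names are assumptions.

```python
import ipaddress
import os
from urllib.parse import parse_qs

MAX_LEN = 45  # longest textual IPv6 form, e.g. with an embedded dotted IPv4 tail
GENERIC_ERROR = "Invalid IPv6 address"  # fixed text: never echo the raw input


def validate_ipv6(raw):
    """Return the canonical compressed address, or None if raw is not acceptable."""
    if not raw or len(raw) > MAX_LEN:
        return None
    if "%" in raw:  # zone IDs (fe80::1%eth0) are host-local; refuse them here
        return None
    try:
        return ipaddress.IPv6Address(raw).compressed
    except ValueError:  # AddressValueError is a ValueError subclass
        return None


def handle_request(query_string):
    """Validate the 'addr' parameter (assumed name); return (status, body)."""
    values = parse_qs(query_string, keep_blank_values=True).get("addr", [])
    if len(values) != 1:  # missing or repeated parameter
        return 400, GENERIC_ERROR
    canonical = validate_ipv6(values[0])
    if canonical is None:
        return 400, GENERIC_ERROR
    return 200, canonical  # downstream code only sees the normalised form


if __name__ == "__main__":
    # CGI entry point: the web server passes the query in QUERY_STRING.
    status, body = handle_request(os.environ.get("QUERY_STRING", ""))
    reason = "OK" if status == 200 else "Bad Request"
    print(f"Status: {status} {reason}\r\nContent-Type: text/plain\r\n\r\n{body}")
```

The handler runs regardless of what the browser-side script did, so a request that skips the page's JavaScript still gets rejected.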
