Honestly, client developers should do some field validation here. You shouldn't be able to enter an invalid character here.