The system validates user input on the client side and then again on the server side.
Server side assumes that client side validation was successful but still performs its own validation. In case if the validation fails due to possible hack or a bug, it sends back generic error code. User then can contact support and report the issue.
Both client and server validation use the same regular expressions to validate inputs. Server side validation does not send back any text but it may send error code for special cases such as session expired. The client side then displays the server error response.
Server side validation goes further providing layer of security. For example, if a user wants to delete object which does not belong to her, validation detects it and does not allow this request to pass further. Combined with another security aspect which checks if the user is authorized to make this call based on her role - services do not have to perform any security tests assuming that everything was checked and the data is valid.