I'd need to double check, but I was under the impression that it affects a validation check, but that it didn't actually prevent the input of these characters.
You can catch the 'invalidity' of the input with the `oninvalid` JS event, then use that to `e.preventDefault()` and show a message as to why it it failed.
