You shouldn't reject keystrokes as that can lead to silent errors when the user thinks they entered something that was not allowed.

And final validation needs to happen on the server side anyway - anything before that is just a usability helper.