The user can manualy set any number out of range, and other characters

The user can manualy set any number out of range, and other characters

This is more of a feature than a bug. It would be quite hard to completely prevent the user from typing invalid values. The invalid values are not however sent to the server. (unless you set the allowInvalidValues flag introduced in 1.2)