Good reply from zerpas which clears up the part that JS plays in security - that is - none at all.
Whatever comes from the internet must be treated as highly suspicious as it could contain code which could damage your system, or cause damage to (in this case) whoever opens your emails. Not what you want.
The basic premise is this: Filter Input, Escape Output (FIEO). With that you can do more searching and familiarise yourself with these two principles.
e.g.
you have a box for a phone number call it $tel, so if $tel contains anything other than digits, spaces and say a dash - then you either:
a) abort or b) tell the user they got it wrong, try again.
You could say that b) can be done in JS - the user cannot submit the form unless the pattern they enter matches - and that would be a good example of PHP working in tandem with JS.
So if you take the trouble to explain to your users that $tel should only be digits, spaces and a dash - and you enforce that in JS and something other than that arrives - you have to make a decision, do you try and clean the data up and carry on, or just quit.
I invariably just do a) and quit.
So that is an example of Filtering Input against expectations.
If you are storing data from the internet into your database you have to Escape it in order to protect your database from SQL injection (see Little Bobby Tables to see a humorous take on what that could mean).
If you are sending an email you need to likewise escape the data to make sure you did not miss something in your Filtering in order to protect the user from XSS attacks.
So you Escape the data in order to protect the next environment that data is headed for…
One way to think about this is that PHP is the man in the middle.
In the left hand arrives data, is it what I expected? If yes, pass it to the right hand and decide what, if anything, will I do with that data? Escape it to protect that next environment.
PHP has pretty much all of the functions you need to handle this work.
http://php.net/manual/en/book.filter.php
is a good place to start, though there are many other tricks you can employ.
htmlentities
htmlspecialchars
et al
mysql_real_escape_string
Although for databases most common wisdom since the advent of PHP5 has been to favour using prepared statements with mysqli or PDO.
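The Filter Input, Escape Output flow described in the post above, as an added example that is not part of the original post: the phone field is filtered against the digits/spaces/dash pattern and rejected on mismatch, stored through a PDO prepared statement, and escaped with htmlspecialchars before output. The function names, the `contacts` table, the 5 to 20 character length bound, the in-memory SQLite database (requires the pdo_sqlite extension) and the sample submissions are assumptions made for the illustration.

```php
<?php
// Filter Input: only digits, spaces and dashes are accepted; anything else is rejected (option a).
function filter_tel(string $raw): ?string
{
    $tel = trim($raw);
    // \A and \z anchor the whole string, so a trailing newline cannot slip past as it can with $.
    if (preg_match('/\A[0-9 -]{5,20}\z/', $tel) !== 1) { // length bound is an assumption
        return null;
    }
    return $tel;
}

// Escape Output for the database: a prepared statement keeps the data out of the SQL text.
function store_contact(PDO $db, string $name, string $tel): void
{
    $stmt = $db->prepare('INSERT INTO contacts (name, tel) VALUES (:name, :tel)');
    $stmt->execute([':name' => $name, ':tel' => $tel]);
}

// Escape Output for HTML (a web page or an HTML email body).
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submissions standing in for $_POST.
$submissions = [
    ['name' => 'Alice', 'tel' => '0161 496-0000'],
    ['name' => "Robert'); DROP TABLE contacts;--", 'tel' => '020 7946 0000'],
    ['name' => 'Mallory', 'tel' => '<script>alert(1)</script>'],
];

$db = new PDO('sqlite::memory:'); // hypothetical throwaway database for the demo
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (name TEXT, tel TEXT)');

foreach ($submissions as $post) {
    $tel = filter_tel($post['tel']);
    if ($tel === null) {
        echo "rejected: tel does not match the expected pattern\n";
        continue; // in a real request handler this is where you quit
    }
    store_contact($db, $post['name'], $tel);
}

foreach ($db->query('SELECT name, tel FROM contacts') as $row) {
    echo '<li>' . html($row['name']) . ': ' . html($row['tel']) . "</li>\n";
}
```

The third submission never reaches the database because the filter rejects it; the second is stored verbatim as data and comes back out with its quote escaped as `&#039;`, and the table is still there.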