I tried entering some scripts or HTML as values in string custom fields, and they are entered normally.
I suppose that, since they are simple strings, such characters should be cleaned.
Also noticed that they are displayed in the front-end without being cleaned or encoded either.
Because you are an admin. Check the same as a non-admin, or take a look in the ACL to see the difference.
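The exchange above concerns a string custom field whose value is stored as-is and then printed into the front-end without encoding. As an added illustration (not code from the original thread or from any particular CMS), the following Python snippet shows the defensive side of this: a hypothetical `render_custom_field` that HTML-encodes the stored string at output time, so that a stored value containing markup is shown as literal text instead of being interpreted by the browser. The field value and the template are constructed sample data, and `render_custom_field` / `contains_active_markup` are assumed names.

```python
import html
import re

# Constructed sample: a stored string custom field value that happens to contain markup.
SAMPLE_FIELD_VALUE = 'Hello <b>world</b> <script>alert(1)</script>'

# Constructed sample front-end template; the field value is substituted at {value}.
SAMPLE_TEMPLATE = '<div class="custom-field"><span class="label">{label}</span>: {value}</div>'

# Matches any HTML tag, used only to check the rendered output.
TAG_RE = re.compile(r'<[a-zA-Z/][^>]*>')


def render_custom_field(label: str, value: str, template: str = SAMPLE_TEMPLATE) -> str:
    """Render a string custom field for the front-end, encoding at output time.

    The stored value is kept unchanged (storage is not the right place to
    "clean" it); instead every untrusted string is HTML-escaped when it is
    placed into the page, so '<', '>', '&' and quotes become entities.
    """
    safe_label = html.escape(label, quote=True)
    safe_value = html.escape(value, quote=True)
    return template.format(label=safe_label, value=safe_value)


def contains_active_markup(rendered: str, template: str = SAMPLE_TEMPLATE) -> bool:
    """Return True if the rendered fragment contains tags beyond those in the template.

    Used as a simple self-check: after encoding, the only tags present should be
    the ones the template itself contributes.
    """
    template_tags = set(TAG_RE.findall(template))
    return any(tag not in template_tags for tag in TAG_RE.findall(rendered))


if __name__ == "__main__":
    out = render_custom_field("Note", SAMPLE_FIELD_VALUE)
    print(out)
    print("active markup from field value:", contains_active_markup(out))
```

The encoded output still displays the user's text in full (`&lt;script&gt;` renders visibly as `<script>`), which is what the reporter was expecting to see; the check function only confirms that no tag other than the template's own reached the page.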