Add role to prevent Stored Cross-Site Scripting
To prevent Cross-Site Scripting attacks (i.e. JS injection), we validate all input and block all such attacks. For example, it is no longer possible to input "<script>badCode();</script>". This doesn't apply to the WYSIWYG editor of RTF fields, because that input is properly escaped before it is stored.
JS injection is used as a feature in some parts of the application. To still allow this use case, a "Skip Field Validation User Group" has been added.