Ah hah, might be able to help. Spent a long time on an identical problem, and, if this is documented then it's very, very well hidden.
Sure, the Trusted variables fix (
http://forum.x-cart.com/viewtopic.php?t=13682&sid=773e50d2983433efb0fd8d0c 38af9ea3 ) works for html code, but X-Cart is still ripping out other stuff, <Script> included.
Adding this:
define('USE_TRUSTED_SCRIPT_VARS',1);
to the two files mentioned in the above post will have you smiling. Sure, there are security issues if you don't entirely trust any providers who might have access, but, as far as I can see, there are no issues otherwise.
Hope this helps