Forum OpenACS Q&A: Re: Switching from ACS3.2 to OACS4.6 : i'm a bit disoriented.
2 - its in user_preferences now
3 - If you allow <script> tags in user inputted html code then you're open to all sorts of cross site scripting tags. There is a parameter setting that allows you to list the allowed tags for user input: sitemap -> acs-kernel -> All. This changes the allowed input for the whole installation. It might make sense though to only change this for the adserver module, in this case you have to find ad_page_contract of the page that checks that input and change the filter from :html to :allhtml.
Maybe that would make sense as standard behaviour, e.g. admins may post any html in adserver, others just restricted. Feel free to post bug in bugtracker.