by nickfrostatx 3603 days ago
They usually set the content type to that of an image so the browser won't execute the JS.

They've messed this up in the past, see this legendary bug bounty report [1]

1. https://whitton.io/articles/xss-on-facebook-via-png-content-...
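The comment's point is that an upload served with an image content type is not run as script by the browser, and that getting this wrong is what the linked report is about. As an added example (my own illustration, not code from the comment, the linked article, or any site it mentions), the helper below shows the defensive side of that: it refuses bodies that look like markup, determines the type from the file's own magic bytes instead of trusting the uploader, and sends `X-Content-Type-Options: nosniff` plus a sandboxing CSP so a browser does not sniff the body into HTML. The endpoint, the accepted-format table and the sample inputs are all assumptions for the example.

```python
"""Serve user-uploaded images defensively.

Illustration only: a hypothetical upload endpoint that verifies the bytes
really are an image and sends headers that keep the browser from treating
the body as HTML or script.
"""

from dataclasses import dataclass

# Magic-byte signatures for the formats this hypothetical endpoint accepts
# (assumption for the example). Anything else is refused, never guessed at.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Leading byte sequences that a lenient content sniffer may promote to
# text/html; such a body is never served under an image type.
HTML_MARKERS = (b"<!doctype", b"<html", b"<script", b"<svg", b"<?xml")


@dataclass
class ImageResponse:
    status: int
    headers: dict
    body: bytes


def detect_image_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None."""
    for magic, mime in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def looks_like_markup(data: bytes) -> bool:
    """True if the body starts (after whitespace) like an HTML/XML document."""
    head = data.lstrip()[:32].lower()
    return any(head.startswith(marker) for marker in HTML_MARKERS)


def build_image_response(data: bytes) -> ImageResponse:
    """Build the response for an uploaded image body.

    Rejects markup-looking bodies and unknown formats with 415, and serves
    recognised images with headers that disable sniffing and, as defence in
    depth, sandbox the body should a browser ever render it as a document.
    """
    reject_headers = {"Content-Type": "text/plain; charset=utf-8",
                      "X-Content-Type-Options": "nosniff"}
    if looks_like_markup(data):
        return ImageResponse(415, reject_headers, b"unsupported media type")
    mime = detect_image_type(data)
    if mime is None:
        return ImageResponse(415, reject_headers, b"unsupported media type")
    ext = mime.split("/")[1]
    headers = {
        # Type comes from the bytes we inspected, not from the uploader's
        # filename or declared Content-Type.
        "Content-Type": mime,
        # Tell the browser not to second-guess that type from the body.
        "X-Content-Type-Options": "nosniff",
        # Fixed filename so a download cannot be renamed to .html by the
        # uploader's choice of name.
        "Content-Disposition": 'inline; filename="upload.%s"' % ext,
        # If the bytes were ever interpreted as a document, run nothing.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return ImageResponse(200, headers, data)


if __name__ == "__main__":
    # Constructed sample bodies: a minimal PNG header and an HTML snippet.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    html = b"<html><body>not an image</body></html>"
    for body in (png, html):
        resp = build_image_response(body)
        print(resp.status, resp.headers["Content-Type"])
```

Serving uploads from a separate origin that carries no session cookies bounds the damage further, since even a file that does get rendered as a document then runs in a context with nothing of the main site's to steal; the headers above are the per-response part of that defence.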