The default CSP header blocks execution of inline scripts. When an HTML injection vulnerability occurs, though, that restriction can be bypassed by uploading a JavaScript file via the file-upload feature (with an application/javascript or text/javascript content type) and including it in a `<script src="<UPLOAD_URL>"></script>` tag.
https://hackerone.com/reports/1380157
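
One way to close the upload side of this bypass, shown as an added example that is not code from the report or the affected project: serve uploads with headers that stop the browser from accepting them as a script. The function names are hypothetical, and the example assumes the CSP permits same-origin script sources, which is what makes an uploaded file usable in a `<script src>` tag.

```javascript
// Added example: response headers for serving user uploads (hypothetical helper names).
// JavaScript MIME type essences as listed in the WHATWG MIME Sniffing standard.
const JS_MIME_ESSENCES = new Set([
  'application/ecmascript', 'application/javascript', 'application/x-ecmascript',
  'application/x-javascript', 'text/ecmascript', 'text/javascript',
  'text/javascript1.0', 'text/javascript1.1', 'text/javascript1.2',
  'text/javascript1.3', 'text/javascript1.4', 'text/javascript1.5',
  'text/jscript', 'text/livescript', 'text/x-ecmascript', 'text/x-javascript',
]);

// Reduce "Text/JavaScript; charset=utf-8" to "text/javascript".
function mimeEssence(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

// Weak: echo the uploader-declared type, so the file is a valid same-origin script.
function weakUploadHeaders(declaredType) {
  return { 'Content-Type': declaredType };
}

// Hardened: never serve a script type from the upload path, forbid sniffing,
// and force a download instead of in-page use.
function hardenedUploadHeaders(declaredType) {
  const essence = mimeEssence(declaredType);
  const unsafe = essence === '' || JS_MIME_ESSENCES.has(essence);
  return {
    'Content-Type': unsafe ? 'application/octet-stream' : essence,
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': 'attachment',
  };
}

// Simplified model of the browser check: with nosniff set, a script load is
// blocked unless the response carries a JavaScript MIME type.
function loadableAsScript(headers) {
  const xcto = String(headers['X-Content-Type-Options'] || '').trim().toLowerCase();
  const isJs = JS_MIME_ESSENCES.has(mimeEssence(headers['Content-Type']));
  return isJs || xcto !== 'nosniff';
}
```

Serving uploads from a separate origin that the CSP does not list as a script source removes the same-origin precondition as well.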