I rather think that it isn’t even looking for this type of thing.

The web shield often finds stuff that no other AV finds, and that can be seen in the many VT results seen in the virus and worms forums; contrary to what most people think, they aren’t suspect FPs that they are reporting.

Whilst, as Igor said, posting exploit code in this case wasn’t dangerous, as there didn’t appear to be a way to actually activate it, the web shield isn’t going to that kind of depth; it just sees the exploit code within the actual page HTML code, etc.

It is just safer to post this type of PoC (Proof of Concept) code in an image, if for no other reason than that the script kiddies out there can’t just do a copy and paste to have a workable exploit.