I've never thought about XSS exploits in uploaded photos. When a member uploads a photo the first thing I do is an AV test. Then I check it to be sure the format of the file matches the file's extension. If it passes those tests I attempt to open the file in a server-side photo editor. If that works I watermark the image and save it.