Also, I stumbled across an old blog post by RSnake where it was possible to execute XSS on an upload function.
An example of something you might test for:
So you upload this file:
This ends up making the page look like:
The Hacka Man