As switchers from vb to xenforo we had an issue last night. Our Malware-Scanner reportet an included <?php tag in one of the imported avatars. We stored our avatars in our database before. While XenForo itself doesn't permit to upload this picture, it was imported. An option to check for invalid pictures would be good if checking while importing produces to much overhead.