XSS on marketing websites like craigslist. How does this work on a technical level?

I was wondering how this works.
We have a marketing site in Holland where people can sell second-hand goods.
Rumor has it that there is a lot of phishing going on there and that XSS code is embedded in the images uploaded to the site for malicious purposes.

Can someone explain to me how this works and how people can stay out of trouble?
I have some theoretical understanding of protocols and scripting.
Examples or third-party sources for clarification would be most appreciated.