One minor issue is that you don't escape the user-input provided when people submit titles to their image.

  * Create an album.
  * Upload N images.
  * On the result page click the "Edit" image link to get a form where you can set a title for that specific image.
  * Enter "[script] .. alert(3) .. [script]".
  * Marvel as the alert-box fires off when the image is re-viewed.

Otherwise good job.

(And you do escape input for the album title. So this looks like an oversight.)