For security reasons, you should not test for valid file types using JavaScript. JavaScript is client-side only, therefore your script could easily be evaded or the user could simply rename their file with a separate extension and your checkpoint would fail.
Look into MIME types and server-side validation of user-upload files. It's a complicated subject and it's up to you to decide how much time you want to spend on it. Security increases with more thorough checks.
The checks I use are file size, MIME type, and upload location (to make sure no one is trying to upload a script from a remote site). These functions in PHP are filesize, fileinfo, mime_content_type, and is_uploaded_file. Similar functions exist in other languages.
You could go even further and test the bits of the file to ensure it is not malicious code or a file pretending to be a JPEG by tricking the MIME headers, for example.
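The checks named above, combined into one server-side handler, as an added example that is not code from the original answer. The function names `check_image` and `handle_upload`, the JPEG/PNG allow-list and the 2 MiB limit are assumptions chosen for illustration; `getimagesize` is used here as one way to look past the MIME type at the file's actual content.

```php
<?php
// Added example. Assumed policy: JPEG/PNG only, 2 MiB maximum.
const MAX_BYTES = 2 * 1024 * 1024;
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

/** Returns the extension to store $path under, or throws if a check fails. */
function check_image(string $path): string
{
    $size = filesize($path);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('size out of range');
    }
    // MIME type detected from the file's content (magic bytes), not the
    // browser-supplied $_FILES[...]['type'] or the file name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException("type not allowed: $mime");
    }
    // Parse the image header; rejects content whose type was forged.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a decodable image');
    }
    return ALLOWED[$mime];
}

/** Web entry point: $file is one element of $_FILES. */
function handle_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) { // must come from this POST
        throw new RuntimeException('not a valid HTTP upload');
    }
    $ext = check_image($file['tmp_name']);
    // Server-chosen name: the client's file name and extension are never used.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Constructed sample (CLI only): text content posing as an image is rejected.
if (PHP_SAPI === 'cli') {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, "<?php echo 'x'; ?>");
    try { check_image($tmp); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
    unlink($tmp);
}
```

The destination directory should sit outside the web root or have script execution disabled, so that a file which passes these checks is still never interpreted by the server.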