As a rule of thumb I would always sanitize any user input. I know it may sound bad but basically, don't trust your users! That being said, I don't think there is an easy way to hack file inputs but obviously someone could upload a malicious file which normally comes in the form of an .exe or .zip both of which I would eliminate from being uploaded.
If I were you, I would check out validate.js, it offers client-side validation and is pretty simple to set up. You can specify what file types to accept and an upload size for file input.
As it stands you can echo back the filename without any worrying about sanitizing the filename.