First of all, I’m not asking about the process of the upload itself using a server side language.
I just want to know which safety considerations I should take when using an uploaded image as a css background on my site.
The feature is exactly the same as Twitter does, allowing user use its own background image.
For example, is it safe to just place the image on the server and start using it? Can they inject some kind of code on the pages using that background?
I usually resize the image to a lower size, is this enough to remove unwanted “meta” data included on it?
There have been plenty of browser security flaws over the years that have been buffer overflows triggered by specially crafted malicious image files.
I don’t know that there’s any known flaws of this nature in current browser releases, but plenty of people will have old versions without any security patches, and of course new flaws do come to light every now and then.
This is tricky to resolve (and virtually impossible to be 100% secure against), but you can do some basic checks that the file is actually an image of the type claimed when it’s uploaded. And resizing an image will almost certainly mangle any malicious code embedded in it.
There’s also the more obvious risk that an image may show unsuitable material that you wouldn’t want associated with your site. This can only be resolved by vetting images manually before allowing them to be used.
So yes, there are risks. But the risks are much lower if the images are to be viewed by the person who uploaded them (ie as a personalisation feature, in the way you describe on Twitter), rather than to be viewed by anyone. Obviously a person is less likely to want to hack their own computer, so the malicious image issue would be reduced, and if someone wants to put a nasty image on your site, but only they get to see it…. well, they obviously know what it is, or they wouldn’t be uploading it.