
XSS through svg image upload #1414

@octodi

Description


Describe the bug
Admin users can upload SVG images through the profile page, which leads to self XSS and stored XSS (if another user accesses their profile).

Details

So the backend doesn't really stop us from uploading SVG images even if the UI shows the error.
In backend/src/middlewares/uploadMiddleware/utils/LocalfileFilter.js:

    const _fileType = [
      'image/jpeg',
      'image/png',
      'image/gif',
      'image/webp',
      'image/svg+xml',
      'application/msword',
      'text/plain',
      'text/csv',
      'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
      'application/vnd.ms-excel',
      'application/pdf',
      'application/zip',
      'application/vnd.rar',
      'video/mp4',
      'video/x-msvideo',
      'audio/mpeg',
      'video/webm',
    ];

    if (type === 'default') {
      return cb(null, true);
    } else {
      let _flag = _fileType.includes(file.mimetype);

      if (type === 'image') {
        if (!file.mimetype.startsWith('image/')) {
          _flag = false;
        }
      }

This check allows any MIME type starting with image/, including image/svg+xml.

Upload endpoints:
PATCH /api/admin/profile/update - Admin profile photo
PATCH /api/setting/upload/:settingKey - Company logo/settings

To Reproduce
Steps to reproduce the behavior:

  1. Create a malicious SVG file:

    <svg xmlns="http://www.w3.org/2000/svg">
      <script>
        alert("XSS Executed");
      </script>
    </svg>

  2. Log in as an admin user
  3. Visit the 'Profile Settings' page
  4. Edit the profile and upload the malicious SVG
  5. Right-click and open the user's profile, and the XSS will be triggered
XSS-POC.mp4

Expected behavior

  1. Since SVG is required, sanitize uploaded SVG files using a library like svg-hush (from Cloudflare) or DOMPurify
  2. Set Content-Security-Policy headers to prevent inline script execution

Desktop (please complete the following information):

  • OS: macOS
  • Browser: Chromium
  • Version: 143.0.7499.147

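A hardened version of the image check, as an added example written for this page (not code from the project, and not part of the report above). It assumes Node.js and its built-in Buffer; the function names sniffImageType, decideImageUpload and uploadResponseHeaders are mine. The point it demonstrates: file.mimetype in a Multer fileFilter is copied from the multipart Content-Type the client sent, so a filter that only inspects it accepts whatever the attacker declares. The fix is to decide on the first bytes of the stored file, to refuse SVG outright where a raster avatar or logo is expected, and to serve anything from the upload directory with headers that keep a stray SVG or HTML file from running script.

```javascript
'use strict';

// Added example, not code from the project. Decide on the bytes of the upload
// rather than on the client-supplied MIME type, and reject SVG where a raster
// image is expected. Function names below are my own.

const ALLOWED_IMAGE_TYPES = new Set(['image/jpeg', 'image/png', 'image/gif', 'image/webp']);

const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Returns the MIME type implied by the leading bytes, or null when none of the
// accepted raster formats (or SVG) is recognised.
function sniffImageType(bytes) {
  const b = Buffer.from(bytes);
  if (b.length >= 8 && b.subarray(0, 8).equals(PNG_MAGIC)) return 'image/png';
  if (b.length >= 3 && b[0] === 0xff && b[1] === 0xd8 && b[2] === 0xff) return 'image/jpeg';
  const six = b.subarray(0, 6).toString('latin1');
  if (six === 'GIF87a' || six === 'GIF89a') return 'image/gif';
  if (b.length >= 12 && b.subarray(0, 4).toString('latin1') === 'RIFF' &&
      b.subarray(8, 12).toString('latin1') === 'WEBP') return 'image/webp';
  // SVG has no magic number: it is XML text whose root element is <svg>.
  // Skip a BOM, an XML prolog, comments and a DOCTYPE before looking for it.
  const head = b.subarray(0, 1024).toString('utf8').replace(/^\uFEFF/, '').trimStart();
  const svgRoot = /^(?:<\?xml[\s\S]*?\?>\s*)?(?:<!--[\s\S]*?-->\s*)*(?:<!DOCTYPE[\s\S]*?>\s*)?<(?:[a-z0-9]+:)?svg[\s>\/]/i;
  if (svgRoot.test(head)) return 'image/svg+xml';
  return null;
}

// Replacement for the `type === 'image'` branch of the filter: fail closed on
// unrecognised content, refuse SVG, and require the declared type to match.
function decideImageUpload({ declaredMime, bytes }) {
  const sniffed = sniffImageType(bytes);
  if (sniffed === null) {
    return { ok: false, reason: 'content does not match any accepted image format' };
  }
  if (sniffed === 'image/svg+xml') {
    return { ok: false, reason: 'SVG can carry <script>; not accepted for avatars or logos' };
  }
  if (!ALLOWED_IMAGE_TYPES.has(declaredMime) || declaredMime !== sniffed) {
    return { ok: false, reason: `declared ${declaredMime} but content is ${sniffed}` };
  }
  return { ok: true, mime: sniffed };
}

// Defence in depth for whatever is served back from the upload directory:
// no MIME sniffing into text/html, and a CSP that blocks inline script and
// sandboxes the document if a file is ever opened directly in a tab.
function uploadResponseHeaders(mime) {
  return {
    'Content-Type': mime,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Constructed sample inputs: a minimal PNG header and the SVG from the report.
const SAMPLE_PNG = Buffer.concat([PNG_MAGIC, Buffer.alloc(16)]);
const SAMPLE_SVG = Buffer.from(
  '<svg xmlns="http://www.w3.org/2000/svg"><script>alert("XSS Executed");</script></svg>'
);

for (const [declaredMime, bytes] of [
  ['image/png', SAMPLE_PNG],
  ['image/svg+xml', SAMPLE_SVG], // what the current filter lets through
  ['image/png', SAMPLE_SVG],     // lying about the type does not help either
]) {
  console.log(declaredMime, '->', JSON.stringify(decideImageUpload({ declaredMime, bytes })));
}
```

Multer's fileFilter is called as (req, file, cb) before the file body has been read, so it only sees the declared mimetype and originalname; run decideImageUpload in the route handler on the stored file (or on file.buffer with memoryStorage) and delete the upload when it returns ok: false. The sniffer is deliberately fail-closed: a polyglot that hides its <svg> root behind more than 1 KB of comment is not recognised as anything and is rejected for that reason. If SVG uploads really must stay, the stored file should go through a sanitizer such as svg-hush or DOMPurify before it is written, not just through this check; and note that the CSP only matters when the SVG is navigated to or embedded with <object>/<iframe>, since scripts inside an <img> never run anyway, which is exactly why step 5 of the reproduction opens the image directly.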