Yes, user-uploaded SVG files can pose an XSS (Cross-Site Scripting) risk: SVG is XML, and an SVG document can carry executable JavaScript in several forms, such as script elements, event-handler attributes and script-scheme URLs. You could try to strip these with regular expressions, but that approach is error-prone: pattern matching against the raw text misses variants in encoding, namespacing and markup structure that a real parser resolves, so it is unlikely to catch everything.
The recommended best practice is to use specialized, actively maintained sanitization libraries, which parse the document and keep only an allowlist of known-safe elements and attributes:
Frontend: Use a library such as DOMPurify, which parses the SVG and removes script elements, event-handler attributes and unsafe URLs rather than relying on text patterns.
Server-side: Use a library such as Jsoup or the OWASP Java HTML Sanitizer, which apply the same allowlist approach to SVG and HTML markup to mitigate XSS risks.
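To show the parser-based allowlist principle these libraries rely on (as opposed to regex matching), here is an added Python example that is not part of the answer above and not taken from any of the named libraries; it uses the standard-library XML parser, a constructed sample SVG, and an allowlist that is deliberately small. It illustrates the principle rather than replacing the maintained libraries the answer recommends.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep output free of ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Allowlist (constructed, intentionally small): drawing primitives only.
# Anything not listed, e.g. <script> or <foreignObject>, is dropped with its subtree.
ALLOWED_ELEMENTS = {"svg", "g", "a", "path", "rect", "circle", "ellipse", "line",
                    "polyline", "polygon", "text", "tspan", "title", "desc", "defs"}
# Attributes are checked by local name, so xlink:href and href are treated alike.
ALLOWED_ATTRS = {"id", "class", "x", "y", "width", "height", "viewBox", "fill",
                 "stroke", "stroke-width", "d", "cx", "cy", "r", "rx", "ry", "points",
                 "x1", "y1", "x2", "y2", "transform", "href"}

def _local(name: str) -> str:
    """Strip a '{namespace}' prefix from an ElementTree tag or attribute key."""
    return name.rsplit("}", 1)[-1]

def _sanitize_element(elem: ET.Element) -> None:
    for key in list(elem.attrib):
        local = _local(key)
        value = elem.attrib[key]
        if (local not in ALLOWED_ATTRS
                or local.startswith("on")                       # event handlers
                or (local == "href" and not value.startswith("#"))):  # local refs only
            del elem.attrib[key]
    for child in list(elem):
        # Non-string tags are comments/PIs; treat them as disallowed too.
        if not isinstance(child.tag, str) or _local(child.tag) not in ALLOWED_ELEMENTS:
            elem.remove(child)
        else:
            _sanitize_element(child)

def sanitize_svg(svg_text: str) -> str:
    """Return svg_text reduced to allowlisted elements and attributes."""
    # For untrusted input in production, parse with defusedxml to avoid entity-expansion DoS.
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element must be <svg>")
    _sanitize_element(root)
    return ET.tostring(root, encoding="unicode")

# Constructed sample carrying the three script-bearing forms mentioned above.
UNTRUSTED_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10" onload="alert(1)">
  <title>constructed sample</title>
  <path d="M0 0h10v10H0z" fill="#09f"/>
  <a xlink:href="javascript:alert(1)"><text x="1" y="5">click</text></a>
  <script>alert(1)</script>
</svg>"""

if __name__ == "__main__":
    print(sanitize_svg(UNTRUSTED_SVG))
```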