diff --git a/README.md b/README.md
index df327179..8e7ddeaa 100644
--- a/README.md
+++ b/README.md
@@ -37,12 +37,24 @@ php flarum cache:clear
 
 Enable the extension, a new tab will appear on the left hand side. This separate settings page allows you to further configure the extension.
 
+On new installations, a pre-defined regex will be inserted for you that enables image uploads, restricted to safe image types. We now include SVG as safe, due to our SVG sanitization method. Default image types allowed are:
+
+- JPEG
+- PNG
+- GIF
+- WebP
+- AVIF
+- BMP
+- TIFF
+- SVG
+
+The regex for these types is `^image\/(jpeg|png|gif|webp|avif|bmp|tiff|svg\+xml)$`, and can be modified as required. We **STRONGLY** discourage the use of a wildcard such as `^image\/.*`, as this could introduce vulnerabilities in the uploaded files. Versions of `fof/upload` prior to `1.8.0` used this as default, and is considered insecure.
+
 Make sure you configure the upload permission on the permissions page as well.
 
 ### Mimetype regular expression
 
-Regular expressions allow you a lot of freedom, but they are also very difficult to understand. Here are some pointers, but feel free to ask
-for help on the official Flarum forums.
+Regular expressions allow you a lot of freedom, but they are also very difficult to understand. Here are some pointers, but feel free to ask for help on the official Flarum forums, or check out [regex101.com](https://regex101.com/) where you can interactively build and test your regex pattern.
 
 In case you want to allow all regular file types including video, music, compressed files and images, use this:
 
@@ -121,6 +133,30 @@ The following (to resume) will happen when this command is put into a recurring
 - the command will go over all uploads to discover in which posts they have been used
 - delete those files that have been uploaded "last year" that have not been found in posts
 
+## Testing and Security Measures
+
+FoF Upload includes **automated tests** to ensure:
+
+✅ Valid files upload successfully
+✅ Restricted files are blocked
+✅ SVG sanitization removes potential XSS risks
+
+### 🔍 Security Tests for Malicious Files
+We specifically test against:
+- HTML Injection (`.html` disguised as an image)
+- MIME Spoofing (e.g., `.png` containing a script)
+- Polygot Files (Files that act as two different formats)
+- SVG Sanitization (`<script>`, `<foreignObject>`, event handlers, external styles, etc)
+- ZIP & APK Handling (Ensuring APKs are valid and ZIPs are not misclassified)
+
+### Submitting Additional Test Cases
+We welcome community contributes in all our extensions! Especially where security is concerned. If you find a new edge case or a file format that bypasses validation, please:
+- Open an issue on [GitHub](https://github.com/FriendsOfFlarum/upload/issues)
+- Submit a test case as a PR under `tests/`
+- Describe the expected behaviour (Should the file be accepted? Should it be sanitized?)
+
+🚀 These tests ensure FoF Upload remains secure and reliable for all Flarum users! 🚀
+
 ## FAQ
 
 -  __AWS S3__: read the [AWS S3 configuration page](https://github.com/FriendsOfFlarum/upload/wiki/aws-s3).
diff --git a/extend.php b/extend.php
index 1c439080..7a4a2101 100644
--- a/extend.php
+++ b/extend.php
@@ -112,7 +112,9 @@
         ->render(Formatter\TextPreview\FormatTextPreview::class),
 
     (new SvgSanitizer())
-        ->allowTag('animate'),
+        ->allowTag('animate')
+        ->removeTag('image')
+        ->removeTag('style'),
 
     (new Extend\ErrorHandling())
         ->handler(InvalidUploadException::class, ExceptionHandler::class),
diff --git a/migrations/2025_02_06_000000_alter_default_image_mime_expression.php b/migrations/2025_02_06_000000_alter_default_image_mime_expression.php
new file mode 100644
index 00000000..1f90a224
--- /dev/null
+++ b/migrations/2025_02_06_000000_alter_default_image_mime_expression.php
@@ -0,0 +1,81 @@
+<?php
+
+/*
+ * This file is part of fof/upload.
+ *
+ * Copyright (c) FriendsOfFlarum.
+ * Copyright (c) Flagrow.
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+use Illuminate\Database\Schema\Builder;
+
+return [
+    'up' => function (Builder $schema) {
+        $db = $schema->getConnection();
+
+        $oldRegex = '^image\/.*';
+        $newRegex = '^image\/(jpeg|png|gif|webp|avif|bmp|tiff|svg\+xml)$';
+
+        $setting = $db->table('settings')->where('key', 'fof-upload.mimeTypes')->first();
+
+        if ($setting && isset($setting->value)) {
+            $decodedValue = json_decode($setting->value, true);
+
+            if (is_array($decodedValue)) {
+                $updatedValue = [];
+
+                foreach ($decodedValue as $mime => $config) {
+                    if ($mime === $oldRegex) {
+                        // Replace the old regex with the new one
+                        $updatedValue[$newRegex] = $config;
+                    } else {
+                        // Preserve all other settings
+                        $updatedValue[$mime] = $config;
+                    }
+                }
+
+                $jsonUpdated = json_encode($updatedValue, JSON_UNESCAPED_SLASHES);
+
+                if ($jsonUpdated !== $setting->value) {
+                    $db->table('settings')->where('key', 'fof-upload.mimeTypes')->update(['value' => $jsonUpdated]);
+                }
+            }
+        }
+    },
+
+    'down' => function (Builder $schema) {
+        $db = $schema->getConnection();
+
+        $oldRegex = '^image\/(jpeg|png|gif|webp|avif|bmp|tiff|svg\+xml)$';
+        $newRegex = '^image\/.*';
+
+        $setting = $db->table('settings')->where('key', 'fof-upload.mimeTypes')->first();
+
+        if ($setting && isset($setting->value)) {
+            $decodedValue = json_decode($setting->value, true);
+
+            if (is_array($decodedValue)) {
+                $revertedValue = [];
+
+                foreach ($decodedValue as $mime => $config) {
+                    if ($mime === $newRegex) {
+                        // Revert back to the old regex
+                        $revertedValue[$oldRegex] = $config;
+                    } else {
+                        // Preserve all other settings
+                        $revertedValue[$mime] = $config;
+                    }
+                }
+
+                $jsonReverted = json_encode($revertedValue, JSON_UNESCAPED_SLASHES);
+
+                if ($jsonReverted !== $setting->value) {
+                    $db->table('settings')->where('key', 'fof-upload.mimeTypes')->update(['value' => $jsonReverted]);
+                }
+            }
+        }
+    },
+];
diff --git a/src/Helpers/Util.php b/src/Helpers/Util.php
index 1bbdb8da..f0b44e23 100644
--- a/src/Helpers/Util.php
+++ b/src/Helpers/Util.php
@@ -89,7 +89,7 @@ public function defaultMimeTypes(): Collection
         $adapters = $this->getAvailableUploadMethods();
 
         return collect([
-            '^image\/.*' => [
+            '^image\/(jpeg|png|gif|webp|avif|bmp|tiff|svg\+xml)$' => [
                 'adapter'  => $adapters->flip()->last(),
                 'template' => 'image-preview',
             ],
diff --git a/src/Mime/MimeTypeDetector.php b/src/Mime/MimeTypeDetector.php
index 5ede4902..9ac50b02 100644
--- a/src/Mime/MimeTypeDetector.php
+++ b/src/Mime/MimeTypeDetector.php
@@ -63,14 +63,35 @@ public function getMimeType(): ?string
         }
 
         try {
-            $type = $this->getMimeInternally();
+            // Get MIME from php-mime-detector
+            $detectorMime = $this->getMimeInternally();
 
-            // If mime_content_type returns application/zip or empty, perform magic byte detection
-            if ($type === 'application/zip' || empty($type)) {
-                return $this->detectUsingMagicBytes();
+            // Get MIME from PHP Fileinfo
+            $fileinfoMime = mime_content_type($this->filePath);
+
+            // Special handling for APKs (before mismatch rejection)
+            if ($detectorMime === 'application/zip' || $fileinfoMime === 'application/zip') {
+                if ($this->isApk($this->filePath)) {
+                    return 'application/vnd.android.package-archive';
+                }
+            }
+
+            // Reject if MIME mismatch occurs (AFTER checking for APKs)
+            if ($detectorMime !== $fileinfoMime) {
+                $message = "MIME type mismatch detected: $detectorMime vs $fileinfoMime";
+                resolve('log')->error("[fof/upload] $message");
+
+                // Check if the file exists, if it does, delete it.
+                if (file_exists($this->filePath)) {
+                    unlink($this->filePath);
+                }
+
+                throw new ValidationException([
+                    'upload' => $message,
+                ]);
             }
 
-            return $type;
+            return $detectorMime;
         } catch (\Exception $e) {
             throw new ValidationException(['upload' => 'Could not detect MIME type.']);
         }
@@ -90,37 +111,6 @@ private function getMimeInternally(): bool|string
         return $mime;
     }
 
-    /**
-     * Detect MIME type using file magic bytes.
-     *
-     * @return string|null
-     */
-    private function detectUsingMagicBytes(): ?string
-    {
-        $handle = fopen($this->filePath, 'rb');
-        if (!$handle) {
-            return null;
-        }
-
-        $magicBytes = fread($handle, 4); // Read the first 4 bytes
-        fclose($handle);
-
-        foreach ($this->getMappings() as $mapping) {
-            foreach ($mapping['magicBytes'] as $bytes) {
-                if ($magicBytes === $bytes) {
-                    // Additional checks for APK-specific files
-                    if ($mapping['extension'] === 'apk' && !$this->isApk($this->filePath)) {
-                        continue; // Not an APK, fallback to other mappings
-                    }
-
-                    return $mapping['mime'];
-                }
-            }
-        }
-
-        return null;
-    }
-
     /**
      * Check if the file is a valid APK by inspecting its contents.
      *
@@ -132,18 +122,19 @@ private function isApk(string $filePath): bool
     {
         $zip = new \ZipArchive();
         if ($zip->open($filePath) === true) {
-            // APKs should contain "AndroidManifest.xml" and "classes.dex"
             $requiredFiles = ['AndroidManifest.xml', 'classes.dex'];
+
             foreach ($requiredFiles as $file) {
                 if ($zip->locateName($file) === false) {
                     $zip->close();
 
-                    return false; // Required APK-specific file not found
+                    return false; // Required file not found, reject as non-APK
                 }
             }
+
             $zip->close();
 
-            return true; // All required files found
+            return true; // Valid APK structure detected
         }
 
         return false; // Not a valid ZIP file
diff --git a/src/Repositories/FileRepository.php b/src/Repositories/FileRepository.php
index 24aa7eb4..a25d3e3b 100644
--- a/src/Repositories/FileRepository.php
+++ b/src/Repositories/FileRepository.php
@@ -173,7 +173,12 @@ protected function handleUploadError($code): void
 
     public function removeFromTemp(Upload $file): bool
     {
-        return $this->getTempFilesystem($file->getPath())->delete($file->getBasename());
+        $filesystem = $this->getTempFilesystem($file->getPath());
+        if ($filesystem->has($file->getBasename())) {
+            return $filesystem->delete($file->getBasename());
+        }
+
+        return true;
     }
 
     protected function getTempFilesystem(string $path): Filesystem
diff --git a/tests/fixtures/Example.apk b/tests/fixtures/Example.apk
new file mode 100644
index 00000000..fd69aba0
Binary files /dev/null and b/tests/fixtures/Example.apk differ
diff --git a/tests/fixtures/Example.zip b/tests/fixtures/Example.zip
new file mode 100644
index 00000000..020edee0
Binary files /dev/null and b/tests/fixtures/Example.zip differ
diff --git a/tests/fixtures/Malicious.html b/tests/fixtures/Malicious.html
new file mode 100644
index 00000000..cc1cc39a
--- /dev/null
+++ b/tests/fixtures/Malicious.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Malicious Upload</title>
+</head>
+<body>
+    <script>alert("XSS Attack!");</script>
+    <p>This is a test file.</p>
+</body>
+</html>
diff --git a/tests/fixtures/Malicious.svg b/tests/fixtures/Malicious.svg
new file mode 100644
index 00000000..79581cfe
--- /dev/null
+++ b/tests/fixtures/Malicious.svg
@@ -0,0 +1,36 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" 
+    "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="100" height="100" xmlns="http://www.w3.org/2000/svg"
+    xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert('SVG onload XSS!')">
+    
+    <!-- Inline JavaScript -->
+    <script type="text/javascript">
+        alert('SVG XSS Attack!');
+    </script>
+
+    <!-- External Image Reference -->
+    <image x="0" y="0" width="100" height="100" xlink:href="https://attacker.com/malicious.png"/>
+
+    <!-- Embedded Data URI -->
+    <image x="10" y="10" width="80" height="80" 
+        href="data:image/svg+xml;base64,PHN2ZyBvbm1vdXNlPWJvbWIoJ3hzc1Rlc3QnKQ=="/>
+
+    <!-- Foreign Object (Can inject arbitrary HTML) -->
+    <foreignObject width="100" height="50">
+        <body xmlns="http://www.w3.org/1999/xhtml">
+            <p style="color:red" onclick="alert('Clicked!')">Click me!</p>
+        </body>
+    </foreignObject>
+
+    <!-- Malicious CSS -->
+    <style>
+        <![CDATA[
+            @import url("https://attacker.com/malicious.css");
+            circle { fill: url('https://attacker.com/xss-gradient'); }
+        ]]>
+    </style>
+
+    <!-- Basic Circle -->
+    <circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red"/>
+</svg>
diff --git a/tests/fixtures/Polyglot.flif b/tests/fixtures/Polyglot.flif
new file mode 100644
index 00000000..a3839a55
--- /dev/null
+++ b/tests/fixtures/Polyglot.flif
@@ -0,0 +1,7 @@
+FLIF<?xml foo="bar"?>
+<!DOCTYPE html><html>
+<script>
+alert("XSS Attack!");
+</script>
+<p>Blaklis!</p>
+</html>
diff --git a/tests/fixtures/Polyglot.jpg b/tests/fixtures/Polyglot.jpg
new file mode 100644
index 00000000..25707e91
--- /dev/null
+++ b/tests/fixtures/Polyglot.jpg
@@ -0,0 +1,8 @@
+FFD8FFE000104A46494600010101006000600000FFDB00430008060607060508...
+<!-- HTML inside a JPEG file -->
+<!DOCTYPE html>
+<html>
+<body>
+    <script>alert('This is a Polyglot attack!');</script>
+</body>
+</html>
diff --git a/tests/fixtures/Safe.svg b/tests/fixtures/Safe.svg
new file mode 100644
index 00000000..b53302ee
--- /dev/null
+++ b/tests/fixtures/Safe.svg
@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
+  <circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="green"/>
+</svg>
diff --git a/tests/fixtures/SpoofedMime.png b/tests/fixtures/SpoofedMime.png
new file mode 100644
index 00000000..2115ef84
--- /dev/null
+++ b/tests/fixtures/SpoofedMime.png
@@ -0,0 +1,11 @@
+89504E470D0A1A0A0000000D49484452000000640000006408060000005702F987...
+<!-- Fake PNG, actual content is HTML -->
+<!DOCTYPE html>
+<html>
+<head>
+    <script>alert("Spoofed MIME Attack!");</script>
+</head>
+<body>
+    <p>This file is not actually a PNG!</p>
+</body>
+</html>
diff --git a/tests/fixtures/TextFileWithPngExtension.png b/tests/fixtures/TextFileWithPngExtension.png
new file mode 100644
index 00000000..7a8013e1
--- /dev/null
+++ b/tests/fixtures/TextFileWithPngExtension.png
@@ -0,0 +1 @@
+This is a text file pretending to be an image.
diff --git a/tests/integration/api/FileUploadSecurityTest.php b/tests/integration/api/FileUploadSecurityTest.php
new file mode 100644
index 00000000..eecd5783
--- /dev/null
+++ b/tests/integration/api/FileUploadSecurityTest.php
@@ -0,0 +1,140 @@
+<?php
+
+/*
+ * This file is part of fof/upload.
+ *
+ * Copyright (c) FriendsOfFlarum.
+ * Copyright (c) Flagrow.
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace FoF\Upload\Tests\integration\api;
+
+use Flarum\Foundation\Paths;
+use Flarum\Testing\integration\RetrievesAuthorizedUsers;
+use FoF\Upload\Tests\EnhancedTestCase;
+
+class FileUploadSecurityTest extends EnhancedTestCase
+{
+    use RetrievesAuthorizedUsers;
+    use UploadFileTrait;
+
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        $this->extension('fof-upload');
+
+        $this->prepareDatabase([
+            'users' => [
+                $this->normalUser(),
+            ],
+        ]);
+    }
+
+    /**
+     * @test
+     *
+     * We allow SVG due to the built in santization. Here we test that <script> tags any any external content is removed.
+     */
+    public function user_with_permission_can_upload_svg_containing_malicious_content_and_is_sanitized()
+    {
+        $this->giveNormalUserUploadPermission();
+
+        $response = $this->send(
+            $this->request('POST', '/api/fof/upload', [
+                'authenticatedAs' => 2,
+                'multipart'       => [
+                    $this->uploadFile($this->fixtures('Malicious.svg')),
+                ],
+            ])
+        );
+
+        $this->assertEquals(200, $response->getStatusCode());
+
+        $json = json_decode($response->getBody()->getContents(), true);
+
+        $pathToFile = $json['data'][0]['attributes']['path'];
+        $this->assertNotEmpty($pathToFile);
+
+        $file_contents = file_get_contents(resolve(Paths::class)->public.'/assets/files/'.$pathToFile);
+
+        $this->assertNotEmpty($file_contents);
+
+        // Check that JavaScript is removed
+        $this->assertStringNotContainsString('<script', $file_contents, 'SVG still contains a <script> tag.');
+        $this->assertStringNotContainsString('javascript:', $file_contents, 'SVG still contains JavaScript URLs.');
+        $this->assertStringNotContainsString('onload=', $file_contents, 'SVG still contains an onload event.');
+        $this->assertStringNotContainsString('onclick=', $file_contents, 'SVG still contains an onclick event.');
+
+        // Check that external resources are removed
+        $this->assertStringNotContainsString('xlink:href="http', $file_contents, 'SVG still contains an external xlink:href.');
+        $this->assertStringNotContainsString('href="http', $file_contents, 'SVG still contains an external href.');
+
+        // Check that data URIs are removed
+        $this->assertStringNotContainsString('data:image', $file_contents, 'SVG still contains a data URI.');
+
+        // Check that <foreignObject> is removed
+        $this->assertStringNotContainsString('<foreignObject', $file_contents, 'SVG still contains a <foreignObject>.');
+
+        // Check that inline CSS doesn't contain @import
+        $this->assertStringNotContainsString('@import', $file_contents, 'SVG still contains @import in a <style> block.');
+    }
+
+    /**
+     * @test
+     */
+    public function user_with_permission_can_upload_an_svg_if_safe()
+    {
+        $this->giveNormalUserUploadPermission();
+
+        $response = $this->send(
+            $this->request('POST', '/api/fof/upload', [
+                'authenticatedAs' => 2,
+                'multipart'       => [
+                    $this->uploadFile($this->fixtures('Safe.svg')),
+                ],
+            ])
+        );
+
+        $this->assertEquals(200, $response->getStatusCode());
+    }
+
+    public function MaliciousFiles(): array
+    {
+        return [
+            ['Polyglot.jpg'],
+            ['Polyglot.flif'],
+            ['SpoofedMime.png'],
+            ['TextFileWithPngExtension.png'],
+            ['Malicious.html'],
+        ];
+    }
+
+    /**
+     * @test
+     *
+     * @dataProvider MaliciousFiles
+     */
+    public function user_with_permission_cannot_upload_malicious_files(string $fixture, ?string $allowMime = null)
+    {
+        $this->giveNormalUserUploadPermission();
+
+        $response = $this->send(
+            $this->request('POST', '/api/fof/upload', [
+                'authenticatedAs' => 2,
+                'multipart'       => [
+                    $this->uploadFile($this->fixtures($fixture)),
+                ],
+            ])
+        );
+
+        $this->assertEquals(422, $response->getStatusCode());
+
+        $json = json_decode($response->getBody()->getContents(), true);
+        $this->assertArrayHasKey('errors', $json);
+        $this->assertEquals('validation_error', $json['errors'][0]['code']);
+    }
+}
diff --git a/tests/integration/api/FileUploadTest.php b/tests/integration/api/FileUploadTest.php
index 5d902694..3226c197 100644
--- a/tests/integration/api/FileUploadTest.php
+++ b/tests/integration/api/FileUploadTest.php
@@ -34,27 +34,6 @@ public function setUp(): void
         ]);
     }
 
-    protected function giveNormalUserUploadPermission()
-    {
-        $this->prepareDatabase(
-            [
-                'group_permission' => [
-                    ['group_id' => 3, 'permission' => 'fof-upload.upload'],
-                ],
-            ]
-        );
-    }
-
-    protected function addType(string $mime, string $adapter = 'local', string $template = 'just-url')
-    {
-        $this->setting('fof-upload.mimeTypes', json_encode([
-            $mime => [
-                'adapter'   => $adapter,
-                'template'  => $template,
-            ],
-        ]));
-    }
-
     protected function setMaxUploadSize(int $max)
     {
         $this->setting('fof-upload.maxFileSize', $max);
@@ -222,4 +201,44 @@ public function admin_can_upload_a_file_and_then_delete_it()
 
         $this->assertNull($file);
     }
+
+    /**
+     * @test
+     */
+    public function user_can_upload_zip_file_when_configured()
+    {
+        $this->addType('application\/zip');
+        $this->giveNormalUserUploadPermission();
+
+        $response = $this->send(
+            $this->request('POST', '/api/fof/upload', [
+                'authenticatedAs' => 2,
+                'multipart'       => [
+                    $this->uploadFile($this->fixtures('Example.zip')),
+                ],
+            ])
+        );
+
+        $this->assertEquals(200, $response->getStatusCode());
+    }
+
+    /**
+     * @test
+     */
+    public function user_can_upload_apk_file_when_configured()
+    {
+        $this->addType('application\/vnd.android.package-archive');
+        $this->giveNormalUserUploadPermission();
+
+        $response = $this->send(
+            $this->request('POST', '/api/fof/upload', [
+                'authenticatedAs' => 2,
+                'multipart'       => [
+                    $this->uploadFile($this->fixtures('Example.apk')),
+                ],
+            ])
+        );
+
+        $this->assertEquals(200, $response->getStatusCode());
+    }
 }
diff --git a/tests/integration/api/UploadFileTrait.php b/tests/integration/api/UploadFileTrait.php
index 3c6e0a03..b3de0e74 100644
--- a/tests/integration/api/UploadFileTrait.php
+++ b/tests/integration/api/UploadFileTrait.php
@@ -31,4 +31,25 @@ protected function fixtures(string $file): string
     {
         return __DIR__.'/../../fixtures/'.$file;
     }
+
+    protected function addType(string $mime, string $adapter = 'local', string $template = 'just-url')
+    {
+        $this->setting('fof-upload.mimeTypes', json_encode([
+            $mime => [
+                'adapter'   => $adapter,
+                'template'  => $template,
+            ],
+        ]));
+    }
+
+    protected function giveNormalUserUploadPermission()
+    {
+        $this->prepareDatabase(
+            [
+                'group_permission' => [
+                    ['group_id' => 3, 'permission' => 'fof-upload.upload'],
+                ],
+            ]
+        );
+    }
 }