Should I check NOT IN “exe|bat|php|js” and allow all other types?

No. Whitelisting is better than blacklisting. There are many, many more dangerous filetypes than you are likely to know about. Those four barely scratch the surface.

If I add “xml” into the list? can they cause any security issue?

Yes it can, [X][HT]ML may contain scripting which operates in the security context of the site that served it. Which allows anyone who can upload documents to your site to inject JavaScript into your site (stealing cookies, request forgery etc).

However… it doesn’t actually add any security issue you don’t already have. Because even whitelisting by filetype/extension is not secure, thanks to IE and its misbegotten type-sniffing. You can upload a .txt file, and serve it correctly using the Content-Type: text/plain header, but if it contains sequences that IE thinks look like HTML, IE will ignore you and render it as HTML — boom, XSS.

(The same is true of any other type really, but .txt is the most openly vulnerable.)

There are two approaches to fixing this mess:

1. serve all user-uploaded files from a different hostname to the main application site, so that they are in different JS security contexts and do not share cookies or authentication data.

2. serve all user-uploaded files with the Content-Disposition: attachment header so that they will always be downloaded and not displayed within the browser.

(2) on its own should be watertight, but in practice in the past there have been ways around it due to browser and plugin exploits, so I’m not sure I’d completely trust in it. (1) on its own stops XSS, but it doesn’t stop other nasties like HTML files containing iframes to exploit sites.

So it’s best to do both.