MODiX
Replace extension blacklist with an extension allowlist.
Spotted PR #1042, got me thinking about whether or not we're doing this the right way. It's a big list of extensions that surely is not exhaustive. If we've missed an extension that could cause harm, the worst case is that systems become compromised.
If we change this to an allowlist of extensions that we know to be safe (cs, md, txt, json, xml, etc.), the worst-case scenario is that someone can't upload a file until it's deemed to be safe and added to the list.
Thoughts?
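The default-deny check the issue proposes, as an added example in the project's language; this is not MODiX's own code, and the class name, method name and the allowed set are assumptions built from the extensions named above.

```csharp
// Added example, not code from the MODiX repository: an extension allowlist
// check standing in for the blocklist the issue wants to replace.
using System;
using System.Collections.Generic;
using System.IO;

public static class AttachmentPolicy
{
    // Extensions assumed safe (taken from the issue's examples). Anything not
    // listed is rejected until someone deliberately adds it.
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            ".cs", ".md", ".txt", ".json", ".xml",
        };

    // Returns true only when the name's final extension is on the allowlist.
    // Everything unexpected (no name, no extension, only an extension) fails
    // closed, which is the worst case the issue is willing to accept.
    public static bool IsAllowed(string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName))
            return false;

        // Judge the bare file name; a directory prefix is irrelevant here.
        var name = Path.GetFileName(fileName.Trim());

        // Path.GetExtension returns "" for "report." and ".cs" for ".cs";
        // both are treated as having no usable name and are rejected.
        var ext = Path.GetExtension(name);
        if (string.IsNullOrEmpty(ext) || ext.Length == name.Length)
            return false;

        // Only the last extension counts, so "notes.txt.bin" is judged as
        // ".bin", and the comparison ignores case ("README.MD" passes).
        return AllowedExtensions.Contains(ext);
    }

    public static void Main()
    {
        // Constructed sample names for a quick run of the policy.
        foreach (var n in new[] { "Program.cs", "README.MD", "notes.txt.bin", "report.", ".cs", "data.json" })
            Console.WriteLine($"{n,-16} -> {(IsAllowed(n) ? "allowed" : "rejected")}");
    }
}
```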