PHP
Sergey Savostin, 2014-02-22 10:26:38

Is it safe to open the site's input validation scheme?

There is a certain site, the input data from the user of which is checked, say, by regexp.
For the responsiveness of the web interface, the data is checked by Javascript on the client side, to prevent hacking - additionally on the server side (php). Regexp is the same. There is an idea to put it in a json file available via http and load it into Javascript.
How dangerous is this, because there is no 100% confidence in the full coverage of all possible XSS?
I.e. knowing the regexp, IMHO, makes it easier to pick malicious input parameters than not knowing it. But most CMS, forums, etc. with open source code, for some reason, are not very afraid of this.


4 answer(s)
Vampiro, 2014-02-22
@savostin

Don't be afraid to show the user how you validate the input. Hiding it does not increase security in any way.

Melkij, 2014-02-22
@melkij

What is the relationship between regex and XSS?
On the user's side - logic validation. On the server side, re-validation of the logic and the appropriate escaping/transformation to keep this data safe and harmless. If saving to the database uses prepared statements, output to HTML uses htmlspecialchars, output to JSON uses json_encode, and output anywhere else uses the transformation appropriate to that particular format.

FanatPHP, 2014-02-22
@FanatPHP

Like most hamsters, aftor confuses data validation and output formatting.
As correctly noted in the post above, these two things have nothing to do with each other. At all. If only because, if you rely on incoming validation, you can run into a second-order injection, just like in the case of SQL.
Therefore, the validation should be left as is, and the formatting should be done without fail in automatic mode, using the template engine. At the same time, taking into account the environment into which the data is output. For SQL, HTML, JS and many other different output options, formatting should be DIFFERENT.
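The split that both Melkij and FanatPHP describe, validating input once on the server and then formatting the stored value differently for each destination, as an added PHP example (this is not code from the question or from any answer above). The patterns, the `comments` table, the function names and the sample comment are all constructed for this illustration; the point is that a legitimate comment already contains `<`, `"`, `'` and `&`, so no validation regexp, public or secret, can be what keeps the output safe.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or any of the answers on this page.
// Patterns, table, function names and sample input are constructed here.

// Strict pattern for a username: the same regexp could be served to the browser
// for responsiveness; the server applies it again regardless of what JS did.
const USERNAME_PATTERN = '/^[A-Za-z0-9_]{3,20}$/D';
// Loose pattern for free text: printable Unicode, up to 500 chars. It deliberately
// admits < > " ' & because real comments contain them; validation is not escaping.
const COMMENT_PATTERN = '/^[\p{L}\p{N}\p{P}\p{S}\p{Zs}]{1,500}$/uD';

function validate(string $pattern, string $value): ?string
{
    return preg_match($pattern, $value) === 1 ? $value : null;
}

// Output formatting is chosen by the destination, not by what validation accepted.
function toHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function toJsForScriptTag($value): string
{
    // The HEX flags stop "</script>" and quotes inside the data from ending the inline script.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Storage: prepared statements, so the value stays data in every query, including
// queries run later on what was read back from the table (the second-order case).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

// Constructed sample input: both values pass validation, and the body is hostile to raw output.
$input = [
    'author' => 'o_reilly',
    'body'   => 'I <3 "PHP" & O\'Reilly; try <script>alert(1)</script>',
];

$author = validate(USERNAME_PATTERN, $input['author']);
$body   = validate(COMMENT_PATTERN, $input['body']);
if ($author === null || $body === null) {
    http_response_code(400);
    exit("invalid input\n");
}

$insert = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$insert->execute([':author' => $author, ':body' => $body]);

// Second-order use: the stored author goes back into SQL, again as a bound parameter,
// not concatenated, even though it "already passed validation" on the way in.
$stored = $db->query('SELECT author, body FROM comments')->fetch(PDO::FETCH_ASSOC);
$count  = $db->prepare('SELECT COUNT(*) FROM comments WHERE author = :author');
$count->execute([':author' => $stored['author']]);

// Same stored value, three destinations, three different encoders.
echo '<p>', toHtml($stored['author']), ': ', toHtml($stored['body']), "</p>\n";   // HTML body
echo '<script>var comment = ', toJsForScriptTag($stored), ";</script>\n";          // inline JS
echo json_encode($stored, JSON_THROW_ON_ERROR), "\n";                              // JSON API reply
```

Run it with `php example.php`: the HTML line shows `&lt;script&gt;` rather than a live tag, the inline-script line shows `\u003C` escapes, and the JSON line carries the raw characters, which is correct for a JSON response body but would be wrong pasted into HTML. Publishing `USERNAME_PATTERN` or `COMMENT_PATTERN` changes nothing here, because neither pattern is doing the protecting.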

OnYourLips, 2014-02-22
@OnYourLips

You have porridge in your head.

There is an idea to put it in a json file available via http and load it into Javascript.
Bad thought.
How dangerous is this, because there is no 100% confidence in the full coverage of all possible XSS?
I.e. knowing the regexp, IMHO, makes it easier to pick malicious input parameters than not knowing it. But most CMS, forums, etc. with open source code, for some reason, are not very afraid of this.
If the data is displayed in the form that was entered, the protection is elementary (roughly speaking, protection is not needed at all, it is enough just to display the data correctly).
If the data will be processed (BB, markdown, HTML), then it is possible to make a mistake in the handler. Therefore, it is necessary to use a popular open source implementation - bugs are quickly found and fixed.
