Asking the dangerous questions

inbox.py

@@ -122,6 +122,7 @@ from webapp_post import individual_post_as_html
 from question import question_update_votes
 from question import is_vote
 from question import is_question
+from question import dangerous_question
 from media import replace_you_tube
 from media import replace_twitter
 from git import is_git_patch
@@ -1219,7 +1220,8 @@ def _person_receive_update(base_dir: str,
 def _receive_update_to_question(recent_posts_cache: {}, message_json: {},
                                 base_dir: str,
                                 nickname: str, domain: str,
-                                system_language: str) -> bool:
+                                system_language: str,
+                                allow_local_network_access: bool) -> bool:
     """Updating a question as new votes arrive
     """
     # message url of the question
@@ -1243,6 +1245,8 @@ def _receive_update_to_question(recent_posts_cache: {}, message_json: {},
     if is_question_filtered(base_dir, nickname, domain,
                             system_language, post_json_object):
         return False
+    if dangerous_question(post_json_object, allow_local_network_access):
+        return False
     # does the actor match?
     if post_json_object['actor'] != message_json['actor']:
         return False
@@ -1460,7 +1464,8 @@ def _receive_update_activity(recent_posts_cache: {}, session, base_dir: str,
     if message_json['object']['type'] == 'Question':
         if _receive_update_to_question(recent_posts_cache, message_json,
                                        base_dir, nickname, domain,
-                                       system_language):
+                                       system_language,
+                                       allow_local_network_access):
             if debug:
                 print('DEBUG: Question update was received')
             return True
@@ -3123,6 +3128,9 @@ def _valid_post_content(base_dir: str, nickname: str, domain: str,
                                 system_language, message_json):
             print('REJECT: incoming question options filter')
             return False
+        if dangerous_question(message_json, allow_local_network_access):
+            print('REJECT: incoming question markup filter')
+            return False
 
     content_str = get_base_content_from_post(message_json, system_language)
     if dangerous_markup(content_str, allow_local_network_access):

question.py

@@ -13,6 +13,7 @@ from utils import load_json
 from utils import save_json
 from utils import has_object_dict
 from utils import text_in_file
+from utils import dangerous_markup
 
 
 def is_vote(base_dir: str, nickname: str, domain: str,
@@ -208,3 +209,18 @@ def is_question(post_json_object: {}) -> bool:
     if not isinstance(post_json_object['object']['oneOf'], list):
         return False
     return True
+
+
+def dangerous_question(question_json: {},
+                       allow_local_network_access: bool) -> bool:
+    """does the given question contain dangerous markup?
+    """
+    if question_json.get('oneOf'):
+        question_options = question_json['oneOf']
+    else:
+        question_options = question_json['object']['oneOf']
+    for option in question_options:
+        if option.get('name'):
+            if dangerous_markup(option['name'], allow_local_network_access):
+                return True
+    return False