Description
The addAttendee() method at Event.js:586-607 only checks if (!attendee.email) but never validates email format. Meanwhile, the Event constructor path calls _validateAttendees() (line 305) which properly validates emails using _isValidEmail() (line 834).
Impact
Invalid emails like 'user@domain' or 'invalid@@example.com' can be added post-construction, violating class invariants and creating data integrity issues.
Code Location
- Event.js:586-607 (addAttendee method - missing validation)
- Event.js:305 (constructor calls _validateAttendees)
- Event.js:834 (_isValidEmail method)
Reproduction
const event = new Event({ title: 'Test', start: new Date() });
event.addAttendee({ name: 'John', email: 'invalid@@example.com' }); // Succeeds (should fail)
The addAttendee() method should call _isValidEmail() like the constructor does.
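A minimal sketch of the gap and the suggested fix, added here as an example and not taken from the project's Event.js. `EventSketch`, `addAttendeeUnchecked`, `tryAdd`, `compare` and the regular expression are assumptions, since the issue does not show the real `_isValidEmail()` pattern.

```javascript
// Assumed stand-in for the project's email pattern (not shown in the issue).
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

class EventSketch {
  constructor({ title, start, attendees = [] }) {
    this.title = title;
    this.start = start;
    this.attendees = [];
    // Constructor path funnels through the same checked method,
    // so there is one validation rule for both entry points.
    for (const a of attendees) this.addAttendee(a);
  }

  _isValidEmail(email) {
    return typeof email === 'string' && EMAIL_RE.test(email);
  }

  // Behaviour described in the issue: presence check only.
  addAttendeeUnchecked(attendee) {
    if (!attendee.email) throw new Error('Attendee must have an email');
    this.attendees.push(attendee);
  }

  // Suggested fix: presence check plus the format check the constructor uses.
  addAttendee(attendee) {
    if (!attendee || !attendee.email) throw new Error('Attendee must have an email');
    if (!this._isValidEmail(attendee.email)) {
      throw new Error(`Invalid attendee email: ${attendee.email}`);
    }
    this.attendees.push(attendee);
  }
}

// Runs one add on a fresh event and reports whether it was accepted.
function tryAdd(method, email) {
  const ev = new EventSketch({ title: 'Test', start: new Date() });
  try { ev[method]({ name: 'John', email }); return 'accepted'; }
  catch (e) { return 'rejected'; }
}

// Constructed sample inputs: one valid address, the two from the issue, one empty.
const samples = ['john@example.com', 'user@domain', 'invalid@@example.com', ''];
function compare() {
  return samples.map(e => [e, tryAdd('addAttendeeUnchecked', e), tryAdd('addAttendee', e)]);
}
console.table(compare());
```

A regression test for the real class can assert the same thing: any address rejected by the constructor path must also be rejected by addAttendee().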