fix(fillField): prevent rich-editor keystroke leak to sibling inputs

DavertMik · claude · DavertMik · commit e1e213de5a0e · 2026-04-22T12:44:33.000+03:00
The IFRAME branch typed via the root-page keyboard against an iframe body
that's not contenteditable (Monaco-style editors), so keystrokes landed on
whatever the outer document had focused. Detection also climbed the DOM
when the matched element looked hidden, which could pick up unrelated
editors elsewhere on the page.

Now: detection only walks down from the user's locator, the IFRAME branch
re-detects the real input surface inside the iframe, and every focus/click
is verified against document.activeElement before typing — a failed focus
throws instead of leaking. Backing-textarea fixtures (TinyMCE legacy,
CKEditor 4/5, CodeMirror 5, Summernote) wrapped so #editor is the visible
container. Adds sibling-input regression coverage for IFRAME, CONTENTEDITABLE
and HIDDEN_TEXTAREA paths plus a negative test for hidden backing locators.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/lib/helper/extras/richTextEditor.js b/lib/helper/extras/richTextEditor.js
@@ -13,7 +13,6 @@ function detectAndMark(el, opts) {
   const marker = opts.marker
   const kinds = opts.kinds
   const CE = '[contenteditable="true"], [contenteditable=""]'
-  const MAX_HIDDEN_ASCENT = 3
 
   function mark(kind, target) {
     document.querySelectorAll('[' + marker + ']').forEach(n => n.removeAttribute(marker))
@@ -33,32 +32,38 @@ function detectAndMark(el, opts) {
     if (iframe) return mark(kinds.IFRAME, iframe)
     const ce = el.querySelector(CE)
     if (ce) return mark(kinds.CONTENTEDITABLE, ce)
-    const textarea = el.querySelector('textarea')
+    const textareas = [...el.querySelectorAll('textarea')]
+    const focusable = textareas.find(t => window.getComputedStyle(t).display !== 'none')
+    const textarea = focusable || textareas[0]
     if (textarea) return mark(kinds.HIDDEN_TEXTAREA, textarea)
   }
 
-  const style = window.getComputedStyle(el)
-  const isHidden =
-    el.offsetParent === null ||
-    (el.offsetWidth === 0 && el.offsetHeight === 0) ||
-    style.display === 'none' ||
-    style.visibility === 'hidden'
-  if (!isHidden) return mark(kinds.STANDARD, el)
-
-  const isFormHidden = tag === 'INPUT' && el.type === 'hidden'
-  if (isFormHidden) return mark(kinds.STANDARD, el)
-
-  let scope = el.parentElement
-  for (let depth = 0; scope && depth < MAX_HIDDEN_ASCENT; depth++, scope = scope.parentElement) {
-    const iframeNear = scope.querySelector('iframe')
-    if (iframeNear) return mark(kinds.IFRAME, iframeNear)
-    const ceNear = scope.querySelector(CE)
-    if (ceNear) return mark(kinds.CONTENTEDITABLE, ceNear)
-    const textareaNear = [...scope.querySelectorAll('textarea')].find(t => t !== el)
-    if (textareaNear) return mark(kinds.HIDDEN_TEXTAREA, textareaNear)
+  return mark(kinds.STANDARD, el)
+}
+
+function detectInsideFrame(body, opts) {
+  const marker = opts.marker
+  const kinds = opts.kinds
+  const CE = '[contenteditable="true"], [contenteditable=""]'
+  body.ownerDocument.querySelectorAll('[' + marker + ']').forEach(n => n.removeAttribute(marker))
+
+  if (body.isContentEditable) return kinds.CONTENTEDITABLE
+
+  const ce = body.querySelector(CE)
+  if (ce) {
+    ce.setAttribute(marker, '1')
+    return kinds.CONTENTEDITABLE
   }
 
-  return mark(kinds.STANDARD, el)
+  const textareas = [...body.querySelectorAll('textarea')]
+  const focusable = textareas.find(t => body.ownerDocument.defaultView.getComputedStyle(t).display !== 'none')
+  const textarea = focusable || textareas[0]
+  if (textarea) {
+    textarea.setAttribute(marker, '1')
+    return kinds.HIDDEN_TEXTAREA
+  }
+
+  return kinds.CONTENTEDITABLE
 }
 
 function selectAllInEditable(el) {
@@ -76,6 +81,17 @@ function unmarkAll(marker) {
   document.querySelectorAll('[' + marker + ']').forEach(n => n.removeAttribute(marker))
 }
 
+function isActive(el) {
+  return el.ownerDocument.activeElement === el
+}
+
+async function assertFocused(target) {
+  const focused = await target.evaluate(isActive)
+  if (!focused) {
+    throw new Error('fillField: rich editor target did not accept focus. Locator must point at the visible editor surface (a wrapper, iframe, or contenteditable) — not a hidden backing element.')
+  }
+}
+
 async function findMarked(helper) {
   const root = helper.page || helper.browser
   const raw = await root.$('[' + MARKER + ']')
@@ -97,16 +113,29 @@ export async function fillRichEditor(helper, el, value) {
 
   if (kind === EDITOR.IFRAME) {
     await target.inIframe(async body => {
-      await body.evaluate(selectAllInEditable)
-      await body.typeText(value, { delay })
+      const innerKind = await body.evaluate(detectInsideFrame, { marker: MARKER, kinds: EDITOR })
+      const marked = await body.$('[' + MARKER + ']')
+      const innerTarget = marked || body
+      if (innerKind === EDITOR.HIDDEN_TEXTAREA) {
+        await innerTarget.focus()
+        await assertFocused(innerTarget)
+        await innerTarget.selectAllAndDelete()
+        await innerTarget.typeText(value, { delay })
+      } else {
+        await innerTarget.evaluate(selectAllInEditable)
+        await assertFocused(innerTarget)
+        await innerTarget.typeText(value, { delay })
+      }
     })
   } else if (kind === EDITOR.HIDDEN_TEXTAREA) {
     await target.focus()
+    await assertFocused(target)
     await target.selectAllAndDelete()
     await target.typeText(value, { delay })
   } else if (kind === EDITOR.CONTENTEDITABLE) {
     await target.click()
     await target.evaluate(selectAllInEditable)
+    await assertFocused(target)
     await target.typeText(value, { delay })
   }
 
diff --git a/test/data/app/view/form/richtext/ckeditor4.php b/test/data/app/view/form/richtext/ckeditor4.php
@@ -8,13 +8,15 @@
 <body>
     <h1>CKEditor 4</h1>
     <form id="richtext-form" method="post" action="/richtext_submit">
-        <textarea id="editor"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
         <input type="hidden" name="content" id="content-sync">
         <button type="submit" id="submit">Submit</button>
     </form>
     <script src="https://cdn.ckeditor.com/4.22.1/standard/ckeditor.js"></script>
     <script>
-        CKEDITOR.replace('editor');
+        CKEDITOR.replace('editor-inner');
         CKEDITOR.on('instanceReady', function(e) {
             window.__editor = e.editor;
             window.__editorContent = () => {
diff --git a/test/data/app/view/form/richtext/ckeditor5-with-sibling.php b/test/data/app/view/form/richtext/ckeditor5-with-sibling.php
@@ -0,0 +1,37 @@
+<?php $initial = isset($_GET['initial']) ? $_GET['initial'] : ''; ?>
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>CKEditor 5 with sibling input</title>
+</head>
+<body>
+    <h1>CKEditor 5 with sibling input</h1>
+    <form id="richtext-form" method="post" action="/richtext_submit">
+        <input id="outer-title" name="outer-title" placeholder="Title" type="search" autofocus>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
+        <input type="hidden" name="content" id="content-sync">
+        <button type="submit" id="submit">Submit</button>
+    </form>
+    <script src="https://cdn.ckeditor.com/ckeditor5/41.4.2/classic/ckeditor.js"></script>
+    <script>
+        ClassicEditor.create(document.querySelector('#editor-inner'), {
+            removePlugins: ['TextTransformation']
+        }).then(editor => {
+            window.__editor = editor;
+            window.__editorContent = () => {
+                const div = document.createElement('div');
+                div.innerHTML = editor.getData() || '';
+                return (div.textContent || '').replace(/ /g, ' ').trim();
+            };
+            window.__editorReady = true;
+        });
+        document.getElementById('richtext-form').addEventListener('submit', function() {
+            document.getElementById('content-sync').value = window.__editorContent ? window.__editorContent() : '';
+        });
+        document.getElementById('outer-title').focus();
+    </script>
+</body>
+</html>
diff --git a/test/data/app/view/form/richtext/ckeditor5.php b/test/data/app/view/form/richtext/ckeditor5.php
@@ -8,13 +8,15 @@
 <body>
     <h1>CKEditor 5</h1>
     <form id="richtext-form" method="post" action="/richtext_submit">
-        <textarea id="editor"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
         <input type="hidden" name="content" id="content-sync">
         <button type="submit" id="submit">Submit</button>
     </form>
     <script src="https://cdn.ckeditor.com/ckeditor5/41.4.2/classic/ckeditor.js"></script>
     <script>
-        ClassicEditor.create(document.querySelector('#editor'), {
+        ClassicEditor.create(document.querySelector('#editor-inner'), {
             removePlugins: ['TextTransformation']
         }).then(editor => {
             window.__editor = editor;
diff --git a/test/data/app/view/form/richtext/codemirror5-with-sibling.php b/test/data/app/view/form/richtext/codemirror5-with-sibling.php
@@ -0,0 +1,33 @@
+<?php $initial = isset($_GET['initial']) ? $_GET['initial'] : ''; ?>
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>CodeMirror 5 with sibling input</title>
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/codemirror@5.65.16/lib/codemirror.css">
+    <style>.CodeMirror { border: 1px solid #ccc; height: 200px; }</style>
+</head>
+<body>
+    <h1>CodeMirror 5 with sibling input</h1>
+    <form id="richtext-form" method="post" action="/richtext_submit">
+        <input id="outer-title" name="outer-title" placeholder="Title" type="search" autofocus>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
+        <input type="hidden" name="content" id="content-sync">
+        <button type="submit" id="submit">Submit</button>
+    </form>
+    <script src="https://cdn.jsdelivr.net/npm/codemirror@5.65.16/lib/codemirror.js"></script>
+    <script>
+        const editor = CodeMirror.fromTextArea(document.getElementById('editor-inner'), {});
+        window.__editor = editor;
+        window.__editorContent = () => editor.getValue();
+        window.__editorReady = true;
+
+        document.getElementById('richtext-form').addEventListener('submit', function() {
+            document.getElementById('content-sync').value = window.__editorContent ? window.__editorContent() : '';
+        });
+        document.getElementById('outer-title').focus();
+    </script>
+</body>
+</html>
diff --git a/test/data/app/view/form/richtext/codemirror5.php b/test/data/app/view/form/richtext/codemirror5.php
@@ -10,13 +10,15 @@
 <body>
     <h1>CodeMirror 5</h1>
     <form id="richtext-form" method="post" action="/richtext_submit">
-        <textarea id="editor"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
         <input type="hidden" name="content" id="content-sync">
         <button type="submit" id="submit">Submit</button>
     </form>
     <script src="https://cdn.jsdelivr.net/npm/codemirror@5.65.16/lib/codemirror.js"></script>
     <script>
-        const editor = CodeMirror.fromTextArea(document.getElementById('editor'), {});
+        const editor = CodeMirror.fromTextArea(document.getElementById('editor-inner'), {});
         window.__editor = editor;
         window.__editorContent = () => editor.getValue();
         window.__editorReady = true;
diff --git a/test/data/app/view/form/richtext/monaco-with-sibling.php b/test/data/app/view/form/richtext/monaco-with-sibling.php
@@ -0,0 +1,40 @@
+<?php $initial = isset($_GET['initial']) ? $_GET['initial'] : ''; ?>
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>Monaco in iframe with sibling input</title>
+</head>
+<body>
+    <h1>Monaco in iframe with sibling input</h1>
+    <form id="outer-form" method="post" action="/richtext_submit">
+        <input id="outer-title" name="outer-title" placeholder="Title" type="search" autofocus>
+        <iframe id="monaco-frame" src="/form/richtext/monaco<?php echo $initial !== '' ? '?initial=' . urlencode($initial) : ''; ?>" style="width: 100%; height: 320px; border: 1px solid #ccc;"></iframe>
+        <input type="hidden" name="content" id="content-sync">
+        <button type="submit" id="submit">Submit</button>
+    </form>
+    <script>
+        window.__editorReady = false;
+        const frame = document.getElementById('monaco-frame');
+        frame.addEventListener('load', function () {
+            const poll = setInterval(function () {
+                try {
+                    if (frame.contentWindow && frame.contentWindow.__editorReady) {
+                        window.__editorReady = true;
+                        clearInterval(poll);
+                    }
+                } catch (e) {}
+            }, 100);
+        });
+        document.getElementById('outer-form').addEventListener('submit', function () {
+            try {
+                const getValue = frame.contentWindow && frame.contentWindow.__editorContent;
+                document.getElementById('content-sync').value = getValue ? getValue() : '';
+            } catch (e) {
+                document.getElementById('content-sync').value = '';
+            }
+        });
+        document.getElementById('outer-title').focus();
+    </script>
+</body>
+</html>
diff --git a/test/data/app/view/form/richtext/summernote.php b/test/data/app/view/form/richtext/summernote.php
@@ -9,21 +9,23 @@
 <body>
     <h1>Summernote</h1>
     <form id="richtext-form" method="post" action="/richtext_submit">
-        <div id="editor"></div>
+        <div id="editor">
+            <div id="editor-inner"></div>
+        </div>
         <input type="hidden" name="content" id="content-sync">
         <button type="submit" id="submit">Submit</button>
     </form>
     <script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
     <script src="https://cdn.jsdelivr.net/npm/summernote@0.9.0/dist/summernote-lite.min.js"></script>
     <script>
         $(document).ready(function() {
-            $('#editor').summernote({ height: 150 });
+            $('#editor-inner').summernote({ height: 150 });
             const initial = <?php echo json_encode($initial, JSON_UNESCAPED_UNICODE); ?>;
-            if (initial) $('#editor').summernote('code', initial.split(/\n{2,}/).map(p => '<p>' + p.replace(/</g, '&lt;') + '</p>').join(''));
-            window.__editor = $('#editor');
+            if (initial) $('#editor-inner').summernote('code', initial.split(/\n{2,}/).map(p => '<p>' + p.replace(/</g, '&lt;') + '</p>').join(''));
+            window.__editor = $('#editor-inner');
             window.__editorContent = () => {
                 const div = document.createElement('div');
-                div.innerHTML = $('#editor').summernote('code') || '';
+                div.innerHTML = $('#editor-inner').summernote('code') || '';
                 return (div.textContent || '').replace(/\u00a0/g, ' ').trim();
             };
             window.__editorReady = true;
diff --git a/test/data/app/view/form/richtext/tinymce-legacy.php b/test/data/app/view/form/richtext/tinymce-legacy.php
@@ -8,14 +8,16 @@
 <body>
     <h1>TinyMCE (iframe)</h1>
     <form id="richtext-form" method="post" action="/richtext_submit">
-        <textarea id="editor"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
         <input type="hidden" name="content" id="content-sync">
         <button type="submit" id="submit">Submit</button>
     </form>
     <script src="https://cdn.jsdelivr.net/npm/tinymce@6/tinymce.min.js" referrerpolicy="origin"></script>
     <script>
         tinymce.init({
-            selector: '#editor',
+            selector: '#editor-inner',
             license_key: 'gpl',
             promotion: false,
             setup: function(editor) {
diff --git a/test/helper/webapi.js b/test/helper/webapi.js
@@ -895,6 +895,56 @@ export function tests() {
         })
       })
     }
+
+    describe('rich editor with sibling focused input — no keystroke leak', function () {
+      async function openSiblingPage(page, initial) {
+        const q = initial != null ? `?initial=${encodeURIComponent(initial)}` : ''
+        await I.amOnPage(`/form/richtext/${page}${q}`)
+        await I.waitForFunction(() => window.__editorReady === true, [], 30)
+      }
+
+      const siblingCases = [
+        { name: 'iframe editor (Monaco)',              page: 'monaco-with-sibling',      selector: 'iframe',       path: 'IFRAME' },
+        { name: 'hidden-textarea editor (CodeMirror)', page: 'codemirror5-with-sibling', selector: '#editor',      path: 'HIDDEN_TEXTAREA' },
+        { name: 'contenteditable editor (CKEditor 5)', page: 'ckeditor5-with-sibling',   selector: '#editor',      path: 'CONTENTEDITABLE' },
+      ]
+
+      for (const tc of siblingCases) {
+        describe(tc.name, () => {
+          it(`fillField via ${tc.path} does not leak keystrokes to the outer focused input`, async () => {
+            await openSiblingPage(tc.page)
+            await I.fillField(tc.selector, 'Hello rich text world')
+            expect(await I.grabValueFrom('#outer-title')).to.equal('')
+            await I.click('#submit')
+            await I.waitForElement('#result', 15)
+            expect(await I.grabTextFrom('#result')).to.include('Hello rich text world')
+          })
+
+          it(`fillField via ${tc.path} clears pre-populated content without touching the outer input`, async () => {
+            await openSiblingPage(tc.page, 'PREVIOUSLY ENTERED DATA')
+            await I.fillField(tc.selector, 'fresh replacement text')
+            expect(await I.grabValueFrom('#outer-title')).to.equal('')
+            await I.click('#submit')
+            await I.waitForElement('#result', 15)
+            const submitted = await I.grabTextFrom('#result')
+            expect(submitted).to.include('fresh replacement text')
+            expect(submitted).to.not.include('PREVIOUSLY ENTERED DATA')
+          })
+        })
+      }
+
+      it('throws instead of leaking when locator points at a hidden backing element', async () => {
+        await openSiblingPage('codemirror5-with-sibling')
+        let caught = null
+        try {
+          await I.fillField('#editor-inner', 'should-not-leak')
+        } catch (e) {
+          caught = e
+        }
+        expect(caught, 'fillField on a display:none backing textarea must throw').to.not.equal(null)
+        expect(await I.grabValueFrom('#outer-title')).to.equal('')
+      })
+    })
   })
 
   describe('#clearField', () => {
