fix(fillField): prevent rich-editor keystroke leak to sibling inputs (#5531)

DavertMik · DavertMik · claude · web-flow · commit f40a32c82caf · 2026-04-22T22:26:35.000Z
* fix(fillField): prevent rich-editor keystroke leak to sibling inputs

The IFRAME branch typed via the root-page keyboard against an iframe body
that's not contenteditable (Monaco-style editors), so keystrokes landed on
whatever the outer document had focused. Detection also climbed the DOM
when the matched element looked hidden, which could pick up unrelated
editors elsewhere on the page.

Now: detection only walks down from the user's locator, the IFRAME branch
re-detects the real input surface inside the iframe, and every focus/click
is verified against document.activeElement before typing — a failed focus
throws instead of leaking. Backing-textarea fixtures (TinyMCE legacy,
CKEditor 4/5, CodeMirror 5, Summernote) wrapped so #editor is the visible
container. Adds sibling-input regression coverage for IFRAME, CONTENTEDITABLE
and HIDDEN_TEXTAREA paths plus a negative test for hidden backing locators.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;

* fix(fillField): cross-helper iframe detection + leak guard for hidden form controls

- WebDriver/BiDi rejects element refs as executeScript args from inside a
  switched-frame context, breaking the inner-iframe focus/select calls.
  Run those scripts via document.querySelector on the marker instead, then
  send keystrokes via the already-frame-aware page keyboard.
- Add EDITOR.UNREACHABLE: when the user's locator points at a display:none
  INPUT/TEXTAREA, throw a clear error instead of falling through. Without
  this, Puppeteer's lenient el.type() silently leaks to whatever has focus.
- Test reads outer-input value via executeScript to dodge a pre-existing
  WebDriver grabValueFrom bug that drops empty strings in forEachAsync.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: DavertMik &lt;davert@testomat.io&gt;
Co-authored-by: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/lib/helper/extras/richTextEditor.js b/lib/helper/extras/richTextEditor.js
@@ -7,13 +7,13 @@ const EDITOR = {
   IFRAME: 'iframe',
   CONTENTEDITABLE: 'contenteditable',
   HIDDEN_TEXTAREA: 'hidden-textarea',
+  UNREACHABLE: 'unreachable',
 }
 
 function detectAndMark(el, opts) {
   const marker = opts.marker
   const kinds = opts.kinds
   const CE = '[contenteditable="true"], [contenteditable=""]'
-  const MAX_HIDDEN_ASCENT = 3
 
   function mark(kind, target) {
     document.querySelectorAll('[' + marker + ']').forEach(n => n.removeAttribute(marker))
@@ -27,38 +27,76 @@ function detectAndMark(el, opts) {
   if (tag === 'IFRAME') return mark(kinds.IFRAME, el)
   if (el.isContentEditable) return mark(kinds.CONTENTEDITABLE, el)
 
+  const isFormHidden = tag === 'INPUT' && el.type === 'hidden'
+  if ((tag === 'INPUT' || tag === 'TEXTAREA') && !isFormHidden) {
+    const style = window.getComputedStyle(el)
+    if (style.display === 'none') return mark(kinds.UNREACHABLE, el)
+  }
+
   const canSearchDescendants = tag !== 'INPUT' && tag !== 'TEXTAREA'
   if (canSearchDescendants) {
     const iframe = el.querySelector('iframe')
     if (iframe) return mark(kinds.IFRAME, iframe)
     const ce = el.querySelector(CE)
     if (ce) return mark(kinds.CONTENTEDITABLE, ce)
-    const textarea = el.querySelector('textarea')
+    const textareas = [...el.querySelectorAll('textarea')]
+    const focusable = textareas.find(t => window.getComputedStyle(t).display !== 'none')
+    const textarea = focusable || textareas[0]
     if (textarea) return mark(kinds.HIDDEN_TEXTAREA, textarea)
   }
 
-  const style = window.getComputedStyle(el)
-  const isHidden =
-    el.offsetParent === null ||
-    (el.offsetWidth === 0 && el.offsetHeight === 0) ||
-    style.display === 'none' ||
-    style.visibility === 'hidden'
-  if (!isHidden) return mark(kinds.STANDARD, el)
+  return mark(kinds.STANDARD, el)
+}
+
+function detectInsideFrame() {
+  const MARKER = 'data-codeceptjs-rte-target'
+  const CE = '[contenteditable="true"], [contenteditable=""]'
+  const CONTENTEDITABLE = 'contenteditable'
+  const HIDDEN_TEXTAREA = 'hidden-textarea'
+  const body = document.body
+  document.querySelectorAll('[' + MARKER + ']').forEach(n => n.removeAttribute(MARKER))
 
-  const isFormHidden = tag === 'INPUT' && el.type === 'hidden'
-  if (isFormHidden) return mark(kinds.STANDARD, el)
-
-  let scope = el.parentElement
-  for (let depth = 0; scope && depth < MAX_HIDDEN_ASCENT; depth++, scope = scope.parentElement) {
-    const iframeNear = scope.querySelector('iframe')
-    if (iframeNear) return mark(kinds.IFRAME, iframeNear)
-    const ceNear = scope.querySelector(CE)
-    if (ceNear) return mark(kinds.CONTENTEDITABLE, ceNear)
-    const textareaNear = [...scope.querySelectorAll('textarea')].find(t => t !== el)
-    if (textareaNear) return mark(kinds.HIDDEN_TEXTAREA, textareaNear)
+  if (body.isContentEditable) return CONTENTEDITABLE
+
+  const ce = body.querySelector(CE)
+  if (ce) {
+    ce.setAttribute(MARKER, '1')
+    return CONTENTEDITABLE
   }
 
-  return mark(kinds.STANDARD, el)
+  const textareas = [...body.querySelectorAll('textarea')]
+  const focusable = textareas.find(t => window.getComputedStyle(t).display !== 'none')
+  const textarea = focusable || textareas[0]
+  if (textarea) {
+    textarea.setAttribute(MARKER, '1')
+    return HIDDEN_TEXTAREA
+  }
+
+  return CONTENTEDITABLE
+}
+
+async function evaluateInFrame(helper, body, fn) {
+  if (body.helperType === 'webdriver') {
+    return helper.executeScript(fn)
+  }
+  return body.element.evaluate(fn)
+}
+
+function focusMarkedInFrameScript() {
+  const el = document.querySelector('[data-codeceptjs-rte-target]') || document.body
+  el.focus()
+  return document.activeElement === el
+}
+
+function selectAllInFrameScript() {
+  const el = document.querySelector('[data-codeceptjs-rte-target]') || document.body
+  el.focus()
+  const range = document.createRange()
+  range.selectNodeContents(el)
+  const sel = window.getSelection()
+  sel.removeAllRanges()
+  sel.addRange(range)
+  return document.activeElement === el
 }
 
 function selectAllInEditable(el) {
@@ -76,6 +114,17 @@ function unmarkAll(marker) {
   document.querySelectorAll('[' + marker + ']').forEach(n => n.removeAttribute(marker))
 }
 
+function isActive(el) {
+  return el.ownerDocument.activeElement === el
+}
+
+async function assertFocused(target) {
+  const focused = await target.evaluate(isActive)
+  if (!focused) {
+    throw new Error('fillField: rich editor target did not accept focus. Locator must point at the visible editor surface (a wrapper, iframe, or contenteditable) — not a hidden backing element.')
+  }
+}
+
 async function findMarked(helper) {
   const root = helper.page || helper.browser
   const raw = await root.$('[' + MARKER + ']')
@@ -91,22 +140,36 @@ export async function fillRichEditor(helper, el, value) {
   const source = el instanceof WebElement ? el : new WebElement(el, helper)
   const kind = await source.evaluate(detectAndMark, { marker: MARKER, kinds: EDITOR })
   if (kind === EDITOR.STANDARD) return false
+  if (kind === EDITOR.UNREACHABLE) {
+    throw new Error('fillField: cannot fill a display:none form control. Locator must point at the visible editor surface (a wrapper, iframe, or contenteditable).')
+  }
 
   const target = await findMarked(helper)
   const delay = helper.options.pressKeyDelay
 
   if (kind === EDITOR.IFRAME) {
     await target.inIframe(async body => {
-      await body.evaluate(selectAllInEditable)
-      await body.typeText(value, { delay })
+      const innerKind = await evaluateInFrame(helper, body, detectInsideFrame)
+      if (innerKind === EDITOR.HIDDEN_TEXTAREA) {
+        const focused = await evaluateInFrame(helper, body, focusMarkedInFrameScript)
+        if (!focused) throw new Error('fillField: rich editor target inside iframe did not accept focus.')
+        await body.selectAllAndDelete()
+        await body.typeText(value, { delay })
+      } else {
+        const focused = await evaluateInFrame(helper, body, selectAllInFrameScript)
+        if (!focused) throw new Error('fillField: rich editor target inside iframe did not accept focus.')
+        await body.typeText(value, { delay })
+      }
     })
   } else if (kind === EDITOR.HIDDEN_TEXTAREA) {
     await target.focus()
+    await assertFocused(target)
     await target.selectAllAndDelete()
     await target.typeText(value, { delay })
   } else if (kind === EDITOR.CONTENTEDITABLE) {
     await target.click()
     await target.evaluate(selectAllInEditable)
+    await assertFocused(target)
     await target.typeText(value, { delay })
   }
 
diff --git a/test/data/app/view/form/richtext/ckeditor4.php b/test/data/app/view/form/richtext/ckeditor4.php
@@ -8,13 +8,15 @@
 <body>
     <h1>CKEditor 4</h1>
     <form id="richtext-form" method="post" action="/richtext_submit">
-        <textarea id="editor"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
         <input type="hidden" name="content" id="content-sync">
         <button type="submit" id="submit">Submit</button>
     </form>
     <script src="https://cdn.ckeditor.com/4.22.1/standard/ckeditor.js"></script>
     <script>
-        CKEDITOR.replace('editor');
+        CKEDITOR.replace('editor-inner');
         CKEDITOR.on('instanceReady', function(e) {
             window.__editor = e.editor;
             window.__editorContent = () => {
diff --git a/test/data/app/view/form/richtext/ckeditor5-with-sibling.php b/test/data/app/view/form/richtext/ckeditor5-with-sibling.php
@@ -0,0 +1,37 @@
+<?php $initial = isset($_GET['initial']) ? $_GET['initial'] : ''; ?>
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>CKEditor 5 with sibling input</title>
+</head>
+<body>
+    <h1>CKEditor 5 with sibling input</h1>
+    <form id="richtext-form" method="post" action="/richtext_submit">
+        <input id="outer-title" name="outer-title" placeholder="Title" type="search" autofocus>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
+        <input type="hidden" name="content" id="content-sync">
+        <button type="submit" id="submit">Submit</button>
+    </form>
+    <script src="https://cdn.ckeditor.com/ckeditor5/41.4.2/classic/ckeditor.js"></script>
+    <script>
+        ClassicEditor.create(document.querySelector('#editor-inner'), {
+            removePlugins: ['TextTransformation']
+        }).then(editor => {
+            window.__editor = editor;
+            window.__editorContent = () => {
+                const div = document.createElement('div');
+                div.innerHTML = editor.getData() || '';
+                return (div.textContent || '').replace(/ /g, ' ').trim();
+            };
+            window.__editorReady = true;
+        });
+        document.getElementById('richtext-form').addEventListener('submit', function() {
+            document.getElementById('content-sync').value = window.__editorContent ? window.__editorContent() : '';
+        });
+        document.getElementById('outer-title').focus();
+    </script>
+</body>
+</html>
diff --git a/test/data/app/view/form/richtext/ckeditor5.php b/test/data/app/view/form/richtext/ckeditor5.php
@@ -8,13 +8,15 @@
 <body>
     <h1>CKEditor 5</h1>
     <form id="richtext-form" method="post" action="/richtext_submit">
-        <textarea id="editor"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
         <input type="hidden" name="content" id="content-sync">
         <button type="submit" id="submit">Submit</button>
     </form>
     <script src="https://cdn.ckeditor.com/ckeditor5/41.4.2/classic/ckeditor.js"></script>
     <script>
-        ClassicEditor.create(document.querySelector('#editor'), {
+        ClassicEditor.create(document.querySelector('#editor-inner'), {
             removePlugins: ['TextTransformation']
         }).then(editor => {
             window.__editor = editor;
diff --git a/test/data/app/view/form/richtext/codemirror5-with-sibling.php b/test/data/app/view/form/richtext/codemirror5-with-sibling.php
@@ -0,0 +1,33 @@
+<?php $initial = isset($_GET['initial']) ? $_GET['initial'] : ''; ?>
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>CodeMirror 5 with sibling input</title>
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/codemirror@5.65.16/lib/codemirror.css">
+    <style>.CodeMirror { border: 1px solid #ccc; height: 200px; }</style>
+</head>
+<body>
+    <h1>CodeMirror 5 with sibling input</h1>
+    <form id="richtext-form" method="post" action="/richtext_submit">
+        <input id="outer-title" name="outer-title" placeholder="Title" type="search" autofocus>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
+        <input type="hidden" name="content" id="content-sync">
+        <button type="submit" id="submit">Submit</button>
+    </form>
+    <script src="https://cdn.jsdelivr.net/npm/codemirror@5.65.16/lib/codemirror.js"></script>
+    <script>
+        const editor = CodeMirror.fromTextArea(document.getElementById('editor-inner'), {});
+        window.__editor = editor;
+        window.__editorContent = () => editor.getValue();
+        window.__editorReady = true;
+
+        document.getElementById('richtext-form').addEventListener('submit', function() {
+            document.getElementById('content-sync').value = window.__editorContent ? window.__editorContent() : '';
+        });
+        document.getElementById('outer-title').focus();
+    </script>
+</body>
+</html>
diff --git a/test/data/app/view/form/richtext/codemirror5.php b/test/data/app/view/form/richtext/codemirror5.php
@@ -10,13 +10,15 @@
 <body>
     <h1>CodeMirror 5</h1>
     <form id="richtext-form" method="post" action="/richtext_submit">
-        <textarea id="editor"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
         <input type="hidden" name="content" id="content-sync">
         <button type="submit" id="submit">Submit</button>
     </form>
     <script src="https://cdn.jsdelivr.net/npm/codemirror@5.65.16/lib/codemirror.js"></script>
     <script>
-        const editor = CodeMirror.fromTextArea(document.getElementById('editor'), {});
+        const editor = CodeMirror.fromTextArea(document.getElementById('editor-inner'), {});
         window.__editor = editor;
         window.__editorContent = () => editor.getValue();
         window.__editorReady = true;
diff --git a/test/data/app/view/form/richtext/monaco-with-sibling.php b/test/data/app/view/form/richtext/monaco-with-sibling.php
@@ -0,0 +1,40 @@
+<?php $initial = isset($_GET['initial']) ? $_GET['initial'] : ''; ?>
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>Monaco in iframe with sibling input</title>
+</head>
+<body>
+    <h1>Monaco in iframe with sibling input</h1>
+    <form id="outer-form" method="post" action="/richtext_submit">
+        <input id="outer-title" name="outer-title" placeholder="Title" type="search" autofocus>
+        <iframe id="monaco-frame" src="/form/richtext/monaco<?php echo $initial !== '' ? '?initial=' . urlencode($initial) : ''; ?>" style="width: 100%; height: 320px; border: 1px solid #ccc;"></iframe>
+        <input type="hidden" name="content" id="content-sync">
+        <button type="submit" id="submit">Submit</button>
+    </form>
+    <script>
+        window.__editorReady = false;
+        const frame = document.getElementById('monaco-frame');
+        frame.addEventListener('load', function () {
+            const poll = setInterval(function () {
+                try {
+                    if (frame.contentWindow && frame.contentWindow.__editorReady) {
+                        window.__editorReady = true;
+                        clearInterval(poll);
+                    }
+                } catch (e) {}
+            }, 100);
+        });
+        document.getElementById('outer-form').addEventListener('submit', function () {
+            try {
+                const getValue = frame.contentWindow && frame.contentWindow.__editorContent;
+                document.getElementById('content-sync').value = getValue ? getValue() : '';
+            } catch (e) {
+                document.getElementById('content-sync').value = '';
+            }
+        });
+        document.getElementById('outer-title').focus();
+    </script>
+</body>
+</html>
diff --git a/test/data/app/view/form/richtext/summernote.php b/test/data/app/view/form/richtext/summernote.php
@@ -9,21 +9,23 @@
 <body>
     <h1>Summernote</h1>
     <form id="richtext-form" method="post" action="/richtext_submit">
-        <div id="editor"></div>
+        <div id="editor">
+            <div id="editor-inner"></div>
+        </div>
         <input type="hidden" name="content" id="content-sync">
         <button type="submit" id="submit">Submit</button>
     </form>
     <script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
     <script src="https://cdn.jsdelivr.net/npm/summernote@0.9.0/dist/summernote-lite.min.js"></script>
     <script>
         $(document).ready(function() {
-            $('#editor').summernote({ height: 150 });
+            $('#editor-inner').summernote({ height: 150 });
             const initial = <?php echo json_encode($initial, JSON_UNESCAPED_UNICODE); ?>;
-            if (initial) $('#editor').summernote('code', initial.split(/\n{2,}/).map(p => '<p>' + p.replace(/</g, '&lt;') + '</p>').join(''));
-            window.__editor = $('#editor');
+            if (initial) $('#editor-inner').summernote('code', initial.split(/\n{2,}/).map(p => '<p>' + p.replace(/</g, '&lt;') + '</p>').join(''));
+            window.__editor = $('#editor-inner');
             window.__editorContent = () => {
                 const div = document.createElement('div');
-                div.innerHTML = $('#editor').summernote('code') || '';
+                div.innerHTML = $('#editor-inner').summernote('code') || '';
                 return (div.textContent || '').replace(/\u00a0/g, ' ').trim();
             };
             window.__editorReady = true;
diff --git a/test/data/app/view/form/richtext/tinymce-legacy.php b/test/data/app/view/form/richtext/tinymce-legacy.php
@@ -8,14 +8,16 @@
 <body>
     <h1>TinyMCE (iframe)</h1>
     <form id="richtext-form" method="post" action="/richtext_submit">
-        <textarea id="editor"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
         <input type="hidden" name="content" id="content-sync">
         <button type="submit" id="submit">Submit</button>
     </form>
     <script src="https://cdn.jsdelivr.net/npm/tinymce@6/tinymce.min.js" referrerpolicy="origin"></script>
     <script>
         tinymce.init({
-            selector: '#editor',
+            selector: '#editor-inner',
             license_key: 'gpl',
             promotion: false,
             setup: function(editor) {
diff --git a/test/helper/webapi.js b/test/helper/webapi.js
