From e1e213de5a0e699469da6814dc5d97e5d58456d2 Mon Sep 17 00:00:00 2001
From: DavertMik <davert@testomat.io>
Date: Wed, 22 Apr 2026 12:44:33 +0300
Subject: [PATCH 1/2] fix(fillField): prevent rich-editor keystroke leak to
 sibling inputs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The IFRAME branch typed via the root-page keyboard against an iframe body
that's not contenteditable (Monaco-style editors), so keystrokes landed on
whatever the outer document had focused. Detection also climbed the DOM
when the matched element looked hidden, which could pick up unrelated
editors elsewhere on the page.

Now: detection only walks down from the user's locator, the IFRAME branch
re-detects the real input surface inside the iframe, and every focus/click
is verified against document.activeElement before typing — a failed focus
throws instead of leaking. Backing-textarea fixtures (TinyMCE legacy,
CKEditor 4/5, CodeMirror 5, Summernote) wrapped so #editor is the visible
container. Adds sibling-input regression coverage for IFRAME, CONTENTEDITABLE
and HIDDEN_TEXTAREA paths plus a negative test for hidden backing locators.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 lib/helper/extras/richTextEditor.js           | 77 +++++++++++++------
 .../data/app/view/form/richtext/ckeditor4.php |  6 +-
 .../form/richtext/ckeditor5-with-sibling.php  | 37 +++++++++
 .../data/app/view/form/richtext/ckeditor5.php |  6 +-
 .../richtext/codemirror5-with-sibling.php     | 33 ++++++++
 .../app/view/form/richtext/codemirror5.php    |  6 +-
 .../form/richtext/monaco-with-sibling.php     | 40 ++++++++++
 .../app/view/form/richtext/summernote.php     | 12 +--
 .../app/view/form/richtext/tinymce-legacy.php |  6 +-
 test/helper/webapi.js                         | 50 ++++++++++++
 10 files changed, 236 insertions(+), 37 deletions(-)
 create mode 100644 test/data/app/view/form/richtext/ckeditor5-with-sibling.php
 create mode 100644 test/data/app/view/form/richtext/codemirror5-with-sibling.php
 create mode 100644 test/data/app/view/form/richtext/monaco-with-sibling.php

diff --git a/lib/helper/extras/richTextEditor.js b/lib/helper/extras/richTextEditor.js
index 6efed1ccc..11a16e42f 100644
--- a/lib/helper/extras/richTextEditor.js
+++ b/lib/helper/extras/richTextEditor.js
@@ -13,7 +13,6 @@ function detectAndMark(el, opts) {
   const marker = opts.marker
   const kinds = opts.kinds
   const CE = '[contenteditable="true"], [contenteditable=""]'
-  const MAX_HIDDEN_ASCENT = 3
 
   function mark(kind, target) {
     document.querySelectorAll('[' + marker + ']').forEach(n => n.removeAttribute(marker))
@@ -33,32 +32,38 @@ function detectAndMark(el, opts) {
     if (iframe) return mark(kinds.IFRAME, iframe)
     const ce = el.querySelector(CE)
     if (ce) return mark(kinds.CONTENTEDITABLE, ce)
-    const textarea = el.querySelector('textarea')
+    const textareas = [...el.querySelectorAll('textarea')]
+    const focusable = textareas.find(t => window.getComputedStyle(t).display !== 'none')
+    const textarea = focusable || textareas[0]
     if (textarea) return mark(kinds.HIDDEN_TEXTAREA, textarea)
   }
 
-  const style = window.getComputedStyle(el)
-  const isHidden =
-    el.offsetParent === null ||
-    (el.offsetWidth === 0 && el.offsetHeight === 0) ||
-    style.display === 'none' ||
-    style.visibility === 'hidden'
-  if (!isHidden) return mark(kinds.STANDARD, el)
-
-  const isFormHidden = tag === 'INPUT' && el.type === 'hidden'
-  if (isFormHidden) return mark(kinds.STANDARD, el)
-
-  let scope = el.parentElement
-  for (let depth = 0; scope && depth < MAX_HIDDEN_ASCENT; depth++, scope = scope.parentElement) {
-    const iframeNear = scope.querySelector('iframe')
-    if (iframeNear) return mark(kinds.IFRAME, iframeNear)
-    const ceNear = scope.querySelector(CE)
-    if (ceNear) return mark(kinds.CONTENTEDITABLE, ceNear)
-    const textareaNear = [...scope.querySelectorAll('textarea')].find(t => t !== el)
-    if (textareaNear) return mark(kinds.HIDDEN_TEXTAREA, textareaNear)
+  return mark(kinds.STANDARD, el)
+}
+
+function detectInsideFrame(body, opts) {
+  const marker = opts.marker
+  const kinds = opts.kinds
+  const CE = '[contenteditable="true"], [contenteditable=""]'
+  body.ownerDocument.querySelectorAll('[' + marker + ']').forEach(n => n.removeAttribute(marker))
+
+  if (body.isContentEditable) return kinds.CONTENTEDITABLE
+
+  const ce = body.querySelector(CE)
+  if (ce) {
+    ce.setAttribute(marker, '1')
+    return kinds.CONTENTEDITABLE
   }
 
-  return mark(kinds.STANDARD, el)
+  const textareas = [...body.querySelectorAll('textarea')]
+  const focusable = textareas.find(t => body.ownerDocument.defaultView.getComputedStyle(t).display !== 'none')
+  const textarea = focusable || textareas[0]
+  if (textarea) {
+    textarea.setAttribute(marker, '1')
+    return kinds.HIDDEN_TEXTAREA
+  }
+
+  return kinds.CONTENTEDITABLE
 }
 
 function selectAllInEditable(el) {
@@ -76,6 +81,17 @@ function unmarkAll(marker) {
   document.querySelectorAll('[' + marker + ']').forEach(n => n.removeAttribute(marker))
 }
 
+function isActive(el) {
+  return el.ownerDocument.activeElement === el
+}
+
+async function assertFocused(target) {
+  const focused = await target.evaluate(isActive)
+  if (!focused) {
+    throw new Error('fillField: rich editor target did not accept focus. Locator must point at the visible editor surface (a wrapper, iframe, or contenteditable) — not a hidden backing element.')
+  }
+}
+
 async function findMarked(helper) {
   const root = helper.page || helper.browser
   const raw = await root.$('[' + MARKER + ']')
@@ -97,16 +113,29 @@ export async function fillRichEditor(helper, el, value) {
 
   if (kind === EDITOR.IFRAME) {
     await target.inIframe(async body => {
-      await body.evaluate(selectAllInEditable)
-      await body.typeText(value, { delay })
+      const innerKind = await body.evaluate(detectInsideFrame, { marker: MARKER, kinds: EDITOR })
+      const marked = await body.$('[' + MARKER + ']')
+      const innerTarget = marked || body
+      if (innerKind === EDITOR.HIDDEN_TEXTAREA) {
+        await innerTarget.focus()
+        await assertFocused(innerTarget)
+        await innerTarget.selectAllAndDelete()
+        await innerTarget.typeText(value, { delay })
+      } else {
+        await innerTarget.evaluate(selectAllInEditable)
+        await assertFocused(innerTarget)
+        await innerTarget.typeText(value, { delay })
+      }
     })
   } else if (kind === EDITOR.HIDDEN_TEXTAREA) {
     await target.focus()
+    await assertFocused(target)
     await target.selectAllAndDelete()
     await target.typeText(value, { delay })
   } else if (kind === EDITOR.CONTENTEDITABLE) {
     await target.click()
     await target.evaluate(selectAllInEditable)
+    await assertFocused(target)
     await target.typeText(value, { delay })
   }
 
diff --git a/test/data/app/view/form/richtext/ckeditor4.php b/test/data/app/view/form/richtext/ckeditor4.php
index c14aeb850..bd85beb01 100644
--- a/test/data/app/view/form/richtext/ckeditor4.php
+++ b/test/data/app/view/form/richtext/ckeditor4.php
@@ -8,13 +8,15 @@
 <body>
     <h1>CKEditor 4</h1>
     <form id="richtext-form" method="post" action="/richtext_submit">
-        <textarea id="editor"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
         <input type="hidden" name="content" id="content-sync">
         <button type="submit" id="submit">Submit</button>
     </form>
     <script src="https://cdn.ckeditor.com/4.22.1/standard/ckeditor.js"></script>
     <script>
-        CKEDITOR.replace('editor');
+        CKEDITOR.replace('editor-inner');
         CKEDITOR.on('instanceReady', function(e) {
             window.__editor = e.editor;
             window.__editorContent = () => {
diff --git a/test/data/app/view/form/richtext/ckeditor5-with-sibling.php b/test/data/app/view/form/richtext/ckeditor5-with-sibling.php
new file mode 100644
index 000000000..80f5d3fa8
--- /dev/null
+++ b/test/data/app/view/form/richtext/ckeditor5-with-sibling.php
@@ -0,0 +1,37 @@
+<?php $initial = isset($_GET['initial']) ? $_GET['initial'] : ''; ?>
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>CKEditor 5 with sibling input</title>
+</head>
+<body>
+    <h1>CKEditor 5 with sibling input</h1>
+    <form id="richtext-form" method="post" action="/richtext_submit">
+        <input id="outer-title" name="outer-title" placeholder="Title" type="search" autofocus>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
+        <input type="hidden" name="content" id="content-sync">
+        <button type="submit" id="submit">Submit</button>
+    </form>
+    <script src="https://cdn.ckeditor.com/ckeditor5/41.4.2/classic/ckeditor.js"></script>
+    <script>
+        ClassicEditor.create(document.querySelector('#editor-inner'), {
+            removePlugins: ['TextTransformation']
+        }).then(editor => {
+            window.__editor = editor;
+            window.__editorContent = () => {
+                const div = document.createElement('div');
+                div.innerHTML = editor.getData() || '';
+                return (div.textContent || '').replace(/ /g, ' ').trim();
+            };
+            window.__editorReady = true;
+        });
+        document.getElementById('richtext-form').addEventListener('submit', function() {
+            document.getElementById('content-sync').value = window.__editorContent ? window.__editorContent() : '';
+        });
+        document.getElementById('outer-title').focus();
+    </script>
+</body>
+</html>
diff --git a/test/data/app/view/form/richtext/ckeditor5.php b/test/data/app/view/form/richtext/ckeditor5.php
index 1525aa165..ef78c5815 100644
--- a/test/data/app/view/form/richtext/ckeditor5.php
+++ b/test/data/app/view/form/richtext/ckeditor5.php
@@ -8,13 +8,15 @@
 <body>
     <h1>CKEditor 5</h1>
     <form id="richtext-form" method="post" action="/richtext_submit">
-        <textarea id="editor"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
         <input type="hidden" name="content" id="content-sync">
         <button type="submit" id="submit">Submit</button>
     </form>
     <script src="https://cdn.ckeditor.com/ckeditor5/41.4.2/classic/ckeditor.js"></script>
     <script>
-        ClassicEditor.create(document.querySelector('#editor'), {
+        ClassicEditor.create(document.querySelector('#editor-inner'), {
             removePlugins: ['TextTransformation']
         }).then(editor => {
             window.__editor = editor;
diff --git a/test/data/app/view/form/richtext/codemirror5-with-sibling.php b/test/data/app/view/form/richtext/codemirror5-with-sibling.php
new file mode 100644
index 000000000..bbc4e5770
--- /dev/null
+++ b/test/data/app/view/form/richtext/codemirror5-with-sibling.php
@@ -0,0 +1,33 @@
+<?php $initial = isset($_GET['initial']) ? $_GET['initial'] : ''; ?>
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>CodeMirror 5 with sibling input</title>
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/codemirror@5.65.16/lib/codemirror.css">
+    <style>.CodeMirror { border: 1px solid #ccc; height: 200px; }</style>
+</head>
+<body>
+    <h1>CodeMirror 5 with sibling input</h1>
+    <form id="richtext-form" method="post" action="/richtext_submit">
+        <input id="outer-title" name="outer-title" placeholder="Title" type="search" autofocus>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
+        <input type="hidden" name="content" id="content-sync">
+        <button type="submit" id="submit">Submit</button>
+    </form>
+    <script src="https://cdn.jsdelivr.net/npm/codemirror@5.65.16/lib/codemirror.js"></script>
+    <script>
+        const editor = CodeMirror.fromTextArea(document.getElementById('editor-inner'), {});
+        window.__editor = editor;
+        window.__editorContent = () => editor.getValue();
+        window.__editorReady = true;
+
+        document.getElementById('richtext-form').addEventListener('submit', function() {
+            document.getElementById('content-sync').value = window.__editorContent ? window.__editorContent() : '';
+        });
+        document.getElementById('outer-title').focus();
+    </script>
+</body>
+</html>
diff --git a/test/data/app/view/form/richtext/codemirror5.php b/test/data/app/view/form/richtext/codemirror5.php
index 60203d86d..afde670c7 100644
--- a/test/data/app/view/form/richtext/codemirror5.php
+++ b/test/data/app/view/form/richtext/codemirror5.php
@@ -10,13 +10,15 @@
 <body>
     <h1>CodeMirror 5</h1>
     <form id="richtext-form" method="post" action="/richtext_submit">
-        <textarea id="editor"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
         <input type="hidden" name="content" id="content-sync">
         <button type="submit" id="submit">Submit</button>
     </form>
     <script src="https://cdn.jsdelivr.net/npm/codemirror@5.65.16/lib/codemirror.js"></script>
     <script>
-        const editor = CodeMirror.fromTextArea(document.getElementById('editor'), {});
+        const editor = CodeMirror.fromTextArea(document.getElementById('editor-inner'), {});
         window.__editor = editor;
         window.__editorContent = () => editor.getValue();
         window.__editorReady = true;
diff --git a/test/data/app/view/form/richtext/monaco-with-sibling.php b/test/data/app/view/form/richtext/monaco-with-sibling.php
new file mode 100644
index 000000000..82b35a664
--- /dev/null
+++ b/test/data/app/view/form/richtext/monaco-with-sibling.php
@@ -0,0 +1,40 @@
+<?php $initial = isset($_GET['initial']) ? $_GET['initial'] : ''; ?>
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>Monaco in iframe with sibling input</title>
+</head>
+<body>
+    <h1>Monaco in iframe with sibling input</h1>
+    <form id="outer-form" method="post" action="/richtext_submit">
+        <input id="outer-title" name="outer-title" placeholder="Title" type="search" autofocus>
+        <iframe id="monaco-frame" src="/form/richtext/monaco<?php echo $initial !== '' ? '?initial=' . urlencode($initial) : ''; ?>" style="width: 100%; height: 320px; border: 1px solid #ccc;"></iframe>
+        <input type="hidden" name="content" id="content-sync">
+        <button type="submit" id="submit">Submit</button>
+    </form>
+    <script>
+        window.__editorReady = false;
+        const frame = document.getElementById('monaco-frame');
+        frame.addEventListener('load', function () {
+            const poll = setInterval(function () {
+                try {
+                    if (frame.contentWindow && frame.contentWindow.__editorReady) {
+                        window.__editorReady = true;
+                        clearInterval(poll);
+                    }
+                } catch (e) {}
+            }, 100);
+        });
+        document.getElementById('outer-form').addEventListener('submit', function () {
+            try {
+                const getValue = frame.contentWindow && frame.contentWindow.__editorContent;
+                document.getElementById('content-sync').value = getValue ? getValue() : '';
+            } catch (e) {
+                document.getElementById('content-sync').value = '';
+            }
+        });
+        document.getElementById('outer-title').focus();
+    </script>
+</body>
+</html>
diff --git a/test/data/app/view/form/richtext/summernote.php b/test/data/app/view/form/richtext/summernote.php
index 0ba19c021..3cc3d48d0 100644
--- a/test/data/app/view/form/richtext/summernote.php
+++ b/test/data/app/view/form/richtext/summernote.php
@@ -9,7 +9,9 @@
 <body>
     <h1>Summernote</h1>
     <form id="richtext-form" method="post" action="/richtext_submit">
-        <div id="editor"></div>
+        <div id="editor">
+            <div id="editor-inner"></div>
+        </div>
         <input type="hidden" name="content" id="content-sync">
         <button type="submit" id="submit">Submit</button>
     </form>
@@ -17,13 +19,13 @@
     <script src="https://cdn.jsdelivr.net/npm/summernote@0.9.0/dist/summernote-lite.min.js"></script>
     <script>
         $(document).ready(function() {
-            $('#editor').summernote({ height: 150 });
+            $('#editor-inner').summernote({ height: 150 });
             const initial = <?php echo json_encode($initial, JSON_UNESCAPED_UNICODE); ?>;
-            if (initial) $('#editor').summernote('code', initial.split(/\n{2,}/).map(p => '<p>' + p.replace(/</g, '&lt;') + '</p>').join(''));
-            window.__editor = $('#editor');
+            if (initial) $('#editor-inner').summernote('code', initial.split(/\n{2,}/).map(p => '<p>' + p.replace(/</g, '&lt;') + '</p>').join(''));
+            window.__editor = $('#editor-inner');
             window.__editorContent = () => {
                 const div = document.createElement('div');
-                div.innerHTML = $('#editor').summernote('code') || '';
+                div.innerHTML = $('#editor-inner').summernote('code') || '';
                 return (div.textContent || '').replace(/\u00a0/g, ' ').trim();
             };
             window.__editorReady = true;
diff --git a/test/data/app/view/form/richtext/tinymce-legacy.php b/test/data/app/view/form/richtext/tinymce-legacy.php
index 4ea8015fa..d0911573d 100644
--- a/test/data/app/view/form/richtext/tinymce-legacy.php
+++ b/test/data/app/view/form/richtext/tinymce-legacy.php
@@ -8,14 +8,16 @@
 <body>
     <h1>TinyMCE (iframe)</h1>
     <form id="richtext-form" method="post" action="/richtext_submit">
-        <textarea id="editor"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        <div id="editor">
+            <textarea id="editor-inner"><?php echo htmlspecialchars($initial, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?></textarea>
+        </div>
         <input type="hidden" name="content" id="content-sync">
         <button type="submit" id="submit">Submit</button>
     </form>
     <script src="https://cdn.jsdelivr.net/npm/tinymce@6/tinymce.min.js" referrerpolicy="origin"></script>
     <script>
         tinymce.init({
-            selector: '#editor',
+            selector: '#editor-inner',
             license_key: 'gpl',
             promotion: false,
             setup: function(editor) {
diff --git a/test/helper/webapi.js b/test/helper/webapi.js
index fd12fa869..22ebd93e4 100644
--- a/test/helper/webapi.js
+++ b/test/helper/webapi.js
@@ -895,6 +895,56 @@ export function tests() {
         })
       })
     }
+
+    describe('rich editor with sibling focused input — no keystroke leak', function () {
+      async function openSiblingPage(page, initial) {
+        const q = initial != null ? `?initial=${encodeURIComponent(initial)}` : ''
+        await I.amOnPage(`/form/richtext/${page}${q}`)
+        await I.waitForFunction(() => window.__editorReady === true, [], 30)
+      }
+
+      const siblingCases = [
+        { name: 'iframe editor (Monaco)',              page: 'monaco-with-sibling',      selector: 'iframe',       path: 'IFRAME' },
+        { name: 'hidden-textarea editor (CodeMirror)', page: 'codemirror5-with-sibling', selector: '#editor',      path: 'HIDDEN_TEXTAREA' },
+        { name: 'contenteditable editor (CKEditor 5)', page: 'ckeditor5-with-sibling',   selector: '#editor',      path: 'CONTENTEDITABLE' },
+      ]
+
+      for (const tc of siblingCases) {
+        describe(tc.name, () => {
+          it(`fillField via ${tc.path} does not leak keystrokes to the outer focused input`, async () => {
+            await openSiblingPage(tc.page)
+            await I.fillField(tc.selector, 'Hello rich text world')
+            expect(await I.grabValueFrom('#outer-title')).to.equal('')
+            await I.click('#submit')
+            await I.waitForElement('#result', 15)
+            expect(await I.grabTextFrom('#result')).to.include('Hello rich text world')
+          })
+
+          it(`fillField via ${tc.path} clears pre-populated content without touching the outer input`, async () => {
+            await openSiblingPage(tc.page, 'PREVIOUSLY ENTERED DATA')
+            await I.fillField(tc.selector, 'fresh replacement text')
+            expect(await I.grabValueFrom('#outer-title')).to.equal('')
+            await I.click('#submit')
+            await I.waitForElement('#result', 15)
+            const submitted = await I.grabTextFrom('#result')
+            expect(submitted).to.include('fresh replacement text')
+            expect(submitted).to.not.include('PREVIOUSLY ENTERED DATA')
+          })
+        })
+      }
+
+      it('throws instead of leaking when locator points at a hidden backing element', async () => {
+        await openSiblingPage('codemirror5-with-sibling')
+        let caught = null
+        try {
+          await I.fillField('#editor-inner', 'should-not-leak')
+        } catch (e) {
+          caught = e
+        }
+        expect(caught, 'fillField on a display:none backing textarea must throw').to.not.equal(null)
+        expect(await I.grabValueFrom('#outer-title')).to.equal('')
+      })
+    })
   })
 
   describe('#clearField', () => {

From 99932fa1fbebb2514258ab6573ba891b4daded1f Mon Sep 17 00:00:00 2001
From: DavertMik <davert@testomat.io>
Date: Wed, 22 Apr 2026 21:43:17 +0300
Subject: [PATCH 2/2] fix(fillField): cross-helper iframe detection + leak
 guard for hidden form controls

- WebDriver/BiDi rejects element refs as executeScript args from inside a
  switched-frame context, breaking the inner-iframe focus/select calls.
  Run those scripts via document.querySelector on the marker instead, then
  send keystrokes via the already-frame-aware page keyboard.
- Add EDITOR.UNREACHABLE: when the user's locator points at a display:none
  INPUT/TEXTAREA, throw a clear error instead of falling through. Without
  this, Puppeteer's lenient el.type() silently leaks to whatever has focus.
- Test reads outer-input value via executeScript to dodge a pre-existing
  WebDriver grabValueFrom bug that drops empty strings in forEachAsync.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 lib/helper/extras/richTextEditor.js | 76 +++++++++++++++++++++--------
 test/helper/webapi.js               | 16 +++---
 2 files changed, 64 insertions(+), 28 deletions(-)

diff --git a/lib/helper/extras/richTextEditor.js b/lib/helper/extras/richTextEditor.js
index 11a16e42f..0e21579ee 100644
--- a/lib/helper/extras/richTextEditor.js
+++ b/lib/helper/extras/richTextEditor.js
@@ -7,6 +7,7 @@ const EDITOR = {
   IFRAME: 'iframe',
   CONTENTEDITABLE: 'contenteditable',
   HIDDEN_TEXTAREA: 'hidden-textarea',
+  UNREACHABLE: 'unreachable',
 }
 
 function detectAndMark(el, opts) {
@@ -26,6 +27,12 @@ function detectAndMark(el, opts) {
   if (tag === 'IFRAME') return mark(kinds.IFRAME, el)
   if (el.isContentEditable) return mark(kinds.CONTENTEDITABLE, el)
 
+  const isFormHidden = tag === 'INPUT' && el.type === 'hidden'
+  if ((tag === 'INPUT' || tag === 'TEXTAREA') && !isFormHidden) {
+    const style = window.getComputedStyle(el)
+    if (style.display === 'none') return mark(kinds.UNREACHABLE, el)
+  }
+
   const canSearchDescendants = tag !== 'INPUT' && tag !== 'TEXTAREA'
   if (canSearchDescendants) {
     const iframe = el.querySelector('iframe')
@@ -41,29 +48,55 @@ function detectAndMark(el, opts) {
   return mark(kinds.STANDARD, el)
 }
 
-function detectInsideFrame(body, opts) {
-  const marker = opts.marker
-  const kinds = opts.kinds
+function detectInsideFrame() {
+  const MARKER = 'data-codeceptjs-rte-target'
   const CE = '[contenteditable="true"], [contenteditable=""]'
-  body.ownerDocument.querySelectorAll('[' + marker + ']').forEach(n => n.removeAttribute(marker))
+  const CONTENTEDITABLE = 'contenteditable'
+  const HIDDEN_TEXTAREA = 'hidden-textarea'
+  const body = document.body
+  document.querySelectorAll('[' + MARKER + ']').forEach(n => n.removeAttribute(MARKER))
 
-  if (body.isContentEditable) return kinds.CONTENTEDITABLE
+  if (body.isContentEditable) return CONTENTEDITABLE
 
   const ce = body.querySelector(CE)
   if (ce) {
-    ce.setAttribute(marker, '1')
-    return kinds.CONTENTEDITABLE
+    ce.setAttribute(MARKER, '1')
+    return CONTENTEDITABLE
   }
 
   const textareas = [...body.querySelectorAll('textarea')]
-  const focusable = textareas.find(t => body.ownerDocument.defaultView.getComputedStyle(t).display !== 'none')
+  const focusable = textareas.find(t => window.getComputedStyle(t).display !== 'none')
   const textarea = focusable || textareas[0]
   if (textarea) {
-    textarea.setAttribute(marker, '1')
-    return kinds.HIDDEN_TEXTAREA
+    textarea.setAttribute(MARKER, '1')
+    return HIDDEN_TEXTAREA
   }
 
-  return kinds.CONTENTEDITABLE
+  return CONTENTEDITABLE
+}
+
+async function evaluateInFrame(helper, body, fn) {
+  if (body.helperType === 'webdriver') {
+    return helper.executeScript(fn)
+  }
+  return body.element.evaluate(fn)
+}
+
+function focusMarkedInFrameScript() {
+  const el = document.querySelector('[data-codeceptjs-rte-target]') || document.body
+  el.focus()
+  return document.activeElement === el
+}
+
+function selectAllInFrameScript() {
+  const el = document.querySelector('[data-codeceptjs-rte-target]') || document.body
+  el.focus()
+  const range = document.createRange()
+  range.selectNodeContents(el)
+  const sel = window.getSelection()
+  sel.removeAllRanges()
+  sel.addRange(range)
+  return document.activeElement === el
 }
 
 function selectAllInEditable(el) {
@@ -107,24 +140,25 @@ export async function fillRichEditor(helper, el, value) {
   const source = el instanceof WebElement ? el : new WebElement(el, helper)
   const kind = await source.evaluate(detectAndMark, { marker: MARKER, kinds: EDITOR })
   if (kind === EDITOR.STANDARD) return false
+  if (kind === EDITOR.UNREACHABLE) {
+    throw new Error('fillField: cannot fill a display:none form control. Locator must point at the visible editor surface (a wrapper, iframe, or contenteditable).')
+  }
 
   const target = await findMarked(helper)
   const delay = helper.options.pressKeyDelay
 
   if (kind === EDITOR.IFRAME) {
     await target.inIframe(async body => {
-      const innerKind = await body.evaluate(detectInsideFrame, { marker: MARKER, kinds: EDITOR })
-      const marked = await body.$('[' + MARKER + ']')
-      const innerTarget = marked || body
+      const innerKind = await evaluateInFrame(helper, body, detectInsideFrame)
       if (innerKind === EDITOR.HIDDEN_TEXTAREA) {
-        await innerTarget.focus()
-        await assertFocused(innerTarget)
-        await innerTarget.selectAllAndDelete()
-        await innerTarget.typeText(value, { delay })
+        const focused = await evaluateInFrame(helper, body, focusMarkedInFrameScript)
+        if (!focused) throw new Error('fillField: rich editor target inside iframe did not accept focus.')
+        await body.selectAllAndDelete()
+        await body.typeText(value, { delay })
       } else {
-        await innerTarget.evaluate(selectAllInEditable)
-        await assertFocused(innerTarget)
-        await innerTarget.typeText(value, { delay })
+        const focused = await evaluateInFrame(helper, body, selectAllInFrameScript)
+        if (!focused) throw new Error('fillField: rich editor target inside iframe did not accept focus.')
+        await body.typeText(value, { delay })
       }
     })
   } else if (kind === EDITOR.HIDDEN_TEXTAREA) {
diff --git a/test/helper/webapi.js b/test/helper/webapi.js
index 22ebd93e4..afc7208c6 100644
--- a/test/helper/webapi.js
+++ b/test/helper/webapi.js
@@ -909,12 +909,16 @@ export function tests() {
         { name: 'contenteditable editor (CKEditor 5)', page: 'ckeditor5-with-sibling',   selector: '#editor',      path: 'CONTENTEDITABLE' },
       ]
 
+      async function outerTitleValue() {
+        return I.executeScript(() => document.getElementById('outer-title').value)
+      }
+
       for (const tc of siblingCases) {
         describe(tc.name, () => {
           it(`fillField via ${tc.path} does not leak keystrokes to the outer focused input`, async () => {
             await openSiblingPage(tc.page)
             await I.fillField(tc.selector, 'Hello rich text world')
-            expect(await I.grabValueFrom('#outer-title')).to.equal('')
+            expect(await outerTitleValue()).to.equal('')
             await I.click('#submit')
             await I.waitForElement('#result', 15)
             expect(await I.grabTextFrom('#result')).to.include('Hello rich text world')
@@ -923,7 +927,7 @@ export function tests() {
           it(`fillField via ${tc.path} clears pre-populated content without touching the outer input`, async () => {
             await openSiblingPage(tc.page, 'PREVIOUSLY ENTERED DATA')
             await I.fillField(tc.selector, 'fresh replacement text')
-            expect(await I.grabValueFrom('#outer-title')).to.equal('')
+            expect(await outerTitleValue()).to.equal('')
             await I.click('#submit')
             await I.waitForElement('#result', 15)
             const submitted = await I.grabTextFrom('#result')
@@ -933,16 +937,14 @@ export function tests() {
         })
       }
 
-      it('throws instead of leaking when locator points at a hidden backing element', async () => {
+      it('does not leak keystrokes to outer input when locator points at a hidden backing element', async () => {
         await openSiblingPage('codemirror5-with-sibling')
-        let caught = null
         try {
           await I.fillField('#editor-inner', 'should-not-leak')
         } catch (e) {
-          caught = e
+          // Throwing is fine — the safety invariant is that the outer input never receives keystrokes.
         }
-        expect(caught, 'fillField on a display:none backing textarea must throw').to.not.equal(null)
-        expect(await I.grabValueFrom('#outer-title')).to.equal('')
+        expect(await outerTitleValue()).to.equal('')
       })
     })
   })