diff --git a/forms/TableListField.php b/forms/TableListField.php
index ac76bf36a..18a866233 100755
--- a/forms/TableListField.php
+++ b/forms/TableListField.php
@@ -1178,6 +1178,28 @@ JS
 		return $link;
 	}
+
+	/**
+	 * Overloaded to automatically add security token.
+	 *
+	 * @param String $action
+	 * @return String
+	 */
+	function Link($action = null) {
+		$form = $this->getForm();
+		if($form) {
+			$token = $form->getSecurityToken();
+			$parentUrlParts = parse_url(parent::Link($action));
+			$queryPart = (isset($parentUrlParts['query'])) ? '?' . $parentUrlParts['query'] : null;
+			// Ensure that URL actions not routed through Form->httpSubmission() are protected against CSRF attacks.
+			if($form->securityTokenEnabled()) $queryPart = $token->addtoUrl($queryPart);
+			return Controller::join_links($parentUrlParts['path'], $action, $queryPart);
+		} else {
+			// allow for instanciation of this FormField outside of a controller/form
+			// context (e.g. for unit tests)
+			return false;
+		}
+	}
 	function BaseLink() {
 		user_error("TableListField::BaseLink() deprecated, use Link() instead", E_USER_NOTICE);
@@ -1414,9 +1436,12 @@ class TableListField_Item extends ViewableData {
 	}
 	function Link($action = null) {
-		if($this->parent->getForm()) {
+		$form = $this->parent->getForm();
+		if($form) {
 			$parentUrlParts = parse_url($this->parent->Link());
 			$queryPart = (isset($parentUrlParts['query'])) ? '?' . $parentUrlParts['query'] : null;
+			// Ensure that URL actions not routed through Form->httpSubmission() are protected against CSRF attacks.
+			if($form->securityTokenEnabled()) $queryPart = $token->addtoUrl($queryPart);
 			return Controller::join_links($parentUrlParts['path'], 'item', $this->item->ID, $action, $queryPart);
 		} else {
 			// allow for instanciation of this FormField outside of a controller/form
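Review bot: In the new `TableListField::Link()`, `Controller::join_links($parentUrlParts['path'], $action, $queryPart)` appends `$action` to a path that was parsed from `parent::Link($action)`; if the parent implementation already places `$action` in the path (FormField::Link does upstream, as far as I can tell from outside this hunk), the action segment is emitted twice in the generated URL, so either parse `parent::Link()` without the action or drop `$action` from the join. The docblock promises `@return String` while the no-form branch returns `false`; `@return String|false` would describe the contract honestly, since the token guard only applies on the form branch. Minor: `$token->addtoUrl(...)` resolves only because PHP method names are case-insensitive; writing it as the declared `addToUrl` keeps grep and static analysis working.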
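Review bot: In `TableListField_Item::Link()` the added line `if($form->securityTokenEnabled()) $queryPart = $token->addtoUrl($queryPart);` uses `$token`, which this method never assigns, so with security tokens enabled (the default the comment is protecting) every item link produces a call on an undefined variable and a fatal "call to a member function on a non-object" instead of a CSRF-protected URL. The sibling `TableListField::Link()` in the first hunk obtains it with `$token = $form->getSecurityToken();`; the same line belongs here directly after `if($form) {`. Note also that `$this->parent->Link()` now already carries the token in its query part when enabled, so adding it a second time here is likely redundant and, depending on how addToUrl merges an existing query string, may duplicate the parameter. The method body continues past the end of the hunk.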