From 9c4e4747c9c39c5753436ec3c124156c4ea6b2d8 Mon Sep 17 00:00:00 2001
From: Hamish Friedlander <hamish@silverstripe.com>
Date: Sat, 28 Jul 2012 15:42:39 +1200
Subject: [PATCH] BUG 15e2efb55d broke the Page ListView.

---
 forms/gridfield/GridFieldDataColumns.php | 27 ++++++++++++++++++------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/forms/gridfield/GridFieldDataColumns.php b/forms/gridfield/GridFieldDataColumns.php
index 9d135c35a..34f993147 100644
--- a/forms/gridfield/GridFieldDataColumns.php
+++ b/forms/gridfield/GridFieldDataColumns.php
@@ -133,13 +133,14 @@ class GridFieldDataColumns implements GridField_ColumnProvider {
 			$value = $gridField->getDataFieldValue($record, $columnName);
 		}
 
-		$value = $this->formatValue($gridField, $record, $columnName, $value);
+		// Turn $value, whatever it is, into a HTML embeddable string
 		$value = $this->castValue($gridField, $columnName, $value);
+		// Make any formatting tweaks
+		$value = $this->formatValue($gridField, $record, $columnName, $value);
+		// Do any final escaping
 		$value = $this->escapeValue($gridField, $value);
 
-		return (is_object($value) && $value instanceof Object && $value->hasMethod('forTemplate')) 
-			? $value->forTemplate()
-			: Convert::raw2xml($value);
+		return $value;
 	}
 	
 	/**
@@ -200,6 +201,7 @@ class GridFieldDataColumns implements GridField_ColumnProvider {
 	}
 	
 	/**
+	 * Casts a field to a string which is safe to insert into HTML
 	 *
 	 * @param GridField $gridField
 	 * @param string $fieldName
@@ -207,11 +209,22 @@ class GridFieldDataColumns implements GridField_ColumnProvider {
 	 * @return string 
 	 */
 	protected function castValue($gridField, $fieldName, $value) {
+		// If a fieldCasting is specified, we assume the result is safe
 		if(array_key_exists($fieldName, $this->fieldCasting)) {
-			return $gridField->getCastedValue($value, $this->fieldCasting[$fieldName]);
-		} elseif(is_object($value) && method_exists($value, 'Nice')) {
-			return $value->Nice();
+			$value = $gridField->getCastedValue($value, $this->fieldCasting[$fieldName]);
 		}
+		// If the value is an object, we do one of two things
+		else if(is_object($value)) {
+			// If it has a "Nice" method, call that & make sure the result is safe
+			if (method_exists($value, 'Nice')) Convert::raw2xml($value->Nice());
+			// Otherwise call forTemplate - the result of this should already be safe
+			else $value = $value->forTemplate();
+		}
+		// Otherwise, just treat as a text string & make sure the result is safe
+		else {
+			$value = Convert::raw2xml($value);
+		}
+
 		return $value;
 	}