Gridfield export of summary fields incorrectly escapes various characters, breaks CSV format

[axllent]

Affected Version

Silverstripe framework 4.12.2 (including previous versions)

Description

When exporting data via the Gridfield export, any column data defined in the $summary_fields is incorrectly escaped in the CSV.

Steps to Reproduce

• Update any Member in the Security section to include a ' or " in their first name
• Export to CSV.

All ' characters are converted to ', and " is converted to ", and in the case where a single word including a single " (no spaces) actually breaks the exported data structure. If however the exported data is not included in the $summary_fields it appears not to be affected by this bug. This is not limited to just the Security section, but all Gridfields.

As an example, I have two Members in my test database, the first has the FirstName Default 'Admin, and the second test":

"First Name",Surname,Email
"Default 'Admin",,admin
test",,testing

I can provide a working patch which would change https://github.com/silverstripe/silverstripe-framework/blob/4.12.2/src/Forms/GridField/GridFieldExportButton.php#L246-L248 to something like

$value = strip_tags(
    html_entity_decode($gridFieldColumnsComponent->getColumnContent($gridField, $item, $columnSource), ENT_QUOTES) ?? ''
);

which fixes the issue, resulting in:

"First Name",Surname,Email
"Default 'Admin",,admin
"test""",,testing

... however I feel that's more of a band aid. Unfortunately what happens under the hood within the Gridfield components is a somewhat a maze, so I'm not sure of the best approach to fixing this bug.

Your thoughts and suggestions please.

UPDATE

This happens with a combination of the GridFieldDataColumns component and fields being in summary_fields. Specifically, the html is escaped using nl2br() and Convert::raw2xml() in GridFieldDataColumns::castValue() and therefore affects more than just quotes (e.g. <, >, &, \n will all be affected).
See #10659 (review) for more information.

PRs

• Fix GridField CSV export value escaping #10659

[michalkleiner]

Thanks for raising the issue, @axllent. If you had time, could you create a PR with the suggested fix from/against the 4.12 branch? Thanks!

[axllent]

Awesome, I have just done so @michalkleiner!

[axllent]

Just putting this here for reference as I suspect it'll get overlooked as it's labeled as affects/v4, but this bug impacts Silverstripe 5 too.