Looker supports the use of the Liquid templating language in some of its parameters (such as
html). Some Liquid functions could potentially be used for malicious behaviors, although only if a bad actor somehow gained access to your Looker instance, and only if they understood where you were using Liquid. Just in case, we’ve disabled these functions in Looker.
These Liquid functions are associated with the Unsafe Liquid Functions legacy feature (for more details see the Legacy Features docs page):
- From release 3.48 to 4.18, the legacy feature is on by default, which means that you can still use the potentially unsafe Liquid functions
- From release 4.20 to 4.22, the legacy feature is off by default, which means you cannot use the potentially unsafe functions
- As of release 5.0, you can never use the potentially unsafe functions
Is there documentation you can direct us to which details out which liquid functions we need to look for in order to replace? The deprecation notice gives HTML as an example, however docs say that’s still valid: https://docs.looker.com/reference/field-params/html. If the doc just hasn’t been updated, that’s fine, we still are looking for some way to check our end for conflicts before we move forward with an upgrade.
htmlis a LookML parameter, not a Liquid function, so it is still supported.
Some of the Liquid functions that you might have used within the
htmlparameter are prohibited now. If you run into any that cause problems help.looker.com can help you out.