Looker supports the use of the Liquid templating language in some of its parameters (such as
html). Some Liquid functions could potentially be used for malicious behaviors, although only if a bad actor somehow gained access to your Looker instance, and only if they understood where you were using Liquid. Just in case, we’ve disabled these functions in Looker.
These Liquid functions are associated with the Unsafe Liquid Functions legacy feature (for more details see the Legacy Features docs page):
- From release 3.48 to 4.18, the legacy feature is on by default, which means that you can still use the potentially unsafe Liquid functions
- From release 4.20 to 4.22, the legacy feature is off by default, which means you cannot use the potentially unsafe functions
- As of release 5.0, you can never use the potentially unsafe functions