Deprecation Notice: Some Liquid Functions Prohibited (3.48+)


(Brett Sauve) #1

Looker supports the use of the Liquid templating language in some of its parameters (such as html). Some Liquid functions could potentially be used for malicious behaviors, although only if a bad actor somehow gained access to your Looker instance, and only if they understood where you were using Liquid. Just in case, we’ve disabled these functions in Looker.

These Liquid functions are associated with the Unsafe Liquid Functions legacy feature (for more details see the Legacy Features docs page):

  • From release 3.48 to 4.18, the legacy feature is on by default, which means that you can still use the potentially unsafe Liquid functions
  • From release 4.20 to 4.22, the legacy feature is off by default, which means you cannot use the potentially unsafe functions
  • As of release 5.0, you can never use the potentially unsafe functions

Legacy Features End-of-life Schedule
(Todd) #2

Hi There,

Is there documentation you can direct us to which details which Liquid functions we need to look for in order to replace them? The deprecation notice gives HTML as an example; however, the docs say that’s still valid: https://docs.looker.com/reference/field-params/html. If the doc just hasn’t been updated, that’s fine; we are still looking for some way to check our end for conflicts before we move forward with an upgrade.

Thank you,

Todd

(Brett Sauve) #3

@tfoley html is a LookML parameter, not a Liquid function, so it is still supported.

Some of the Liquid functions that you might have used within the html parameter are prohibited now. If you run into any that cause problems, support@looker.com can help you out.


(Todd) #4

Thank you.