Encoding, Hashing, and Encryption Schemes
Sometimes you may need to encode or hash values—or use hashes in an encryption scheme. Liquid filters can help you do that! We’ll give you a tour of the whys and whats here; then you can dive deeper in this Auth0.com article. You’ll know when you need to use the filters below because whatever you’re trying to do will explicitly state that you need to encode or hash certain values.
Encoding
Encoding transforms a value for data-handling purposes—it’s not related to information security. For example, we encode strings containing special characters to make them URL-safe (aka, containing only characters that can be transmitted over the internet; this is often called percent encoding) and then decode them to make them easier for humans to read. URL encoding is important to make sure links in your emails work—unencoded URLs can break. Another encoding format is base64, used for embedding image files in HTML and sending email attachments.
Take a look at the escape and url_encode filters. Escape replaces special characters—in this case, quotation marks—with percent-encoded, URL-safe characters:
{{ "Have you read 'How to Train Your Senior Dog'?" | escape }}
Have you read 'How to Train Your Senior Dog'?
The url_encode filter replaces URL-unsafe characters with percent-encoded characters and converts spaces to a plus sign:
{{ "reach me at lee@email.com" | url_encode }}
reach+me+at+lee%40email.com
You can reverse URL encoding with the url_decode filter:
{{ "reach+me+at+lee%40email.com" | url_decode }}
reach me at lee@email.com
The base64 filter (available in some Liquid flavors) can also be used to encode strings:
{{ "I love dogs." | base64 }}
SSBsb3ZlIGRvZ3Mu
Hashing
Hashing transforms a value in a way that guarantees its integrity. Stated another way, it allows us to check and see if two items are the same. Its most well-known application is passwords.
Since storing passwords would present a huge security risk, typically passwords themselves are not stored in a database. Instead, they are hashed, and the resulting hash is stored. For example, when you create an account on a website, the password you set isn’t sent to the website—an algorithm transforms it into a hash, and that’s what’s actually stored. The next time you log in, the password you enter is hashed and compared to the stored hash of the password you set up initially—if they match, you entered the right password!
Liquid offers several filters that can hash a value: sha1, sha256, and md5. Each represents a different hash algorithm. Here they are in action:
{{ "Customer.io" | md5 }}
d52b6a207bf5255c05b1d0056230617e
{{ "Customer.io" | sha1 }}
c197ff0ae0a41983362f35ca972c544061c54d4c
{{ "Customer.io" | sha256 }}
6dddb773238216bce273133bc3f6a12a824f41dd184d09452f05c7659dae7d57
Tricky terminology note: In Ruby (Liquid’s parent language), the word “hash” is also used to mean a collection of keys—the rough equivalent of a JavaScript object. See the For Loops lesson for a brief discussion of hashes in that context.
Hashing in encryption schemes
Encrypting transforms a value in a way that guarantees confidentiality. That is, access is restricted to authorized users. A cryptographic key is required to encrypt the value, and a different cryptographic key is required to decrypt it. (“Key” here means a cryptographic key, not a Liquid key.)
While we don’t actually use Liquid to encrypt data, some encryption schemes will use hashing to verify integrity as one of the many steps in the encryption process. Hash-based message authentication codes, or HMACs, include both a hash function and a secret cryptographic key. You’ll know when to use this type of hashing, because the instructions you’re following will explicitly state it is required—here’s an example about creating the signature needed to pass data to the Twitter API.
Here’s a quick look at HMAC hash filters:
{{ "Customer.io" | hmac_sha1: "some_key" }}
2bdf556c9a75766f258d1e2824f6d0e31d1beedc
{{ "Customer.io" | hmac_sha256: "some_key" }}
6dddb773238216bce273133bc3f6a12a824f41dd184d09452f05c7659dae7d57
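To show what the secret key adds, here is an added example in Ruby (Liquid's parent language); it is not code from the original lesson or from Customer.io. It computes a hex HMAC-SHA256, then plays the receiving side: recompute the value with the shared key and compare in constant time. The function names, the altered message and "other_key" are assumptions made up for this illustration.

```ruby
require "openssl"
require "digest"

# Constructed sample values; the key mirrors the lesson's "some_key" placeholder.
KEY     = "some_key"
MESSAGE = "Customer.io"

# Sender side: a keyed digest, hex-encoded (hypothetical helper name).
def sign(message, key)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), key, message)
end

# Constant-time comparison, so response timing does not reveal how many
# leading characters of a guessed signature were correct.
def secure_equal?(a, b)
  return OpenSSL.secure_compare(a, b) if OpenSSL.respond_to?(:secure_compare)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Receiver side: recompute with the shared key and compare.
def valid_signature?(message, signature, key)
  secure_equal?(sign(message, key), signature)
end

# Runs the four cases a receiver has to tell apart.
def demo
  signature = sign(MESSAGE, KEY)
  unkeyed   = Digest::SHA256.hexdigest(MESSAGE) # plain hash, no secret involved
  {
    plain_sha256: unkeyed,
    hmac_sha256:  signature,
    genuine:      valid_signature?(MESSAGE, signature, KEY),
    tampered:     valid_signature?("Customer.io!", signature, KEY),
    wrong_key:    valid_signature?(MESSAGE, signature, "other_key"),
    unkeyed:      valid_signature?(MESSAGE, unkeyed, KEY)
  }
end

demo.each { |name, value| puts "#{name}: #{value}" }
```

Only the genuine case verifies. A plain SHA-256 of the message is not accepted as a signature, because anyone can compute it without knowing the key.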
Those are just the basics of how encoding and hashing are done using filters in Liquid. There’s a lot more to know, so start with this Auth0.com article for a deeper dive if you’ll be working with these filters frequently.