Encoding, hashing, and encryption schemes

Sometimes you may need to encode or hash values—or use hashes in an encryption scheme. Liquid filters can help you do that! We’ll give you a tour of the whys and whats here; then you can dive deeper in this Auth0.com article. You’ll know when you need to use the filters below because whatever you’re trying to do will explicitly state that you need to encode or hash certain values. 


Encoding transforms a value for data-handling purposes—it’s not related to information security. For example, we encode strings containing special characters to make them URL-safe (aka, containing only characters that can be transmitted over the internet; this is often called percent encoding) and then decode them to make them easier for humans to read. URL encoding is important to make sure links in your emails work—unencoded URLs can break. Another encoding format is base64, used for embedding image files in HTML and sending email attachments. 

Take a look at the escape and url_encode filters. Escape replaces special characters—in this case, quotation marks—with percent-encoded, URL-safe characters:

Code {{ “Have you read ‘How to Train Your Senior Dog’?” | escape }}
Output Have you read 'How to Train Your Senior Dog'?

The URL_encode filter converts URL-unsafe characters with percent-encoded characters and converts spaces to a plus sign:

Code {{ “reach me at lee@email.com” | url_encode }}
Output reach+me+at+lee%40email.com

You can reverse URL encoding with the url_decode filter

Code {{ “reach+me+at+lee%40email.com” | url_decode }}
Output reach me at lee@email.com

The base64 filter (available in some Liquid flavors) can also be used to encode strings:

Code {{ “I love dogs.”’ | base64 }}
Output SSBsb3ZlIGRvZ3Mu


Hashing transforms a value in a way that guarantees its integrity. Stated another way, it allows us to check and see if two items are the same. Its most well-known application is passwords. 

Since storing passwords would present a huge security risk, typically passwords themselves are not stored in a database. Instead, they are hashed, and the resulting hash is stored. For example, when you create an account on a website, the password you set isn’t sent to the website—an algorithm transforms it into a hash, and that’s what’s actually stored. The next time you log in, the password you enter is hashed and compared to the stored hash of the password you set up initially—if they match, you entered the right password! 

Liquid offers several filters that can hash a value: sha1, sha256, and md5. Each represents a different hash algorithm. Here they are in action:

Code {{ “Customer.io” | md5 }}
Output d52b6a207bf5255c05b1d0056230617e
Code {{ “Customer.io” | sha1}}
Output c197ff0ae0a41983362f35ca972c544061c54d4c
Code {{ “Customer.io” | sha256 }}
Output 6dddb773238216bce273133bc3f6a12a824f41dd184d09452f05c7659dae7d57

Tricky terminology note: In Ruby (Liquid’s parent language), the word “hash” is also used to mean a collection of keys—the rough equivalent of a JavaScript object. See Advanced For Loops [link] for a brief discussion of hashes in that context.

Hashing in encryption schemes   

Encrypting transforms a value in a way that guarantees confidentiality. That is, access is restricted to authorized users. A cryptographic key is required to encrypt the value, and a different cryptographic key is required to decrypt it. (“Key” here means a cryptographic key, not a Liquid key.)

While we don’t actually use Liquid to encrypt data, some encryption schemes will use hashing to verify integrity as one of the many steps in the encryption process. Hash-based message authentication codes, or HMACs, include both a hash function and a secret cryptographic key. You’ll know when to use this type of hashing, because the instructions you’re following will explicitly state it is required—here’s an example about creating the signature needed to pass data to the Twitter API.  

Here’s a quick look at HMAC hash filters:

Code {{ “Customer.io” | hmac_sha1: “some_key” }}
Output 2bdf556c9a75766f258d1e2824f6d0e31d1beedc
Code {{ “Customer.io” | hmac_sha256: “some_key” }}
Output 6dddb773238216bce273133bc3f6a12a824f41dd184d09452f05c7659dae7d57

Those are just the basics of how encoding, hashing, and ASDSD are done using filters in Liquid. There’s a lot more to know, so start with this Auth0.com article for a deeper dive if you’ll be working with these filters frequently.