If you allow users to upload their own Liquid templates, then yes, you
still need to run any input through your own input sanitizers. Liquid
only protects you from a user running arbitrary Ruby code through the
templates, but XSS is a problem when the user's login token can be
stolen via XSS, or the user can be made to do malicious / destructive
things via arbitrary JavaScript by an attacker.
Your best bet is to run it through HTML::WhiteListSanitizer with your
own desired settings / attributes / tags.
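
An allowlist pass over rendered template output, as an added example that is not part of the original post and is not HTML::WhiteListSanitizer itself: it is a standard-library stand-in showing the same idea, where allowed tags are rebuilt from scratch and everything else is escaped. The tag and attribute policy, the names `sanitize_rendered`, `rebuild_tag` and `esc`, and the sample input are assumptions made for illustration.

```ruby
require 'strscan'

# Assumed policy for this example; pick your own tags and attributes.
ALLOWED_TAGS  = %w[p b i em strong ul ol li br a].freeze
ALLOWED_ATTRS = { 'a' => %w[href title] }.freeze
SAFE_URL      = %r{\A(?:https?://|mailto:|/|#)}i # allowlist for href values

TAG  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^<>]*?)?)\s*/?>}
ATTR = /([a-zA-Z][-a-zA-Z0-9]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/
ESC  = { '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;' }.freeze

# Escape markup characters; '&' is kept so existing entities are not doubled.
def esc(text)
  text.gsub(/[<>"']/, ESC)
end

# Re-emit an allowed tag from scratch, keeping only allowed, quoted attributes.
def rebuild_tag(closing, name, raw_attrs)
  return "</#{name}>" unless closing.empty?
  kept = raw_attrs.scan(ATTR).filter_map do |key, dq, sq|
    key = key.downcase
    value = dq || sq
    next unless ALLOWED_ATTRS.fetch(name, []).include?(key)
    next if key == 'href' && value !~ SAFE_URL # drops javascript:, data:, ...
    %( #{key}="#{esc(value)}")
  end
  "<#{name}#{kept.join}>"
end

# Anything that is not an allowed tag is emitted as escaped text.
def sanitize_rendered(html)
  out = +''
  s = StringScanner.new(html)
  until s.eos?
    if s.scan(/[^<]+/) # plain text run, cannot open a tag
      out << s.matched
    elsif s.scan(TAG)
      name = s[2].downcase
      out << (ALLOWED_TAGS.include?(name) ? rebuild_tag(s[1], name, s[3]) : esc(s.matched))
    else
      out << esc(s.getch) # stray '<' that does not form a tag
    end
  end
  out
end

# Constructed sample: the string produced by rendering an uploaded template.
RENDERED = '<p onclick="steal()">Hi <b>there</b></p><script>alert(1)</script>' \
           '<a href="javascript:alert(1)" title="x">a</a>' \
           '<a href="https://example.com/?a=1&amp;b=2">ok</a>'
puts sanitize_rendered(RENDERED)
```

The sanitizer runs on the rendered output, so it covers both markup written directly in the uploaded template and markup that arrives through template variables.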