Last tested: Jul 13, 2018
_filters is not sanitized for SQL, so it can expose customers to SQL injection. For that reason it is not supported in any parameter that uses SQL.
Try using a parameter or templated filter instead.
Or, if appropriate, use html: to display it, as described in this post.
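
The LookML below is an added example, not taken from the original article. It shows the unsupported pattern (commented out) next to the three alternatives named above. The view, table and field names (orders, status, status_filter, status_param) are hypothetical.

```lookml
# Added example; view, table and field names are hypothetical.
view: orders {
  sql_table_name: public.orders ;;

  dimension: status {
    type: string
    sql: ${TABLE}.status ;;
  }

  # Unsupported: _filters is not sanitized for SQL, so the user's filter
  # text would become part of the generated statement.
  # dimension: status_matches_unsafe {
  #   type: yesno
  #   sql: ${TABLE}.status = '{{ _filters['orders.status'] }}' ;;
  # }

  # Templated filter: Looker generates the comparison from the filter value.
  filter: status_filter {
    type: string
  }

  dimension: status_matches {
    type: yesno
    sql: {% condition status_filter %} ${TABLE}.status {% endcondition %} ;;
  }

  # Parameter: a type: string value is inserted as a quoted SQL literal.
  parameter: status_param {
    type: string
  }

  dimension: status_equals_param {
    type: yesno
    sql: ${TABLE}.status = {% parameter status_param %} ;;
  }

  # Display only: html: controls how the value is rendered, not the SQL.
  measure: count {
    type: count
    html: {{ rendered_value }} (status filter: {{ _filters['orders.status'] }}) ;;
  }
}
```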