
LeafKit HTML Escaping Vulnerability

LeafKit HTML escaping vulnerability fixed in 1.14.1

We’ve just released LeafKit 1.14.1, which fixes a security vulnerability that allowed XSS attacks by injecting Unicode extended grapheme clusters into Leaf templates. A grapheme cluster that contains a quotation mark would bypass escaping: Swift treats the cluster as a single character, different from ", so the escaping function skipped it. HTML, on the other hand, parses it as two separate characters and interprets the quotation mark as closing the attribute, which allowed attackers to inject malicious HTML attributes and execute XSS attacks.
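The mismatch described above, as an added example that is not LeafKit's own code: a per-Character escaper beside one that works on Unicode scalars. The function names are hypothetical, and the combining mark U+0301 is an assumption chosen for illustration, since the cluster from the original report is not shown here.

```swift
// Added illustration; not LeafKit's source. Function names are hypothetical.

/// Flawed: compares whole Characters (extended grapheme clusters).
func escapeByCharacter(_ input: String) -> String {
    var out = ""
    for ch in input {
        switch ch {
        case "&": out += "&amp;"
        case "<": out += "&lt;"
        case ">": out += "&gt;"
        case "\"": out += "&quot;"
        case "'": out += "&#39;"
        default: out.append(ch)   // a quote fused with a combining mark lands here
        }
    }
    return out
}

/// Hardened: compares Unicode scalars, the unit an HTML parser works on.
func escapeByScalar(_ input: String) -> String {
    var out = ""
    for scalar in input.unicodeScalars {
        switch scalar {
        case "&": out += "&amp;"
        case "<": out += "&lt;"
        case ">": out += "&gt;"
        case "\"": out += "&quot;"
        case "'": out += "&#39;"
        default: out.unicodeScalars.append(scalar)
        }
    }
    return out
}

/// True if a literal U+0022 quotation mark survives in the output.
func hasRawQuote(_ s: String) -> Bool {
    s.unicodeScalars.contains { $0.value == 0x22 }
}

// Constructed sample: U+0022 followed by U+0301 (combining acute accent).
let value = "a\"\u{0301}b"
print("characters:", value.count, "scalars:", value.unicodeScalars.count)
print("per-Character escape leaves raw quote:", hasRawQuote(escapeByCharacter(value)))
print("per-scalar escape leaves raw quote:", hasRawQuote(escapeByScalar(value)))
```

A regression test for any escaping helper can reuse `hasRawQuote` over inputs that pair each escaped character with a combining mark.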

You can read more about it in the security advisory.

Thanks to bawolff for reporting this!