LeafKit 1.14.1 was just released which fixes a vulnerability where LeafKit would bypass HTML escaping when using unicode extended grapheme clusters such as "́ (U+0022 + U+0301). While Swift treats that as a single character, HTML instead interprets it as two separate code points, where one is ". This would therefore allow XSS injections.
You can check out Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster · Advisory · vapor/leaf-kit · GitHub for more info.
Thanks to bawolff (Brian Wolff) · GitHub for reporting!