We've just released LeafKit 1.3.0 which fixes a potential XSS vulnerability. Previously rendered variables were not escaped which could allow an attacker to inject in malicious code to your site.
Note: if you have custom tags that rely on HTML being rendered then these should now conform to UnsafeUnescapedLeafTag instead. If you were relying on the Leaf variable tag to render HTML, this should now be migrated to use unsafeHTML.