[eluser]Twisted1919[/eluser]
You might be right; the limit() method does not seem to escape the values.
Even though the params given to this method should be integers, as you noticed, strings can be passed.
I do type casting for this method anyway (i.e. (int)$limit, (int)$offset), but there might be developers who didn't do it, so it will be a security risk after all.
Hope somebody from the development team will look into this.
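As an added illustration of the type-casting approach mentioned above (this is example code written for this thread, not from the post's author or from CodeIgniter itself), the snippet below validates limit/offset values before they are handed to a query builder whose limit() method does not escape its arguments. The function names, the clamping values and the sample inputs are assumptions; it also goes one step beyond a bare (int) cast by rejecting non-numeric input instead of silently truncating it.

```php
<?php
// Added example (not from the forum post or CodeIgniter itself): validate
// LIMIT/OFFSET inputs before they reach a query builder that interpolates
// them unescaped. Function names, defaults and inputs are constructed.

/**
 * Coerce user-supplied limit/offset values to safe non-negative integers.
 * Returns [$limit, $offset]; anything that is not a plain decimal string
 * or int falls back to a default, and $limit is clamped to $maxLimit.
 */
function safe_limit_offset($limit, $offset = 0, int $maxLimit = 100, int $defaultLimit = 20): array
{
    $limit  = to_non_negative_int($limit, $defaultLimit);
    $offset = to_non_negative_int($offset, 0);
    if ($limit < 1) {
        $limit = $defaultLimit;
    } elseif ($limit > $maxLimit) {
        $limit = $maxLimit;
    }
    return [$limit, $offset];
}

function to_non_negative_int($value, int $fallback): int
{
    if (is_int($value)) {
        return $value >= 0 ? $value : $fallback;
    }
    // Stricter than a bare (int) cast: "10abc" is rejected instead of becoming 10,
    // and "" or "-5" are rejected instead of becoming 0.
    if (is_string($value) && ctype_digit($value)) {
        return (int) $value;
    }
    return $fallback;
}

// Constructed stand-in for what an unescaping builder does: it just
// interpolates. With validated ints this is harmless; with raw input it is not.
function build_limit_clause(int $limit, int $offset): string
{
    return $offset > 0 ? "LIMIT $offset, $limit" : "LIMIT $limit";
}

// Demonstration with constructed request values.
$inputs = [
    ['limit' => '25',    'offset' => '50'],   // well-formed
    ['limit' => '10abc', 'offset' => '-5'],   // malformed -> defaults
    ['limit' => '9999',  'offset' => 0],      // clamped to $maxLimit
    ['limit' => '',      'offset' => ''],     // missing -> defaults
];

foreach ($inputs as $in) {
    [$limit, $offset] = safe_limit_offset($in['limit'], $in['offset']);
    printf(
        "%-8s %-6s => %s\n",
        var_export($in['limit'], true),
        var_export($in['offset'], true),
        build_limit_clause($limit, $offset)
    );
}

// In a CodeIgniter controller the validated integers would then be passed on
// as $this->db->limit($limit, $offset); rather than the raw request values.
```

The point of the helper is that the integers reach limit() already validated, so it no longer matters whether that method escapes; clamping the limit also keeps a client from requesting an unbounded page size.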