Detected while testing MDL-46227, it seems that the "cron" fields available when editing a task schedule are using a relaxed PARAM_RAW without any extra check. See:
It would be great to validate a bit more what's entered in those fields; surely some regexp could at least reduce the available chars, or perhaps that validation/cleaning is already available somewhere in the tasks API. The current behavior just seems too relaxed.
For your consideration, ciao
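
One way to tighten these fields, as an added example (not Moodle code and not part of the original report): a PHP check that applies a character allowlist first and then validates each comma-separated part against per-field bounds. The function name, the bounds table and the accepted syntax (`*`, numbers, ranges, `/step`, comma lists) are assumptions; the tasks API may accept other tokens.

```php
<?php
// Added example, not Moodle code. All names here are hypothetical.
// Assumed per-field syntax: "*", "n", "a-b", "*/s", "a-b/s", and comma lists.

const CRON_FIELD_BOUNDS = [
    'minute'    => [0, 59],
    'hour'      => [0, 23],
    'day'       => [1, 31],
    'month'     => [1, 12],
    'dayofweek' => [0, 7],
];

function validate_cron_field(string $name, string $value): bool {
    if (!array_key_exists($name, CRON_FIELD_BOUNDS)) {
        return false;
    }
    [$min, $max] = CRON_FIELD_BOUNDS[$name];

    // Character allowlist and length cap; \z (not $) so a trailing newline fails.
    if (strlen($value) > 64 || !preg_match('~\A[0-9*/,-]+\z~', $value)) {
        return false;
    }
    foreach (explode(',', $value) as $part) {
        // Structure: ("*" or n or a-b), optionally followed by /step.
        if (!preg_match('~\A(?:\*|(\d{1,2})(?:-(\d{1,2}))?)(?:/(\d{1,2}))?\z~', $part, $m)) {
            return false;
        }
        $low  = $m[1] ?? '';   // unmatched groups may be absent or empty
        $high = $m[2] ?? '';
        $step = $m[3] ?? '';
        if ($low !== '' && ((int)$low < $min || (int)$low > $max)) {
            return false;
        }
        if ($high !== '' && ((int)$high > $max || (int)$high < (int)$low)) {
            return false;
        }
        if ($step !== '' && ((int)$step < 1 || (int)$step > $max)) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs: three valid schedules, then values that must be rejected.
$samples = [['minute', '*/5'], ['hour', '1-5,22'], ['dayofweek', '1-5'],
            ['minute', '60'], ['hour', '5-1'], ['month', '*/0'],
            ['minute', '<b>1</b>'], ['day', "1\n"], ['hour', '1,,2']];
foreach ($samples as [$field, $value]) {
    $verdict = validate_cron_field($field, $value) ? 'ok' : 'rejected';
    printf("%-9s %-12s %s\n", $field, json_encode($value), $verdict);
}
```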