There's one small caveat with your code. If you are using
CGI::Carp _and_ malicious data fails, the data will
be printed out back to the browser, data, which could have been construed just to be sent back to
the browser (for example, the Slashdot-Cookie-Stealer worked that way, by giving you an URL that was like
, which was then printed out by Slashdot back to the browser, and then run in the browser.
My strategy would be to just log taint-failed data into a file, as you never know exactly how that data got to
your machine. Of course, maybe using HTML::Entities could prevent such misuse, as the
text will then come back literally instead of interpretable ...