Data::Dumper does perl-escaping (defaults have some caveats)

Data::Dump::pp() does better perl-escaping by default

Neither ddumper does HTML-escaping

You can alway do  my $cgi = CGI->new; print $cgi->header, $cgi->Dump ; to see whats inside $query