in reply to SECURITY RISK
in thread How to get into $ENV{'QUERY_STRING'}?

There's no security risk here in most systems, because the output of CGI is not generally parsed for SSI. Methinks you have a hair-trigger on that. :)

Even having said that,

$var =~ s/<!--(.|\n)*-->//g;
is poorly performing code. You want something like this instead:
$var =~ s/<!--.*?-->//gis;  # /s lets . match newlines, as (.|\n) did
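An added example, not part of the original post: it runs the greedy `(.|\n)*` form and the non-greedy `.*?` form, with and without the `/s` modifier, over the same input. The greedy form deletes the ordinary text between two comments, and the non-greedy form without `/s` leaves a comment that spans a line break in place. The sample input and the names `@variants` and `strip_report` are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: user-supplied text carrying two SSI-style comments,
# one of them spanning a line break, with ordinary text between them.
my $input = join "\n",
    'name=alice<!--#echo var="DATE_LOCAL" -->',
    'city=paris',
    '<!--#include',
    '  virtual="/footer.html" -->',
    'zip=75001';

# Each entry: label, then a sub returning a stripped copy of its argument.
my @variants = (
    [ 'greedy (.|\n)*' => sub { (my $s = shift) =~ s/<!--(.|\n)*-->//g; $s } ],
    [ 'lazy, no /s'    => sub { (my $s = shift) =~ s/<!--.*?-->//g;     $s } ],
    [ 'lazy with /s'   => sub { (my $s = shift) =~ s/<!--.*?-->//gs;    $s } ],
);

# Apply every variant to the same text; returns { label => stripped text }.
sub strip_report {
    my ($text) = @_;
    my %out;
    for my $v (@variants) {
        my ($label, $code) = @$v;
        $out{$label} = $code->($text);
    }
    return \%out;
}

my $report = strip_report($input);
for my $v (@variants) {
    my $label = $v->[0];
    # Show newlines as a visible \n so each result fits on one line.
    (my $shown = $report->{$label}) =~ s/\n/\\n/g;
    # Flag results that lost legitimate text or kept a comment opener.
    my @notes;
    push @notes, 'lost city=paris' unless $report->{$label} =~ /city=paris/;
    push @notes, 'comment remains' if $report->{$label} =~ /<!--/;
    printf "%-15s => %s%s\n", $label, $shown,
        @notes ? '   [' . join(', ', @notes) . ']' : '';
}
```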