There is already another "params" method, this had been discussed in the mentioned bugzilla threads.

> The problem is not limited to fat comma either. Consider: @k = qw(foo bar baz); @v = (1,bar(),3); %m = zip @k, @v;

If it comes to "comma" and "list flattening" it's a feature not a problem!

I just used (something similar) again in another post (see (undef,my %hash)= ).

But IMHO implementing => as a "fat" version of comma was misleading, because even experienced Perl hackers expect a 1-to-1 relation, and Perl is supposed to DWIM.

NB Perl6's design has => as "pair-operator" not "fat comma" and the propagation of context into subs has been changed too.

But this is a language design thing which IS NOT a security problem as such.

IMHO HTTP-responses returning more than one value for a singular form-element should be sanitized from the beginning.