Yes, the code is a little terse (to say the least) but please consider the fact that we're implementing a whitelist-based HTML filter without the aid of HTML::Parser. The HTML filter code already accounts for half the lines in guestbook.pl, so anything that makes it longer has to be considered with care.

I think you're mistaken about the HTML comment vulnerability, it didn't work when I tried your example. I've put up a page where you can apply input to the filter, please test any exploits you can think of at this test page.