in reply to OT: Cross-site Scripting - Articles and Tools
Personally I found the CERT advisories much more informative (or at least it was in language I understood :)
CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
Understanding Malicious Content Mitigation for Web Developers
I am wondering if there is a good reason why cgi.pm would not specify a character encoding by default. If someone needed a specific other character encoding it would be easily manually overridable and everyone else gets a bit more protection for free.
--
my $chainsaw = 'Perl';