in reply to Displaying values after form is submitted
If not only the poster but also other people are to see the filled-in-values-page then I'd suggest you use tainting (discussed in the perlsec manpage, just type perldoc perlsec). Suppose somebody filled in the value:
<img src="www.site.com/realcheesyadvertisement.gif">
your page will display an advertisement. This is relatively harmless, but worse things can be done by adding some javascript code to the filled-in value (this is called "cross site scripting").
A solution is tainting-mode (perl -T), where you can only use variables 'from the outside' if you've untainted them first. This untainting is done by checking all variables against a regex, that for instance only allows \w-characters.
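As an added example (not part of the original reply), here is a small script that follows this advice: it runs under -T, accepts a form value only if the whole string matches \w characters, and escapes the result before printing it. The helper names untaint_word and html_escape and the sample form values are my own assumptions; in a real CGI script the values would come from the request and would be tainted.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): untainting a form value
# under taint mode and escaping it before display. Helper names are
# hypothetical; run as "perl -T script.pl".
use strict;
use warnings;

# Accept only \w characters (letters, digits, underscore), 1 to 64 of them.
# Anything else is rejected outright rather than partially cleaned.
# The captured group is what Perl treats as untainted.
sub untaint_word {
    my ($value) = @_;
    return undef unless defined $value;
    if ($value =~ /\A(\w{1,64})\z/) {
        return $1;
    }
    return undef;
}

# Escaping for HTML output is a separate step from untainting and is
# applied to everything that is printed into the page.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed sample inputs standing in for submitted form fields.
# In a real CGI script these would come from the request and be tainted.
my %form = (
    name    => 'alice_42',
    comment => '<img src="www.site.com/realcheesyadvertisement.gif">',
);

for my $field (sort keys %form) {
    my $clean = untaint_word($form{$field});
    if (defined $clean) {
        print "$field: ", html_escape($clean), "\n";
    } else {
        print "$field: rejected (contains characters outside \\w)\n";
    }
}
```

The "comment" field, which carries the img tag from the reply above, is rejected by the \w check, while "name" passes and is printed escaped.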