in reply to Special Chars in CGI form variables

Why open yourself up to risk if you don't have to? I highly recommend using something akin to CGI::Session and storing the data attached to a session, just providing the user with a cryptographically generated cookie (sessionid).

If you *really* must specify this data via a form, you shouldn't worry about special characters. You should decide what characters are acceptable and filter everything else out. (Or bitch if the value has anything unacceptable.)

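The allowlist approach described in the reply above, sketched as an added example that is not part of the original post: each field gets an anchored pattern of acceptable characters, and a value is either rejected outright or filtered. The field names, patterns and sample input are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist per field: anchored patterns describing what IS acceptable.
# Field names and rules are hypothetical, chosen for illustration.
my %ALLOWED = (
    username => qr/\A([A-Za-z0-9_]{1,32})\z/,
    item_id  => qr/\A([0-9]{1,10})\z/,
    comment  => qr/\A([A-Za-z0-9 .,!?'-]{0,200})\z/,
);

# Strict mode: complain if a value contains anything unacceptable.
# Returns (\%clean, \@errors); unknown fields are reported, never passed on.
sub validate_params {
    my (%in) = @_;
    my (%clean, @errors);
    for my $name (sort keys %in) {
        my $rule = $ALLOWED{$name};
        if (!$rule) { push @errors, "unexpected field '$name'"; next; }
        if (defined $in{$name} && $in{$name} =~ $rule) {
            $clean{$name} = $1;    # keep only the captured, validated value
        } else {
            push @errors, "invalid value for '$name'";
        }
    }
    return (\%clean, \@errors);
}

# Filter mode: silently drop every character outside the acceptable set.
sub filter_value {
    my ($value) = @_;
    (my $out = $value // '') =~ tr/A-Za-z0-9_ .,-//cd;
    return $out;
}

# Constructed sample input standing in for submitted form variables.
my %form = (
    username => 'alice_01',
    item_id  => '42<&>"',
    comment  => 'Nice post!',
    debug    => '1',
);

my ($clean, $errors) = validate_params(%form);
print "accepted: $_=$clean->{$_}\n" for sort keys %$clean;
print "rejected: $_\n" for @$errors;
print "filtered: ", filter_value($form{item_id}), "\n";
```

Taking the value from the regex capture rather than the raw input is also what untaints it when the script runs under `-T`.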