in reply to Re: CGI param cleansing
in thread CGI param cleansing

You are basically right, however I don't think this line is correct.

print a({-href => $dangerous}, escapeHTML($dangerous));
In this case, you have to URI-escape the filename except for the slashes. Suppose for example that the filename is "a?b<c". Then the above example would print <a href="a?b&lt;c">a?b&lt;c</a>. When the viewer clicks on the link, the browser will HTML-unescape the attribute, and load a?b<c prepended with the current base URL. The web server would however interpret this as loading the file a with the GET parameter being b<c. The code should instead have printed <a href="a%3Fb%3Cc">a?b&lt;c</a>.
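The two-step escaping the reply describes, as an added example that is not part of the original post or of CGI.pm: the filename is URI-escaped for the href (every character except unreserved ones and "/", so path separators survive but "?", "<", "#", "&" and spaces do not) and separately HTML-escaped for the link text. `safe_file_link` is a hypothetical helper name; the script assumes the CGI and URI::Escape modules are installed (CGI.pm is no longer shipped with core Perl).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(a escapeHTML);
use URI::Escape qw(uri_escape_utf8);

# Hypothetical helper (not from the thread): build an <a> tag for a
# filename that came from user input, escaping it once per context.
sub safe_file_link {
    my ($filename) = @_;

    # URI context: percent-encode everything except the unreserved
    # characters and "/", so "a?b<c" becomes "a%3Fb%3Cc" while
    # "dir/file.txt" keeps its slash. The result contains only
    # A-Za-z0-9 - _ . ~ / and %, so it is also safe inside an
    # HTML attribute without further escaping.
    my $href = uri_escape_utf8($filename, '^A-Za-z0-9\-_.~/');

    # HTML context: the visible link text is markup, so < > & " must
    # become entities here, independently of the URI escaping above.
    return a({-href => $href}, escapeHTML($filename));
}

for my $name ('a?b<c', 'dir/file.txt', 'x&y#z') {
    print safe_file_link($name), "\n";
}
```

Run on `a?b<c` this prints the `<a href="a%3Fb%3Cc">a?b&lt;c</a>` the reply asks for; `uri_escape_utf8` is used instead of `uri_escape` so that filenames containing characters outside Latin-1 do not make the call die. Note that this only fixes the encoding of the link: deciding whether the named file may be linked at all (for instance rejecting `..` components) is a separate check that the escaping does not perform.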