in reply to Re^3: is this mentality safe?
in thread is this mentality safe?
...further to testing user input/tainted_values:
- use regexes to include the most sane data rather than excluding illegal characters etc.
- be especially vigilant about any email-generating script/form, as these are easily hijacked by script kiddies to deliver their spam
- all the other CGI safety precautions apply: e.g. don't read/write anywhere except safe directories, remove any path entries from your environment, call any binaries with full pathname, etc.
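As an added illustration of the points above (this is example code, not code from the original thread or its author), here is a small Perl CGI fragment that applies them under taint mode (`perl -T`): allow-list regexes that extract only the expected characters, a scrubbed environment, full pathnames for any binary, and writes confined to one directory. The safe directory, the field names and the sendmail location are assumptions.

```perl
#!/usr/bin/perl -T
# Added example (hypothetical names): CGI input handling under taint mode.
use strict;
use warnings;

# Throw away whatever PATH and shell-influencing variables the web server
# handed us; taint mode refuses to run child processes with a tainted PATH.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';

my $SAFE_DIR = '/var/app/uploads';     # assumption: the only directory we write to
my $SENDMAIL = '/usr/sbin/sendmail';   # assumption: full path, never a bare name

# Allow-list untainting: the capture is the only thing that leaves the sub.
# Matching what we *want* is shorter and safer than enumerating bad characters.
sub untaint_username {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([a-z][a-z0-9_]{0,31})\z/ ? $1 : undef;
}

sub untaint_email {
    my ($raw) = @_;
    return undef unless defined $raw;
    # Deliberately strict shape: local part, one '@', dotted domain, and no
    # whitespace or newlines, so a header-injection payload simply fails to match.
    return $raw =~ /\A([\w.+-]{1,64}\@[a-z0-9-]+(?:\.[a-z0-9-]+)+)\z/i ? $1 : undef;
}

# Write only under $SAFE_DIR; the filename is built solely from untainted parts,
# so '..' or '/' from the request can never reach the path.
sub save_note {
    my ($user, $text) = @_;
    my $name = untaint_username($user) or die "rejected username\n";
    my $path = "$SAFE_DIR/$name.txt";
    open my $fh, '>', $path or die "cannot write $path: $!\n";
    print {$fh} $text;
    close $fh or die "close failed: $!\n";
    return $path;
}

# Send mail through sendmail's stdin using the list form of open(), so no shell
# is involved and the recipient has already passed the allow-list above.
sub send_notification {
    my ($to, $body) = @_;
    my $addr = untaint_email($to) or die "rejected recipient address\n";
    open my $mail, '|-', $SENDMAIL, '-oi', '-t'
        or die "cannot run $SENDMAIL: $!\n";
    print {$mail} "To: $addr\nSubject: Form submission\n\n$body\n";
    close $mail or die "sendmail exited with status $?\n";
    return $addr;
}

# Constructed sample input standing in for CGI parameters.
my %param = (
    user  => 'alice_01',
    email => "alice\@example.org",
    note  => "Hello from the form\n",
);

my $saved = save_note($param{user}, $param{note});
print "saved note to $saved\n";
# send_notification($param{email}, $param{note});   # uncomment on a host with sendmail
```

Run it as `perl -T script.pl`: under `-T` every value derived from the request is tainted, and any attempt to use it in a filename, `open` pipe or `system` call before it has passed through one of the capturing regexes above is a fatal error rather than a silent hole.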