The short answer: you're modifying a copy of $_, so the caller doesn't see the modification. You should probably return the value, something like this:

   # Note we assign the return value of the sub to $txt
   $txt = escape_html_character($txt);

   sub escape_html_characters {
      my $string = shift;
      $string =~ s/...some chars here.../...some escape.../g;
      # Note we return the modified string
      return $string;
   }
[download]

The key points here are that the modified string is returned from the subroutine and you assign the return value of the subroutine back into the $txt variable.

The long answer:

• You probably want "use warnings" turned on.
• You don't really want to be using 'local' and 'local $_' in modern code. So-called 'lexical' variables declared with 'my' are much safer and less likely to cause problems like this.
• Escaping characters like this is likely to be a solved problem, done by people who are likely to have exhaustively gone through all needed characters, so I'd first look for a module to do this on CPAN. In fact, within the CGI module you're already using, there is the 'escapeHTML' function which looks like what you need.

Have fun.