Assuming that someone doesn't exploit some security hole in the web server^*, they'll only see whatever the CGI produces. Ideally, this is valid HTML. :)

* There are lots of ways this can happen. Make sure your web server platform is up-to-date on security fixes. If you're running IIS, take extra care to be up-to-date.