in reply to Re^3: XML::RSS::Parser::Lite Question
in thread XML::RSS::Parser::Lite Question

Hi BlenderHead,
The implication of HTTP_REFERER is that where session info is present in the URL of the page, that info will be contained in the HTTP_REFERER header. This can be abused to extract info from poorly guarded sessions and capture a currently running session.

The issue with your script's output is the HTML::Entities encoding of data within XML files, in this case the item.description. To resolve this, use HTML::Entities to decode the encoded chars; however, you should then use HTML::Scrubber on the resulting output if you do not trust the originating source.

And Corion's advice about not displaying images from remote/untrusted sources is wise until you have developed a security policy for this scenario. Happy reading ;)
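
The decode-then-scrub sequence described in this reply, as an added example that is not part of the original post or the poster's code. It uses `decode_entities` from the CPAN module HTML::Entities; the sample description, the tag allow-list and the example hosts are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(decode_entities);
use HTML::Scrubber;

# Constructed sample: an entity-encoded item.description as it might arrive
# from an untrusted feed (hosts and content are made up for this example).
my $description =
      '&lt;p&gt;New &lt;b&gt;release&lt;/b&gt; '
    . '&lt;a href="https://example.org/notes" onclick="x()"&gt;notes&lt;/a&gt;'
    . '&lt;img src="http://tracker.example/pixel.gif"&gt;'
    . '&lt;script&gt;alert(1)&lt;/script&gt;&lt;/p&gt;';

# Step 1: decode the entities so the description becomes real markup again.
# After this call the string is live HTML and must not be printed as-is.
my $html = decode_entities($description);

# Step 2: scrub with an allow-list. Anything not named here is dropped.
my $scrubber = HTML::Scrubber->new(
    # Simple formatting tags, allowed without any attributes.
    allow => [qw(p br b i em strong ul ol li)],
    rules => [
        # Links: keep only an http(s) href, drop every other attribute
        # (onclick, style, ...).
        a => { href => qr{^https?://}i, '*' => 0 },
    ],
    # Default for all other tags (img, script, iframe, ...): deny the tag
    # and all of its attributes. Leaving img out of the allow-list follows
    # the advice about not displaying remote images.
    default => [ 0 => { '*' => 0 } ],
    comment => 0,    # strip HTML comments
    process => 0,    # strip processing instructions
);

my $safe = $scrubber->scrub($html);
print "$safe\n";
```

Only the scrubbed string should reach the page; the decoded but unscrubbed `$html` is the value that carries the risk.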