in reply to "Hardening" a web forum app

Be sure to set default_escape => 'html' in the HTML::Template constructor; it's the best you can do against XSS.
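
Added example, not part of the original reply: the same template rendered without and with default_escape => 'html', to show which variables the setting covers. The template text, the variable names (body, subject, sig) and the input values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Constructed template: one variable in element content, one inside an
# attribute value, and one that explicitly opts out of escaping.
my $tmpl_text = <<'EOT';
<p class="post"><TMPL_VAR NAME="body"></p>
<input type="text" name="subject" value="<TMPL_VAR NAME="subject">">
<div class="sig"><TMPL_VAR NAME="sig" ESCAPE="NONE"></div>
EOT

# Constructed values standing in for user-submitted forum fields.
my %input = (
    body    => '<script>alert(1)</script>',
    subject => '"><b>x</b>',
    sig     => '<i>markup passed through as-is</i>',
);

# Render the template with whatever constructor options are passed in.
sub render {
    my (%opts) = @_;
    my $t = HTML::Template->new(scalarref => \$tmpl_text, %opts);
    $t->param(%input);
    return $t->output;
}

# No default: every TMPL_VAR without an ESCAPE attribute is emitted raw.
print "--- without default_escape ---\n", render();

# With the default: body and subject are HTML-escaped; sig is still raw
# because its tag carries ESCAPE="NONE", which overrides the default.
print "--- with default_escape => 'html' ---\n",
    render(default_escape => 'html');
```

A per-tag ESCAPE="NONE" overrides the constructor default, so templates should be searched for it when auditing. Values placed inside a script block or a URL need ESCAPE="JS" or ESCAPE="URL" on the tag, since HTML escaping does not fit those contexts.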