in reply to (OT) TEXTAREA and the Single Quote

OK, I discovered the problems with my previous code and I think that they will be instructional for others who doubt or disregard the advice given regularly by the sages at PM.

Mistake #1. I arrived at the solution by following standard advice given regarding:
use CGI::Carp qw(fatalsToBrowser); which, had I known about it when I originally wrote the application, would have immediately led me to the source of the problem (pun intended).

I happen to be a sysadmin, so I can't blame not having access to the system logs because I did. Since I never received any error messages in the browser and the applications appeared to work despite the original problem I described, it never occurred to me to look in the logs.

Mistake #2. I relied on my memory of the steps I took to debug the problem (this was over 9 months ago) and thought that I had tested the query string by substituting "GET" for "POST". Apparently I hadn't, because after I replied to hacker I began second-guessing myself and actually wrote some code to test it. Well, the whole TEXTAREA contents were displayed in the browser location bar. I apologize for the mistaken assumption and realize that I should have gone back and retested my claim before making it.

Mistake #3. As Trimbach suggested, I was relying on a hand-rolled solution for retrieving CGI parameters. Well, actually I pieced together snippets I'd found from various sources and wrote my own sub. I actually was going to post a question about substituting my own code with CGI::import_names but after some research decided that I could figure that out on my own. Instead, I wrote the first post in this thread, which has brought me back full circle.

In my previous applications I used the following code to assign my CGI params. I am already aware of how horrible this is; even though I thought at the time that I had ensured the "untaintedness" of my data, I didn't realize the other implications (see this thread).

HTML:

    <html>
    <form name="Survey" method="get" action="/cgi-bin/textarea.pl">
    <table border=0 width="100%">
    <tr><td><TEXTAREA NAME="xiv" ROWS="6" COLS="55" wrap="soft"></TEXTAREA></td></tr>
    <tr><td><input type="submit" name="Submit" value="Submit"></td></tr>
    </table>
    </form>
    </html>

CGI:
    use CGI;
    use CGI::Carp qw(fatalsToBrowser);

    doGetCGIvars();

    print "Content-type: text/html\n\n";
    # my $query = new CGI;
    # my $xiv = $query->param('xiv');
    print "<html><body>\$xiv=$xiv</body></html>";

    sub doGetCGIvars {
        ### for future revisions look into CGI::import_names
        my $VarName;
        my $query = new CGI;
        foreach $VarName ($query->param) {
            # Builds the Perl source text "$name = 'value'" and evals it.
            # A single quote in the value ends the string literal early and
            # the rest of the value is parsed as Perl code (see the error below).
            my $assign = "\$$VarName = '" . $query->param($VarName) . "'";
            &UnTaint($assign);
            ### print "$assign<br>";
            eval($assign);
        }
    }

    sub UnTaint {
        my $test = shift;
        # Only rejects a '<'; it says nothing about quotes, so it does not
        # protect the eval above.
        unless ($test =~ /^([^<]*)$/) {
            die "Couldn't untaint variable \$test:\n\n";
        }
    }

The problem is that if you comment out the line use CGI::Carp qw(fatalsToBrowser);, you don't get error messages in the browser, and since the $xiv assignment broke, as demonstrated by fatalsToBrowser:

    Software error:
    Substitution pattern not terminated at (eval 5) line 2.
    For help, please send mail to the webmaster (xxx@yyyyyyyyyy), giving this error message and the time and date of the error.

    Content-type: text/html
    $xiv=

$xiv has an undefined value.

--Jim
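Added example (not Jim's code and not part of CGI.pm): it puts the eval-a-string assignment from the post side by side with the plain alternative of reading each param into a lexical hash, and shows why the [^<] untaint check does nothing for the eval. It assumes CGI.pm is installed (it left the Perl core in 5.22 and is on CPAN), and the query string is constructed so the script runs from the command line without a web server.

```perl
#!/usr/bin/perl
# Added example contrasting string-eval assignment with a hash of params.
# Assumes CGI.pm is installed; $query_string is constructed sample input.
use strict;
use warnings;
use CGI;

# Constructed TEXTAREA input: a single quote, a newline, and text that
# happens to look like a Perl substitution once the quote ends the string.
my $query_string = "xiv=It%27s%20a%20test%0As%2Ffoo%2Fbar%2F&Submit=Submit";
my $q = CGI->new($query_string);

# The post's approach: build Perl source "$name = 'value'" and eval it.
# Returns (hashref, '') on success or (undef, $@) when the eval fails.
sub assign_via_eval {
    my ($q) = @_;
    my %vars;
    for my $name ($q->param) {
        # The same [^<] check as the post's UnTaint passes this value,
        # because the quote, not a '<', is what breaks the generated code.
        my $assign = "\$vars{$name} = '" . $q->param($name) . "'";
        eval $assign;
        return (undef, $@) if $@;
    }
    return (\%vars, '');
}

# Plain approach: no code is generated from user data. Values go straight
# into a hash, and untainting keeps the captured part of an allow-list match
# instead of checking the value and then using the original.
sub assign_via_hash {
    my ($q) = @_;
    my %vars;
    for my $name ($q->param) {
        my $value = $q->param($name);
        my ($clean) = $value =~ /\A([^<]*)\z/s
            or return (undef, "rejected value for $name");
        $vars{$name} = $clean;
    }
    return (\%vars, '');
}

my ($by_eval, $err) = assign_via_eval($q);
print "eval approach: ", (defined $by_eval ? "ok\n" : "failed: $err");

my ($by_hash, $err2) = assign_via_hash($q);
die $err2 unless defined $by_hash;
print "hash approach: xiv = [$by_hash->{xiv}]\n";

# When echoing the value back into a page, escape it so the browser
# renders it as text rather than markup.
print "<p>", $q->escapeHTML($by_hash->{xiv}), "</p>\n";
```

The eval branch reports a compile error for this input, while the hash branch returns the full value, quote and newline included. The one behaviour change to notice in the untaint step is that it uses /\A...\z/s rather than /^...$/, so a multi-line TEXTAREA value is checked as a whole instead of failing on the first newline.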