Have a look at perldoc CGI; CGI.pm includes an escapeHTML() function that you might find useful:

$escaped_string = escapeHTML("unescaped string");
[download]

It only accepts strings, though; not sure if a function exists for any data structure.