I think this is a problem with older versions of CGI.pm. In older versions on the module (and I can't remember when it changed) the escape subroutine didn't have a OO interface, so it expected its first parameter to be the string to be escaped.
By calling it with an OO interface, as you have, you give it the CGI object as the first parameter. escape tries to URL encode that object and returned the URL encoded version. When you print out the return code, you the string representation of the object, which is the type and reference - hence the output you see.
Solutions: 1/ Get a more recent version of CGI.pm. 2/ Call escape using the functional interface like this:
$escaped = escape('some text');