As a general rule, removing "special" (whatever that may mean in a particular context) characters is a much more dangerous and fragile solution than removing everything but "normal" characters. Figure out what you want to allow, and then remove (or throw errors for) anything else.

You'll have to do the checking yourself, or use a form validator module (Search CPAN for the module that suits your needs)

Not sure exactly what you are looking for, but here's some Perl that grabs the form value and then tests it for unwanted characters and untaints in the same step. I have a bunch of validation methods depending on what I'm testing for.

Calling script:

($sql{'name'}, $error) = $self->val_text( 1, 64, $self->query->param('
+name') );
   if ( $error-> { msg } ) { push @error_list, { "name" => $error->{ m
+sg } }; }
[download]

Validation script

sub val_alphanum {
   my $self = shift;
   my ($mand, $len, $value) = @_;
   if (!$value && $mand) {
      return (undef, { msg => 'cannot be blank' });
   } elsif ($len && (length($value) > $len) ) {
    return (undef, { msg => 'is limited to '.$len.' characters.' });  
   } elsif ($value && $value !~ /^(\w*)$/) {
      return (undef, { msg => 'can only use letters, numbers and _'  
   } else {
      my $tf = new HTML::TagFilter;
      return ($tf->filter($1));
   }
}
[download]

I've put a lot of work in to figuring out this CGI stuff—you can see more complete examples at Using Perl, jQuery, and JSON for Web development and A Tutorial for CGI::Application.

Also, avoid dumping raw text from user input into comments: all the user has to do is figure out you're doing that and preface any of the XSS exploits on the page with '-->' to close your comment early...