#!/usr/bin/perl

use strict;
use warnings;
use CGI;
use HTML::Entities;

my $bad_userinput = "<script>alert('test');</script>";
my %options = (
    'option 1' => 1,
    'option 2' => 2,
);

my $escaped_input = encode_entities( $bad_userinput );

print CGI->start_html() . 
      CGI->p( 'Boese Benutzereingabe ' . $escaped_input ) .
      CGI->popup_menu(
          -values => [ keys %options ],
          -labels => \%options,
      ) . 
      CGI->end_html();