People have long said the worst things about Perl, but that's one thing that scripting language definitely gets right...
It has a -T switch you have to use for every security-sensitive script that handles potentially untrusted outside data. That switch is very thorough about not letting you do anything with outside data before sanitizing it first (through regexps, what else?). Yes, that includes the PATH, environment, locales, stdin... *everything* that's been audited as being a source of outside data.
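An added example of what the -T switch does in practice (this is not code from the commenter above; the filename allowlist regex and the `untaint_filename` helper are my own choices for illustration). Under taint mode, command-line arguments and %ENV are tainted, so passing them to system() dies with "Insecure dependency in system while running with -T switch" until the value has been passed through a regex capture and PATH has been reset to something the script controls:

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T the whole of %ENV is tainted. system()/exec()/backticks refuse to
# run while PATH is tainted, so replace it with a fixed, known-safe value and
# drop the other variables a shell might honour (per perlsec).
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by extracting only the characters we allow through a capture group.
# Only the captured $1 is clean; a failed match returns undef so the caller
# cannot accidentally continue with the raw value. (Allowlist is my choice.)
sub untaint_filename {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([\w.-]{1,64})\z/ ? $1 : undef;
}

die "usage: $0 FILENAME\n" unless @ARGV;
my $raw = $ARGV[0];    # @ARGV is outside data, hence tainted
printf "raw argument tainted: %s\n", tainted($raw) ? 'yes' : 'no';

# This line would die with "Insecure dependency in system while running
# with -T switch" because $raw is still tainted:
# system('ls', '-l', '--', $raw);

my $name = untaint_filename($raw);
die "rejected input: not a plain filename\n" unless defined $name;
printf "untainted value tainted: %s\n", tainted($name) ? 'yes' : 'no';

# Safe now: PATH is ours, $name came out of a capture group, and the list
# form of system() bypasses the shell so no metacharacters are interpreted.
system('ls', '-l', '--', $name) == 0
    or warn "ls exited with status " . ($? >> 8) . "\n";
```

Run it as `perl -T script.pl report.txt` (or make it executable so the shebang applies); invoking it as `perl script.pl` with only the shebang carrying -T fails with "Too late for -T option", which is itself part of the switch being strict. Note that the regex is the entire security boundary: a capture of `(.*)` untaints just as happily as a strict allowlist, so taint mode guarantees you sanitize, not that you sanitize well.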