Since you are going to stuff the whole file into a scalar anyway, let Perl do that for you:

my $source;
{
  open INPUT, $file;
  local $/ = undef;
  $source = <INPUT>;  
  close INPUT;
}
[download]

You caught the need to escape the tag characters in the code, but there are some cases that will slip through. CGI's escapeHTML function can filter the whole file at once; I'm sure there are other implementations too.