pearlie has asked for the wisdom of the Perl Monks concerning the following question:

hello all,
What are the issues involved in using Mail::Mailer? Can someone please throw light on the statement in the documentation that says:

"Secure all forms of send_headers() against hacker attack and invalid contents. Especially ``\n~...'' in ...::mail::send_headers."

thanks in advance


Re: security concerns with using mail::mailer
by edan (Curate) on Dec 29, 2004 at 11:43 UTC

    This comment was in the "TO DO" section of the pod, meaning that the module author/maintainer was noting that he should do it, not you. Of course, you as the module "consumer" want to know that there may be a security problem in the module. The best thing to do in this case is to "Use the Source, Luke!":

    The Source

    There, you'll see the following little function, that might be of interest:

    sub _cleanup_hdrs {
        my $hdrs = shift;
        my $h;
        foreach $h (values %$hdrs) {
            foreach (ref($h) ? @{$h} : $h) {
                s/\n\s*/ /g;
                s/\s+$//;
            }
        }
    }

    So, in my estimation, this is "DONE", and no longer "TO DO". Perhaps you should contact the maintainer and request that the pod be updated? That's your call...

    Update: Oh yeah, forgot to mention that you should make sure that you've got the latest VERSION (1.65) of Mail::Mailer, so you can rest assured that you have got the fix.

    --
    edan

Re: security concerns with using mail::mailer
by Corion (Patriarch) on Dec 29, 2004 at 10:54 UTC

    This is the basic advice that you should never trust input read from a file or read from the internet or any other input to your script. In this specific case, you should always make sure that you accept nothing that looks like a newline and pass it on to the Mail::send_headers method. You should run your script with taint mode switched on, in any case.

    An easy/simple way to validate your data so that it doesn't contain embedded newlines is the following:

    my $subject = $query->param('subject');
    $subject = '(Disallowed char in subject)' if $subject =~ m!\n!sm;

    You should never read the recipient of a mail from an HTML form!

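The two points made in the replies above, rejecting header values that contain line breaks and never taking recipients from the form, combined into one worked example. This is added here and is not code from the thread or from Mail::Mailer; the form field names, the fixed addresses and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Reject, rather than silently rewrite, any header value that could start a
# new header line: CR, LF or NUL. Dies on bad input so the caller cannot
# forget to check the result. (Mail::Mailer's own _cleanup_hdrs folds "\n"
# followed by whitespace into a space; a bare "\r" is not covered there.)
sub clean_header_value {
    my ($name, $value) = @_;
    die "missing header $name\n"                unless defined $value;
    die "header $name contains a line break\n"  if $value =~ /[\r\n]/;
    die "header $name contains a NUL byte\n"    if $value =~ /\0/;
    return $value;
}

# Only these header names may be filled from untrusted form input (constructed
# list); From and To are fixed in the script, never read from the form.
my %allowed = map { $_ => 1 } qw(Subject X-Feedback-Topic);

sub build_headers {
    my ($form) = @_;    # hashref of submitted form fields
    my %hdrs = (
        From => 'webform@example.com',    # constructed addresses
        To   => 'support@example.com',
    );
    for my $name (keys %$form) {
        next unless $allowed{$name};      # silently drop To, Bcc, etc.
        $hdrs{$name} = clean_header_value($name, $form->{$name});
    }
    return \%hdrs;
}

# Constructed sample submissions: clean, injected line break, smuggled To.
my @samples = (
    { Subject => 'Question about my order' },
    { Subject => "Hello\nX-Injected: yes" },
    { Subject => 'ok', To => 'someone-else@example.net' },
);
for my $form (@samples) {
    my $hdrs = eval { build_headers($form) };
    if ($@) { print "rejected: $@"; next; }
    print join(', ', map { "$_=$hdrs->{$_}" } sort keys %$hdrs), "\n";
    # With a validated %$hdrs the send step would be:
    #   my $mailer = Mail::Mailer->new('sendmail');
    #   $mailer->open($hdrs); print $mailer $body; $mailer->close;
}
```

Run with taint mode (-T) as Corion suggests; the checks then apply to tainted form data before it ever reaches open().
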
Re: security concerns with using mail::mailer
by Jaap (Curate) on Dec 29, 2004 at 11:19 UTC
Re: security concerns with using mail::mailer
by Mutant (Priest) on Dec 29, 2004 at 10:50 UTC

    It's CPAN, there's more than one module to do it :)

    I've used Mail::Sender, and it seems to do the trick. (Requires access to a SMTP server)