> HTML isn't code, you can't execute it.

That's exactly a point I wanted to make. See https://www.usenix.org/legacy/publications/login/2011-12/ope... and http://langsec.org/papers/langsec-tr.pdf