Another method is to use the drag and drop functionality in HTML5 to hide hidden information and trick the user into dropping and dragging this into say a form control. This is a “ClickJacking” attack.
Another attack is HTML cache poisoning, where you can keep a cache alive longer than it should be so you can steal the user’s credentials or even create an HTML5 generated botnet. As HTML and CSS get more sophisticated, these mark-up languages become even more vulnerable to scripting, tunneling, hijacking and a whole variety of attacks.
Think this is years away? No, it can all be done today on any modern browser – even if your site is in HTML5, even if it isn’t using most HTML5 functionality.
Learn the HTML5 vulnerabilities and then prepare the best you can to eliminate those and the use of vulnerable tagging.