Defenses: <script> tags stripped, event handlers stripped, javascript: stripped. The page uses named DOM elements to configure behavior.
The page reads window.config.href to create a navigation link. Your HTML injection could overwrite window.config...
CONCEPT: DOM Clobbering
In browsers, HTML elements with an id or name attribute automatically become properties of the window object. For example, <div id="foo"> makes window.foo reference that element. This is called DOM clobbering — injected HTML can overwrite global JavaScript variables without any script execution. If application code reads properties from window.someVar (e.g., window.config, window.settings), an attacker can inject HTML elements with matching IDs to hijack those values. Nested clobbering (using <form> + child elements, or <a> for .href) allows overwriting dot-notation paths like config.href. The <a> element's .href property is special — the browser resolves HTML entities and returns the full URL, making it a powerful clobber target.