While I don't believe the author is mistaken that he successfully injected HTML into the email, the email snippet quoted in the article is properly escaped, because none is needed, because the email is not HTML:
Content-Type: text/plain; charset=UTF-8
[ snip ]
<pre>This order was placed by</pre>
Content-Type: multipart/alternative; boundary="(AlternativeBoundary)"
(These are so email clients that don't support HTML — or are configured to ignore — can fall back on something.)