Funny at first, but this could have been exploited maliciously by let's displaying a message telling the user he has been disconnected and redirecting him to a phishing page.
If this was purely a CSS injection—as I understand it was—then I don't think it would be possible to redirect on any technical level the user anywhere (e.g. by providing a link).
But telling user to do something would still be on the table.
