Can HTML Injection or XSS Injection be done on a web page that does not accept data entry (search, username, password, etc.)?
Yes. A DOM-based XSS vulnerability does not need a REST endpoint to even exist. The attack goes directly to the DOM model of the web page. It is actually one of the most troublesome versions of XSS out there.
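To illustrate the answer above, here is an added example (not part of the original post) of a page with no input fields whose script reads the URL fragment and writes it to the DOM, shown with the unsafe sink next to the hardened one. The function names, the `makeElement` stand-in and the sample URL are constructed for illustration.

```javascript
// Added example; function names and the sample URL are constructed for illustration.

// What the web server receives: the fragment (#...) is never sent in the request,
// so server-side validation, WAF rules and access logs never see the value.
function serverSees(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Source: the page script reads a value out of the URL fragment.
function nameFromFragment(url) {
  const fragment = new URL(url).hash.slice(1);            // "name=..."
  return new URLSearchParams(fragment).get("name") || "guest";
}

// Vulnerable: the value reaches an HTML-parsing sink, so markup in it becomes DOM nodes.
function greetUnsafe(el, url) {
  el.innerHTML = "Hello, " + nameFromFragment(url);
}

// Hardened: textContent stores the value as a text node; it is never parsed as HTML.
function greetSafe(el, url) {
  el.textContent = "Hello, " + nameFromFragment(url);
}

// Minimal stand-in for a DOM element so the example runs outside a browser.
// It mirrors how a browser serializes text nodes (escaping &, < and >).
function makeElement() {
  let html = "";
  return {
    get innerHTML() { return html; },
    set innerHTML(v) { html = String(v); },
    set textContent(v) {
      html = String(v).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
    },
  };
}

// Constructed link to a page that has no form fields at all.
const SAMPLE_URL = "https://example.test/welcome#name=%3Cb%3Einjected%3C%2Fb%3E";

function demo() {
  const unsafe = makeElement(), safe = makeElement();
  greetUnsafe(unsafe, SAMPLE_URL);
  greetSafe(safe, SAMPLE_URL);
  return { server: serverSees(SAMPLE_URL), unsafe: unsafe.innerHTML, safe: safe.innerHTML };
}

console.log(demo());
```

In a real page, pass an actual element and `location.href`. Because the server only sees `/welcome`, the fix and any detection have to live in the client-side code.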