Without some scripting, the form data won't send. So an 'HTML-based' one is meaningless, I'm afraid.
One thing you can do is to use a service to 'obfuscate' the raw email address. That is, you convert it into a mish-mash of code that a spam bot can't read, but which displays fine on screen. These can never be perfect, but they are pretty good. I often use this one, for example: