Well, first off the 2006 LJ issue predates the implementation of HttpOnly cookies I think. They're a fairly recent invention.

HttpOnly doesn't really fix the issue though. It prevents evil js from straight-out stealing the cookie, but it can still make HTTP requests that will include the cookies. Therefore the script could still do bad things the user's behalf (add or remove friends, scrape private data, post spam, etc...)

The LJ story is just an example of a general lesson: if you can put user-generated content in a different domain (i.e. browser security context) than your authentication-critical cookies you are in a better position. That way any javascript leakage at evil-user.yourdomain.com can't harm your users any more than if they were viewing it at www.evil-users-domain.com.