BUG: Rule is matched on HTML comments

[IlluminatiFish]

It appears that the implementation for the html modifier matches on anything found in the DOM response from URLScan which leads to rules being flagged incorrectly.

In the example above both the base64-encoded-body & hex-encoded-body get matched however, the latter is nested within a HTML comment

[bradleyjkemp]

Hmm that's a tricky one.

There's definitely a slight bug here where the html matcher actually uses the URLScan DOM (not quite the same) but in general some amount of false positives are inevitable.

HTML can't be properly parsed using the simple regex based language IOK uses and so while we could try to filter out some false positives, we'd never get all of them

[IlluminatiFish]

Hmm that's a tricky one.

There's definitely a slight bug here where the html matcher actually uses the URLScan DOM (not quite the same) but in general some amount of false positives are inevitable.

HTML can't be properly parsed using the simple regex based language IOK uses and so while we could try to filter out some false positives, we'd never get all of them

Yeah, definitely a tricky problem, not sure if it could be solved