Check performance implications of scanning all HTML files for enabling JSF

We have in this MR some rule for basic support of JSF, but .html and xhtml files are not in the whitelist of lightz-aio (and GLAS), so they are not scanned. It would be great to add those extensions to the whitelist

However, we are concerned about the performance implications of scanning all HTML files.

DoD:

• Run lightz-aio on several projects and measure the overhead of scanning all HTML files.
• Make a decision if enabling scanning HTML files or not.

See https://gitlab.com/gitlab-org/security-products/oxeye/product/oxeye-rulez/-/merge_requests/783#note_2134652712

/cc @dabeles