Example of an exploit kit panel showing infection stats by browser
One of the features most commonly observed in the html code of this infected websites is the injection of iframe or script tags after the html close tag.
Finding a script or iframe element after the close html tag raises the alarm, and many URLs analysis engines will give high importance to this situation, leading even to false positives for legitimate websites. It has been proved that some well known sites keep this bad habit due to their own ignorance or because of third party widgets.
As long as you can, avoid this bad practice if you don’t want to have an unpleasant surprise.