diff --git a/pyproject.toml b/pyproject.toml
index 42e3e181ae..0897a8a4c4 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -508,6 +508,9 @@ ignore = [
 "TC003", # Move standard library import into a type-checking block
 ]

+[tool.ruff.lint.flake8-bandit]
+allowed-markup-calls = ["lxml.html.tostring"]
+
 [tool.ruff.lint.flake8-gettext]
 extend-function-names = ["gettext_lazy"]

diff --git a/zerver/views/documentation.py b/zerver/views/documentation.py
index 4ebb197007..8cf4176a84 100644
--- a/zerver/views/documentation.py
+++ b/zerver/views/documentation.py
@@ -288,8 +288,9 @@ class MarkdownDirectoryView(ApiURLView):
 old_class = a.attrib.get("class", "")
 assert isinstance(old_class, str)
 a.attrib["class"] = old_class + " highlighted"
- sidebar_html = "".join(html.tostring(child, encoding="unicode") for child in tree)
- context["sidebar_html"] = Markup(sidebar_html)
+ context["sidebar_html"] = Markup().join(
+ Markup(html.tostring(child, encoding="unicode")) for child in tree
+ )

 add_google_analytics_context(context)
 return context
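Review bot: The new `allowed-markup-calls` entry in the pyproject.toml hunk is a repository-wide exemption with no stated condition, so any later `Markup(lxml.html.tostring(...))` passes the unsafe-markup lint regardless of where its tree came from. `lxml.html.tostring` serializes a tree and escapes text nodes, but it does not sanitize: elements and attributes already in the tree, such as script tags or event handlers, are emitted as-is. The allowlist is therefore only sound while every serialized tree is built from trusted HTML. I would record that above the setting, e.g. `# lxml.html.tostring serializes but does not sanitize; only wrap its output in Markup for trees parsed from trusted HTML.`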
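Review bot: The new `Markup(html.tostring(child, encoding="unicode"))` call in zerver/views/documentation.py marks each serialized child as safe, but the reason `tree` can be trusted is not visible in this hunk. The enclosing method starts above it, and so does the code that parses `tree`. The per-child wrap is needed because `Markup().join(...)` escapes any item that is not already `Markup`, so this expression is the single place where trust is asserted for the sidebar. I would add a comment directly above it, e.g. `# tree is parsed from our own rendered sidebar, never from user input, so its serialization is safe markup.`, after confirming that this holds for every path that builds `tree`.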