From 7866dc5ad82bf4aba503c57dbfbde1a4a46d7eaa Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <anders@zulip.com>
Date: Fri, 14 Mar 2025 15:40:16 -0700
Subject: [PATCH] ruff: Fix S704 Unsafe use of `markupsafe.Markup` detected.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
---
 pyproject.toml                | 3 +++
 zerver/views/documentation.py | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 42e3e181ae..0897a8a4c4 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -508,6 +508,9 @@ ignore = [
     "TC003", # Move standard library import into a type-checking block
 ]
 
+[tool.ruff.lint.flake8-bandit]
+allowed-markup-calls = ["lxml.html.tostring"]
+
 [tool.ruff.lint.flake8-gettext]
 extend-function-names = ["gettext_lazy"]
 
diff --git a/zerver/views/documentation.py b/zerver/views/documentation.py
index 4ebb197007..8cf4176a84 100644
--- a/zerver/views/documentation.py
+++ b/zerver/views/documentation.py
@@ -288,8 +288,9 @@ class MarkdownDirectoryView(ApiURLView):
             old_class = a.attrib.get("class", "")
             assert isinstance(old_class, str)
             a.attrib["class"] = old_class + " highlighted"
-        sidebar_html = "".join(html.tostring(child, encoding="unicode") for child in tree)
-        context["sidebar_html"] = Markup(sidebar_html)
+        context["sidebar_html"] = Markup().join(
+            Markup(html.tostring(child, encoding="unicode")) for child in tree
+        )
 
         add_google_analytics_context(context)
         return context