[flake8-bandit] Allow raw strings in suspicious-mark-safe-usage (S308) #16702 (#16770)

## Summary
Stop flagging each invocation of `django.utils.safestring.mark_safe`
(also available at, `django.utils.html.mark_safe`) as an error.

Instead, allow string literals as valid uses for `mark_safe`.

Also, update the documentation, pointing at
`django.utils.html.format_html` for dynamic content generation use
cases.

Closes #16702 

## Test Plan
I verified several possible uses, but string literals, are still
flagged.

---------

Co-authored-by: Micha Reiser <micha@reiser.io>

crates/ruff_linter/resources/test/fixtures/flake8_bandit/S308.py

@@ -1,8 +1,16 @@
 from django.utils.safestring import mark_safe
 
 
-def some_func():
-    return mark_safe('<script>alert("evil!")</script>')
+def bad_func():
+    inject = "harmful_input"
+    mark_safe(inject)
+    mark_safe("I will add" + inject + "to my string")
+    mark_safe("I will add %s to my string" % inject)
+    mark_safe("I will add {} to my string".format(inject))
+    mark_safe(f"I will add {inject} to my string")
+
+def good_func():
+    mark_safe("I won't inject anything")
 
 
 @mark_safe
@@ -13,8 +21,16 @@ def some_func():
 from django.utils.html import mark_safe
 
 
-def some_func():
-    return mark_safe('<script>alert("evil!")</script>')
+def bad_func():
+    inject = "harmful_input"
+    mark_safe(inject)
+    mark_safe("I will add" + inject + "to my string")
+    mark_safe("I will add %s to my string" % inject)
+    mark_safe("I will add {} to my string".format(inject))
+    mark_safe(f"I will add {inject} to my string")
+
+def good_func():
+    mark_safe("I won't inject anything")
 
 
 @mark_safe