diff --git a/app/models/environment.rb b/app/models/environment.rb
index 909249daccaff1bc84a33a227e27b4e81bcbd08e..ed18e6bdea1f4ed7b3c3acc96474233536e2237f 100644
--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -185,8 +185,7 @@ class Environment < ActiveRecord::Base
     public_path = project.public_path_for_source_path(path, commit_sha)
     return unless public_path
 
-    # TODO: Verify this can't be used for XSS
-    URI.join(external_url, public_path).to_s
+    [external_url, public_path].join('/')
   end
 
   private