From 482cc4dfca3cf414587a9a1a70683caafe3bfa79 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Thu, 11 Dec 2025 16:32:31 -0500
Subject: [PATCH 01/18] wip

---
 resources/lib/UnityHTTPD.php                |  2 +-
 resources/lib/UnityMailer.php               |  2 --
 resources/lib/UnityWebhook.php              |  5 -----
 resources/lib/utils.php                     |  5 +++++
 resources/mail/footer.php                   |  2 +-
 resources/mail/group_created.php            |  2 +-
 resources/mail/group_request_admin.php      |  2 +-
 resources/mail/group_user_added.php         |  2 +-
 resources/mail/group_user_request_owner.php |  2 +-
 resources/mail/user_loginshell.php          |  2 +-
 resources/mail/user_qualified.php           |  2 +-
 resources/mail/user_sshkey.php              |  2 +-
 resources/templates/footer.php              | 10 ++++-----
 resources/templates/header.php              | 23 ++++++++-------------
 webroot/admin/pi-mgmt.php                   |  2 +-
 webroot/admin/user-mgmt.php                 |  2 +-
 webroot/panel/account.php                   |  2 +-
 webroot/panel/groups.php                    |  8 +++----
 webroot/panel/modal/new_key.php             | 12 +++++++----
 webroot/panel/modal/new_pi.php              |  2 +-
 webroot/panel/new_account.php               |  2 +-
 webroot/panel/pi.php                        |  2 +-
 22 files changed, 46 insertions(+), 49 deletions(-)

diff --git a/resources/lib/UnityHTTPD.php b/resources/lib/UnityHTTPD.php
index 7952a176..f434c808 100644
--- a/resources/lib/UnityHTTPD.php
+++ b/resources/lib/UnityHTTPD.php
@@ -42,7 +42,7 @@ public static function die(mixed $x = null, bool $show_user = false): never
     */
     public static function redirect(?string $dest = null): never
     {
-        $dest ??= pathJoin(CONFIG["site"]["prefix"], $_SERVER["REQUEST_URI"]);
+        $dest ??= getURL($_SERVER["REQUEST_URI"]);
         $dest = htmlspecialchars($dest);
         header("Location: $dest");
         http_response_code(302);
diff --git a/resources/lib/UnityMailer.php b/resources/lib/UnityMailer.php
index 51a1aeba..da5b85ef 100644
--- a/resources/lib/UnityMailer.php
+++ b/resources/lib/UnityMailer.php
@@ -13,7 +13,6 @@ class UnityMailer extends PHPMailer
     private string $template_dir = __DIR__ . "/../mail"; // location of all email templates
     private string $override_template_dir = __DIR__ . "/../../deployment/mail_overrides";
 
-    private string $MSG_LINKREF;
     private string $MSG_SENDER_EMAIL;
     private string $MSG_SENDER_NAME;
     private string $MSG_SUPPORT_EMAIL;
@@ -28,7 +27,6 @@ public function __construct()
         parent::__construct();
         $this->isSMTP();
 
-        $this->MSG_LINKREF = CONFIG["site"]["url"] . CONFIG["site"]["prefix"];
         $this->MSG_SENDER_EMAIL = CONFIG["mail"]["sender"];
         $this->MSG_SENDER_NAME = CONFIG["mail"]["sender_name"];
         $this->MSG_SUPPORT_EMAIL = CONFIG["mail"]["support"];
diff --git a/resources/lib/UnityWebhook.php b/resources/lib/UnityWebhook.php
index 80203762..522b644a 100644
--- a/resources/lib/UnityWebhook.php
+++ b/resources/lib/UnityWebhook.php
@@ -7,13 +7,8 @@ class UnityWebhook
     private string $template_dir = __DIR__ . "/../mail";
     private string $override_template_dir = __DIR__ . "/../../deployment/mail_overrides";
     private string $url = CONFIG["webhook"]["url"];
-    private string $MSG_LINKREF;
     private string $Subject; // set by template
 
-    public function __construct()
-    {
-        $this->MSG_LINKREF = CONFIG["site"]["url"] . CONFIG["site"]["prefix"];
-    }
     public function htmlToMarkdown(string $html): string
     {
         // Define regex patterns for each markdown format
diff --git a/resources/lib/utils.php b/resources/lib/utils.php
index a9a04aa8..e3270e51 100644
--- a/resources/lib/utils.php
+++ b/resources/lib/utils.php
@@ -82,3 +82,8 @@ function pathJoin()
     }
     return preg_replace("#/+#", "/", join("/", $paths));
 }
+
+function getURL(...$args)
+{
+    return pathJoin([CONFIG["site"]["url"], CONFIG["site"]["prefix"], ...$args]);
+}
diff --git a/resources/mail/footer.php b/resources/mail/footer.php
index 9e6a712b..5b133d07 100644
--- a/resources/mail/footer.php
+++ b/resources/mail/footer.php
@@ -3,7 +3,7 @@
 >
   <span>
     You are receiving this email because you have an account
-    on the <a target='_blank' href='<?php echo $this->MSG_LINKREF; ?>'>Unity Cluster</a>.
+    on the <a target='_blank' href='<?php echo getURL("/"); ?>'>Unity Cluster</a>.
     If you would like to stop receiving these emails,
     you may request to close your account by replying to this email.
   </span>
diff --git a/resources/mail/group_created.php b/resources/mail/group_created.php
index 618ef57f..b4c64481 100644
--- a/resources/mail/group_created.php
+++ b/resources/mail/group_created.php
@@ -8,7 +8,7 @@
 <p>
 Your request for a PI account on the Unity cluster has been approved.
 You can access the management page for your group
-<a href="<?php echo $this->MSG_LINKREF; ?>/panel/pi.php">on this page</a>.
+<a href="<?php echo getURL("panel/pi.php"); ?>">on this page</a>.
 </p>
 
 <p>Do not hesitate to reply if you have any questions!</p>
diff --git a/resources/mail/group_request_admin.php b/resources/mail/group_request_admin.php
index 8fe51027..96fefac4 100644
--- a/resources/mail/group_request_admin.php
+++ b/resources/mail/group_request_admin.php
@@ -19,6 +19,6 @@
 
 <p>
 You can approve this account
-<a href="<?php echo $this->MSG_LINKREF; ?>/admin/pi-mgmt.php">here</a>
+<a href="<?php echo getURL("admin/pi-mgmt.php"); ?>">here</a>
 .
 </p>
diff --git a/resources/mail/group_user_added.php b/resources/mail/group_user_added.php
index 9c42b8cc..379ae751 100644
--- a/resources/mail/group_user_added.php
+++ b/resources/mail/group_user_added.php
@@ -6,7 +6,7 @@
 <p>Hello,</p>
 
 <p>You have been approved to join the PI group <?php echo $data["group"]; ?>.
-Navigate to the <a href="<?php echo $this->MSG_LINKREF; ?>/panel/groups.php">my groups</a>
+Navigate to the <a href="<?php echo getURL("panel/groups.php"); ?>">my groups</a>
 page to see your PI groups.</p>
 
 <p>If you believe this to be a mistake, please reply to this email as soon as possible.</p>
diff --git a/resources/mail/group_user_request_owner.php b/resources/mail/group_user_request_owner.php
index 9ad4db55..9c32b1e4 100644
--- a/resources/mail/group_user_request_owner.php
+++ b/resources/mail/group_user_request_owner.php
@@ -22,4 +22,4 @@
 </p>
 
 <p>You can approve or deny this user on the
-    <a href="<?php echo $this->MSG_LINKREF; ?>/panel/pi.php">my users</a> page</p>
+    <a href="<?php echo getURL("panel/pi.php"); ?>">my users</a> page</p>
diff --git a/resources/mail/user_loginshell.php b/resources/mail/user_loginshell.php
index c21337dd..4197b9e1 100644
--- a/resources/mail/user_loginshell.php
+++ b/resources/mail/user_loginshell.php
@@ -7,6 +7,6 @@
 
 <p>You have updated your login shell on the Unity cluster to <?php echo $data["new_shell"]; ?>.
 You can view the login shell settings on the
-<a href="<?php echo $this->MSG_LINKREF; ?>/panel/account.php">account settings</a> page</p>
+<a href="<?php echo getURL("panel/account.php"); ?>">account settings</a> page</p>
 
 <p>If you believe this to be a mistake, please reply to this email as soon as possible.</p>
diff --git a/resources/mail/user_qualified.php b/resources/mail/user_qualified.php
index 512930c3..4241bf28 100644
--- a/resources/mail/user_qualified.php
+++ b/resources/mail/user_qualified.php
@@ -15,6 +15,6 @@
 
 <p>Please login to the web portal to access Unity.
     If you need console access, you will need to set your SSH keys in the
-    <a href="<?php echo $this->MSG_LINKREF; ?>/panel/account.php">account settings</a> page.</p>
+    <a href="<?php echo getURL("/panel/account.php"); ?>">account settings</a> page.</p>
 
 <p>If you believe this to be a mistake, please reply to this email as soon as possible.</p>
diff --git a/resources/mail/user_sshkey.php b/resources/mail/user_sshkey.php
index 5a4a8076..20619c63 100644
--- a/resources/mail/user_sshkey.php
+++ b/resources/mail/user_sshkey.php
@@ -15,7 +15,7 @@
 
 <p>
 You can view the SSH public keys attached to your account on the
-<a href="<?php echo $this->MSG_LINKREF; ?>/panel/account.php">account settings</a>
+<a href="<?php echo getURL("/panel/account.php"); ?>">account settings</a>
 page.
 </p>
 
diff --git a/resources/templates/footer.php b/resources/templates/footer.php
index e5cd3d2c..66d1254d 100644
--- a/resources/templates/footer.php
+++ b/resources/templates/footer.php
@@ -10,7 +10,7 @@
     for ($i = 0; $i < count($footer_logos); $i++) {
         echo
         "<a target='_blank' href='" . $footer_links[$i] . "'>
-        <img src='" . CONFIG["site"]["prefix"] . "/assets/" . $footer_logos[$i] . "'
+        <img src='" . getURL("assets", $footer_logos[$i]) . "'
         draggable='false' title='" . $footer_titles[$i] . "'></a>";
     }
     ?>
@@ -30,9 +30,9 @@
 
 </body>
 
-<script src="<?php echo CONFIG["site"]["prefix"]; ?>/js/filter.js"></script>
-<script src="<?php echo CONFIG["site"]["prefix"]; ?>/js/sort.js"></script>
-<script src="<?php echo CONFIG["site"]["prefix"]; ?>/js/global.js"></script>
-<script src="<?php echo CONFIG["site"]["prefix"]; ?>/js/tables.js"></script>
+<script src="<?php echo getURL("js/filter.js") ;?>"></script>
+<script src="<?php echo getURL("js/sort.js"); ?>"></script>
+<script src="<?php echo getURL("js/global.js"); ?>"></script>
+<script src="<?php echo getURL("js/tables.js"); ?>"></script>
 
 </html>
diff --git a/resources/templates/header.php b/resources/templates/header.php
index 3ab4d742..3e165f50 100644
--- a/resources/templates/header.php
+++ b/resources/templates/header.php
@@ -10,7 +10,7 @@
         && ($_POST["form_type"] ?? null) == "clearView"
     ) {
         unset($_SESSION["viewUser"]);
-        UnityHTTPD::redirect(CONFIG["site"]["prefix"] . "/admin/user-mgmt.php");
+        UnityHTTPD::redirect(getURL("/admin/user-mgmt.php"));
     }
     // Webroot files need to handle their own POSTs before loading the header
     // so that they can do UnityHTTPD::badRequest before anything else has been printed.
@@ -26,7 +26,7 @@
         !$_SESSION["user_exists"]
         && !str_ends_with($_SERVER['PHP_SELF'], "/panel/new_account.php")
     ) {
-        UnityHTTPD::redirect(CONFIG["site"]["prefix"] . "/panel/new_account.php");
+        UnityHTTPD::redirect(getURL("/panel/new_account.php"));
     }
 }
 
@@ -51,15 +51,10 @@
   </style>
 
   <?php
-    $prefix = CONFIG["site"]["prefix"];
-    echo "
-        <link rel='stylesheet' type='text/css' href='$prefix/css/global.css'>
-        <link rel='stylesheet' type='text/css' href='$prefix/css/navbar.css'>
-        <link rel='stylesheet' type='text/css' href='$prefix/css/modal.css'>
-        <link rel='stylesheet' type='text/css' href='$prefix/css/tables.css'>
-        <link rel='stylesheet' type='text/css' href='$prefix/css/filters.css'>
-        <link rel='stylesheet' type='text/css' href='$prefix/css/messages.css'>
-    ";
+    foreach (["global", "navbar", "tables", "filters", "messages"] as $x) {
+        $url = getURL("css/$x.css");
+        echo "<link rel='stylesheet' type='text/css' href='$url'>";
+    }
     ?>
 
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
@@ -72,11 +67,11 @@
 
   <header>
     <img id="imgLogo" draggable=false
-    src="<?php echo CONFIG["site"]["prefix"]; ?>/assets/<?php echo CONFIG["site"]["logo"]; ?>">
+    src="<?php echo getURL("assets", CONFIG["site"]["logo"]); ?>">
     <button class="hamburger vertical-align">
       <img
         draggable="false"
-        src="<?php echo CONFIG["site"]["prefix"]; ?>/assets/menu.png"
+        src="<?php echo getURL("assets/menu.png") ?>"
         alt="Menu Button"
       >
     </button>
@@ -138,7 +133,7 @@
       <div class="modalBody"></div>
     </div>
   </div>
-  <script src="<?php echo CONFIG["site"]["prefix"]; ?>/js/modal.js"></script>
+  <script src="<?php echo getURL("/js/modal.js"); ?>"></script>
 
   <main>
 
diff --git a/webroot/admin/pi-mgmt.php b/webroot/admin/pi-mgmt.php
index b4e82554..45b5c6a4 100644
--- a/webroot/admin/pi-mgmt.php
+++ b/webroot/admin/pi-mgmt.php
@@ -146,7 +146,7 @@ class="filterSearch"
         }
     });
 
-    var ajax_url = "<?php echo CONFIG["site"]["prefix"]; ?>/admin/ajax/get_group_members.php?gid=";
+    var ajax_url = "<?php echo getURL("/admin/ajax/get_group_members.php"); ?>?gid=";
 </script>
 
 <?php
diff --git a/webroot/admin/user-mgmt.php b/webroot/admin/user-mgmt.php
index 7e5dc08f..d287ff62 100644
--- a/webroot/admin/user-mgmt.php
+++ b/webroot/admin/user-mgmt.php
@@ -13,7 +13,7 @@
     switch ($_POST["form_type"]) {
         case "viewAsUser":
             $_SESSION["viewUser"] = $_POST["uid"];
-            UnityHTTPD::redirect(CONFIG["site"]["prefix"] . "/panel/account.php");
+            UnityHTTPD::redirect(getURL("/panel/account.php"));
             break;
     }
 }
diff --git a/webroot/panel/account.php b/webroot/panel/account.php
index ee1b8246..d953e818 100644
--- a/webroot/panel/account.php
+++ b/webroot/panel/account.php
@@ -136,7 +136,7 @@
     echo "<p>You are curently a <strong>qualified user</strong> on the Unity Cluster</p>";
 } else {
     $tos_url = CONFIG["site"]["terms_of_service_url"];
-    $sitePrefix = CONFIG["site"]["prefix"];
+    $sitePrefix = substr(getURL(""), strlen(CONFIG["site"]["url"]), -1);
     echo "
         <p>
             You are currently an <strong>unqualified user</strong>, and will be
diff --git a/webroot/panel/groups.php b/webroot/panel/groups.php
index 1cf7b8f7..8601a240 100644
--- a/webroot/panel/groups.php
+++ b/webroot/panel/groups.php
@@ -126,14 +126,14 @@
     echo "
         You are only a member of your own PI group.
         Navigate to the
-        <a href='" . CONFIG["site"]["prefix"] . "/panel/pi.php'>my users</a>
+        <a href='" . getURL("/panel/pi.php") . "'>my users</a>
         page to see your group.
     ";
 }
 
 if (count($PIGroupGIDs) == 0) {
     echo "You are not a member of any groups. Request to join a PI using the button below,
-    or request your own PI account on the <a href='" . CONFIG["site"]["prefix"] .
+    or request your own PI account on the <a href='" . getURL("/panel/groups.php") .
         "/panel/account.php'>account settings</a> page";
 }
 
@@ -185,11 +185,11 @@
 
 <script>
     $("button.btnAddPI").click(function () {
-        openModal("Add New PI", "<?php echo CONFIG["site"]["prefix"]; ?>/panel/modal/new_pi.php");
+        openModal("Add New PI", "<?php echo getURL("/panel/modal/new_pi.php"); ?>");
     });
 
     // tables.js uses ajax_url to populate expandable tables
-    var ajax_url = "<?php echo CONFIG["site"]["prefix"]; ?>/panel/ajax/get_group_members.php?gid=";
+    var ajax_url = "<?php echo getURL("/panel/ajax/get_group_members.php"); ?>?gid=";
 </script>
 
 <style>
diff --git a/webroot/panel/modal/new_key.php b/webroot/panel/modal/new_key.php
index 0421aeb3..c7878383 100644
--- a/webroot/panel/modal/new_key.php
+++ b/webroot/panel/modal/new_key.php
@@ -4,8 +4,12 @@
 use UnityWebPortal\lib\UnityHTTPD;
 ?>
 
-<form id="newKeyform" enctype="multipart/form-data" method="POST"
-action="<?php echo CONFIG["site"]["prefix"]; ?>/panel/account.php">
+<form
+    id="newKeyform"
+    enctype="multipart/form-data"
+    method="POST"
+    action="<?php echo getURL("/panel/account.php"); ?>"
+>
     <?php echo UnityHTTPD::getCSRFTokenHiddenFormInput(); ?>
     <input type='hidden' name='form_type' value='addKey'>
 
@@ -70,7 +74,7 @@ function generateKey(type) {
         var endingSection = "</section>";
 
         $.ajax({
-            url: "<?php echo CONFIG["site"]["prefix"]; ?>/js/ajax/ssh_generate.php?type=" + type,
+            url: "<?php echo getURL("/js/ajax/ssh_generate.php"); ?>?type=" + type,
             success: function(result) {
                 var pubKey = result.substr(result.indexOf(pubSection) + pubSection.length,
                 result.indexOf(endingSection) - result.indexOf(pubSection) - pubSection.length);
@@ -99,7 +103,7 @@ function generateKey(type) {
     $("textarea[name=key]").on("input", function() {
         var key = $(this).val();
         $.ajax({
-            url: "<?php echo CONFIG["site"]["prefix"]; ?>/js/ajax/ssh_validate.php",
+            url: "<?php echo getURL("/js/ajax/ssh_validate.php"); ?>",
             type: "POST",
             data: {
                 key: key
diff --git a/webroot/panel/modal/new_pi.php b/webroot/panel/modal/new_pi.php
index d48277a2..f76bea01 100644
--- a/webroot/panel/modal/new_pi.php
+++ b/webroot/panel/modal/new_pi.php
@@ -7,7 +7,7 @@
 <form
     id="newPIform"
     method="POST"
-    action="<?php echo CONFIG["site"]["prefix"]; ?>/panel/groups.php"
+    action="<?php echo getURL("/panel/groups.php"); ?>"
 >
     <?php echo UnityHTTPD::getCSRFTokenHiddenFormInput(); ?>
     <input type="hidden" name="form_type" value="addPIform">
diff --git a/webroot/panel/new_account.php b/webroot/panel/new_account.php
index e3c13799..b75e2d3b 100644
--- a/webroot/panel/new_account.php
+++ b/webroot/panel/new_account.php
@@ -6,7 +6,7 @@
 use UnityWebPortal\lib\UnityUser;
 
 if ($USER->exists()) {
-    UnityHTTPD::redirect(CONFIG["site"]["prefix"] . "/panel/account.php");
+    UnityHTTPD::redirect(getURL("/panel/account.php"));
 }
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
     UnityHTTPD::validatePostCSRFToken();
diff --git a/webroot/panel/pi.php b/webroot/panel/pi.php
index d4a6eaf8..a49887ea 100644
--- a/webroot/panel/pi.php
+++ b/webroot/panel/pi.php
@@ -46,7 +46,7 @@
 
 if (count($requests) + count($assocs) == 1) {
     echo "<p>You do not have any users attached to your PI account.
-    Ask your users to request to join your account on the <a href='" . CONFIG["site"]["prefix"] .
+    Ask your users to request to join your account on the <a href='" . getURL("/panel/groups.php") .
         "/panel/groups.php'>My PIs</a> page.</p>";
 }
 

From a1723c641e1d46d1fd104647ebad34228d674f9b Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Fri, 12 Dec 2025 07:37:58 -0500
Subject: [PATCH 02/18] for loop

---
 resources/templates/footer.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/resources/templates/footer.php b/resources/templates/footer.php
index 66d1254d..005ef7b7 100644
--- a/resources/templates/footer.php
+++ b/resources/templates/footer.php
@@ -29,10 +29,10 @@
 </footer>
 
 </body>
-
-<script src="<?php echo getURL("js/filter.js") ;?>"></script>
-<script src="<?php echo getURL("js/sort.js"); ?>"></script>
-<script src="<?php echo getURL("js/global.js"); ?>"></script>
-<script src="<?php echo getURL("js/tables.js"); ?>"></script>
-
+<?php
+foreach (["filter", "sort", "global", "tables"] as $x) {
+    $url = getURL("js/$x.js");
+    echo "<script src='$url'>";
+}
+?>
 </html>

From f5b0bd9907b05ff98c8e9784b01c726fd1db192c Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Fri, 12 Dec 2025 07:39:39 -0500
Subject: [PATCH 03/18] remove leading slashes

---
 resources/templates/header.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/resources/templates/header.php b/resources/templates/header.php
index 3e165f50..268a0cc0 100644
--- a/resources/templates/header.php
+++ b/resources/templates/header.php
@@ -10,7 +10,7 @@
         && ($_POST["form_type"] ?? null) == "clearView"
     ) {
         unset($_SESSION["viewUser"]);
-        UnityHTTPD::redirect(getURL("/admin/user-mgmt.php"));
+        UnityHTTPD::redirect(getURL("admin/user-mgmt.php"));
     }
     // Webroot files need to handle their own POSTs before loading the header
     // so that they can do UnityHTTPD::badRequest before anything else has been printed.
@@ -26,7 +26,7 @@
         !$_SESSION["user_exists"]
         && !str_ends_with($_SERVER['PHP_SELF'], "/panel/new_account.php")
     ) {
-        UnityHTTPD::redirect(getURL("/panel/new_account.php"));
+        UnityHTTPD::redirect(getURL("panel/new_account.php"));
     }
 }
 
@@ -133,7 +133,7 @@
       <div class="modalBody"></div>
     </div>
   </div>
-  <script src="<?php echo getURL("/js/modal.js"); ?>"></script>
+  <script src="<?php echo getURL("js/modal.js"); ?>"></script>
 
   <main>
 

From 4458b54d847a47b208a5e74a0683de915dd03d2b Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Fri, 12 Dec 2025 08:05:36 -0500
Subject: [PATCH 04/18] getHyperlink

---
 resources/lib/utils.php                     | 12 ++++++++++--
 resources/mail/footer.php                   |  2 +-
 resources/mail/group_created.php            |  2 +-
 resources/mail/group_request_admin.php      |  2 +-
 resources/mail/group_user_added.php         |  2 +-
 resources/mail/group_user_request_owner.php |  2 +-
 resources/mail/user_loginshell.php          |  2 +-
 resources/mail/user_qualified.php           |  2 +-
 resources/mail/user_sshkey.php              |  2 +-
 resources/templates/header.php              | 21 ++++++++++-----------
 webroot/panel/groups.php                    |  7 ++++---
 webroot/panel/pi.php                        |  4 ++--
 12 files changed, 34 insertions(+), 26 deletions(-)

diff --git a/resources/lib/utils.php b/resources/lib/utils.php
index e3270e51..80090e29 100644
--- a/resources/lib/utils.php
+++ b/resources/lib/utils.php
@@ -83,7 +83,15 @@ function pathJoin()
     return preg_replace("#/+#", "/", join("/", $paths));
 }
 
-function getURL(...$args)
+function getURL(...$path_components)
 {
-    return pathJoin([CONFIG["site"]["url"], CONFIG["site"]["prefix"], ...$args]);
+    return pathJoin([CONFIG["site"]["url"], CONFIG["site"]["prefix"], ...$path_components]);
+}
+
+function getHyperlink($text, ...$path_components)
+{
+    $text = htmlspecialchars($text);
+    $path_components = array_map("htmlspecialchars", $path_components);
+    $url = getURL(...$path_components);
+    return "<a href='$url'>$text</a>";
 }
diff --git a/resources/mail/footer.php b/resources/mail/footer.php
index 5b133d07..79e80fce 100644
--- a/resources/mail/footer.php
+++ b/resources/mail/footer.php
@@ -3,7 +3,7 @@
 >
   <span>
     You are receiving this email because you have an account
-    on the <a target='_blank' href='<?php echo getURL("/"); ?>'>Unity Cluster</a>.
+    on the <?php echo getHyperlink("Unity Cluster", "/"); ?>.
     If you would like to stop receiving these emails,
     you may request to close your account by replying to this email.
   </span>
diff --git a/resources/mail/group_created.php b/resources/mail/group_created.php
index b4c64481..09c9c7d0 100644
--- a/resources/mail/group_created.php
+++ b/resources/mail/group_created.php
@@ -8,7 +8,7 @@
 <p>
 Your request for a PI account on the Unity cluster has been approved.
 You can access the management page for your group
-<a href="<?php echo getURL("panel/pi.php"); ?>">on this page</a>.
+<?php echo getHyperlink("on this page", "panel/pi.php"); ?>.
 </p>
 
 <p>Do not hesitate to reply if you have any questions!</p>
diff --git a/resources/mail/group_request_admin.php b/resources/mail/group_request_admin.php
index 96fefac4..0dfd8201 100644
--- a/resources/mail/group_request_admin.php
+++ b/resources/mail/group_request_admin.php
@@ -19,6 +19,6 @@
 
 <p>
 You can approve this account
-<a href="<?php echo getURL("admin/pi-mgmt.php"); ?>">here</a>
+<?php echo getHyperlink("here", "admin/pi-mgmt.php"); ?>
 .
 </p>
diff --git a/resources/mail/group_user_added.php b/resources/mail/group_user_added.php
index 379ae751..1fb9d6bd 100644
--- a/resources/mail/group_user_added.php
+++ b/resources/mail/group_user_added.php
@@ -6,7 +6,7 @@
 <p>Hello,</p>
 
 <p>You have been approved to join the PI group <?php echo $data["group"]; ?>.
-Navigate to the <a href="<?php echo getURL("panel/groups.php"); ?>">my groups</a>
+Navigate to the <?php echo getHyperlink("my groups", "panel/groups.php"); ?>
 page to see your PI groups.</p>
 
 <p>If you believe this to be a mistake, please reply to this email as soon as possible.</p>
diff --git a/resources/mail/group_user_request_owner.php b/resources/mail/group_user_request_owner.php
index 9c32b1e4..b2db8638 100644
--- a/resources/mail/group_user_request_owner.php
+++ b/resources/mail/group_user_request_owner.php
@@ -22,4 +22,4 @@
 </p>
 
 <p>You can approve or deny this user on the
-    <a href="<?php echo getURL("panel/pi.php"); ?>">my users</a> page</p>
+    <?php echo getHyperlink("my users", "panel/pi.php"); ?> page</p>
diff --git a/resources/mail/user_loginshell.php b/resources/mail/user_loginshell.php
index 4197b9e1..393bfdc5 100644
--- a/resources/mail/user_loginshell.php
+++ b/resources/mail/user_loginshell.php
@@ -7,6 +7,6 @@
 
 <p>You have updated your login shell on the Unity cluster to <?php echo $data["new_shell"]; ?>.
 You can view the login shell settings on the
-<a href="<?php echo getURL("panel/account.php"); ?>">account settings</a> page</p>
+<?php echo getHyperlink("account settings", "panel/account.php"); ?> page</p>
 
 <p>If you believe this to be a mistake, please reply to this email as soon as possible.</p>
diff --git a/resources/mail/user_qualified.php b/resources/mail/user_qualified.php
index 4241bf28..e3c348bc 100644
--- a/resources/mail/user_qualified.php
+++ b/resources/mail/user_qualified.php
@@ -15,6 +15,6 @@
 
 <p>Please login to the web portal to access Unity.
     If you need console access, you will need to set your SSH keys in the
-    <a href="<?php echo getURL("/panel/account.php"); ?>">account settings</a> page.</p>
+    <?php echo getHyperlink("account settings", "/panel/account.php"); ?> page.</p>
 
 <p>If you believe this to be a mistake, please reply to this email as soon as possible.</p>
diff --git a/resources/mail/user_sshkey.php b/resources/mail/user_sshkey.php
index 20619c63..8ec90a86 100644
--- a/resources/mail/user_sshkey.php
+++ b/resources/mail/user_sshkey.php
@@ -15,7 +15,7 @@
 
 <p>
 You can view the SSH public keys attached to your account on the
-<a href="<?php echo getURL("/panel/account.php"); ?>">account settings</a>
+<?php echo getHyperlink("account settings", "/panel/account.php"); ?>
 page.
 </p>
 
diff --git a/resources/templates/header.php b/resources/templates/header.php
index 268a0cc0..c110dac0 100644
--- a/resources/templates/header.php
+++ b/resources/templates/header.php
@@ -79,9 +79,8 @@
 
   <nav class="mainNav">
     <?php
-    $prefix = CONFIG["site"]["prefix"];
     // Public Items - Always Visible
-    echo "<a href='$prefix/index.php'>Home</a>";
+    echo getHyperlink("Home", "index.php");
 
     $num_additional_items = count(CONFIG["menuitems"]["labels"]);
     for ($i = 0; $i < $num_additional_items; $i++) {
@@ -91,13 +90,13 @@
 
     if (isset($_SESSION["user_exists"]) && $_SESSION["user_exists"]) {
         // Menu Items for Present Users
-        echo "<a href='$prefix/panel/support.php'>Support</a>";
-        echo "<a href='$prefix/panel/account.php'>Account Settings</a>";
-        echo "<a href='$prefix/panel/groups.php'>My PIs</a>";
+        echo getHyperlink("Support", "panel/support.php");
+        echo getHyperlink("Account Settings", "panel/account.php");
+        echo getHyperlink("My PIs", "panel/groups.php");
 
         if (isset($_SESSION["is_pi"]) && $_SESSION["is_pi"]) {
             // PI only pages
-            echo "<a href='$prefix/panel/pi.php'>My Users</a>";
+            echo getHyperlink("My Users", "panel/pi.php");
         }
 
         // additional branding items
@@ -113,13 +112,13 @@
         ) {
             echo "<hr class='navHR'>";
             // Admin only pages
-            echo "<a href='$prefix/admin/user-mgmt.php'>User Management</a>";
-            echo "<a href='$prefix/admin/pi-mgmt.php'>PI Management</a>";
-            echo "<a href='$prefix/admin/notices.php'>Cluster Notices</a>";
-            echo "<a href='$prefix/admin/content.php'>Content Management</a>";
+            echo getHyperlink("User Management", "admin/user-mgmt.php");
+            echo getHyperlink("PI Management", "admin/pi-mgmt.php");
+            echo getHyperlink("Cluster Notices", "admin/notices.php");
+            echo getHyperlink("Content Management", "admin/content.php");
         }
     } else {
-        echo "<a href='$prefix/panel/account.php'>Login / Request Account</a>";
+        echo getHyperlink("Login / Request Account", "panel/account.php");
     }
     ?>
   </nav>
diff --git a/webroot/panel/groups.php b/webroot/panel/groups.php
index 8601a240..4635fdad 100644
--- a/webroot/panel/groups.php
+++ b/webroot/panel/groups.php
@@ -123,18 +123,19 @@
 echo "<h5>Current Groups</h5>";
 
 if ($USER->isPI() && count($PIGroupGIDs) == 1) {
+    $url = getURL("/panel/pi.php");
     echo "
         You are only a member of your own PI group.
         Navigate to the
-        <a href='" . getURL("/panel/pi.php") . "'>my users</a>
+        <a href='$url'>my users</a>
         page to see your group.
     ";
 }
 
 if (count($PIGroupGIDs) == 0) {
+    $url = getURL("panel/groups.php");
     echo "You are not a member of any groups. Request to join a PI using the button below,
-    or request your own PI account on the <a href='" . getURL("/panel/groups.php") .
-        "/panel/account.php'>account settings</a> page";
+    or request your own PI account on the <a href='$url'>account settings</a> page";
 }
 
 echo "<table>";
diff --git a/webroot/panel/pi.php b/webroot/panel/pi.php
index a49887ea..ac6ee9e2 100644
--- a/webroot/panel/pi.php
+++ b/webroot/panel/pi.php
@@ -45,9 +45,9 @@
 $assocs = $group->getGroupMembers();
 
 if (count($requests) + count($assocs) == 1) {
+    $url = getURL("/panel/groups.php");
     echo "<p>You do not have any users attached to your PI account.
-    Ask your users to request to join your account on the <a href='" . getURL("/panel/groups.php") .
-        "/panel/groups.php'>My PIs</a> page.</p>";
+    Ask your users to request to join your account on the <a href='$url'>My PIs</a> page.</p>";
 }
 
 if (count($requests) > 0) {

From 9de9b9ea231324a7f6b9564b04722e33897e7a3e Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Fri, 12 Dec 2025 08:08:55 -0500
Subject: [PATCH 05/18] cleanup

---
 webroot/admin/content.php      | 4 ++--
 webroot/panel/account.php      | 8 ++++----
 webroot/panel/modal/new_pi.php | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/webroot/admin/content.php b/webroot/admin/content.php
index 0336e380..e318ede9 100644
--- a/webroot/admin/content.php
+++ b/webroot/admin/content.php
@@ -53,10 +53,10 @@
         .catch(error => {
             console.error(error)
         });
-    const prefix = '<?php echo CONFIG["site"]["prefix"]; ?>';
+    const url = '<?php echo getURL("admin/ajax/get_page_contents.php"); ?>';
     $("#pageForm > select[name=pageSel]").change(function(e) {
         $.ajax({
-            url: `${prefix}/admin/ajax/get_page_contents.php?pageid=` + $(this).val(),
+            url: `${url}?pageid=` + $(this).val(),
             success: function(result) {
             mainEditor.setData(result);
         }});
diff --git a/webroot/panel/account.php b/webroot/panel/account.php
index d953e818..7fb7343c 100644
--- a/webroot/panel/account.php
+++ b/webroot/panel/account.php
@@ -136,7 +136,7 @@
     echo "<p>You are curently a <strong>qualified user</strong> on the Unity Cluster</p>";
 } else {
     $tos_url = CONFIG["site"]["terms_of_service_url"];
-    $sitePrefix = substr(getURL(""), strlen(CONFIG["site"]["url"]), -1);
+    $form_url = getURL("panel/groups.php");
     echo "
         <p>
             You are currently an <strong>unqualified user</strong>, and will be
@@ -145,7 +145,7 @@
             Do not request a PI group if you are a student.
         </p>
         <br>
-        <form action='$sitePrefix/panel/groups.php' method='GET'>
+        <form action='$form_url' method='GET'>
             <label>
                 <input type='checkbox' name='tos' value='agree' required />
                 I have read and accept the
@@ -294,11 +294,11 @@
 ?>
 
 <script>
-    const sitePrefix = '<?php echo CONFIG["site"]["prefix"]; ?>';
+    const url = '<?php echo getURL("panel/modal/new_key.php")?>';
     const ldapLoginShell = '<?php echo $USER->getLoginShell(); ?>';
 
     $("button.btnAddKey").click(function() {
-        openModal("Add New Key", `${sitePrefix}/panel/modal/new_key.php`);
+        openModal("Add New Key", url);
     });
 
     $("#loginSelector option").each(function(i, e) {
diff --git a/webroot/panel/modal/new_pi.php b/webroot/panel/modal/new_pi.php
index f76bea01..a975d7a2 100644
--- a/webroot/panel/modal/new_pi.php
+++ b/webroot/panel/modal/new_pi.php
@@ -28,9 +28,9 @@
 <script>
     $("input[type=text][name=pi]").keyup(function() {
         var searchWrapper = $("div.searchWrapper");
-        const prefix = '<?php echo CONFIG["site"]["prefix"]; ?>';
+        const url = '<?php echo getURL("panel/modal/pi_search.php") ?>';
         $.ajax({
-            url: `${prefix}/panel/modal/pi_search.php?search=` + $(this).val(),
+            url: `${url}?search=` + $(this).val(),
             success: function(result) {
                 searchWrapper.html(result);
 

From d5b6f2dca13b6b97f277b81c9e5ccb4e77ed49fd Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Fri, 12 Dec 2025 08:13:12 -0500
Subject: [PATCH 06/18] fix bug

---
 resources/lib/utils.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/lib/utils.php b/resources/lib/utils.php
index 80090e29..65f14d04 100644
--- a/resources/lib/utils.php
+++ b/resources/lib/utils.php
@@ -85,7 +85,7 @@ function pathJoin()
 
 function getURL(...$path_components)
 {
-    return pathJoin([CONFIG["site"]["url"], CONFIG["site"]["prefix"], ...$path_components]);
+    return pathJoin(CONFIG["site"]["url"], CONFIG["site"]["prefix"], ...$path_components);
 }
 
 function getHyperlink($text, ...$path_components)

From 07c6e561e4420fc433205468d877b13c31aa7897 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Fri, 12 Dec 2025 08:14:29 -0500
Subject: [PATCH 07/18] close script element

---
 resources/templates/footer.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/templates/footer.php b/resources/templates/footer.php
index 005ef7b7..a363d91a 100644
--- a/resources/templates/footer.php
+++ b/resources/templates/footer.php
@@ -32,7 +32,7 @@
 <?php
 foreach (["filter", "sort", "global", "tables"] as $x) {
     $url = getURL("js/$x.js");
-    echo "<script src='$url'>";
+    echo "<script src='$url'></script>";
 }
 ?>
 </html>

From aa2f8776ed8ea96c03015ab5bad81ec695375d84 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Fri, 12 Dec 2025 08:15:30 -0500
Subject: [PATCH 08/18] no leading slashes

---
 webroot/admin/pi-mgmt.php       | 2 +-
 webroot/admin/user-mgmt.php     | 2 +-
 webroot/panel/groups.php        | 6 +++---
 webroot/panel/modal/new_key.php | 6 +++---
 webroot/panel/modal/new_pi.php  | 2 +-
 webroot/panel/new_account.php   | 2 +-
 webroot/panel/pi.php            | 2 +-
 7 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/webroot/admin/pi-mgmt.php b/webroot/admin/pi-mgmt.php
index 45b5c6a4..ec388b0e 100644
--- a/webroot/admin/pi-mgmt.php
+++ b/webroot/admin/pi-mgmt.php
@@ -146,7 +146,7 @@ class="filterSearch"
         }
     });
 
-    var ajax_url = "<?php echo getURL("/admin/ajax/get_group_members.php"); ?>?gid=";
+    var ajax_url = "<?php echo getURL("admin/ajax/get_group_members.php"); ?>?gid=";
 </script>
 
 <?php
diff --git a/webroot/admin/user-mgmt.php b/webroot/admin/user-mgmt.php
index d287ff62..e969f9bf 100644
--- a/webroot/admin/user-mgmt.php
+++ b/webroot/admin/user-mgmt.php
@@ -13,7 +13,7 @@
     switch ($_POST["form_type"]) {
         case "viewAsUser":
             $_SESSION["viewUser"] = $_POST["uid"];
-            UnityHTTPD::redirect(getURL("/panel/account.php"));
+            UnityHTTPD::redirect(getURL("panel/account.php"));
             break;
     }
 }
diff --git a/webroot/panel/groups.php b/webroot/panel/groups.php
index 4635fdad..562c6d0f 100644
--- a/webroot/panel/groups.php
+++ b/webroot/panel/groups.php
@@ -123,7 +123,7 @@
 echo "<h5>Current Groups</h5>";
 
 if ($USER->isPI() && count($PIGroupGIDs) == 1) {
-    $url = getURL("/panel/pi.php");
+    $url = getURL("panel/pi.php");
     echo "
         You are only a member of your own PI group.
         Navigate to the
@@ -186,11 +186,11 @@
 
 <script>
     $("button.btnAddPI").click(function () {
-        openModal("Add New PI", "<?php echo getURL("/panel/modal/new_pi.php"); ?>");
+        openModal("Add New PI", "<?php echo getURL("panel/modal/new_pi.php"); ?>");
     });
 
     // tables.js uses ajax_url to populate expandable tables
-    var ajax_url = "<?php echo getURL("/panel/ajax/get_group_members.php"); ?>?gid=";
+    var ajax_url = "<?php echo getURL("panel/ajax/get_group_members.php"); ?>?gid=";
 </script>
 
 <style>
diff --git a/webroot/panel/modal/new_key.php b/webroot/panel/modal/new_key.php
index c7878383..0312e4bf 100644
--- a/webroot/panel/modal/new_key.php
+++ b/webroot/panel/modal/new_key.php
@@ -8,7 +8,7 @@
     id="newKeyform"
     enctype="multipart/form-data"
     method="POST"
-    action="<?php echo getURL("/panel/account.php"); ?>"
+    action="<?php echo getURL("panel/account.php"); ?>"
 >
     <?php echo UnityHTTPD::getCSRFTokenHiddenFormInput(); ?>
     <input type='hidden' name='form_type' value='addKey'>
@@ -74,7 +74,7 @@ function generateKey(type) {
         var endingSection = "</section>";
 
         $.ajax({
-            url: "<?php echo getURL("/js/ajax/ssh_generate.php"); ?>?type=" + type,
+            url: "<?php echo getURL("js/ajax/ssh_generate.php"); ?>?type=" + type,
             success: function(result) {
                 var pubKey = result.substr(result.indexOf(pubSection) + pubSection.length,
                 result.indexOf(endingSection) - result.indexOf(pubSection) - pubSection.length);
@@ -103,7 +103,7 @@ function generateKey(type) {
     $("textarea[name=key]").on("input", function() {
         var key = $(this).val();
         $.ajax({
-            url: "<?php echo getURL("/js/ajax/ssh_validate.php"); ?>",
+            url: "<?php echo getURL("js/ajax/ssh_validate.php"); ?>",
             type: "POST",
             data: {
                 key: key
diff --git a/webroot/panel/modal/new_pi.php b/webroot/panel/modal/new_pi.php
index a975d7a2..57064837 100644
--- a/webroot/panel/modal/new_pi.php
+++ b/webroot/panel/modal/new_pi.php
@@ -7,7 +7,7 @@
 <form
     id="newPIform"
     method="POST"
-    action="<?php echo getURL("/panel/groups.php"); ?>"
+    action="<?php echo getURL("panel/groups.php"); ?>"
 >
     <?php echo UnityHTTPD::getCSRFTokenHiddenFormInput(); ?>
     <input type="hidden" name="form_type" value="addPIform">
diff --git a/webroot/panel/new_account.php b/webroot/panel/new_account.php
index b75e2d3b..732c5f20 100644
--- a/webroot/panel/new_account.php
+++ b/webroot/panel/new_account.php
@@ -6,7 +6,7 @@
 use UnityWebPortal\lib\UnityUser;
 
 if ($USER->exists()) {
-    UnityHTTPD::redirect(getURL("/panel/account.php"));
+    UnityHTTPD::redirect(getURL("panel/account.php"));
 }
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
     UnityHTTPD::validatePostCSRFToken();
diff --git a/webroot/panel/pi.php b/webroot/panel/pi.php
index ac6ee9e2..7cdd3f58 100644
--- a/webroot/panel/pi.php
+++ b/webroot/panel/pi.php
@@ -45,7 +45,7 @@
 $assocs = $group->getGroupMembers();
 
 if (count($requests) + count($assocs) == 1) {
-    $url = getURL("/panel/groups.php");
+    $url = getURL("panel/groups.php");
     echo "<p>You do not have any users attached to your PI account.
     Ask your users to request to join your account on the <a href='$url'>My PIs</a> page.</p>";
 }

From fd15a93d470f79d8f27e7000f8efcd411574dbb8 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Fri, 12 Dec 2025 08:17:07 -0500
Subject: [PATCH 09/18] don't delete modal.css

---
 resources/templates/header.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/templates/header.php b/resources/templates/header.php
index c110dac0..e8c8b26c 100644
--- a/resources/templates/header.php
+++ b/resources/templates/header.php
@@ -51,7 +51,7 @@
   </style>
 
   <?php
-    foreach (["global", "navbar", "tables", "filters", "messages"] as $x) {
+    foreach (["global", "navbar", "modal", "tables", "filters", "messages"] as $x) {
         $url = getURL("css/$x.css");
         echo "<link rel='stylesheet' type='text/css' href='$url'>";
     }

From e4b8fc93e58588fbd51d273004a4ab073ef469f0 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Fri, 12 Dec 2025 08:53:15 -0500
Subject: [PATCH 10/18] dev environment does not have https

---
 defaults/config.ini.default | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/config.ini.default b/defaults/config.ini.default
index 11d6140b..443111cc 100644
--- a/defaults/config.ini.default
+++ b/defaults/config.ini.default
@@ -8,7 +8,7 @@ repo = "https://github.com/UnityHPC/unity-web-portal"  ; Upstream URL for the we
 [site]
 prefix = ""  ; prefix of website, no ending / should be included
 name = "Unity Cluster"  ; Name of the website
-url = "https://127.0.0.1:8000/"  ; URL of the website
+url = "http://127.0.0.1:8000/"  ; URL of the website
 description = "The Unity Web Portal is a lightweight HPC cluster front-end"  ; Description of the website
 logo = "logo.png"  ; path to logo file, in the webroot/assets/branding folder
 terms_of_service_url = "https://github.com" ; this can be external or a portal page created with "content management"

From bec6b1ead3f0c685d462c6246d583a9ecda70ecf Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Fri, 12 Dec 2025 08:53:26 -0500
Subject: [PATCH 11/18] respect URL scheme in pathJoin

---
 resources/lib/utils.php | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/resources/lib/utils.php b/resources/lib/utils.php
index 65f14d04..b396c2e7 100644
--- a/resources/lib/utils.php
+++ b/resources/lib/utils.php
@@ -72,15 +72,22 @@ function mbDetectEncoding(string $string, ?array $encodings = null, mixed $_ = n
 }
 
 /* https://stackoverflow.com/a/15575293/18696276 */
-function pathJoin()
+function pathNormalize(string $path)
 {
-    $paths = [];
-    foreach (func_get_args() as $arg) {
-        if ($arg !== "") {
-            $paths[] = $arg;
-        }
+    return preg_replace("#/+#", "/", $path);
+}
+
+function pathJoin(...$path_components)
+{
+    $path = join("/", $path_components);
+    // if URL starts with a "scheme" like "https://", do not try to alter the slashes in the scheme
+    if (preg_match("#^\w+://#", $path)) {
+        $matches = [];
+        preg_match("#(^\w+://)(.*)#", $path, $matches);
+        return $matches[1] . pathNormalize($matches[2]);
+    } else {
+        return pathNormalize($path);
     }
-    return preg_replace("#/+#", "/", join("/", $paths));
 }
 
 function getURL(...$path_components)

From 3cebda2648537d5f0e622a314be9484dc6980216 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Fri, 12 Dec 2025 09:15:10 -0500
Subject: [PATCH 12/18] rename

---
 resources/lib/utils.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/resources/lib/utils.php b/resources/lib/utils.php
index b396c2e7..14a23e06 100644
--- a/resources/lib/utils.php
+++ b/resources/lib/utils.php
@@ -90,15 +90,15 @@ function pathJoin(...$path_components)
     }
 }
 
-function getURL(...$path_components)
+function getURL(...$url_components)
 {
-    return pathJoin(CONFIG["site"]["url"], CONFIG["site"]["prefix"], ...$path_components);
+    return pathJoin(CONFIG["site"]["url"], CONFIG["site"]["prefix"], ...$url_components);
 }
 
-function getHyperlink($text, ...$path_components)
+function getHyperlink($text, ...$url_components)
 {
     $text = htmlspecialchars($text);
-    $path_components = array_map("htmlspecialchars", $path_components);
-    $url = getURL(...$path_components);
+    $url_components = array_map("htmlspecialchars", $url_components);
+    $url = getURL(...$url_components);
     return "<a href='$url'>$text</a>";
 }

From 6a83ea55c364eb884d30cd2e19ac42fbe255362f Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Fri, 12 Dec 2025 09:17:47 -0500
Subject: [PATCH 13/18] refactor

---
 resources/lib/utils.php | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/resources/lib/utils.php b/resources/lib/utils.php
index 14a23e06..bcb5d816 100644
--- a/resources/lib/utils.php
+++ b/resources/lib/utils.php
@@ -77,24 +77,23 @@ function pathNormalize(string $path)
     return preg_replace("#/+#", "/", $path);
 }
 
-function pathJoin(...$path_components)
+function getURL(...$relative_url_components)
 {
-    $path = join("/", $path_components);
+    $url_components = array_merge(
+        [CONFIG["site"]["url"], CONFIG["site"]["prefix"]],
+        $relative_url_components,
+    );
+    $url = join("/", $url_components);
     // if URL starts with a "scheme" like "https://", do not try to alter the slashes in the scheme
-    if (preg_match("#^\w+://#", $path)) {
+    if (preg_match("#^\w+://#", $url)) {
         $matches = [];
-        preg_match("#(^\w+://)(.*)#", $path, $matches);
+        preg_match("#(^\w+://)(.*)#", $url, $matches);
         return $matches[1] . pathNormalize($matches[2]);
     } else {
-        return pathNormalize($path);
+        return pathNormalize($url);
     }
 }
 
-function getURL(...$url_components)
-{
-    return pathJoin(CONFIG["site"]["url"], CONFIG["site"]["prefix"], ...$url_components);
-}
-
 function getHyperlink($text, ...$url_components)
 {
     $text = htmlspecialchars($text);

From 63b375aa59db97b2abeaaf3590582850c3ad7611 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Fri, 12 Dec 2025 09:25:58 -0500
Subject: [PATCH 14/18] add unit tests

---
 test/unit/UtilsTest.php | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/test/unit/UtilsTest.php b/test/unit/UtilsTest.php
index f5ee8ba8..0ccf76f0 100644
--- a/test/unit/UtilsTest.php
+++ b/test/unit/UtilsTest.php
@@ -79,4 +79,29 @@ public function testTestValidSSHKey(bool $expected, string $key)
     {
         $this->assertEquals($expected, testValidSSHKey($key));
     }
+
+    public static function URLComponentProvider()
+    {
+        if (CONFIG["site"]["prefix"] != "http://127.0.0.1:8000") {
+            throw new RuntimeException("site prefix has changed!");
+        }
+        return [
+            [["", ""], "http://127.0.0.1:8000"],
+            [["", "/"], "http://127.0.0.1:8000/"],
+            [["/", "a"], "http://127.0.0.1:8000/a"],
+            [["/", "/a"], "http://127.0.0.1:8000/a"],
+            [["abc", "def"], "http://127.0.0.1:8000/abc/def"],
+            [["abc", "/def"], "http://127.0.0.1:8000/abc/def"],
+            [["/abc", "def"], "http://127.0.0.1:8000/abc/def"],
+            [["/abc", "def///"], "http://127.0.0.1:8000/abc/def/"],
+            [["", "foo.jpg"], "http://127.0.0.1:8000/foo.jpg"],
+            [["dir", "0", "a.jpg"], "http://127.0.0.1:8000/dir/0/a.jpg"],
+        ];
+    }
+
+    #[DataProvider("URLComponentProvider")]
+    public function testGetURL(array $relative_url_components, string $expected)
+    {
+        $this->assertEquals($expected, getURL(...$relative_url_components));
+    }
 }

From 1495c4c9bec3ecbe3c68466162b1a2d2dffcae09 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Fri, 12 Dec 2025 09:40:02 -0500
Subject: [PATCH 15/18] rewrite getURL

---
 resources/lib/utils.php | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/resources/lib/utils.php b/resources/lib/utils.php
index bcb5d816..4250cfd6 100644
--- a/resources/lib/utils.php
+++ b/resources/lib/utils.php
@@ -79,19 +79,15 @@ function pathNormalize(string $path)
 
 function getURL(...$relative_url_components)
 {
-    $url_components = array_merge(
-        [CONFIG["site"]["url"], CONFIG["site"]["prefix"]],
-        $relative_url_components,
-    );
-    $url = join("/", $url_components);
-    // if URL starts with a "scheme" like "https://", do not try to alter the slashes in the scheme
-    if (preg_match("#^\w+://#", $url)) {
-        $matches = [];
-        preg_match("#(^\w+://)(.*)#", $url, $matches);
-        return $matches[1] . pathNormalize($matches[2]);
-    } else {
-        return pathNormalize($url);
+    if (!preg_match("#^\w+://#", CONFIG["site"]["url"])) {
+        throw new RuntimeException('CONFIG[site][url] does not have a scheme! (ex: "https://")');
     }
+    $matches = [];
+    preg_match("#(^\w+://)(.*)#", CONFIG["site"]["url"], $matches);
+    [$_, $site_url_scheme, $site_url_noscheme] = $matches;
+    $path = join("/", [$site_url_noscheme, CONFIG["site"]["prefix"], ...$relative_url_components]);
+    $path_normalized = pathNormalize($path);
+    return $site_url_scheme . $path_normalized;
 }
 
 function getHyperlink($text, ...$url_components)

From 08cf60b594aacd85f085cffacd0ddc7a85dbcb4e Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Fri, 12 Dec 2025 09:41:46 -0500
Subject: [PATCH 16/18] fix test

---
 test/unit/UtilsTest.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/test/unit/UtilsTest.php b/test/unit/UtilsTest.php
index 0ccf76f0..3fd04c33 100644
--- a/test/unit/UtilsTest.php
+++ b/test/unit/UtilsTest.php
@@ -82,11 +82,11 @@ public function testTestValidSSHKey(bool $expected, string $key)
 
     public static function URLComponentProvider()
     {
-        if (CONFIG["site"]["prefix"] != "http://127.0.0.1:8000") {
-            throw new RuntimeException("site prefix has changed!");
+        if (CONFIG["site"]["url"] != "http://127.0.0.1:8000/") {
+            throw new RuntimeException("site url has changed!");
         }
         return [
-            [["", ""], "http://127.0.0.1:8000"],
+            [["", ""], "http://127.0.0.1:8000/"],
             [["", "/"], "http://127.0.0.1:8000/"],
             [["/", "a"], "http://127.0.0.1:8000/a"],
             [["/", "/a"], "http://127.0.0.1:8000/a"],

From cbdbbbfba9d0012f461c93f741d1f4617357ffc1 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Mon, 15 Dec 2025 10:06:57 -0500
Subject: [PATCH 17/18] remove htmlspecialchars

---
 resources/lib/UnityHTTPD.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/resources/lib/UnityHTTPD.php b/resources/lib/UnityHTTPD.php
index f434c808..77e9bc7c 100644
--- a/resources/lib/UnityHTTPD.php
+++ b/resources/lib/UnityHTTPD.php
@@ -43,7 +43,6 @@ public static function die(mixed $x = null, bool $show_user = false): never
     public static function redirect(?string $dest = null): never
     {
         $dest ??= getURL($_SERVER["REQUEST_URI"]);
-        $dest = htmlspecialchars($dest);
         header("Location: $dest");
         http_response_code(302);
         if (CONFIG["site"]["enable_redirect_message"]) {

From 430aeea35310ce7b7b96e5b43bb086bc13c9d397 Mon Sep 17 00:00:00 2001
From: Simon Leary <simon.leary42@proton.me>
Date: Mon, 15 Dec 2025 11:19:51 -0500
Subject: [PATCH 18/18] remove htmlspecialchars

---
 resources/lib/utils.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/resources/lib/utils.php b/resources/lib/utils.php
index 4250cfd6..9c281145 100644
--- a/resources/lib/utils.php
+++ b/resources/lib/utils.php
@@ -93,7 +93,6 @@ function getURL(...$relative_url_components)
 function getHyperlink($text, ...$url_components)
 {
     $text = htmlspecialchars($text);
-    $url_components = array_map("htmlspecialchars", $url_components);
     $url = getURL(...$url_components);
     return "<a href='$url'>$text</a>";
 }