diff --git a/app/assets/stylesheets/location.css b/app/assets/stylesheets/location.css
index b5f1ee32ba..76903a0366 100644
--- a/app/assets/stylesheets/location.css
+++ b/app/assets/stylesheets/location.css
@@ -20,6 +20,9 @@
   margin: 0;
 }
 
+#blurred-location-modal .modal-content {
+  margin-top: 0;
+}
 #blurred-location-modal .small-description {
   font-size: 0.9rem;
   color: #808080;
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 06ae7ecdb8..3ab5f69194 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -274,7 +274,6 @@ def moderate
     user = User.find params[:id]
     if logged_in_as(['admin', 'moderator'])
       user.moderate
-      flash[:notice] = 'The user has been moderated.'
     else
       flash[:error] = 'Only moderators can moderate other users.'
     end
diff --git a/app/models/comment.rb b/app/models/comment.rb
index 6078bc18ce..19b90a08c9 100644
--- a/app/models/comment.rb
+++ b/app/models/comment.rb
@@ -473,7 +473,14 @@ def render_body
     if !trimmed_content? && parsed.present?
       body = parsed[:body] + COMMENT_FILTER + parsed[:boundary] + parsed[:quote]
     end
-    body
+
+    allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p iframe del hr img input code table thead tbody tr th td span dl dt dd div)
+
+    # Sanitize the HTML (remove malicious attributes, unallowed tags...)
+    sanitized_body = ActionController::Base.helpers.sanitize(body, tags: allowed_tags)
+
+    # Properly parse HTML (close incomplete tags...)
+    Nokogiri::HTML::DocumentFragment.parse(sanitized_body).to_html
   end
 
   def self.find_by_tag_and_author(tagname, userid)
diff --git a/app/models/tag.rb b/app/models/tag.rb
index 634c88f215..a291dece45 100644
--- a/app/models/tag.rb
+++ b/app/models/tag.rb
@@ -7,16 +7,6 @@ class Tag < ApplicationRecord
   has_many :node_tag, foreign_key: 'tid'
 
   # we're not really using the filter_by_type stuff here:
-  has_many :node, through: :drupal_node_tag do
-    def filter_by_type(type, limit = 10)
-      where(status: 1, type: type)
-        .limit(limit)
-        .order('created DESC')
-    end
-  end
-
-  # the following probably never gets used; tag.node will use the above definition.
-  # also, we're not really using the filter_by_type stuff here:
   has_many :node, through: :node_tag do
     def filter_by_type(type, limit = 10)
       where(status: 1, type: type)
diff --git a/app/views/sidebar/_dashboard.html.erb b/app/views/sidebar/_dashboard.html.erb
index 69bca8c0d8..0252f2c010 100644
--- a/app/views/sidebar/_dashboard.html.erb
+++ b/app/views/sidebar/_dashboard.html.erb
@@ -16,8 +16,17 @@
       </div>
     </div>
   </div>
+  
+<% if current_user %>
+  <div style="margin: 2.2rem 0;">
+    <a class="btn btn-lg btn-outline-secondary blurred-location-input" submit_to="/profile/tags/create/<%= current_user.uid %>"><i class="fa fa-map-marker" style="color:#c40;"></i> Add your location</a>
+    <p style="font-size: smaller; margin: 0.3rem 0;">
+      Add your location to see work near you<br>
+      <a href="https://publiclab.org/location-privacy" target="_blank">About location privacy »</a>
+    </p>
+  </div>
+<% end %>
 
-<br><br>
 <ul class="nav nav-tabs">
   <li class="nav-item" style="width:49%;">
     <a class="nav-link active lists-tab" href="#ask-question" data-toggle="tab">
diff --git a/app/views/tag/show.html.erb b/app/views/tag/show.html.erb
index c38b1c5115..b6ad38eff3 100644
--- a/app/views/tag/show.html.erb
+++ b/app/views/tag/show.html.erb
@@ -25,7 +25,7 @@
       <div class="tag-buttons">
         <div class="btn-group" role="group">
           <% if current_user && current_user.following(params[:id]) %>
-            <a rel="tooltip" title="<%= t('sidebar._post_button.share_your_work') %>" data-placement="bottom" href="/post?tags=<%= params[:id] %>" class="btn btn-primary requireLogin">New post <i class="fa fa-plus fa-white"></i></a>
+            <a rel="tooltip" title="<%= t('sidebar._post_button.share_your_work') %>" data-placement="bottom" href="/post?tags=<%= @title %>" class="btn btn-primary requireLogin">New post <i class="fa fa-plus fa-white"></i></a>
           <% else %>
             <a class="btn btn-primary requireLogin" target="_blank" href="/subscribe/tag/<%= params[:id] %>"> Follow</a>
               <% if @related_tags %>
diff --git a/test/application_system_test_case.rb b/test/application_system_test_case.rb
index c1d6af0ced..7284e44c85 100644
--- a/test/application_system_test_case.rb
+++ b/test/application_system_test_case.rb
@@ -6,7 +6,7 @@ class ApplicationSystemTestCase < ActionDispatch::SystemTestCase
   driven_by :selenium, using: :chrome, screen_size: [1400, 1400], options: { desired_capabilities: caps }
 
   # https://web.archive.org/web/20170730200309/http://blog.paulrugelhiatt.com/rails/testing/capybara/dropzonejs/2014/12/29/test-dropzonejs-file-uploads-with-capybara.html
-  def drop_in_dropzone(file_path)
+  def drop_in_dropzone(file_path, dropzoneSelector)
     # Generate a fake input element
     page.execute_script <<-JS
       fakeFileInput = window.$('<input/>').attr(
@@ -29,7 +29,7 @@ def drop_in_dropzone(file_path)
         value: new FakeDataTransferObject(fileToDrop)
       });
 
-      var dropzoneArea = document.querySelector('.dropzone');
+      var dropzoneArea = document.querySelector('#{dropzoneSelector}');
       // Transfer the image to the dropzone area
       dropzoneArea.files = dataTransfer.files;
       // Emit the fake "drop" event
diff --git a/test/editor_test.rb b/test/editor_test.rb
new file mode 100644
index 0000000000..838bc50461
--- /dev/null
+++ b/test/editor_test.rb
@@ -0,0 +1,81 @@
+require "application_system_test_case"
+
+class EditorTest < ApplicationSystemTestCase
+
+  def setup
+    visit '/'
+
+    click_on 'Login'
+
+    fill_in("username-login", with: "palpatine")
+    fill_in("password-signup", with: "secretive")
+    click_on "Log in"
+  end
+
+  test "check that rich wiki editor functions correctly" do
+    visit "/wiki/wiki-page-path"
+    find("a[data-original-title='Try the beta inline Rich Wiki editor.'").click()
+    first("div.inline-section").hover()
+
+    # click edit btn
+    using_wait_time(2) { first("a.inline-edit-btn").click() }
+
+    find("div.wk-wysiwyg").set("wiki text")
+
+    click_on "Save"
+    page.assert_selector("p", text: "wiki text")
+  end
+
+  test "check that markdown wiki editor functions correctly" do
+    visit "/wiki/wiki-page-path"
+    find("a[data-original-title='Edit this wiki page.'").click()
+
+    find("#text-input").set("wiki text")
+    find("a#publish").click()
+
+    page.assert_selector("p", text: "wiki text")
+  end
+
+  test "check rich editor features are functional" do
+    visit "/wiki/wiki-page-path"
+    find("a[data-original-title='Try the beta inline Rich Wiki editor.'").click()
+    first("div.inline-section").hover()
+
+    using_wait_time(2) { first("a.inline-edit-btn").click() }
+
+    # test the following features
+    ["bold", "italic", "code", "heading"].each do |element|
+      # clicking on the button generates the element with dummy text
+      find("button.woofmark-command-#{element}").click()
+      # these keys are called to deselect the previous elements
+      find("div.wk-wysiwyg").native.send_key(:arrow_left, :enter)
+    end
+
+    click_on "Save"
+
+    # assert that the features have worked and that the correct wiki elements are displayed
+    page.assert_selector("strong", text: "strong text")
+    page.assert_selector("h1", text: "Heading Text")
+    page.assert_selector("em", text: "emphasized text")
+    page.assert_selector("code", text: "code goes here")
+  end
+
+  test "check markdown editor features are functional" do
+    visit "/wiki/wiki-page-path"
+    find("a[data-original-title='Edit this wiki page.']").click()
+
+    # test the following features
+    ["**strong text**", "_emphasized text_", "`code goes here`", "# Heading Text"].each do |element|
+      find("#text-input").native.send_keys(element)
+      find("#text-input").native.send_keys(:enter)
+    end
+
+    find("a#publish").click()
+
+    # assert that the features have worked and that the correct wiki elements are displayed
+    page.assert_selector("strong", text: "strong text")
+    page.assert_selector("h1", text: "Heading Text")
+    page.assert_selector("em", text: "emphasized text")
+    page.assert_selector("code", text: "code goes here")
+  end
+end
diff --git a/test/functional/notes_controller_test.rb b/test/functional/notes_controller_test.rb
index 56a08f56b3..d069cd79a1 100644
--- a/test/functional/notes_controller_test.rb
+++ b/test/functional/notes_controller_test.rb
@@ -677,7 +677,7 @@ def teardown
     assert (notes & expected).present?
     assert !(notes & questions).present?
   end
-  
+
     test 'first note in /liked endpoint should be highest liked' do
     get :liked
     notes = assigns(:notes)
@@ -696,7 +696,7 @@ def teardown
     actual = notes.first
     assert expected == actual.created
   end
-     
+
   test 'first three posts in /liked should be sorted by likes' do
     get :liked
     # gets first notes
@@ -704,7 +704,7 @@ def teardown
      # sort_by is from lowest to highest so it needs to be reversed
     assert notes.sort_by { |note| note.cached_likes }.reverse ==  notes
   end
-   
+
   test 'should choose I18n for notes controller' do
     available_testing_locales.each do |lang|
       old_controller = @controller
diff --git a/test/integration/moderate_and_ban_test.rb b/test/integration/moderate_and_ban_test.rb
index b798dbc753..38b9ab31c1 100644
--- a/test/integration/moderate_and_ban_test.rb
+++ b/test/integration/moderate_and_ban_test.rb
@@ -114,7 +114,7 @@ class ModerateAndBanTest < ActionDispatch::IntegrationTest
 
     assert_response :redirect
     follow_redirect!
-    assert_equal flash[:notice], 'The user has been moderated.'
+    assert_equal I18n.t('users_controller.user_has_been_moderated'), flash[:warning]
     u = User.find(u.id)
     assert_equal 5, u.status
 
diff --git a/test/integration/signup_flow_test.rb b/test/integration/signup_flow_test.rb
index eaa97b9e3b..deaad82f78 100644
--- a/test/integration/signup_flow_test.rb
+++ b/test/integration/signup_flow_test.rb
@@ -80,6 +80,26 @@ def setup
     assert response.body.include? 'errors prohibited this user from being saved'
     assert response.body.include? 'Email should look like an email address.'
   end
+  
+  test 'spamaway text area not blank error message' do
+    post '/register', params: {
+      user: {
+         username: "newuser",
+         email: @new_user[:email],
+         password: @new_user[:password],
+         password_confirmation: @new_user[:password]
+      },
+      spamaway: {
+        statement1: @spamaway[:statement1],
+        statement2: @spamaway[:statement2],
+        statement3: @spamaway[:statement3],
+        statement4: @spamaway[:statement4],
+        follow_instructions: "Not_Blank"
+       }
+     } 
+    assert response.body.include? '1 error prohibited this user from being saved'
+    assert response.body.include? 'Spam detection Please read the instructions in the last box carefully.'
+  end
 
   private
 
diff --git a/test/system/comment_test.rb b/test/system/comment_test.rb
index 350c80d40c..44c3ee18e6 100644
--- a/test/system/comment_test.rb
+++ b/test/system/comment_test.rb
@@ -110,7 +110,7 @@ def setup
     reply_preview_button = page.all('#post_comment')[0]
 
     # Upload the image
-    drop_in_dropzone("#{Rails.root.to_s}/public/images/pl.png")
+    drop_in_dropzone("#{Rails.root.to_s}/public/images/pl.png", ".dropzone")
 
     # Wait for image upload to finish
     wait_for_ajax
diff --git a/test/system/post_test.rb b/test/system/post_test.rb
index 1b1bd0914b..4943274b30 100644
--- a/test/system/post_test.rb
+++ b/test/system/post_test.rb
@@ -5,14 +5,17 @@ class PostTest < ApplicationSystemTestCase
   include ActiveJob::TestHelper
   Capybara.default_max_wait_time = 60
 
-  test 'posting from the editor' do
+  def setup
     visit '/'
 
-    click_on 'Login'
-    fill_in("username-login", with: "Bob")
+    find(".nav-link.loginToggle").click()
+    fill_in("username-login", with: "jeff")
     fill_in("password-signup", with: "secretive")
-    click_on "Log in"
 
+    find(".login-modal-form #login-button").click()
+  end
+
+  test 'posting from the editor' do
     visit '/post'
 
     fill_in("title-input", with: "My new post")
@@ -20,27 +23,17 @@ class PostTest < ApplicationSystemTestCase
     el = find(".wk-wysiwyg") # rich text input
     el.set("All about this interesting stuff")
 
-    assert_page_reloads do
 
-      find('.ple-publish').click
-      assert_selector('h1', text: "My new post")
-      assert_selector('#content', text: "All about this interesting stuff")
-      assert_selector('.alert-success', text: "×\nSuccess! Thank you for contributing open research, and thanks for your patience while your post is approved by community moderators and we'll email you when it is published. In the meantime, if you have more to contribute, feel free to do so.")
-
-    end
+    find('.ple-publish').click()
 
+    assert_selector('h1', text: "My new post")
+    assert_selector('#content', text: "All about this interesting stuff")
+    assert_selector('.alert-success', text: "×\nResearch note published. Get the word out on the discussion lists!")
   end
 
   test 'adding tags to the post' do
     visit '/wiki/wiki-page-path/comments'
 
-    find('a[data-target="#loginModal"]', text: 'Login').click()
-
-    fill_in 'user_session[username]', with: 'jeff'
-    fill_in 'user_session[password]', with: 'secretive'
-
-    find(".login-modal-form #login-button").click()
-
     find('a#tags-open').click()
 
     find('.tag-input').set('nature').native.send_keys(:return)
@@ -53,13 +46,6 @@ class PostTest < ApplicationSystemTestCase
   test 'removing tags from the post' do
     visit '/wiki/wiki-page-path/comments'
 
-    find('a[data-target="#loginModal"]', text: 'Login').click()
-
-    fill_in 'user_session[username]', with: 'jeff'
-    fill_in 'user_session[password]', with: 'secretive'
-
-    find(".login-modal-form #login-button").click()
-
     find('a#tags-open').click()
 
     find('.tag-input').set('nature').native.send_keys(:return)
@@ -75,13 +61,6 @@ class PostTest < ApplicationSystemTestCase
   test 'like button on the post' do
     visit '/wiki/wiki-page-path/comments'
 
-    find('a[data-target="#loginModal"]', text: 'Login').click()
-
-    fill_in 'user_session[username]', with: 'jeff'
-    fill_in 'user_session[password]', with: 'secretive'
-
-    click_on 'Log in'
-
     like_button = find('.btn-like').click();
 
     # Make sure that star is toggled
@@ -109,11 +88,7 @@ def assert_page_does_not_reload(message = "page should not reload")
 
   test "edit wiki" do
     visit '/wiki/wiki-page-path/'
-    click_on "Login"
 
-    fill_in 'user_session[username]', with: 'jeff'
-    fill_in 'user_session[password]', with: 'secretive'
-    click_on "Log in"
     find('a.btn-circle:first-of-type .fa-pencil').click()
     fill_in("body", with: "Test for editing wikis!")
 
@@ -131,13 +106,8 @@ def assert_page_does_not_reload(message = "page should not reload")
     Capybara.ignore_hidden_elements = false
     visit '/wiki/new'
 
-    find('.login-page-form #username-login').set('jeff')
-    find('.login-page-form #password-signup').set('secretive')
-
-    find('.login-page-form #login-button').click()
-
     # Upload the image
-    drop_in_dropzone("#{Rails.root.to_s}/public/images/pl.png")
+    drop_in_dropzone("#{Rails.root.to_s}/public/images/pl.png", ".dropzone")
 
     # Wait for image upload to finish
     wait_for_ajax
diff --git a/test/system/rich_text_editor_test.rb b/test/system/rich_text_editor_test.rb
new file mode 100644
index 0000000000..e6d3e58f50
--- /dev/null
+++ b/test/system/rich_text_editor_test.rb
@@ -0,0 +1,45 @@
+require "application_system_test_case"
+# https://guides.rubyonrails.org/testing.html#implementing-a-system-test
+
+class RichTextEditorTest < ApplicationSystemTestCase
+  Capybara.default_max_wait_time = 60
+
+  def setup
+    visit '/'
+
+    find('.nav-link.loginToggle').click()
+    fill_in('username-login', with: 'jeff')
+    fill_in('password-signup', with: 'secretive')
+
+    find('.login-modal-form #login-button').click()
+  end
+
+  test 'thumbnail image drag and drop upload' do
+    visit '/post'
+
+    # Upload the image
+    drop_in_dropzone("#{Rails.root.to_s}/public/images/pl.png", '.ple-drag-drop')
+
+    # Wait for image upload to finish
+    wait_for_ajax
+
+    is_image_url_undefined  = page.evaluate_script("$('.ple-drag-drop').attr('style').includes('url(\"undefined\"')")
+
+    # Make sure that image has been uploaded
+    assert_equal( is_image_url_undefined, false )
+  end
+
+  test 'main textarea image drag and drop upload' do
+    visit '/post'
+
+    # Upload the image
+    drop_in_dropzone("#{Rails.root.to_s}/public/images/pl.png", '.wk-container-drop')
+
+    # Wait for image upload to finish
+    wait_for_ajax
+
+    # Make sure that image has been uploaded
+    page.assert_selector('.wk-wysiwyg img', count: 1)
+  end
+
+end
diff --git a/test/unit/comment_test.rb b/test/unit/comment_test.rb
index 09e778b1b2..4fe938770a 100644
--- a/test/unit/comment_test.rb
+++ b/test/unit/comment_test.rb
@@ -260,12 +260,15 @@ def setup
     comment = Comment.new({
       comment: "Thank you! On Tuesday, 3 July 2018, 11:20:57 PM IST, RP <rp@email.com> wrote:  Here you go."
     })
+
     parsed = comment.parse_quoted_text
+    output = comment.render_body
+
     assert_equal "Thank you! ", parsed[:body]
     assert_equal "On Tuesday, 3 July 2018, 11:20:57 PM IST, RP <rp@email.com> wrote:", parsed[:boundary]
     assert_equal "  Here you go.", parsed[:quote]
     assert_equal "Thank you! ", comment.scrub_quoted_text
-    assert_equal "Thank you! <!-- @@$$%% Trimmed Content @@$$%% -->On Tuesday, 3 July 2018, 11:20:57 PM IST, RP <rp@email.com> wrote:  Here you go.", comment.render_body
+    assert_equal output, "Thank you! On Tuesday, 3 July 2018, 11:20:57 PM IST, RP  wrote:  Here you go."
   end
 
   test 'should give the domain of gmail correctly' do
@@ -313,4 +316,38 @@ def setup
   test 'find comments using tagname and user id' do
     assert_equal('Admin comment', Comment.find_by_tag_and_author("awesome", 5).first.comment)
   end
+
+  test 'sanitizing comment body for XSS' do
+    comment = Comment.new
+    comment.comment = "<img src=x onerror=prompt(133)>" # inserting executable javascript into a comment
+    assert comment.save
+
+    output = comment.render_body
+
+    # Ensure that malicious attributes have been removed
+    assert_equal [], output.scan('src=x')
+    assert_equal [], output.scan('onerror=prompt')
+
+    # Ensure all the OK attributes are preserved, for a wide range of comment types:
+    comment.comment = "<iframe src='/hello' width='100' height='100' border='0'></iframe><p style='color:red;' class='nice' id='cool' title='sweet'></p>"
+    assert comment.save
+    output = comment.render_body
+
+    assert_equal [], output.scan("src='/hello' width='100' height='100' border='0'")
+    assert_equal [], output.scan("class='nice' id='cool' title='sweet'")
+  end
+
+  test 'should close incomplete tags' do
+    comment = Comment.new
+
+    # <iframe> is not closed (</iframe>)
+    comment.comment = "Let’s see how this works with images or an embedded video.\n\n&nbsp;\n\n![](cid:image001.jpg@01D45C10.01D90920)\n\n&nbsp;\n\n\\<iframe width=\"560\" height=\"315\" src=\"https://www.youtube.com/embed/Kt\\_MSMpxy7Y\" frameborder=\"0\" allow=\"autoplay; encrypted-media\" allowfullscreen\\>\\\n\n&nbsp;\n\nIs \\ ***markdown** \\* parsed?\n\n&nbsp;\n\n1. 1. Number 1\n\n2. 4. Number 4\n\n3. 3. Number 3\n\n&nbsp;"
+
+    assert comment.save
+    output = comment.render_body
+
+    # Make sure that <iframe> is closed (</iframe>)
+    assert_not_equal [], output.scan('<iframe width="560" height="315" src="https://www.youtube.com/embed/Kt%5C_MSMpxy7Y">\</iframe>')
+  end
+
 end