diff --git a/extra_modules/xor.js b/extra_modules/xor.js new file mode 100644 index 0000000..a4b4ba7 --- /dev/null +++ b/extra_modules/xor.js @@ -0,0 +1,27 @@ +function XOR_hex(a, b) { + var res = "", + i = a.length, + j = b.length; + while (i-->0 && j-->0) + res = (parseInt(a.charAt(i), 16) ^ parseInt(b.charAt(j), 16)).toString(16) + res; + return res; +} + +function hexEncode(a){ + let hex; + + let result = ""; + for (let i=0; i 100) { + if(typeof otherperson != "string" || otherperson.length > 100 || otherperson=="") { res.status(400).json({"error": "invalid otherperson given"}) return } diff --git a/routes/api/dms/post.js b/routes/api/dms/post.js new file mode 100644 index 0000000..8a675ec --- /dev/null +++ b/routes/api/dms/post.js 
@@ -0,0 +1,102 @@
+const xor = require("../../../extra_modules/xor.js")
+
+module.exports = {
+ "setup": function(router,con,server) {
+
+ const PIDS = {} //[pid]: true/"already_used"
+
+ router.get("/api/dms/pid", async function(req,res) {
+ res.set("Access-Control-Allow-Origin","*")
+ let pid = server.genstring(10) //collision chance is low enough, but we'll check anyways
+ while (PIDS[pid] != undefined){
+ pid = server.genstring(10)
+ console.log(5,"pid collision");
+ }
+ PIDS[pid] = true
+ setTimeout(function() {
+ PIDS[pid]=undefined
+ },40000)
+ res.json({"pid":pid})
+ })
+
+ router.post("/api/dms/post", async function(req,res) {
+ if(!req.body.message) {
+ res.json({"error":"no message to post"})
+ return
+ }
+ if((typeof req.body.message) != "string") {
+ res.json({"error":"no message to post"})
+ return
+ }
+ if((typeof req.body.pid) != "string") {
+ res.json({"error":"no pid given"})
+ return
+ }
+ if(req.body.pid.length != 10 || PIDS[req.body.pid] !== true) {
+ res.json({"error":"invalid pid given"})
+ return
+ }
+ PIDS[req.body.pid] = "already_used"
+
+ let reply_id
+ if(!req.body.reply_id || req.body.reply_id < 0) {
+ reply_id = 0
+ } else {
+ reply_id = req.body.reply_id
+ }
+
+ if((typeof req.body.reply_id) != "number") {
+ res.json({"error":"no valid reply id given"})
+ return
+ }
+
+ if(req.body.message.length > 1000) {
+ res.json({"error":"message too long"})
+ return
+ }
+
+ req.body.message = encodeURIComponent(req.body.message.trim())
+
+
+ req.body.receiver = encodeURIComponent(req.body.receiver||"")
+ if(req.body.receiver == "" || req.body.receiver == encodeURIComponent(res.locals.username) || req.body.receiver.length > 100) {
+ res.status(400).json({"error": "invalid receiver given"})
+ return
+ }
+ let otherperson = req.body.receiver
+
+ if(!req.body.message) {
+ res.json({"error":"no message to post"})
+ return
+ }
+
+ let sql = `insert into ipost.dms (dms_user_name,dms_text,dms_time,dms_receiver_name,dms_from_bot,dms_reply_id) values 
(?,?,?,?,?,?);` + let values = [encodeURIComponent(res.locals.username),req.body.message,Date.now(),xor(encodeURIComponent(res.locals.username),otherperson),res.locals.isbot,reply_id] + con.query(sql, values, function (err, result) { + if (err) throw err; + // let post_obj = { + // post_user_name: encodeURIComponent(res.locals.username), + // post_text: req.body.message, + // post_time: Date.now(), + // post_special_text: "", + // post_receiver_name: req.body.receiver, + // post_from_bot: res.locals.isbot, + // post_reply_id: reply_id + // } + + // let message = { + // message: "new_post", + // data: post_obj + // } + // let messagestr = JSON.stringify(message) + // server.wss.clients.forEach(function(ws) { + // if(ws.channel == decodeURIComponent(req.body.receiver)) { + // ws.send(messagestr) + // } + // }); + res.json({"success":"successfully posted dm"}) + console.log(5,`posted new dm by ${res.locals.username} to ${otherperson} : ${xor(encodeURIComponent(res.locals.username),otherperson)}`); + }); + }) + } +} \ No newline at end of file diff --git a/server.js b/server.js index 2c30abe..a69d11d 100644 --- a/server.js +++ b/server.js @@ -424,7 +424,9 @@ const toLoad = [ "api/all.js", "api/settingshandler.js", "api/post.js", - "api/dms/PersonalMessages.js" + "api/dms/PersonalMessages.js", + "api/dms/post.js", + ] for (let i = 0; i < toLoad.length; i++) { diff --git a/tests/index.js b/tests/index.js new file mode 100644 index 0000000..72a6883 --- /dev/null +++ b/tests/index.js @@ -0,0 +1 @@ +require("./xor.js") \ No newline at end of file diff --git a/tests/xor.js b/tests/xor.js new file mode 100644 index 0000000..8797d1a --- /dev/null +++ b/tests/xor.js 
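Review bot: The value written to `dms_receiver_name` in routes/api/dms/post.js, `xor(encodeURIComponent(res.locals.username),otherperson)`, does not identify a conversation uniquely, because `XOR_hex` in extra_modules/xor.js stops at the shorter operand and the XOR of two names is shared by many different name pairs. This assumes the exported `xor` is built on `XOR_hex`; the export itself is not visible in this diff. If the read path selects DMs by that column (also not visible here), messages could be returned to users who are not part of the conversation. A symmetric key without collisions, for example `[encodeURIComponent(res.locals.username), otherperson].sort().join("/")`, keeps the order-independence, since `/` cannot occur in `encodeURIComponent` output. Separately, `if (err) throw err;` in the `con.query` callback is not caught by the route and may take the process down on any database error; `res.status(500).json({"error":"could not post dm"})` followed by `return` would be safer.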
@@ -0,0 +1,58 @@ +const xor = require("../extra_modules/xor.js") +const crypto = require("crypto") + +const randomString = (length = 4) => { + let chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; + let str = ''; + for (let i = 0; i < length; i++) { + str += chars.charAt(Math.floor(Math.random() * chars.length)); + } + return str; + +}; + +const attempts = 500000 + +const per = attempts/100 + +for(let i=0;i