It's easy for people to unintentionally inject XML-unsafe characters
into a string from a copy/paste when filling out the Description or
Testing Done fields of a review request.

We now sanitize the XML before attempting to parse it, removing any
illegal characters. The result is a string that can be safely parsed
with no noticeably defects.

Unit tests pass.
Manually tested with a string containing the unsafe 0x0C character.